Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT security as
required by the FFIEC's "Interagency Guidelines Establishing
Information Security Standards."
50 arrested in smartphone
spyware dragnet - Cop, judge, and parliamentarian among the suspects
- Romanian authorities have arrested 50 individuals accused of using
off-the-shelf software to monitor cellphone communications of their
spouses, competitors, and others, according to news reports.
HIPAA encryption: meeting
today's regulations - If you work with an organization that must
adhere to the Health Insurance Portability and Accountability Act
(HIPAA), you know by now that encryption has become a de facto primary
aspect of HIPAA compliance since the passing of the HITECH Act.
IT staffer at New York bank
pleads guilty to data theft, fraud - Charged with using stolen
employee data to steal $1 million-plus from charities - A former IT
staffer with the Bank of New York Mellon pleaded guilty Thursday to
stealing sensitive information belonging to 2,000 bank employees and
then using that data to steal more than $1 million from charities.
Federal agencies lack
advisement on cloud security - A growing number of federal agencies
are running some form of cloud computing, but nearly all lack
policies around securing data hosted offsite, according to a new
report from the U.S. Government Accountability Office (GAO).
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
WellPoint Breach Could Have
Exposed Enrollees' Medical, Financial Data - The insurer WellPoint
recently notified 470,000 individual policyholders that their
medical records, Social Security numbers, credit card information
and other sensitive data might have been exposed during a recent
Destination Hotels' credit card system - Guests at 21 Destination
Hotels & Resorts' properties may have been subjected to credit card
theft after the chain discovered malware installed in its credit
card processing system.
University of Maine student
information exposed - Hackers recently gained access to a pair of
file servers containing the personal information of University of
Maine students who received counseling services at the school for
the past eight years.
Indiana restaurant chain in
the US hit by credit card breach, after hack of central processing
system - Several restaurants have been hit by a credit card breach
following a hack of the processing system.
New York hospital loses
data on 130,000 via FedEx - Breach affects 130,495 patients - New
York's Lincoln Medical and Mental Health Center is notifying
patients that their personal information may have been compromised
after seven CDs full of unencrypted data were FedExed by a hospital
contractor and then lost in transit.
Mass. secretary of state's
office accidentally releases sensitive data - The Massachusetts
secretary of state's office earlier this year accidentally released
the confidential personal information of state-registered investment
advisers to a business publication.
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 8 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
The strategy that financial institutions choose when
implementing weblinking relationships should address ways to avoid
customer confusion regarding linked third-party products and
services. This includes disclaimers and disclosures to limit
customer confusion and a customer service plan to address confusion
when it occurs.
Disclaimers and Disclosures
Financial institutions should use clear and conspicuous webpage
disclosures to explain their limited role and responsibility with
respect to products and services offered through linked third-party
websites. The level of detail of the disclosure and its prominence
should be appropriate to the harm that may ensue from customer
confusion inherent in a particular link. The institution might post
a disclosure stating it does not provide, and is not responsible
for, the product, service, or overall website content available at a
third-party site. It might also advise the customer that its privacy
policies do not apply to linked websites and that a viewer should
consult the privacy disclosures on that site for further
information. The conspicuous display of the disclosure, including
its placement on the appropriate webpage, by effective use of size,
color, and graphic treatment, will help ensure that the information
is noticeable to customers. For example, if a financial institution
places an otherwise conspicuous disclosure at the bottom of its
webpage (requiring a customer to scroll down to read it), prominent
visual cues that emphasize the information's importance should point
the viewer to the disclosure.
In addition, the technology used to provide disclosures is
important. While many institutions may simply place a disclaimer
notice on applicable webpages, some institutions use "pop-ups," or
intermediate webpages called "speedbumps," to notify customers they
are leaving the institution's website. For the reasons described
below, financial institutions should use speedbumps rather than
pop-ups if they choose to use this type of technology to deliver
their online disclaimers.
A "pop-up" is a screen generated by mobile code, for example Java or
ActiveX, when the customer clicks on a particular hyperlink. Mobile
code is used to send small programs to the user's browser.
Frequently, those programs cause unsolicited messages to appear
automatically on a user's screen. At times, the programs may be
malicious, enabling harmful viruses or allowing unauthorized access
to a user's personal information. Consequently, customers may
reconfigure their browsers or install software to block disclosures
delivered via mobile codes.
In contrast, an intermediate webpage, or "speedbump," alerts the
customer to the transition to the third-party website. Like a
pop-up, a speedbump is activated when the customer clicks on a
particular weblink. However, use of a speedbump avoids the problems
of pop-up technology, because the speedbump is not generated
externally using mobile code, but is created within the
institution's operating system, and cannot be disabled by the
INFORMATION TECHNOLOGY SECURITY -
This completes our
review of the OCC Bulletin about Infrastructure Threats and
Intrusion Risks. This week we review Information Sharing.
Information sharing among reliable and reputable experts can help
institutions reduce the risk of information system intrusions. The
OCC encourages management to participate in information-sharing
mechanisms as part of an effort to detect and respond to intrusions
and vulnerabilities. Mechanisms for information sharing are being
developed by many different organizations, each with a different
mission and operation. In addition, many vendors offer information
sharing and analysis services. Three organizations that are
primarily involved with the federal government's national
information security initiatives are the Financial Services
Information Sharing and Analysis Center (FS/ISAC), the Federal
Bureau of Investigation (FBI), and Carnegie Mellon University's
The FS/ISAC was formed in response to Presidential Decision
Directive 63: Critical Infrastructure Protection (May 22, 1998),
which encourages the banking, finance, and other industries to
establish information-sharing efforts in conjunction with the
federal government. The FS/ISAC allows financial services entities
to report incidents anonymously. In turn, the FS/ISAC rapidly
distributes information about attacks to the FS/ISAC members. Banks
can contact FS/ISAC by telephone at (888) 660-0134, e-mail at
firstname.lastname@example.org or their Web site at http://www.fsisac.com.
The FBI operates the National Information Protection Center
Infraguard outreach effort. Since Infraguard supports law
enforcement efforts, Infraguard members submit two versions of an
incident report. One complete version is used by law enforcement and
contains information that identifies the reporting member. The other
version does not contain that identifying information, and is
distributed to other Infraguard members. Banks can contact the FBI
by contacting local FBI field offices or via e-mail at
CERT/CC is part of a federally funded research and development
center at Carnegie Mellon University that helps organizations
identify vulnerabilities and recover from intrusions. It provides
up-to-date information on specific attacks (including viruses and
denial of service) and collates and shares information with other
organizations. CERT/CC does not require membership to report
problems. Banks can contact CERT/CC by phone at (412) 268-7090 or
e-mail at email@example.com.
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 3 of 3)
C. Opt Out Right
1) Review the financial institution's opt out notices. An opt
out notice may be combined with the institution's privacy notices.
Regardless, determine whether the opt out notices:
a. Are clear and conspicuous (§§3(b) and 7(a)(1));
b. Accurately explain the right to opt out (§7(a)(1));
c. Include and adequately describe the three required items of
information (the institution's policy regarding disclosure of
nonpublic personal information, the consumer's opt out right, and
the means to opt out) (§7(a)(1)); and
d. Describe how the institution treats joint consumers
(customers and those who are not customers), as applicable (§7(d)).
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written records where available, determine if the institution has
adequate procedures in place to provide the opt out notice and
comply with opt out directions of consumers (customers and those who
are not customers), as appropriate. Assess the following:
a. Timeliness of delivery (§10(a)(1));
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9);
c. Reasonableness of the opportunity to opt out (the time
allowed to and the means by which the consumer may opt out)
(§§10(a)(1)(iii), 10(a)(3)); and
d. Adequacy of procedures to implement and track the status of
a consumer's (customers and those who are not customers) opt out
direction, including those of former customers (§7(e), (f), (g)).