Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is available for Android smart phones and
tablets. Go to the Market Store and search for yennik.
- The State Department's approach to cybersecurity is so innovative
and effective that companies are clamoring to copy it. The State
Department has pioneered an approach to network security that makes
it easier for managers in large organizations to identify trouble
spots, prioritize them and get them fixed fast.
- California bill would ban warrantless cell phone searches - If you
get arrested in California, the photos, e-mails and other personal
data on your cell phone soon could be a bit safer from prying police
- 3 indicted in sophisticated hacking, theft scheme - At least 53
Seattle-area companies hit, with losses in the hundreds of thousands
- Soon after his office was burglarized - twice - Jeff walked in and
found a payroll report sitting on his printer. He hadn't printed it,
and as his company's chief financial officer, he's the only person
who would have.
- Losing medical data - It may seem strange that someone who works
so closely with ESET North America should keep writing about the
UK's National Health Service, but then I do live there.
- National breach notification bill passes hurdle - Three separate
national breach notification bills making their way through the
Senate came a step closer to being enacted into law on Thursday.
- Dutch government to revoke #DigiNotar certificates on Wednesday -
Certificates issued by DigiNotar are to be officially revoked this
week by the Dutch government.
- Senator Wants Investigation of OnStar’s ‘Brazen’ Privacy Invasion
- New York’s senior senator Charles Schumer wants the feds to
the Detroit navigation-and-emergency company refrain from monitoring
vehicles after customers cancel service.
- Corporate bank fraud losses expected to total $210M - Businesses
in North America are expected to lose $210 million this year to
corporate bank account takeovers, according to a new report from
financial research and consulting firm.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Alleged LulzSec, Anonymous hackers arrested in Ariz., Calif. - An
Arizona man was arrested today for allegedly stealing data from Sony
Pictures Entertainment earlier this year, and two others were
indicted on charges of participating in a denial-of-service (DoS)
attack that temporarily shut down Santa Cruz County servers late
- Mitsubishi Heavy Industries attack puts Japan's defence
contractors on alert - Viruses have been found on more than 80
computers and servers belonging to a Japanese weapons contractor.
- Harvard site back online after "sophisticated" defacement - The
home page of Harvard University is functioning normally after it was
defaced Monday morning by activists in support of the embattled
regime in Syria.
WEB SITE COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
Federal Reserve Board Official Staff Commentary (OSC) also clarifies
that terminal receipts are unnecessary for transfers initiated
on-line. Specifically, OSC regulations provide that, because the
term "electronic terminal" excludes a telephone operated by a
consumer, financial institutions need not provide a terminal receipt
when a consumer initiates a transfer by a means analogous in
function to a telephone, such as by a personal computer or a
Additionally, the regulations clarify that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security
code. According to the OSC, an example of a consumer's authorization
that is not in the form of a signed writing but is, instead,
"similarly authenticated" is a consumer's authorization via a home
banking system. To satisfy the regulatory requirements, the
institution must have some means to identify the consumer (such as a
security code) and make a paper copy of the authorization available
(automatically or upon request). The text of the electronic
authorization must be displayed on a computer screen or other visual
display that enables the consumer to read the communication from the
Only the consumer may authorize the transfer and not, for example, a
third-party merchant on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - OPERATING SYSTEM ACCESS (Part 1 of 2)
Financial institutions must control access to system software within
the various network clients and servers as well as stand-alone
systems. System software includes the operating system and system
utilities. The computer operating system manages all of the other
applications running on the computer. Common operating systems
include IBM OS/400 and AIX, LINUX, various versions of Microsoft
Windows, and Sun Solaris. Security administrators and IT auditors
need to understand the common vulnerabilities and appropriate
mitigation strategies for their operating systems. Application
programs and data files interface through the operating system.
System utilities are programs that perform repetitive functions such
as creating, deleting, changing, or copying files. System utilities
also could include numerous types of system management software that
can supplement operating system functionality by supporting common
system tasks such as security, system monitoring, or transaction
System software can provide high-level access to data and data
processing. Unauthorized access could result in significant
financial and operational losses. Financial institutions must
restrict privileged access to sensitive operating systems. While
many operating systems have integrated access control software,
third-party security software is available for most operating
systems. In the case of many mainframe systems, these programs are
essential to ensure effective access control and can often integrate
the security management of both the operating system and the
applications. Network security software can allow institutions to
improve the effectiveness of the administration and security policy
compliance for a large number of servers often spanning multiple
operating system environments. The critical aspects for access
control software, whether included in the operating system or
additional security software, are that management has the capability to:
- Restrict access to sensitive or critical system resources or
processes and have the capability, depending on the sensitivity, to
extend protection at the program, file, record, or field level;
- Log user or program access to sensitive system resources including
files, programs, processes, or operating system parameters; and
- Filter logs for potential security events and provide adequate
reporting and alerting capabilities.
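The last two capabilities listed above (logging access to sensitive system resources and filtering those logs for security events with alerting) in an added example; this is not code from the FFIEC booklet or the newsletter, and the log format, file paths, account names, and denial threshold are constructed assumptions.

```python
import re
from collections import Counter, namedtuple

# Assumed sensitive resources and privileged accounts (policy inputs, not from the page).
SENSITIVE_PATHS = {"/etc/shadow", "/etc/sudoers", "/var/lib/bank/payroll.db"}
PRIVILEGED_USERS = {"root", "sysadmin"}

# Constructed sample log lines in a simplified, assumed key=value format.
SAMPLE_LOG = """\
2011-09-20T08:01:02 user=alice prog=/usr/bin/vim path=/home/alice/notes.txt action=open result=success
2011-09-20T08:05:10 user=bob prog=/usr/bin/cat path=/etc/shadow action=open result=denied
2011-09-20T08:05:11 user=bob prog=/usr/bin/cat path=/etc/shadow action=open result=denied
2011-09-20T08:05:12 user=bob prog=/usr/bin/cat path=/etc/shadow action=open result=denied
2011-09-20T08:07:30 user=sysadmin prog=/usr/bin/visudo path=/etc/sudoers action=write result=success
2011-09-20T08:09:00 user=carol prog=/usr/bin/sqlite3 path=/var/lib/bank/payroll.db action=open result=success
2011-09-20T08:10:00 user=root prog=/usr/sbin/useradd path=/etc/shadow action=write result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) prog=(?P<prog>\S+) path=(?P<path>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)
Alert = namedtuple("Alert", "severity user path reason")

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def filter_events(log_text, denied_threshold=3):
    """Return alerts: unprivileged success on a sensitive path, repeated
    denials (possible probing), and privileged changes flagged for review."""
    alerts, denied = [], Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["path"] not in SENSITIVE_PATHS:
            continue  # skip unparseable lines and non-sensitive resources
        key = (ev["user"], ev["path"])
        if ev["result"] == "denied":
            denied[key] += 1
            if denied[key] == denied_threshold:
                alerts.append(Alert("high", *key, f"{denied_threshold} denied attempts"))
        elif ev["user"] not in PRIVILEGED_USERS:
            alerts.append(Alert("high", *key, f"unprivileged {ev['action']} succeeded"))
        else:
            alerts.append(Alert("info", *key, f"privileged {ev['action']}, review"))
    return alerts
```

Running `filter_events(SAMPLE_LOG)` yields four alerts: bob's repeated denials on /etc/shadow, carol's unprivileged read of the payroll database, and two privileged changes logged for review.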
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties (Part 3 of 6)
Requirements for Notices
Clear and Conspicuous. Privacy notices must be clear and
conspicuous, meaning they must be reasonably understandable and
designed to call attention to the nature and significance of the
information contained in the notice. The regulations do not
prescribe specific methods for making a notice clear and
conspicuous, but do provide examples of ways in which to achieve the
standard, such as the use of short explanatory sentences or bullet
lists, and the use of plain-language headings and easily readable
typeface and type size. Privacy notices also must accurately reflect
the institution's privacy practices.
Delivery Rules. Privacy notices must be provided so that each
recipient can reasonably be expected to receive actual notice in
writing, or if the consumer agrees, electronically. To meet this
standard, a financial institution could, for example, (1)
hand-deliver a printed copy of the notice to its consumers, (2) mail
a printed copy of the notice to a consumer's last known address, or
(3) for the consumer who conducts transactions electronically, post
the notice on the institution's web site and require the consumer to
acknowledge receipt of the notice as a necessary step to completing
For customers only, a financial institution must provide the initial
notice (as well as the annual notice and any revised notice) so that
a customer may be able to retain or subsequently access the notice.
A written notice satisfies this requirement. For customers who
obtain financial products or services electronically, and agree to
receive their notices on the institution's web site, the institution
may provide the current version of its privacy notice on its web