FYI - Auditors hack
Interior's financial and personal data - Lapses in the Interior
Department's oversight allowed government-hired hackers to
infiltrate the agency's systems. "We made - and then corrected - an
address change in the Federal Personnel/Payroll System," the report
states. "Having done this, we also believe we could have changed
bank routing information and other electronic funds records to
potentially divert electronic payments to other banks."
FYI - Visa gives
CardSystems three-month reprieve - Visa U.S.A. Inc. is giving
CardSystems Solutions Inc. a little more time to get its act
together. On Thursday, Visa announced that it has delayed plans to
sever ties with the Atlanta payment processor by three months, in
order to facilitate a planned sale of CardSystems to electronic
payment vendor CyberSource Corp.
FYI - Unattended PCs a
menace - It's 10 a.m. and you're on break; so who's using your
computer? Many organizations turn a blind eye to the risks posed by
PCs that are logged into corporate networks but left unattended,
according to a new analysis from research firm Gartner Inc.
FYI - Phishers Target
Swedish Bank - A phishing attack has broken new ground by attacking
a Scandinavian bank operating a one-time password. F-Secure chief
Mikko Hypponen said the attack was special because the emails were
in Swedish, and because Nordea operates a one-time password system,
consisting of a scratch sheet, which the customer scratches to
uncover the next available PIN code for login.
FYI - Tackling mobile
security - Very few companies worry about the cost of replacing
mobile devices, it's more about the value and amount of data that
resides of mobile devices and the adverse consequences to the
company if the data on these devices falls into the wrong hands.
CFOs Are Worried About Information Security - Information security
was ranked as the leading technology concern for financial
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
week begins our series on the Federal Financial Institutions Examination Council Guidance
on Electronic Financial Services and Consumer Compliance.
Electronic Fund Transfer Act,
Regulation E (Part 1 of 2)
Generally, when on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the
consumer's deposit account at an electronic terminal or personal
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An Interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign-up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
INFORMATION SECURITY RISK ASSESSMENT
This phase ranks the risk (outcomes and probabilities) presented
by various scenarios produced in the analysis phase to prioritize
management's response. Management may decide that since some risks
do not meet the threshold set in their security requirement, they
will accept those risks and not proceed with a mitigation strategy.
Other risks may require immediate corrective action. Still others
may require mitigation, either fully or partially, over time. Risks
that warrant action are addressed in the information security
In some borderline instances, or if planned controls cannot fully
mitigate the risk, management may need to review the risk assessment
and risk ranking with the board of directors or a delegated
committee. The board should then document its acceptance of the risk
or authorize other risk mitigation measures.
the top of the newsletter
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
5. Determine if passwords are stored on any
machine that is directly or easily accessible from outside the
institution, and if passwords are stored in programs on machines,
which query customer information databases.
Evaluate the appropriateness of such storage and the
associated protective mechanisms.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
45. If the institution receives information from a
nonaffiliated financial institution other than under an exception in
§14 or §15, does the institution refrain from disclosing the
a. to the affiliates of the financial institution from which
it received the information; [§11(b)(1)(i)]
b. to its own affiliates, which are in turn limited by the
same disclosure restrictions as the recipient institution; [§11(b)(1)(ii)]
c. to any other person, if the disclosure would be lawful if
made directly to that person by the institution from which the
recipient institution received the information? [§11(b)(1)(iii)]
VISTA - Does
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
testing focuses on
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit