Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT security as
required by the FFIEC's "Interagency Guidelines Establishing
Information Security Standards."
information and to subscribe visit
School District Pays $610,000 to Settle Webcam Spying Lawsuits - A
suburban Philadelphia school district is agreeing to pay $610,000 to
settle two lawsuits brought by students who were victims of a webcam
spying scandal in which high school-issued laptops secretly snapped
thousands of pictures of pupils.
Government vows to transform cyber defences - The Government tonight
pledged to transform Britain's defences to counter cyber attacks as
it warned of the "devastating real-world effect" of a successful
assault on the UK's communications infrastructure.
Government agents following suspects on social networks - The issue
of whether or not government or law enforcement agents are or should
be allowed to go "undercover" on social networks is not a new one,
but thanks to the Electronic Frontier Foundation, it is one that
will continue to be in the public spotlight at least for a while
Data theft by cybercriminals biggest loss for businesses, survey
reveals - Data theft has more than doubled to overtake physical
property losses for the first time in the past year, according to an
annual global fraud survey.
ID fraud costs UK £2.7bn a year - Victims can spend up to 200 hours
undoing damage. Identity fraud affects 1.8 million Britons every
year, costing £2.7bn in the process, researcher claimed today.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Europe's ATM skimming attacks rise, but losses fall - European banks
reported a record number of skimming attacks, where payment card
details were captured by criminals as bank customers tried to
withdraw cash from ATMs.
Microsoft confirms Russian pill-pusher attack on its network - Is
there a Linux admin in the house? Microsoft has confirmed that two
devices on its corporate network were compromised to help a
notorious gang of Russian criminals.
University of North Florida breach exposes data on 107,000
individuals - University networks are said to be frequently breached
because they are rich targets, enrolling thousands of students a
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Record retention provisions apply to electronic delivery of
disclosures to the same extent required for non-electronic delivery
of information. For example, if the web site contains an
advertisement, the same record retention provisions that apply to
paper-based or other types of advertisements apply. Copies of such
advertisements should be retained for the time period set out in the
relevant regulation. Retention of electronic copies is acceptable.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We begin our series on the FFIEC
interagency Information Security Booklet. This booklet is
required reading for anyone involved in information systems
security, such as the Network Administrator, Information Security
Officer, members of the IS Steering Committee, and most important
your outsourced network security consultants. Your outsourced
network security consultants can receive the "Internet Banking News"
by completing the subscription for at
https://yennik.com/newletter_page.htm. There is no charge for
Information security enables a financial institution to meet its
business objectives by implementing business systems with due
consideration of information technology (IT) - related risks to the
organization, business and trading partners, technology service
providers, and customers. Organizations meet this goal by striving
to accomplish the following objectives.
1) Availability - The ongoing availability of systems addresses the
processes, policies, and controls used to ensure authorized users
have prompt access to information. This objective protects against
intentional or accidental attempts to deny legitimate users access
to information and/or systems.
2) Integrity of Data or Systems - System and data integrity relate
to the processes, policies, and controls used to ensure information
has not been altered in an unauthorized manner and that systems are
free from unauthorized manipulation that will compromise accuracy,
completeness, and reliability.
3) Confidentiality of Data or Systems - Confidentiality covers the
processes, policies, and controls employed to protect information of
customers and the institution against unauthorized access or use.
4) Accountability - Clear accountability involves the processes,
policies, and controls necessary to trace actions to their source.
Accountability directly supports non-repudiation, deterrence,
intrusion prevention, intrusion detection, recovery, and legal
admissibility of records.
5) Assurance - Assurance addresses the processes, policies, and
controls used to develop confidence that technical and operational
security measures work as intended. Assurance levels are part of the
system design and include availability, integrity, confidentiality,
and accountability. Assurance highlights the notion that secure
systems provide the intended functionality while preventing
Appropriate security controls are necessary for financial
institutions to challenge potential customer or user claims that
they did not initiate a transaction. Financial institutions can
accomplish this by achieving both integrity and accountability to
produce what is known as non-repudiation. Non-repudiation occurs
when the financial institution demonstrates that the originators who
initiated the transaction are who they say they are, the recipient
is the intended counter party, and no changes occurred in transit or
storage. Non-repudiation can reduce fraud and promote the legal
enforceability of electronic agreements and transactions. While
non-repudiation is a goal and is conceptually clear, the manner in
which non-repudiation can be achieved for electronic systems in a
practical, legal sense may have to wait for further judicial
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
8) Do the initial, annual, and revised privacy notices include each
of the following, as applicable: (Part 2 of 2)
e) if the institution discloses nonpublic personal information to a
nonaffiliated third party under §13, and no exception under §14 or
§15 applies, a separate statement of the categories of information
the institution discloses and the categories of third parties with
whom the institution has contracted; [§6(a)(5)]
f) an explanation of the opt out right, including the method(s) of
opt out that the consumer can use at the time of the notice;
g) any disclosures that the institution makes under §603(d)(2)(A)(iii)
of the Fair Credit Reporting Act (FCRA); [§6(a)(7)]
h) the institution's policies and practices with respect to
protecting the confidentiality and security of nonpublic personal
information; [§6(a)(8)] and
i) a general statement--with no specific reference to the
exceptions or to the third parties--that the institution makes
disclosures to other nonaffiliated third parties as permitted by
law? [§6(a)(9), (b)]