Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT security as
required by the FFIEC's "Interagency Guidelines Establishing
Information Security Standards."
information and to subscribe visit
Open slather for hackers on official databases - Computer hackers
could gain access to personal information held in government (New
South Wales, Australia) databases as state departments routinely
ignore government edicts that tighter security be imposed.
Murky FinCEN SAR reporting: Is malware responsible? - Is there
finally a "smoking gun" for business banking trojans? Consider 10
years of the growth of malware compared to 10 years of the growth of
FinCEN SAR category reporting in Delaware.
Air Force manual describes shadowy cyberwar world - A new Air Force
manual for cyberwarfare describes a shadowy, fast-changing world
where anonymous enemies can carry out devastating attacks in seconds
and where conventional ideas about time and space don't apply.
Govt plans to cut internet services in case of cyber attacks - NEW
DELHI: Indian law enforcement and national security officials are
drawing up plans that will give them technology capabilities to cut
off all internet services during emergencies.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Penn. Medicaid recipients' information on missing flash drive - Two
health insurers said a flash drive containing the personal health
information of hundreds of thousands of Pennsylvania Medicaid
recipients has gone missing.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
TRUTH IN SAVINGS ACT (REG
Financial institutions that advertise deposit products and services
on-line must verify that proper advertising disclosures are made in
accordance with all provisions of the regulations. Institutions
should note that the disclosure exemption for electronic media does
not specifically address commercial messages made through an
institution's web site or other on-line banking system. Accordingly,
adherence to all of the advertising disclosure requirements is
Advertisements should be monitored for recency, accuracy, and
compliance. Financial institutions should also refer to OSC
regulations if the institution's deposit rates appear on third party
web sites or as part of a rate sheet summary. These types of
messages are not considered advertisements unless the depository
institution, or a deposit broker offering accounts at the
institution, pays a fee for or otherwise controls the publication.
Disclosures generally are required to be in writing and in a form
that the consumer can keep. Until the regulation has been reviewed
and changed, if necessary, to allow electronic delivery of
disclosures, an institution that wishes to deliver disclosures
electronically to consumers, would supplement electronic disclosures
with paper disclosures.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet. This booklet is
required reading for anyone involved in information systems
security, such as the Network Administrator, Information Security
Officer, members of the IS Steering Committee, and most important
your outsourced network security consultants. Your outsourced
network security consultants can receive the "Internet Banking News"
by completing the subscription for at
https://yennik.com/newletter_page.htm. There is no charge for
Action Summary - Financial institutions should implement an ongoing
security process, and assign clear and appropriate roles and
responsibilities to the board of directors, management, and
The security process is the method an organization uses to implement
and achieve its security objectives. The process is designed to
identify, measure, manage and control the risks to system and data
availability, integrity, and confidentiality, and ensure
accountability for system actions. The process includes five areas
that serve as the framework for this booklet:
Information Security Risk Assessment - A process to identify
threats, vulnerabilities, attacks, probabilities of occurrence, and
2) Information Security Strategy - A plan to mitigate risk that
integrates technology, policies, procedures and training. The plan
should be reviewed and approved by the board of directors.
3) Security Controls Implementation - The acquisition and operation
of technology, the specific assignment of duties and
responsibilities to managers and staff, the deployment of risk -
appropriate controls, and assurance that management and staff
understand their responsibilities and have the knowledge, skills,
and motivation necessary to fulfill their duties.
4) Security Testing - The use of various methodologies to gain
assurance that risks are appropriately assessed and mitigated. These
testing methodologies should verify that significant controls are
effective and performing as intended.
5) Monitoring and Updating - The process of continuously gathering
and analyzing information regarding new threats and vulnerabilities,
actual attacks on the institution or others combined with the
effectiveness of the existing security controls. This information is
used to update the risk assessment, strategy, and controls.
Monitoring and updating makes the process continuous instead of a
one - time event.
Security risk variables include threats, vulnerabilities, attack
techniques, the expected frequency of attacks, financial institution
operations and technology, and the financial institution's defensive
posture. All of these variables change constantly. Therefore, an
institution's management of the risks requires an ongoing process.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
9) Does the institution list the following categories of nonpublic
personal information that it collects, as applicable:
a) information from the consumer; [§6(c)(1)(i)]
b) information about the consumer's transactions with the
institution or its affiliates; [§6(c)(1)(ii)]
c) information about the consumer's transactions with nonaffiliated
third parties; [§6(c)(1)(iii)] and
d) information from a consumer reporting agency? [§6(c)(1)(iv)]