Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT security as
required by the FFIEC's "Interagency Guidelines Establishing
Information Security Standards."
information and to subscribe visit
Vulnerabilities Found In Banking Apps - Security holes in Android
and iPhone apps from PayPal, Bank of America, Chase, Wells Fargo,
and more could give attackers access to financial data.
Federal gov't releases draft cloud security guidelines - The U.S.
government's CIO Council this week released a draft document
outlining a proposed government-wide cloud computing risk and
authorization management program.
FTC names Princeton computer security expert as first chief
technologist - The Federal Trade Commission appointed Princeton
University professor Edward Felten as its first chief technologist.
File Sharing Mom Ordered To Pay $1.5 Million - RIAA applauds jury's
decision in third trial of the Minnesota mother of four who
illegally downloaded 24 songs. - A Minnesota woman was ordered to
pay $1.5 million for illegally downloading 24 songs, in her third
trial in three years. The verdict was hailed by the record industry
Sealed Courtroom Sought in High-Speed - Federal prosecutors in
Manhattan have asked a judge to seal the courtroom in an upcoming
corporate-espionage trial to protect the secret of Goldman Sachs’
controversial high-speed trading software.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Facebook, Twitter fail latest security assessment - A nonprofit
security think tank's "report card" has failed Facebook and Twitter
for neglecting to implement safeguards that are available on other
popular online services.
Two alleged Zeus mules arrested in Wisconsin - Two Moldovan men were
charged this week for their involvement with the Zeus trojan, which
has been used to steal millions of dollars from U.S. bank accounts.
Royal Navy website attacked by Romanian hacker - The hacker gained
access to the website on 5 November using a common attack method
known as SQL injection.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program
requires a financial institution to notify a prospective borrower
and the servicer that the structure securing the loan is located or
to be located in a special flood hazard area. The regulation also
requires a notice of the servicer's identity be delivered to the
insurance provider. While the regulation addresses electronic
delivery to the servicer and to the insurance provider, it does not
address electronic delivery of the notice to the borrower.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet. This
booklet is required reading for anyone involved in information
systems security, such as the Network Administrator, Information
Security Officer, members of the IS Steering Committee, and most
important your outsourced network security consultants. Your
outsourced network security consultants can receive the "Internet
Banking News" by completing the subscription for at
https://yennik.com/newletter_page.htm. There is no charge for
ROLES AND RESPONSIBILITIES (1 of 2)
Information security is the responsibility of everyone at the
institution, as well as the institution's service providers and
contractors. The board, management, and employees all have different
roles in developing and implementing an effective security process.
The board of directors is responsible for overseeing the
development, implementation, and maintenance of the institution's
information security program. Oversight requires the board to
provide management with guidance and receive reports on the
effectiveness of management's response. The board should approve
written information security policies and the information security
program at least annually. The board should provide management with
its expectations and requirements for:
1) Central oversight and coordination,
2) Areas of responsibility,
3) Risk measurement,
4) Monitoring and testing,
5) Reporting, and
6) Acceptable residual risk.
Senior management's attitude towards security affects the entire
organization's commitment to security. For example, the failure of a
financial institution president to comply with security policies
could undermine the entire organization's commitment to security.
Senior management should designate one or more individuals as
information security officers. Security officers should be
responsible and accountable for security administration. At a
minimum, they should directly manage or oversee risk assessment,
development of policies, standards, and procedures, testing, and
security reporting processes. Security officers should have the
authority to respond to a security event by ordering emergency
actions to protect the financial institution and its customers from
an imminent loss of information or value. They should have
sufficient knowledge, background, and training, as well as an
organizational position, to enable them to perform their assigned
Return to the top of
PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
10) Does the institution list the following categories of nonpublic
personal information that it discloses, as applicable, and a few
examples of each, or alternatively state that it reserves the right
to disclose all the nonpublic personal information that it collects:
a) information from the consumer;
b) information about the consumer's transactions with the
institution or its affiliates;
c) information about the consumer's transactions with nonaffiliated
third parties; and
d) information from a consumer reporting agency? [§6(c)(2)]