Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and best practices.
For more information visit
FYI - Eight questions CIOs
should ask on cloud security - Cloud computing disrupts an
organization's style of working by altering business processes,
information flows and, above all, the control over IT systems
exerted by individual departments.
FYI - Best practices for
security awareness training - Security awareness training programs
should be an essential part of information security endeavors
because technology cannot stop all threats, a security professional
said Thursday at SC World Congress in New York.
FYI - UK Government will not
disconnect suspected file-sharers - The UK government will not
disconnect people suspected of sharing copyrighted material online
as part of the Digital Economy Act, according to its response to a
petition published on Wednesday. -
FYI - Data traffic to be stored
- Phone and Internet service providers may become forced to store
logs on phone calls, text messages, email, and internet connections
for six months. This will be the case if the Government coalitions
data retention bill is voted through in the Swedish parliament.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Verizon launches website
to collect information on data breaches - Verizon has launched a
website designed to collect and share information about data breach
incidents that are reported by participating organizations.
FYI - FBI probes 4chan's
'Anonymous' DDoS attacks - The FBI has launched an investigation
into an online protest that allegedly took down numerous Web sites
belonging to antipiracy and entertainment groups, as well as the
U.S. Copyright Office, a source with knowledge of the probe told
FYI - Prankster broadcasts
message to WSU students - Washington State University police are
trying to find out who hijacked the school's computer system on
Friday and broadcast on classroom video screens throughout the day a
bizarre rant by someone wearing a "V for Vendetta" costume.
FYI - Florida hospital admits to
data breach affecting 1500 patients - A data breach at Holy Cross
Hospital in Ft. Lauderdale, Fla., resulted in the theft of sensitive
information concerning 1500 patients who visited the hospital’s
FYI - Sarah Palin E-mail Hacker
Sentenced to 1 Year in Custody - The former Tennessee student
convicted of hacking into Sarah Palin’s personal e-mail account, was
sentenced on Friday to one year in custody.
FYI - The Great Cyberheist - One
night in July 2003, a little before midnight, a plainclothes N.Y.P.D.
detective, investigating a series of car thefts in upper Manhattan,
followed a suspicious-looking young man with long, stringy hair and
a nose ring into the A.T.M. lobby of a bank.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Disclosures and Notices
Several consumer regulations provide for disclosures and/or notices
to consumers. The compliance officer should check the specific
regulations to determine whether the disclosures/notices can be
delivered via electronic means. The delivery of disclosures via
electronic means has raised many issues with respect to the format
of the disclosures, the manner of delivery, and the ability to
ensure receipt by the appropriate person(s). The following
highlights some of those issues and offers guidance and examples
that may be of use to institutions in developing their electronic
Disclosures are generally required to be "clear and conspicuous."
Therefore, compliance officers should review the web site to
determine whether the disclosures have been designed to meet this
standard. Institutions may find that the format(s) previously used
for providing paper disclosures may need to be redesigned for an
electronic medium. Institutions may find it helpful to use "pointers
" and "hotlinks" that will automatically present the disclosures to
customers when selected. A financial institution's use solely of
asterisks or other symbols as pointers or hotlinks would not be as
clear as descriptive references that specifically indicate the
content of the linked material.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet. This
booklet is required reading for anyone involved in information
systems security, such as the Network Administrator, Information
Security Officer, members of the IS Steering Committee, and most
important your outsourced network security consultants. Your
outsourced network security consultants can receive the "Internet
Banking News" by completing the subscription for at
https://yennik.com/newletter_page.htm. There is no charge for
ROLES AND RESPONSIBILITIES (2 of 2)
Senior management should enforce its security program by clearly
communicating responsibilities and holding appropriate individuals
accountable for complying with these requirements. A central
authority should be responsible for establishing and monitoring the
security program. Security management responsibilities, however, may
be distributed throughout the institution from the IT department to
various lines of business depending on the institution's size,
complexity, culture, nature of operations, and other factors. The
distribution of duties should ensure an appropriate segregation of
duties between individuals or organizational groups.
Senior management also has the responsibility to ensure integration
of security controls throughout the organization. To support
integration, senior management should
1) Ensure the security process is governed by organizational
policies and practices that are consistently applied,
2) Require that data with similar criticality and sensitivity
characteristics be protected consistently regardless of where in the
organization it resides,
3) Enforce compliance with the security program in a balanced and
consistent manner across the organization, and
Coordinate information security with physical security.
Senior management should make decisions regarding the acceptance of
security risks and the performance of risk mitigation activities
using guidance approved by the board of directors.
Employees should know, understand, and be held accountable for
fulfilling their security responsibilities. Institutions should
define these responsibilities in their security policy. Job
descriptions or contracts should specify any additional security
responsibilities beyond the general policies. Financial institutions
can achieve effective employee awareness and understanding through
security training, employee certifications of compliance, self -
assessments, audits, and monitoring.
Management also should consider the roles and responsibilities of
external parties. Technology service providers (TSPs), contractors,
customers, and others who have access to the institution's systems
and data should have their security responsibilities clearly
delineated and documented in contracts.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
11. Does the institution list the following categories of
affiliates and nonaffiliated third parties to whom it discloses
information, as applicable, and a few examples to illustrate the
types of the third parties in each category:
a. financial service providers; [§6(c)(3)(i)]
b. non-financial companies; [§6(c)(3)(ii)] and
c. others? [§6(c)(3)(iii)]