Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and best practices.
For more information visit
posts cause bank worker to lose layoff payoff? - It is now an
accepted wisdom that sharing yourself on Facebook can add to your
Federal Agencies Have Taken Steps to Secure Wireless Networks, but
Further Actions Can Mitigate Risk
TSA controversy can teach us about cyberterrorism and transparency -
If you think there is nothing personal to gain for public officials
who use words like "cyberterrorism" and "Digital Pearl Harbor,"
data security result in death? - In this case there are life and
death considerations. The frightening reality of the worst case
scenario is made clear by the Federal Trade Commission's site on
Medical Identity Theft:
Seattle sites named best cybersecurity resources - The state of
Delaware and city of Seattle have won an annual contest recognizing
the best state and local government cybersecurity websites.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
moves to Amazon servers after DoS attacks - After several
denial-of-service (DoS) attacks hit it over the weekend, WikiLeaks
is now being hosted by Amazon servers in the U.S. and Ireland, IP
traces conducted today revealed.
student hacker avoids jail over ID theft scam - A computer hacker
who posed as a student and used key-logging software to break into
the email accounts of genuine students has been ordered to pay
£21,000 in compensation and ordered to complete a 200-hour community
students charged in university hack in Mo. - Pair stole data on
90,000 students, faculty, staff and alumni at the Univ. of Central
Missouri - Two former students at the University of Central Missouri
(UCM) have been indicted by a federal grand jury on charges of
breaking into university databases and of stealing and attempting to
sell personal data on about 90,000 UCM students, faculty, staff and
alumni. Price for the data: $35,000.
secrets thief caught red handed with stolen blueprints - Was moving
to China, now he faces 5 to 6 years in US jail - A veteran
auto-plant worker faces an extended spell behind bars after pleading
guilty last week to stealing industrial secrets, including design
blueprints, from car maker Ford and passing them on to a Chinese
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulations clarifies that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security
code. According to the Official Staff Commentary (OSC,) an example
of a consumer's authorization that is not in the form of a signed
writing but is, instead, "similarly authenticated," is a consumer's
authorization via a home banking system. To satisfy the regulatory
requirements, the institution must have some means to identify the
consumer (such as a security code) and make a paper copy of the
authorization available (automatically or upon request). The text
of the electronic authorization must be displayed on a computer
screen or other visual display that enables the consumer to read the
communication from the institution. Only the consumer may authorize
the transfer and not, for example, a third-party merchant on behalf
of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
The quality of security controls can significantly influence all
categories of risk. Traditionally, examiners and bankers recognize
the direct impact on operational/transaction risk from incidents
related to fraud, theft, or accidental damage. Many security
weaknesses, however, can directly increase exposure in other risk
areas. For example, the GLBA introduced additional legal/compliance
risk due to the potential for regulatory noncompliance in
safeguarding customer information. The potential for legal liability
related to customer privacy breaches may present additional risk in
the future. Effective application access controls can reduce credit
and market risk by imposing risk limits on loan officers or traders.
If a trader were to exceed the intended trade authority, the
institution may unknowingly assume additional market risk exposure.
A strong security program reduces levels of reputation and strategic
risk by limiting the institution's vulnerability to intrusion
attempts and maintaining customer confidence and trust in the
institution. Security concerns can quickly erode customer confidence
and potentially decrease the adoption rate and rate of return on
investment for strategically important products or services.
Examiners and risk managers should incorporate security issues into
their risk assessment process for each risk category. Financial
institutions should ensure that security risk assessments adequately
consider potential risk in all business lines and risk categories.
Information security risk assessment is the process used to identify
and understand risks to the confidentiality, integrity, and
availability of information and information systems. An adequate
assessment identifies the value and sensitivity of information and
system components and then balances that knowledge with the exposure
from threats and vulnerabilities. A risk assessment is a necessary
pre-requisite to the formation of strategies that guide the
institution as it develops, implements, tests, and maintains its
information systems security posture. An initial risk assessment may
involve a significant one-time effort, but the risk assessment
process should be an ongoing part of the information security
Risk assessments for most industries focus only on the risk to the
business entity. Financial institutions should also consider the
risk to their customers' information. For example, section 501(b) of
the GLBA requires financial institutions to 'protect against
unauthorized access to or use of customer information that could
result in substantial harm or inconvenience to any customer."
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
13. If the institution does not disclose nonpublic personal
information, and does not reserve the right to do so, other than
under exceptions in §14 and §15, does the institution provide a
simplified privacy notice that contains at a minimum:
a. a statement to this effect;
b. the categories of nonpublic personal information it collects;
c. the policies and practices the institution uses to protect the
confidentiality and security of nonpublic personal information; and
d. a general statement that the institution makes disclosures to
other nonaffiliated third parties as permitted by law? [§6(c)(5)]
(Note: use of this type of simplified notice is optional; an
institution may always use a full notice.)