Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
- Staff to be banned from sending emails - The head of one of
Europe's largest information technology services companies is to ban
staff from sending each other emails, saying they waste time and are
- US Senator demands answers from Carrier IQ - Al Franken calls
smartphone tracker on the carpet - Senator and former late-night
funnyman Al Franken has called on Carrier IQ to explain why its
diagnostic software, buried in the bowels of 141 million
smartphones, isn't a massive violation of US wiretap laws.
- Suspicion in Iran that Stuxnet caused Revolutionary Guards base
explosions - Is the Stuxnet computer malworm back on the warpath in
- The Malls Are Watching - Two malls were recently criticized for
watching the shopping habits of their customers, according to a
report on CNNMoney.com.
- Cyberattacks up 50 percent in 2011 - A listing on the stock
exchange seemed to be an open invitation to hackers in 2011. An
annual study on internet crime, conducted by Telus Corp. and the
University of Toronto's Rotman School of Management, indicated that
publicly traded Canadian companies experienced 50 percent more
cyberattacks in 2011 than in the previous year.
- Should Homeland Security control the electrical grid? Maybe - The
time has come for the U.S. government to focus a single agency's
efforts on reinforcing the security of the electrical grid, MIT
researchers said today in a wide-ranging report.
- Data Protection Directive changes will 'be ineffective' - The
upcoming European data protection directive could be ineffective in
the short term and will place further financial and security burdens
upon European businesses.
- Cyber training no longer basic - For roughly a century, the U.S.
military has fought on land, by sea and in the air. For the most
part, the domains have been tangible and the boundaries defined. Now
a new domain is emerging: cyber warfare.
- Getting serious about health care security - Let's be truthful.
Being compliant with the Health Insurance Portability and
Accountability Act (HIPAA) of 1996 and even its subsequent Privacy
and Security rules alone is really like doing the barest of minimums
possible to secure your health care organization and the protected
health care information (PHI) in its custodianship.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Hackers accessed city infrastructure via SCADA - The deputy
assistant director of the FBI's Cyber Division says hackers recently
accessed the infrastructure of three cities through SCADA systems.
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulation clarifies that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but is similarly
authenticated by the consumer, such as through the use of a security
code. According to the Official Staff Commentary (OSC), an
example of a consumer's authorization that is not in the form of a
signed writing but is, instead, "similarly authenticated," is a
consumer's authorization via a home banking system. To satisfy
the regulatory requirements, the institution must have some means to
identify the consumer (such as a security code) and make a paper
copy of the authorization available (automatically or upon request).
The text of the electronic authorization must be displayed on a
computer screen or other visual display that enables the consumer to
read the communication from the institution. Only the consumer may
authorize the transfer and not, for example, a third-party merchant
on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
ENCRYPTION - HOW ENCRYPTION
In general, encryption functions by taking data and a variable,
called a "key," and processing those items through a fixed algorithm
to create the encrypted text. The strength of the encrypted text is
determined by the entropy, or degree of uncertainty, in the key and
the algorithm. Key length and key selection criteria are important
determinants of entropy. Greater key lengths generally indicate more
possible keys. More important than key length, however, is the
potential limitation of possible keys posed by the key selection
criteria. For instance, a 128-bit key has much less than 128 bits of
entropy if it is selected from only certain letters or numbers. The
full 128 bits of entropy will only be realized if the key is
randomly selected across the entire 128-bit range.
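The entropy arithmetic in the paragraph above is easy to check numerically. The following is an added example (not part of the FFIEC handbook text or this newsletter): it computes the entropy of a 16-byte (128-bit) key under several constructed key-selection rules, and contrasts a key restricted to a small alphabet with one drawn uniformly from the full byte range using the operating system's CSPRNG. The alphabet names and sizes are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed key-selection rules (assumed for illustration, not from the
# handbook). Each maps a rule name to the set of symbols a key byte may take.
ALPHABETS = {
    "decimal digits only": string.digits,                        # 10 symbols
    "lowercase letters only": string.ascii_lowercase,            # 26 symbols
    "letters and digits": string.ascii_letters + string.digits,  # 62 symbols
    "any byte value": bytes(range(256)),                         # 256 symbols
}


def key_entropy_bits(key_len_bytes: int, alphabet_size: int) -> float:
    """Entropy, in bits, of a key of key_len_bytes symbols, each chosen
    uniformly and independently from alphabet_size values.

    A uniform choice among N values carries log2(N) bits, so the whole key
    carries key_len_bytes * log2(alphabet_size) bits. A brute-force search
    must try on the order of 2**entropy keys, regardless of the nominal
    128-bit key length.
    """
    if key_len_bytes < 1 or alphabet_size < 1:
        raise ValueError("key length and alphabet size must be positive")
    return key_len_bytes * math.log2(alphabet_size)


def entropy_table(key_len_bytes: int = 16) -> dict:
    """Entropy (rounded to 2 decimals) of a key_len_bytes key under each rule."""
    return {
        name: round(key_entropy_bits(key_len_bytes, len(alphabet)), 2)
        for name, alphabet in ALPHABETS.items()
    }


def generate_key(key_len_bytes: int = 16) -> bytes:
    """Full-entropy key: every byte is uniform over 0..255, taken from the
    OS CSPRNG. This is the 'randomly selected across the entire range'
    case, so a 16-byte key really has 128 bits of entropy."""
    return secrets.token_bytes(key_len_bytes)


def generate_restricted_key(key_len_bytes: int, alphabet: str) -> bytes:
    """Key whose bytes are limited to the characters in `alphabet`, modelling
    a weak selection rule. The choice is still CSPRNG-backed, but the entropy
    is capped at key_len_bytes * log2(len(alphabet)) bits."""
    return "".join(secrets.choice(alphabet) for _ in range(key_len_bytes)).encode()


if __name__ == "__main__":
    for rule, bits in entropy_table(16).items():
        print(f"{rule:24s}: {bits:7.2f} bits of entropy in a 128-bit key")
    print("full-entropy key      :", generate_key().hex())
    print("digits-only key       :", generate_restricted_key(16, string.digits))
```

Running the script shows that a 128-bit key drawn only from decimal digits has about 53 bits of entropy, one drawn from letters and digits about 95 bits, and only the uniformly random byte string reaches the full 128 bits. That gap is why key-selection criteria matter more than nominal key length when evaluating an encryption deployment.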
The encryption algorithm is also important. Creating a mathematical
algorithm that does not limit the entropy of the key and testing the
algorithm to ensure its integrity are difficult. Since the strength
of an algorithm is related to its ability to maximize entropy
instead of its secrecy, algorithms are generally made public and
subject to peer review. The more that the algorithm is tested by
knowledgeable worldwide experts, the more the algorithm can be
trusted to perform as expected. Examples of public algorithms are
AES, DES and Triple DES, SHA-1, and RSA.
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 2 of 3)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial, annual and
revised notices, as well as any short-form notices that the
institution may use for consumers who are not customers. Determine
whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1), 8(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1), 8(a)(1)). Note, this includes
practices disclosed in the notices that exceed regulatory
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§6). Note that if
the institution shares under Section 13 the notice provisions for
that section shall also apply.
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 7(c), 8(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
customers only, review the timeliness of delivery (§§4(d), 4(e),
5(a)), means of delivery of annual notice (§9(c)), and accessibility
of or ability to retain the notice (§9(e)).