Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and best practices. For more information visit
Proposes 'Do Not Track' Option For Internet - The Federal Trade Commission has made a potentially far-reaching proposal that would give web users the option of shielding personal information from advertisers, retailers and other companies while browsing the

arrests hundreds of computer hackers - China has arrested 460 computer hackers this year and closed a number of hacker-training websites, but warned that the chances of further cyber-attacks remain "very grim".

Cracks Down On Software Piracy - Inspectors will sweep local and central government computers to combat rampant illegal copying of software and other goods, including DVDs, CDs and apparel.

firms in talks over BlackBerry security - The Indian government is in talks with companies using Research In Motion's BlackBerry service to gain access to their employees' secure communications.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
poison well of open-source FTP app - ProFTPD backdoored for 3 days - Hackers breached the main server hosting ProFTPD and remained undetected for three days, causing anyone who downloaded the popular open-source file transfer application during that time to be infected with a backdoor that grants unauthorized access to their

hackers target MasterCard, PayPal - A united band of WikiLeaks supporters have knocked offline a number of high-profile websites that have taken a stand against the whistleblower organization and

county files mistakenly posted online - More than 20 years worth of personal and investigative Sheriff's Department records from Mesa County, Colo. were inadvertently posted online, where they remained for several months.
WEB SITE COMPLIANCE -

Reserve Requirements of Depository Institutions (Regulation D)

Pursuant to the withdrawal and transfer restrictions imposed on savings deposits, electronic transfers, electronic withdrawals (paid electronically) or payments to third parties initiated by a depositor from a personal computer are included as a type of transfer subject to the six transaction limit imposed on passbook savings and MMDA accounts.

Institutions also should note that, to the extent stored value or other electronic money represents a demand deposit or transaction account, the provisions of Regulation D would apply to such

Consumer Leasing Act (Regulation M)

The regulation provides examples of advertisements that clarify the definition of an advertisement under Regulation M. The term advertisement includes messages inviting, offering, or otherwise generally announcing to prospective customers the availability of consumer leases, whether in visual, oral, print, or electronic media. Included in the examples are on-line messages, such as those on the Internet. Therefore, such messages are subject to the general
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
Common elements of risk assessment approaches involve three phases: information gathering, analysis, and prioritizing responses. Vendor concerns add additional elements to the process.

Identifying and understanding risk requires the analysis of a wide range of information relevant to the particular institution's risk environment. Once gathered, the information can be catalogued to facilitate later analysis. Information gathering generally includes the following actions:

1) Obtaining listings of information system assets (e.g., data, software, and hardware). Inventories on a device-by-device basis can be helpful in risk assessment as well as risk mitigation. Inventories should consider whether data resides in house or at a

2) Determining threats to those assets, resulting from people with malicious intent, employees and others who accidentally cause damage, and environmental problems that are outside the control of the organization (e.g., natural disasters, failures of interdependent infrastructures such as power, telecommunications,

3) Identifying organizational vulnerabilities (e.g., weak senior management support, ineffective training, inadequate expertise or resource allocation, and inadequate policies, standards, or

4) Identifying technical vulnerabilities (e.g., vulnerabilities in hardware and software, configurations of hosts, networks, workstations, and remote access).

5) Documenting current controls and security processes, including both information technology and physical security.

6) Identifying security requirements and considerations (e.g.,

7) Maintaining the risk assessment process requires institutions to review and update their risk assessment at least once a year, or more frequently in response to material changes in any of the six
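The seven information-gathering elements above, carried through the analysis and prioritization phases and the at-least-annual review rule, as an added Python example that is not part of the FFIEC booklet or this newsletter; the 1-to-5 scoring scale, the one-step-per-control likelihood reduction and the sample inventory are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Asset:                 # element 1: the information system asset inventory
    name: str
    kind: str                # "data", "software" or "hardware"
    location: str            # in house or at a service provider (labels are assumed)
    impact: int              # 1 (low) to 5 (high) if the asset is compromised

@dataclass
class Threat:                # elements 2-5: threat source, vulnerability, current controls
    asset: str
    source: str              # "malicious", "accidental" or "environmental"
    vulnerability: str
    vuln_type: str           # "organizational" or "technical"
    likelihood: int          # 1 to 5 before controls are considered
    controls: list = field(default_factory=list)

def residual_likelihood(t):
    """Each documented control lowers likelihood by one step (assumed scale), never below 1."""
    return max(1, t.likelihood - len(t.controls))

def prioritize(assets, threats):
    """Analysis phase: score = residual likelihood x asset impact, highest first."""
    impact = {a.name: a.impact for a in assets}
    scored = [(residual_likelihood(t) * impact[t.asset], t) for t in threats]
    return sorted(scored, key=lambda s: s[0], reverse=True)

def assessment_due(last_review, today, material_change=False):
    """Element 7: review at least once a year, or sooner after a material change."""
    return material_change or today - last_review >= timedelta(days=365)

# Constructed sample inventory for illustration, not taken from any real institution.
ASSETS = [
    Asset("customer database", "data", "in house", 5),
    Asset("online banking server", "hardware", "service provider", 4),
    Asset("core banking software", "software", "in house", 5),
]
THREATS = [
    Threat("customer database", "malicious", "unpatched DBMS", "technical", 4,
           ["patch management", "network segmentation"]),
    Threat("online banking server", "environmental", "single power feed", "technical", 2),
    Threat("core banking software", "accidental", "inadequate training", "organizational", 4,
           ["annual training"]),
]

if __name__ == "__main__":
    for score, t in prioritize(ASSETS, THREATS):
        print(f"{score:>3}  {t.asset:<24} {t.source:<13} {t.vulnerability}")
    print("review due:", assessment_due(date(2009, 12, 1), date(2010, 12, 10)))
```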
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice

14. Does the institution describe the following about its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information:

a. who is authorized to have access to the information; and

b. whether security practices and policies are in place to ensure the confidentiality of the information in accordance with the institution's policy? [§6(c)(6)(ii)]

(Note: the institution is not required to describe technical information about the safeguards used in this respect.)