Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing are an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices. For more information visit http://www.yennik.com/it-review/.
FYI - Fortifying Phones From Attackers - AT&T Hires Ph.Ds for Security Lab - As consumers and companies embrace smartphones to do more of their computing, the wireless industry is taking its first steps to beef up security on mobile devices.
http://online.wsj.com/article/SB10001424052748704774604576035960449272404.html
FYI - To secure agency systems, start at the top - NIST outlines an organizational-level approach to continuous monitoring - Effective IT security requires a top-down approach, with strategic planning at the organizational level rather than on a system-by-system basis, the National Institute of Standards and Technology says in newly released draft guidelines for continuous monitoring.
http://gcn.com/articles/2010/12/21/nist-continuous-monitoring.aspx
FYI - FCC's Performance Management Weaknesses Could Jeopardize Proposed Reforms of the Rural Health Care Program.
Release - http://www.gao.gov/products/GAO-11-27
Highlights - http://www.gao.gov/highlights/d1127high.pdf
FYI - Germany plans new cyber-warfare defence centre - Germany will create a new cyber-warfare defence centre next year to fight off espionage attacks, the German interior ministry said.
http://uk.reuters.com/article/idUKTRE6BQ2JS20101227
FYI - Man faces criminal charges for reading wife's e-mail - You know, things that they don't know you know, things that you happen to have read when they might have idly left their laptop open on their Gmail homepage.
http://news.cnet.com/8301-17852_3-20026611-71.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - VA doctors' foray into cloud causes potential breach - The Veterans Affairs Department has ordered an immediate shutdown of a cloud application on the Yahoo website that VA doctors were using to store patients' medical information without appropriate data security controls, officials said.
http://fcw.com/articles/2010/12/23/va-calendar-cloud-breach.aspx?admgarea=TC_SECCYBERSEC
FYI - Hacker charged over siphoning off funds meant for software devs - Accused of diverting Mystic River of cash - An alleged hacker has been charged with breaking into the e-commerce systems of Digital River before redirecting more than $250,000 to an account under his control.
http://www.theregister.co.uk/2010/12/23/digital_river_hack_charges/
FYI - Escrow Co. Sues Bank Over $440K Cyber Theft - An escrow firm in Missouri is suing its bank to recover $440,000 that organized cyber thieves stole in an online robbery earlier this year, claiming the bank's reliance on passwords to secure high-dollar transactions failed to measure up to federal e-banking security guidelines.
http://krebsonsecurity.com/2010/11/escrow-co-sues-bank-over-440k-cyber-theft/
FYI - Hackers Attack Criminal Sites, Security Experts to Expose Security Flaws - A group of hackers attacked and took offline several sites belonging to credit-card sharing groups, security experts and other hacking communities who made mistakes in basic security.
http://www.eweek.com/c/a/Security/Hackers-Attack-Criminal-Sites-Security-Experts-to-Expose-Security-Flaws-296445/
FYI - NYC bus tour company's database hacked of credit card info - The credit card details belonging to customers of CitySights NY were stolen when a database belonging to the sightseeing bus tours company was hacked.
http://www.scmagazineus.com/nyc-bus-tour-companys-database-hacked-of-credit-card-info/article/193195/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - Fair Housing Act
A financial institution that advertises on-line credit products that are subject to the Fair Housing Act must display the Equal Housing Lender logotype and legend or other permissible disclosure of its nondiscrimination policy if required by rules of the institution's regulator.
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through electronic media with a video component (the financial institution has the ability to see the applicant) must be treated as "in person" applications. Accordingly, information about these applicants' race or national origin and sex must be collected. An institution that accepts applications through electronic media without a video component, for example, the Internet or facsimile, may treat the applications as received by mail.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
PRIORITIZE RESPONSES
This phase ranks the risk (outcomes and probabilities) presented by various scenarios produced in the analysis phase to prioritize management's response. Management may decide that since some risks do not meet the threshold set in their security requirement, they will accept those risks and not proceed with a mitigation strategy. Other risks may require immediate corrective action. Still others may require mitigation, either fully or partially, over time. Risks that warrant action are addressed in the information security strategy.
In some borderline instances, or if planned controls cannot fully mitigate the risk, management may need to review the risk assessment and risk ranking with the board of directors or a delegated committee. The board should then document its acceptance of the risk or authorize other risk mitigation measures.
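The prioritization step above can be made concrete as a small risk-register routine. The following is an added illustration, not text or code from the FFIEC booklet or from Yennik, Inc.: it scores each scenario as outcome times probability, ranks the scenarios, applies a management-set acceptance threshold and an "immediate action" threshold, and flags for board review any scenario that is borderline or whose planned controls still leave it above the acceptance line. The scenario names, the 1-to-5 impact scale, the probabilities and all threshold values are constructed for the example.

```python
"""Added example of the FFIEC 'prioritize responses' step of an information
security risk assessment. Every scenario, scale and threshold below is
constructed for illustration; the booklet prescribes none of these values."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float                 # likelihood over the assessment period, 0.0 to 1.0
    impact: int                        # constructed ordinal scale: 1 negligible .. 5 severe
    residual_after_controls: Optional[float] = None  # estimated score once planned controls are in place


# Hypothetical thresholds standing in for the institution's "security requirement".
ACCEPT_BELOW = 1.0        # scores under this line are accepted without a mitigation strategy
IMMEDIATE_AT = 3.0        # scores at or above this line need immediate corrective action
BORDERLINE_MARGIN = 0.25  # scores this close to the acceptance line go to the board


def risk_score(s: Scenario) -> float:
    """Outcome x probability, rounded so float noise cannot nudge a score across a threshold."""
    return round(s.probability * s.impact, 4)


def decide(s: Scenario,
           accept_below: float = ACCEPT_BELOW,
           immediate_at: float = IMMEDIATE_AT,
           margin: float = BORDERLINE_MARGIN) -> Dict[str, object]:
    """Classify one scenario and say whether it must be reviewed with the board."""
    score = risk_score(s)
    if score < accept_below:
        response = "accept"                        # below threshold: accept, no mitigation strategy
    elif score >= immediate_at:
        response = "immediate corrective action"   # too severe to wait
    else:
        response = "mitigate over time"            # addressed in the information security strategy

    borderline = abs(score - accept_below) <= margin
    # Planned controls that still leave the risk above the acceptance line cannot "fully mitigate" it.
    controls_insufficient = (s.residual_after_controls is not None
                             and response != "accept"
                             and s.residual_after_controls >= accept_below)
    return {
        "name": s.name,
        "score": score,
        "response": response,
        "board_review": borderline or controls_insufficient,
    }


def prioritize(scenarios: List[Scenario]) -> List[Dict[str, object]]:
    """Rank all scenarios highest risk first, each with its decided response."""
    return sorted((decide(s) for s in scenarios), key=lambda d: d["score"], reverse=True)


# Constructed sample register (not real assessment data).
SAMPLE_SCENARIOS = [
    Scenario("Phishing of teller credentials", probability=0.6, impact=5),
    Scenario("Unpatched Internet-facing web server", probability=0.4, impact=4,
             residual_after_controls=1.2),   # patch programme planned, but residual stays above 1.0
    Scenario("Lost unencrypted backup tape", probability=0.1, impact=5),
    Scenario("Vendor portal outage", probability=0.3, impact=3),
]


if __name__ == "__main__":
    for row in prioritize(SAMPLE_SCENARIOS):
        flag = "  [review with board]" if row["board_review"] else ""
        print(f'{row["score"]:4.2f}  {row["name"]:<38} {row["response"]}{flag}')
```

Running the block prints the ranked register: the phishing scenario scores 3.0 and gets immediate action; the web server scores 1.6, is mitigated over time but flagged for the board because its planned controls leave a residual of 1.2; the portal outage (0.9) is accepted but flagged as borderline; the backup tape (0.5) is accepted outright. Thresholds are parameters so the same routine can be rerun when management revises the security requirement.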
INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
17. Does the institution provide consumers who receive the short-form initial notice with a reasonable means of obtaining the longer initial notice, such as:
a. a toll-free telephone number that the consumer may call to request the notice; [§6(d)(4)(i)] or
b. for the consumer who conducts business in person at the institution's office, having copies available to provide immediately by hand-delivery? [§6(d)(4)(ii)]
Apology - The last edition had the incorrect date of the newsletter; however, the content was correct. We greatly apologize for this oversight. For those of you that contacted us - thanks.