Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and best practices. For more information visit http://www.yennik.com/it-review/.
FYI - Eight questions CIOs should ask on cloud security - Cloud computing disrupts an organization's style of working by altering business processes, information flows and, above all, the control over IT systems exerted by individual departments.
http://www.scmagazineus.com/eight-questions-cios-should-ask-on-cloud-security/article/190736/?DCMP=EMC-SCUS_Newswire

FYI - Best practices for security awareness training - Security awareness training programs should be an essential part of information security endeavors because technology cannot stop all threats, a security professional said Thursday at SC World Congress in New York.
http://www.scmagazineus.com/best-practices-for-security-awareness-training/article/190630/?DCMP=EMC-SCUS_Newswire

FYI - UK Government will not disconnect suspected file-sharers - The UK government will not disconnect people suspected of sharing copyrighted material online as part of the Digital Economy Act, according to its response to a petition published on Wednesday.
http://www.zdnet.co.uk/blogs/tech-tech-boom-10017860/government-will-not-disconnect-suspected-file-sharers-10021026/

FYI - Data traffic to be stored - Phone and Internet service providers may be forced to store logs on phone calls, text messages, email, and internet connections for six months. This will be the case if the Government coalition's data retention bill is voted through in the Swedish parliament.
http://www.stockholmnews.com/more.aspx?NID=6254
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Verizon launches website to collect information on data breaches - Verizon has launched a website designed to collect and share information about data breach incidents that are reported by participating organizations.
http://www.infosecurity-us.com/view/13943/verizon-launches-website-to-collect-information-on-data-breaches/

FYI - FBI probes 4chan's 'Anonymous' DDoS attacks - The FBI has launched an investigation into an online protest that allegedly took down numerous Web sites belonging to antipiracy and entertainment groups, as well as the U.S. Copyright Office, a source with knowledge of the probe told CNET today.
http://news.cnet.com/8301-31001_3-20022264-261.html

FYI - Prankster broadcasts message to WSU students - Washington State University police are trying to find out who hijacked the school's computer system on Friday and broadcast on classroom video screens throughout the day a bizarre rant by someone wearing a "V for Vendetta" costume.
http://news.cnet.com/8301-27080_3-20022460-245.html?tag=mncol;txt

FYI - Florida hospital admits to data breach affecting 1500 patients - A data breach at Holy Cross Hospital in Ft. Lauderdale, Fla., resulted in the theft of sensitive information concerning 1500 patients who visited the hospital's emergency room.
http://www.infosecurity-us.com/view/13963/florida-hospital-admits-to-data-breach-affecting-1500-patients/

FYI - Sarah Palin E-mail Hacker Sentenced to 1 Year in Custody - The former Tennessee student convicted of hacking into Sarah Palin's personal e-mail account was sentenced on Friday to one year in custody.
http://www.wired.com/threatlevel/2010/11/palin-hacker-sentenced/

FYI - The Great Cyberheist - One night in July 2003, a little before midnight, a plainclothes N.Y.P.D. detective, investigating a series of car thefts in upper Manhattan, followed a suspicious-looking young man with long, stringy hair and a nose ring into the A.T.M. lobby of a bank.
http://www.nytimes.com/2010/11/14/magazine/14Hacker-t.html?_r=1&ref=technology
WEB SITE COMPLIANCE - Disclosures and Notices

Several consumer regulations provide for disclosures and/or notices to consumers. The compliance officer should check the specific regulations to determine whether the disclosures/notices can be delivered via electronic means. The delivery of disclosures via electronic means has raised many issues with respect to the format of the disclosures, the manner of delivery, and the ability to ensure receipt by the appropriate person(s). The following highlights some of those issues and offers guidance and examples that may be of use to institutions in developing their electronic services.

Disclosures are generally required to be "clear and conspicuous." Therefore, compliance officers should review the web site to determine whether the disclosures have been designed to meet this standard. Institutions may find that the format(s) previously used for providing paper disclosures may need to be redesigned for an electronic medium. Institutions may find it helpful to use "pointers" and "hotlinks" that will automatically present the disclosures to customers when selected. A financial institution's use solely of asterisks or other symbols as pointers or hotlinks would not be as clear as descriptive references that specifically indicate the content of the linked material.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet. This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and, most importantly, your outsourced network security consultants. Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription form at https://yennik.com/newletter_page.htm. There is no charge for the e-newsletter.
ROLES AND RESPONSIBILITIES (2 of 2)
Senior management should enforce its security program by clearly communicating responsibilities and holding appropriate individuals accountable for complying with these requirements. A central authority should be responsible for establishing and monitoring the security program. Security management responsibilities, however, may be distributed throughout the institution from the IT department to various lines of business depending on the institution's size, complexity, culture, nature of operations, and other factors. The distribution of duties should ensure an appropriate segregation of duties between individuals or organizational groups.

Senior management also has the responsibility to ensure integration of security controls throughout the organization. To support integration, senior management should

1) Ensure the security process is governed by organizational policies and practices that are consistently applied,
2) Require that data with similar criticality and sensitivity characteristics be protected consistently regardless of where in the organization it resides,
3) Enforce compliance with the security program in a balanced and consistent manner across the organization, and
4) Coordinate information security with physical security.

Senior management should make decisions regarding the acceptance of security risks and the performance of risk mitigation activities using guidance approved by the board of directors.

Employees should know, understand, and be held accountable for fulfilling their security responsibilities. Institutions should define these responsibilities in their security policy. Job descriptions or contracts should specify any additional security responsibilities beyond the general policies. Financial institutions can achieve effective employee awareness and understanding through security training, employee certifications of compliance, self-assessments, audits, and monitoring.

Management also should consider the roles and responsibilities of external parties. Technology service providers (TSPs), contractors, customers, and others who have access to the institution's systems and data should have their security responsibilities clearly delineated and documented in contracts.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

11. Does the institution list the following categories of affiliates and nonaffiliated third parties to whom it discloses information, as applicable, and a few examples to illustrate the types of the third parties in each category:
a. financial service providers; [§6(c)(3)(i)]
b. non-financial companies; [§6(c)(3)(ii)] and
c. others? [§6(c)(3)(iii)]