R. Kinney Williams
Yennik, Inc.
Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet
auditing for financial institutions.
November 28, 2010
Does your financial institution need an affordable Internet security
audit? Yennik, Inc. has clients in 42 states that rely on our
penetration testing audits to ensure proper Internet security settings
and to meet the independent diagnostic test requirements of FDIC, OCC,
FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act
501(b). The penetration audit and Internet security testing is an
affordable, sophisticated process that goes far beyond the simple
scanning of ports. The audit focuses on a hacker's perspective, which
will help you identify real-world weaknesses. For more information,
give R. Kinney Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.
Spending less than 5 minutes a week along with a cup of coffee, you
can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC,
NCUA, NIST, GLBA, HIPAA, and best practices. For more information visit
http://www.yennik.com/it-review/.
FYI - European banks see new ATM skimming attacks - Banks in Europe are seeing
innovative skimming attacks against ATMs, where fraudsters rig
special devices to the cash machines to record payment card details.
http://www.computerworld.com/s/article/9197138/European_banks_see_new_ATM_skimming_attacks?taxonomyId=17
FYI - Report sounds alarm on China's rerouting of U.S. Internet traffic -
Substantial portion of traffic was routed through China earlier this
year, says U.S.-China commission - A report submitted to Congress on
Wednesday by the U.S.-China Economic and Security Review Commission
expressed concerns over what the commission claims is China's
growing ability to control and manipulate Internet traffic.
http://www.computerworld.com/s/article/9197019/Update_Report_sounds_alarm_on_China_s_rerouting_of_U.S._Internet_traffic?taxonomyId=17
FYI - Air Force Warns Against Location Based Sites - Military says careless use
could disclose service members' position to enemy, compromising
safety and operations. The U.S. Air Force is warning servicemen and
women that popular geolocation services such as Facebook Places,
Foursquare, Gowalla, and Loopt could inadvertently reveal their
position to the enemy.
http://www.informationweek.com/news/government/mobile/showArticle.jhtml?articleID=228300144&cid=RSSfeed_IWK_All
FYI - FBI brass ask Google, Facebook to expand wiretaps - Top officials from the FBI
traveled to Silicon Valley on Tuesday to persuade Facebook and
Google executives to support a proposal that would make it easier
for law enforcement to wiretap the companies' users.
http://www.theregister.co.uk/2010/11/17/google_facebook_wiretapping/
FYI - Cybersecurity bill gives DHS power to punish tech firms - Democratic
politicians are proposing a novel approach to cybersecurity: fine
technology companies $100,000 a day unless they comply with
directives imposed by the U.S. Department of Homeland Security.
http://news.cnet.com/8301-13578_3-20023464-38.html
FYI - Top judge says internet 'could kill jury system' - The jury system may not
survive if it is undermined by social networking sites, England's
top judge has said.
http://www.bbc.co.uk/news/uk-11796648
FYI - After FTC settlement, LifeLock refund checks going out - The check is in the
mail for nearly a million LifeLock customers, after the provider of
identity-theft protection services settled accusations of deceptive
advertising.
http://www.computerworld.com/s/article/9197482/After_FTC_settlement_LifeLock_refund_checks_going_out?taxonomyId=17
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Malaysian Charged With Hacking Federal Reserve, Others - A Malaysian man has
been charged with hacking into major U.S. corporations, including
the U.S. Federal Reserve Bank of Cleveland and FedComp, a company
that processes financial transactions for credit unions.
http://www.pcworld.com/businesscenter/article/211104/malaysian_charged_with_hacking_federal_reserve_others.html
http://www.scmagazineus.com/malaysian-man-charged-with-hacking-into-bank-systems/article/191300/?DCMP=EMC-SCUS_Newswire
FYI - Man charged with stealing secrets from wireless company Sirf - A San Ramon,
California, man is facing charges he stole valuable technology from
his former employer in hopes of building competitive location-aware
products.
http://www.computerworld.com/s/article/9196878/Man_charged_with_stealing_secrets_from_wireless_company_Sirf?taxonomyId=144
FYI - Computer hacker controlled victims' webcams from mother's front room - A
computer hacker accessed highly personal data and controlled
victims' webcams as part of a sophisticated email scam carried out
from his mother's front room.
http://news.stv.tv/scotland/highlands-islands/211018-computer-hacker-controlled-victims-webcams-from-mothers-front-room/
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the consumer's
deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
The Federal Reserve Board Official Staff Commentary (OSC) also
clarifies that terminal receipts are unnecessary for transfers
initiated online. Specifically, OSC regulations provide that,
because the term "electronic terminal" excludes a telephone operated
by a consumer, financial institutions need not provide a terminal
receipt when a consumer initiates a transfer by a means analogous in
function to a telephone, such as by a personal computer or a
facsimile machine.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
Action Summary - Financial institutions must maintain an ongoing
information security risk assessment program that effectively:
1) Gathers data regarding the information and technology assets of
the organization, threats to those assets, vulnerabilities, existing
security controls and processes, and the current security standards
and requirements;
2) Analyzes the probability and impact associated with the known
threats and vulnerabilities to its assets; and
3) Prioritizes the risks present due to threats and vulnerabilities
to determine the appropriate level of training, controls, and
testing necessary for effective mitigation.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
12. Does the institution make the following disclosures regarding
service providers and joint marketers to whom it discloses nonpublic
personal information under §13:
a. as applicable, the same categories and examples of nonpublic
personal information disclosed as described in paragraphs (a)(2) and
(c)(2) of section six (6) (see questions 8b and 10); and [§6(c)(4)(i)]
b. that the third party is a service provider that performs
marketing on the institution's behalf or on behalf of the
institution and another financial institution; [§6(c)(4)(ii)(A)] or
c. that the third party is a financial institution with which the
institution has a joint marketing agreement? [§6(c)(4)(ii)(B)]
PLEASE NOTE: Some of the above links may have expired, especially those
from news organizations. We may have a copy of the article, so please
e-mail us at examiner@yennik.com if we can be of assistance.