A Tale of Three Breach Reports
This week a trio of reports came out on data breaches. I dec…
CUInfoSecurity.com Site Map
Articles Agency Releases Webinars
Agencies
These government regulatory bodies guide and govern the behavior of public and private organizations.Federal Deposit Insurance Corp - The FDIC insures deposits at the nation's 8,615 banks and savings associations and it promotes the safety and soundness of these institutions by identifying, monitoring and addressing risks to which they are exposed. www.fdic.gov
Federal Reserve Board - The Federal Reserve System is the central bank of the United States. The Federal Reserve's duties fall into four general areas: conducting the nation's monetary policy; supervising and regulating banking institutions; maintaining the stability of the financial system; and providing financial services to depository institutions, the U.S. government, and foreign official institutions. www.federalreserve.gov
Federal Trade Commission - The Federal Trade Commission (FTC) is directed to administer a wide variety of consumer protection laws.
FFIEC - The Federal Financial Institutions Examination Council is a formal interagency body empowered to prescribe uniform principles, standards and report forms for the federal examination of financial institutions, and to make recommendations to promote uniformity in the supervision of financial institutions. www.ffiec.gov
FHFA - The Federal Housing Finance Agency (FHFA) was created on July 30, 2008, when the President signed into law the Housing and Economic Recovery Act of 2008. The Act created a world-class, empowered regulator with all of the authorities necessary to oversee vital components of our country's secondary mortgage markets - Fannie Mae, Freddie Mac, and the Federal Home Loan Banks.
FinCEN - The Financial Crimes Enforcement Network (FinCEN) is a network, a means of bringing people and information together to fight the complex problem of money laundering. Through cooperation and partnerships, FinCEN's network approach encourages cost-effective and efficient measures to combat money laundering domestically and internationally. www.fincen.gov
Government Accountability Office - The Government Accountability Office (GAO), the investigative arm of Congress, conducts agency IT management and security audits
National Credit Union Admin. - The National Credit Union Administration (NCUA) is the federal agency that charters and supervises federal credit unions and insures savings in federal and most state-chartered credit unions across the country through the National Credit Union Share Insurance Fund (NCUSIF), a federal fund backed by the full faith and credit of the United States government. www.ncua.gov
NIST - Commerce's National Institute of Standards and Technology develops IT security standards for federal agencies and business
Office Comptroller of Currency - The Office of the Comptroller of the Currency (OCC) charters, regulates, and supervises all national banks. It also supervises the federal branches and agencies of foreign banks. Headquartered in Washington, D.C., the OCC has four district offices plus an office in London to supervise the international activities of national banks. www.occ.gov
Office of Thrift Supervision - The Office of Thrift Supervision (OTS) is the primary federal regulator of federally-chartered and state-chartered savings associations, their subsidiaries, and their registered savings and loan holding companies. www.ots.gov
Anti-Money Laundering
Money laundering is the criminal practice of filtering "dirty" money through a series of transactions, so the funds are "cleaned" to look like proceeds from legal activities. The Currency and Foreign Transactions Reporting Act, also known as the Bank Secrecy Act (BSA), and its implementing regulation, 31 CFR 103, is a tool the U.S. government uses to fight drug trafficking, money laundering and other crimes.Banking Today
A repository of news and resources related to current trends and topics within the banking and finance industry.Confidence In Banking - Banking confidence is something that every financial institution must deal with, and in times of economic crisis improving confidence in banking is a must.
Business Continuity & Disaster Recovery
Business Continuity/Disaster Recovery refer to strategies to prepare for and survive disruptions from man-made and natural disastersPandemic Preparation - Regulators require institutions to address pandemic preparation in their business continuity plans.
Compliance
News and insights on key U.S. regulatory issues that influence information security management.Bank Secrecy Act - The Currency and Foreign Transactions Reporting Act, also known as the Bank Secrecy Act (BSA), and its implementing regulation, 31 CFR 103, is a tool the U.S. government uses to fight drug trafficking, money laundering, and other crimes. The Office of the Comptroller of the Currency monitors national bank compliance with the BSA.
Basel II - Basel II is the second of the Basel Accords, which are recommendations on banking laws and regulations issued by Europe’s Basel Committee on Banking Supervision. Basel II is meant to create an international standard for banking regulators to use when creating regulations re: necessary capital to guard against financial and operational risks.
CA Bill 1386 - The State of California in 2002 enacted Bill Number: SB 1386, requiring state agencies and others who conduct business through computerized collection of personal information to immediately disclose any breach of data security to any California resident whose personal information may have been compromised.
E-SIGN Act - Congress in 2000 enacted the Electronic Signatures in Global and National Commerce Act (1) ("ESIGN" or "the Act"), to facilitate the use of electronic records and signatures in interstate and foreign commerce by ensuring the validity and legal effect of contracts entered into electronically.
FACTA - The Fair and Accurate Credit Transactions Act of 2003 (FACT Act or FACTA, Pub.L. 108-159) was passed by Congress as an amendment to the Fair Credit Reporting Act. The law contains provisions to help reduce identity theft and fraudulent applications for credit.
Gramm-Leach-Bliley Act - The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLBA, includes provisions to protect consumers' personal financial information held by financial institutions. GLBA repealed the Glass-Steagall Act, opening up competition among banks, securities companies and insurance companies. Historically, the combined industry has been known as the financial services industry.
Guidance - Recommendations from regulatory agencies on how to improve compliance with major regulations such as BSA and GLBA. Agencies frequently update their guidelines and processes, issuing these updates under the umbrella of "guidance."
Identity Theft Red Flags Rule - Federal guidelines detailing how organizations must prevent and respond to identity theft.
NCUA Part 748 - Appendix A of Part 748 of NCUA’s Rules and Regulations, calls for credit unions to identify internal and external threats that could result in unauthorized disclosure, misuse, alteration or destruction of member information or member information systems, as well as assess the potential of these threats.
Patriot Act - The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Public Law 107-56), known as the USA PATRIOT Act , was signed into law in 2001. The law expands the authority of U.S. law enforcement agencies to fight terrorism.
PCI DSS - Payment Card Industry Data Security Standard (PCI) Compliance is a set of security standards created by the major credit card companies (American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International) to protect their customers from increasing identity theft and security breaches.
Sarbanes-Oxley Act - The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745), also known as the Public Company Accounting Reform and Investor Protection Act of 2002, was signed into law in 2002 in response to several well-publicized corporate scandals. SOX establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms.
Emerging Technology
The latest/greatest tools and techniques for ensuring information security.Application Security - Banks rely on applications to ensure accurate, timely and confidential processing of data. Vulnerabilities, particularly those associated with Web-based applications, are increasingly the focus of attacks from external and internal sources for the purposes of committing identity theft and other types of fraud.
Authentication - Ensuring that systems are accessed only by the properly-authorized individuals. In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication such as a request to log in.
Cloud Computing - Cloud computing allows access to applications and data over the Internet.
Data Loss - Tools to prevent loss of critical data in an information systems disaster – man-made, natural or pandemic. Data loss may be intentional – an attack – or unintentional, i.e. an accident.
Encryption - Encryption is the process of obscuring information to make it unreadable without special knowledge. In the mid-1970s, strong encryption emerged from the sole preserve of secretive government agencies into the public domain, and is now used in protecting widely-used systems, such as Internet e-commerce, mobile telephone networks and bank automatic teller machines.
GRC - Governance, Risk and Compliance platforms help institutions get a handle on compliance with the myriad of corporate and government regulations. Faced with endless mandates and new regulations, financial institutions increasingly turn to automated GRC platforms to help them manage the load.
ID Access & Management - Tools to ensure that systems and networks are open only to the right people at the right times. Automated systems are programmed to extend – and withdraw – access to the proper employees, contractors and customers.
Messaging - Email, IM, text-messaging and other forms of electronic communications. Increasingly, these are the historic record of business, and as such they are highly vulnerable to attack.
Mobile Banking - Tools to enable the processes and protections that drive Internet and remote banking. Mobile banking activities include performing balance checks, account transactions, payments etc. via a mobile device such as a cell phone or PC.
Network/Perimeter - The critical information system – physical and virtual – upon which individuals depend to conduct daily business. The perimeter is the boundary between the private and locally managed-and-owned side of a network and the public and usually provider-managed side of a network.
Remote Capture - Remote Deposit Capture allows a user to scan checks and transmit the images to a bank for posting and clearing. “Check 21” legislation makes Remote Capture possible, allowing banks to clear checks based upon images of the original items, instead of the traditional practice of having to transport the original check to the paying bank for clearance.
SIM/SEM - Security Information Management/Security Event Management tools help prevent potentially catastrophic attacks upon critical information systems. These tools enable the ability to aggregate data from multiple products into one central location, to correlate events, and to review this data.
Social Media - Facebook, LinkedIn and Twitter are now part of our professional lives. What are the risks?
Storage - Systems to store and preserve critical business information, i.e. memory, components, devices and media that retain digital computer data used in business. Regulatory requirements increasingly mandate types and terms of storage.
Web Security - The system of interlinked, hypertext documents accessed via the Internet. With a web browser, user views web pages that may contain text, images, videos, and other multimedia and navigates between them using hyperlinks. Critical to conducting business, the web is equally critical to secure for correspondence and transactions.
Fraud
Fraud, a "crime of persuasion," involves efforts to knowingly execute, or attempting to execute, a plan to defraud an organization.ACH - Automated Clearing House (ACH) fraud involves batch-processed transactions between banks, i.e. direct deposit payroll. ACH crimes include payroll fraud and kiting.
ATM - Automated Teller Machines (ATMs) are increasingly vulnerable to fraud schemes involving skimming devices, malware and "ram raids."
Check - Attempted check fraud at U.S. banks totaled $12.2 billion in 2006, the most recent survey by the American Bankers Association. Counterfeit checks are an everyday risk to institutions.
Debit, Credit, Prepaid Cards - Payment card fraud -- including debit, credit and prepaid cards -- is one of the most prevalent security threats against banking institutions and customers alike. Private information is relatively easy to steal, and consumers face greater liability for debit card loss than they do for credit card fraud.
First Party - When individuals offer deceptive information about themselves to receive a loan or credit they have no ability or intention to repay.
Insider - Insider fraud -- whether intentional or accidental -- is one of the leading risks to organizations, which must be vigilant against embezzlement, data theft and other crimes.
Mortgage - Includes first- and third-party crimes involving mortgage loans.
Payments - Crimes against payments processors are on the rise. Medical payments fraud is also a huge threat.
Wire - Wire fraud involves unauthorized activity during wire transfers to and between accounts. It's a classic fraud crime that has not diminished.
Governance & Standards
Common processes and industry standards employed to assure best practices in securing information systems and assuring privacy.BITS - BITS is a non-profit industry consortium whose members are 100 of the largest financial institutions in the United States. BITS fosters the growth and development of electronic financial services and e-commerce for the benefit of financial institutions and their customers. www.bitsinfo.org.
Cobit - IT governance schema and toolset that lets managers bridge the gap among control requirements, technical issues and risks.
COSO - The Committee of Sponsoring Organizations of the Treadwell Commission is dedicated to improving the quality of financial reporting.
FFIEC Handbook - The FFIEC Information Technology (IT) Examination Handbook (Handbook) is comprised of 12 booklets, each on a different topic, i.e. Business Continuity Planning, Management and Operations. www.ffiec.gov
ISO - The International Organization for Standardization is a network of the national standards institutes of some 157 countries.
ITGI - The IT Governance Institute was established in recognition of the crucial role of information technology in the success of an enterprise.
ITIL - The Information Technology Infrastructure Library is a set of concepts for managing IT infrastructure, development, and operations.
PCAOB - The Public Company Accounting Oversight Board is a private-sector, non-profit group created by the Sarbanes-Oxley Act of 2002 to oversee the auditors of public companies. www.pcaob.org
Identity Theft
Identity theft occurs when someone uses personally identifying information -- name, Social Security number, or credit card number -- without express permission, to commit fraud or other crimes.Pharming - Pharming is an attack aimed to fool unsuspecting users by redirecting a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software.
Phishing - Phishing is an attempt to fraudulently acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity (a bank or online commerce site) in an electronic communication, i.e. an email of text message.
Skimming - Skimming is a hi-tech method of credit card fraud by which thieves capture personal information from credit cards, drivers’ licenses, or even passports via an electronic device called a “skimmer,” which reads information encoded on the cards’ magnetic stripes.
Leadership & Management
Techniques and tips for growing your expertise as a security executive.Physical Security
Physical information security concerns the protection of data from non-electronic means such as physical attacks or thefts.Biometrics - In security, biometrics refers to use of technology to recognize and authenticate specific human characteristics, including fingerprints and retinal scans. It is an emerging technology in physical security today.
Risk Management
Risk Management is the process of measuring or assessing risk and developing strategies to manage it.HR - Human Resource issues such as hiring, termination and background checks relative to risk management.
Incident Response - The formal reaction to a security breach, i.e. a physical or electronic hack. Includes forensics, eDiscovery and other tactics necessary in the wake of a security breach.
Information Security Compliance - Policies and procedures that enable compliance with government, industry and corporate information security standards.
Insider Threat - The risk that current, former or contract employees might abuse system access to compromise data, operations or security.
IT Audit - The process of collecting and evaluating evidence of an IT organization's assets, practices and operations to ensure policy/regulatory compliance.
Privacy - The protection of personal or classified data contained within a business information system.
Risk Assessment - Risk assessment measures the magnitude of potential loss and the probability that loss will occur
Social Engineering - Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most (but not all) cases the attacker never comes face-to-face with the victim.
Vendor Management - Ensuring that service providers adhere to the same information security standards by which your institution abides
Training & Education
Features for enhancing your own information security education, as well as for improving awareness among employees and customers.Topics of Interest
Risk Management
- Building Enterprise Secure File Transfer Processes that Improve Security and Compliance
- PCI Compliance Realized; Grocery Chain Saves Millions
Application Security
ISO
Latest Tweets & Mentions
CUInfoSecurity.com Research
Recent Blog Entries
Vendor Solutions
-
Solutions For:
Access Control, Application Security, Risk Management, Risk Analysis
-
Solutions For:
Email Security, Identity Theft Prevention, Network Security
