Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices. For more information visit http://www.yennik.com/it-review/.
FYI - Bank lobby warns Cambridge over IT security thesis - Seeks censorship of student's work on chip and pin vulnerabilities. Bank lobby group The UK Cards Association has written to Cambridge University requesting the censorship of a student thesis concerned with vulnerabilities in the "chip and pin" transaction card systems used by the majority of the world's banks.
http://www.securecomputing.net.au/News/242795,bank-lobby-warns-cambridge-over-it-security-thesis.aspx
FYI - Feds raid server farms in bid to root out PayPal DDoS perps - On the trail of Anonymous. Federal investigators have seized servers allegedly abused to launch a denial of service attack against PayPal earlier this month.
http://www.theregister.co.uk/2010/12/30/avenge_assange_server_raids/
FYI - Web attack takes Anonymous activists offline - The notorious message board 4Chan has been taken offline by an overwhelming web attack.
http://www.bbc.co.uk/news/technology-12090245
FYI - Nationwide employee sentenced to 2 1/2 years for counterfeit video games - New monitoring software at Nationwide Insurance spelled the beginning of the end for an employee who had been counterfeiting and selling computer games for five years.
http://www.dispatch.com/live/content/local_news/stories/2010/12/30/nationwide-employee-sentenced-to-212-years.html?sid=101
FYI - ‘White House’ eCard Dupes Dot-Gov Geeks - A malware-laced e-mail that spoofed season's greetings from The White House siphoned gigabytes of sensitive documents from dozens of victims over the holidays, including a number of government employees and contractors who work on cybersecurity matters.
http://krebsonsecurity.com/2011/01/white-house-ecard-dupes-dot-gov-geeks/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Russian e-Payment Giant ChronoPay Hacked - Criminals this week hijacked ChronoPay.com, the domain name for Russia’s largest online payment processor, redirecting hundreds of unsuspecting visitors to a fake ChronoPay page that stole customer financial data.
http://krebsonsecurity.com/2010/12/russian-e-payment-giant-chronopay-hacked/
FYI - Charges filed in high-tech insider trading case - Federal authorities have charged a California woman with securities fraud for allegedly passing detailed financial information on Nvidia and Marvell Technologies to portfolio managers at two hedge funds.
http://www.computerworld.com/s/article/9202730/Charges_filed_in_high_tech_insider_trading_case?taxonomyId=82
FYI - Honda warns customers of email database breach - Hackers have compromised the email addresses of millions of Honda Motor Co. customers in an incident likely linked to a recently announced breach at an email marketing solutions provider.
http://www.scmagazineus.com/honda-warns-customers-of-email-database-breach/article/193491/?DCMP=EMC-SCUS_Newswire
http://www.theregister.co.uk/2010/12/31/honda_data_breach/
WEB SITE COMPLIANCE - Non-Deposit Investment Products
Financial institutions advertising or selling non-deposit investment products on-line should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (1 of 2)
A risk assessment is the key driver of the information security process. Its effectiveness is directly related to the following key practices:
1) Multidisciplinary and Knowledge-based Approach - A consensus evaluation of the risks and risk mitigation practices followed by the institution requires the involvement of a broad range of users, with a range of expertise and business knowledge. Not all users may have the same opinion of the severity of various attacks, the importance of various controls, and the importance of various data elements and information system components. Management should apply a sufficient level of expertise to the assessment.
2) Systematic and Central Control - Defined procedures and central control and coordination help to ensure standardization, consistency, and completeness of risk assessment policies and procedures, as well as coordination in planning and performance. Central control and coordination will also facilitate an organizational view of risks and lessons learned from the risk assessment process.
3) Integrated Process - A risk assessment provides a foundation for the remainder of the security process by guiding the selection and implementation of security controls and the timing and nature of testing those controls. Testing results, in turn, provide evidence to the risk assessment process that the controls selected and implemented are achieving their intended purpose. Testing can also validate the basis for accepting risks.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
18. If the institution, in its privacy policies, reserves the right to disclose nonpublic personal information to nonaffiliated third parties in the future, does the privacy notice include, as applicable, the:
a. categories of nonpublic personal information that the financial institution reserves the right to disclose in the future, but does not currently disclose; [§6(e)(1)] and
b. categories of affiliates or nonaffiliated third parties to whom the financial institution reserves the right in the future to disclose, but to whom it does not currently disclose, nonpublic personal information? [§6(e)(2)]