R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

January 22, 2012

CONTENT
Internet Compliance
Information Systems Security
IT Security
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

TR39 Review - Every two years, EFT network members are required to submit a TR39 (formerly TG3) review to ensure compliance in maintaining secure systems for processing online PIN transactions. Billions of PIN activated transactions are switched through shared ATM and POS networks annually. Each transaction is originated using a debit or credit card and PIN. With each interchange transaction, the security of the customer's PIN is under the control of as many as eight or more processing entities. To schedule your TR39 review, please contact our associate Richard Gasdia with Aporia Solutions at rgasdia@aporiasolutions.com.  His phone number is 713-266-8785 ext. 302 and the web site is http://aporiasolutions.com/index.shtml.

FYI - Joint Efforts Announced to Reduce Risk of Corporate Account Takeover - Texas Banking Commissioner Charles G. Cooper and Edna J. Perry, Special Agent in Charge of the U.S. Secret Service Dallas Field Office jointly announced efforts to assist financial institutions in adopting practices designed to reduce the risks of corporate account takeover. Corporate account takeover is a form of identity theft where cyber thieves gain control of a business’ bank account, often by stealing user passwords and other valid credentials. http://www.dob.texas.gov/news/press/2012/01-17-12pr.htm 

FYI - Twenty critical controls for effective cyber defence - The UK Centre for the Protection of National Infrastructure has released a new guidance document which details the ‘Top Twenty Critical Security Controls’. These provide a baseline of high-priority information security measures and controls that can be applied across an organization in order to improve its cyber defence.
http://continuitycentral.com/news06099.html
http://www.sans.org/critical-security-controls/winter-2012-poster.pdf

FYI - Loose Keystrokes Sink Cybersystems - Richard Clarke's June 15 op-ed "China's Cyberassault on America" provides a thoughtful discussion of the prolific increase in data breaches and the potential impact of these events. While I agree with his perspective, his discussion was silent on the main catalyst of these events. http://online.wsj.com/article/SB10001424052702304186404576387973475738018.html

FYI - NHS worker fined £500 for illegally accessing health records - A former NHS health worker has been fined £500 for illegally accessing the data of five members of her ex-husband's family in a breach of Section 55 of the Data Protection Act (DPA). http://www.v3.co.uk/v3-uk/news/2137137/nhs-worker-fined-gbp500-illegally-accessing-health-records

FYI - Anonymous, Reddit to protest SOPA with blackout - Hacktivist group Anonymous and the popular news-sharing site Reddit both have pledged to go offline on Wednesday in protest of the proposed Stop Online Piracy Act (SOPA), an anti-piracy measure that critics believe amounts to an internet censorship bill.
http://www.scmagazine.com/anonymous-reddit-to-protest-sopa-with-blackout/article/223025/?DCMP=EMC-SCUS_Newswire
http://www.computerworld.com/s/article/9223411/Reddit_to_go_dark_in_SOPA_protest?taxonomyId=17

FYI - Visa advises on more secure credit card transactions - Visa has issued a set of best practices for implementing chip technologies, which can be used to better secure debit and credit card transactions. http://www.scmagazine.com/visa-advises-on-more-secure-credit-card-transactions/article/223358/?DCMP=EMC-SCUS_Newswire 

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Stratfor returns as Anonymous readies 5M stolen emails - Global affairs firm Stratfor returned online this week amid admissions that its systems were breached on two separate occasions. http://www.scmagazine.com/stratfor-returns-as-anonymous-readies-5m-stolen-emails/article/222990/

FYI - Israeli hacker retaliates to credit card hacking (by Yolande Knell) - An Israeli hacker has published details of hundreds of Saudi credit cards online and is threatening to post more in revenge for acts by Arab hackers. http://www.bbc.co.uk/news/world-middle-east-16526067

FYI - Zappos breach affects 24M, opens door for more attacks - Hackers breached a server belonging to online retailer Zappos, allowing them access to the personal information of more than 24 million customers, the company announced. http://www.scmagazine.com/zappos-breach-affects-24m-opens-door-for-more-attacks/article/223257/

FYI - Hackers harvested City College of S.F. data since 1999 - Fingers are being pointed at criminal networks based in Russia and China as the culprits behind the more-than-decade-long siphoning of personal banking information from students, faculty and staff of the City College of San Francisco. http://www.scmagazine.com/hackers-harvested-city-college-of-sf-data-since-1999/article/223155/?DCMP=EMC-SCUS_Newswire

FYI - Computer Virus Swipes Data from Japan's Space Agency - A computer virus infected a data terminal at Japan's space agency, causing a leak of potentially sensitive information, officials announced today. http://www.securitynewsdaily.com/japan-space-agency-computer-virus--1495/

FYI - Hacktivists expose personal info of T-Mobile staff - T-Mobile was hit on Saturday with a hacktivist attack, which resulted in the publication of personal information of some 80 of the wireless communications provider's employees. http://www.scmagazine.com/hacktivists-expose-personal-info-of-t-mobile-staff/article/223511/ 

FYI - DoD ID cards under attack - A pernicious virus that infects the middleware of smart card readers is attacking users of U.S. Department of Defense (DoD) and Windows smart cards. A variant of the Sykipot trojan, the malware uses a zero-day vulnerability in Adobe software to install a keylogger and obtain the PINs and certificate information from smart cards. http://www.scmagazine.com/dod-id-cards-under-attack/article/223625/


WEB SITE COMPLIANCE - Disclosures/Notices (Part 1 of 2)

Several regulations require disclosures and notices to be given at specified times during a financial transaction. For example, some regulations require that disclosures be given at the time an application form is provided to the consumer. In this situation, institutions will want to ensure that disclosures are given to the consumer along with any application form. Institutions may accomplish this through various means, one of which may be through the automatic presentation of disclosures with the application form. Regulations that allow disclosures/notices to be delivered electronically and require institutions to deliver disclosures in a form the customer can keep have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. If feasible, a financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a non-electronic address to which the disclosures can be mailed.

 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE

Financial institution system development, acquisition, and maintenance functions should incorporate agreed upon security controls into software prior to development and implementation. Management should integrate consideration of security controls into each phase of the system development process. For the purposes of this section, system development could include the internal development of customized systems, the creation of database systems, or the acquisition of third-party developed software. System development could include long-term projects related to large mainframe-based software projects with legacy source code or rapid Web-based software projects using fourth-generation programming. In all cases, institutions need to prioritize security controls appropriately.

SOFTWARE DEVELOPMENT AND ACQUISITION

Security Requirements

Financial institutions should develop security control requirements for new systems, system revisions, or new system acquisitions. Management will define the security control requirements based on their risk assessment process evaluating the value of the information at risk and the potential impact of unauthorized access or damage. Based on the risks posed by the system, management may use a defined methodology for determining security requirements, such as ISO 15408, the Common Criteria. Management may also refer to published, widely recognized industry standards as a baseline for establishing their security requirements. A member of senior management should document acceptance of the security requirements for each new system or system acquisition, acceptance of tests against the requirements, and approval for implementing in a production environment.

Development projects should consider automated controls for incorporation into the application and the need to determine supporting manual controls. Financial institutions can implement appropriate security controls with greater cost effectiveness by designing them into the original software rather than making subsequent changes after implementation. When evaluating purchased software, financial institutions should consider the availability of products that have either been independently evaluated or received security accreditation through financial institution or information technology-related industry groups.



INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Redisclosure of nonpublic personal information received from a nonaffiliated financial institution outside of Sections 14 and 15.

A. Through discussions with management and review of the institution's procedures, determine whether the institution has adequate practices to prevent the unlawful redisclosure of the information where the institution is the recipient of nonpublic personal information (§11(b)). 

B. Select a sample of data received from nonaffiliated financial institutions and shared with others to evaluate the financial institution's compliance with redisclosure limitations.

1.  Verify that the institution's redisclosure of the information was only to affiliates of the financial institution from which the information was obtained or to the institution's own affiliates, except as otherwise allowed in step 2 below (§11(b)(1)(i) and (ii)).

2.  If the institution shares information with entities other than those under step 1 above, verify that the institution's information sharing practices conform to those in the nonaffiliated financial institution's privacy notice (§11(b)(1)(iii)).

3.  Also, review the procedures used by the institution to ensure that the information sharing reflects the opt out status of the consumers of the nonaffiliated financial institution (§§10, 11(b)(1)(iii)).


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated