R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

February 5, 2012

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Hackers outwit online banking identity security systems - Criminal hackers have found a way round the latest generation of online banking security devices given out by banks, the BBC has learned. http://www.bbc.co.uk/news/technology-16812064

FYI - Feds Issue Comprehensive Cloud Security Guidance - National Institute of Standards and Technology urges government and private sector users not to leave cloud security to providers or service arrangements. There's no silver bullet to ensuring security in the public cloud, but organizations need to take the reins and not leave security up to service providers and service arrangements, the National Institute of Standards and Technology (NIST) said in comprehensive new cloud security guidance. http://www.informationweek.com/news/government/security/232500472

FYI - Final phase of Mass. data protection law kicks in March 1 - It requires companies to take measures to protect personal data of state residents - All companies storing personal data on Massachusetts residents have just over a month to ensure that their contractors, suppliers, technology providers and other third parties comply with a provision of a state data breach law that went into effect in March 2010. http://www.computerworld.com/s/article/9223709/Final_phase_of_Mass._data_protection_law_kicks_in_March_1?taxonomyId=84

FYI - I Spy Your Company’s Boardroom - Rapid7 discovered that they could remotely infiltrate conference rooms in some of the top venture capital and law firms across the country, as well as pharmaceutical and oil companies and even the boardroom of Goldman Sachs - all by simply calling in to unsecured videoconferencing systems that they found by doing a scan of the internet. http://www.wired.com/threatlevel/2012/01/videoconferencing-hijacked/

FYI - FINRA advises brokers to bulk up security - The Financial Industry Regulatory Authority (FINRA), the largest regulator of investment firms, is warning its members to strengthen their policies around verifying fund transfer and withdrawal requests from customers. http://www.scmagazine.com/finra-advises-brokers-to-bulk-up-security/article/225163/

FYI - Best practices to secure the mobile enterprise - Mobile devices have infiltrated nearly every aspect of people's lives. The amount of personal and corporate data stored on these devices makes securing the information on the tool a priority. http://www.scmagazine.com/best-practices-to-secure-the-mobile-enterprise/article/225335/?DCMP=EMC-SCUS_Newswire

FYI - SEC accuses Latvian man of hacking brokerage accounts - The federal Securities and Exchange Commission has charged a Latvian man with participating in a pump-and-dump scheme that manipulated the value of more than 100 New York Stock Exchange and Nasdaq stocks. http://www.scmagazine.com/sec-accuses-latvian-man-of-hacking-brokerage-accounts/article/225544/?DCMP=EMC-SCUS_Newswire

FYI - Security breaches impacting VeriSign emerge in filing - VeriSign, the company that manages more than 100 million .com, .net and .gov domains, was hacked numerous times in 2010, and the intruders got away with unspecified data. http://www.scmagazine.com/security-breaches-impacting-verisign-emerge-in-filing/article/226029/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Symantec admits stolen source code impacts pcAnywhere - Big Yellow has done an about-face in light of new analysis that confirms users of its pcAnywhere software may be at risk to attack due to the disclosure of source code. http://www.scmagazine.com/symantec-admits-stolen-source-code-impacts-pcanywhere/article/224724/

FYI - European Parliament says its website taken offline by attackers - The European Parliament's website fell under a distributed denial-of-service attack (DDOS) on Thursday in what the organization classified as retaliation for the shutdown of the Megaupload file-sharing site and an anti-counterfeiting trade agreement. http://www.networkworld.com/news/2012/012612-european-parliament-says-its-website-255359.html

FYI - Students busted for hacking computers, changing grades - 'Very bright kids' too bright for their own good - Three high school juniors have been arrested after they devised a sophisticated hacking scheme to up their grades and make money selling quiz answers to their classmates. http://www.theregister.co.uk/2012/01/27/students_hack_teachers_computers/

FYI - Univ. of Hawaii settles with 98,000 over five breaches - The University of Hawaii (UH) has settled a class-action data breach lawsuit brought by nearly 100,000 students, faculty, alumni and staff, according to the plaintiffs' lawyers. http://www.scmagazine.com/univ-of-hawaii-settles-with-98000-over-five-breaches/article/225158/

FYI - Central Kentucky's largest group practice hit with patient data breach - A laptop storing patient data was stolen from the neurology department of Lexington Clinic on the night of Dec. 7, 2011. http://www.scmagazine.com/central-kentuckys-largest-group-practice-hit-with-patient-data-breach/article/225558/?DCMP=EMC-SCUS_Newswire

FYI - Indiana University hospital hacked to steal data - Malware may have allowed attackers to make off with the personal information of thousands of people connected to Indiana University Health Goshen Hospital. http://www.scmagazine.com/indiana-university-hospital-hacked-to-steal-data/article/225887/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE - Expedited Funds Availability Act (Regulation CC)

Generally, the rules pertaining to the duty of an institution to make deposited funds available for withdrawal apply in the electronic financial services environment. This includes rules on fund availability schedules, disclosure of policy, and payment of interest. Recently, the FRB published a commentary that clarifies requirements for providing certain written notices or disclosures to customers via electronic means. Specifically, the commentary to the regulations states that a financial institution satisfies both the written exception hold notice requirement and the general disclosure requirement by sending an electronic version that displays the text and is in a form that the customer may keep. However, the customer must agree to such means of delivery of notices and disclosures. Information is considered to be in a form that the customer may keep if, for example, it can be downloaded or printed by the customer. To reduce compliance risk, financial institutions should test their programs' ability to provide disclosures in a form that can be downloaded or printed.

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION

Development and Support

Development and support activities should ensure that new software and software changes do not compromise security. Financial institutions should have an effective application and system change control process for developing, implementing, and testing changes to internally developed software and purchased software. Weak change control procedures can corrupt applications and introduce new security vulnerabilities. Change control considerations relating to security include the following:

! Restricting changes to authorized users,
! Reviewing the impact changes will have on security controls,
! Identifying all system components that are impacted by the changes,
! Ensuring the application or system owner has authorized changes in advance,
! Maintaining strict version control of all software updates, and
! Maintaining an audit trail of all changes.

Changes to operating systems may degrade the efficiency and effectiveness of applications that rely on the operating system for interfaces to the network, other applications, or data. Generally, management should implement an operating system change control process similar to the change control process used for application changes. In addition, management should review application systems following operating system changes to protect against a potential compromise of security or operational integrity.

When creating and maintaining software, separate software libraries should be used to assist in enforcing access controls and segregation of duties. Typically, separate libraries exist for development, test, and production.



INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Initial Privacy Notice

1)  Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all customers not later than when the customer relationship is established, other than as allowed in paragraph (e) of section four (4) of the regulation? [§4(a)(1)]

(Note: no notice is required if nonpublic personal information is disclosed to nonaffiliated third parties only under an exception in Sections 14 and 15, and there is no customer relationship. [§4(b)] With respect to credit relationships, an institution establishes a customer relationship when it originates a consumer loan. If the institution subsequently sells the servicing rights to the loan to another financial institution, the customer relationship transfers with the servicing rights. [§4(c)])

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated