Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

FYI - Next Generation Banking Malware Emerges After Zeus - The rumored combination of two pieces of advanced online banking malware appears to be fully underway after several months of speculation. http://www.pcworld.com/article/218585/next_generation_banking_malware_emerges_after_zeus.html?tk=nl_dnx_t_crawl

FYI - NIST Issues Cloud Security Guidelines - The government standards body has launched a wiki to get feedback on its draft policies for securely deploying cloud computing. Organizations implementing cloud computing should think about security first before deploying a production environment, according to the National Institute of Standards and Technology (NIST). http://www.informationweek.com/news/government/cloud-saas/showArticle.jhtml?articleID=229201197&subSection=Security

FYI - The Internet kill switch that isn't - The comparisons to the Internet shutdown in Egypt grew loud enough that the three sponsors of the 2010 bill, Senators Joseph Lieberman, Maine Republican Susan Collins and Delaware Democrat Tom Carper issued a statement this week condemning the actions there. http://www.computerworld.com/s/article/9207980/The_Internet_kill_switch_that_isn_t?taxonomyId=17&pageNumber=2

FYI - NIST issues virtualization security guidance - The National Institute of Standards and Technology (NIST) this week issued a guidance document for securely configuring and using virtualization technologies. http://www.scmagazineus.com/nist-issues-virtualization-security-guidance/article/195756/?DCMP=EMC-SCUS_Newswire

FYI - An independent approach to PCI audit security and compliance - It has become quite apparent that the current PCI auditing system is broken. Not only have the scope and complexities of the PCI Data Security Standard made maintaining proper standards for security and compliance virtually inaccessible for the average merchant, there is potentially a much deeper problem with the system as well. http://www.scmagazineus.com/an-independent-approach-to-pci-audit-security-and-compliance/article/195749/?DCMP=EMC-SCUS_Newswire

FYI - ID fraud incidents decline in 2010, but costs go up - Incidents of identity fraud declined last year, but the cost per incident rose, and consumers are taking longer to respond to occurrences of theft, according to a survey released Tuesday. http://www.scmagazineus.com/id-fraud-incidents-decline-in-2010-but-costs-go-up/article/195924/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hackers penetrated Nasdaq computers - Federal authorities are investigating repeated intrusions into the computer network that runs the Nasdaq stock exchange, according to a Wall Street Journal report that cited people familiar with the matter.
http://news.cnet.com/8301-1009_3-20030775-83.html
http://www.computerworld.com/s/article/9208358/Report_Nasdaq_systems_were_hacked_last_year?taxonomyId=203

FYI - UK government suffers Zeus attack - William Hague reveals government computers were infected last December - The UK government fell victim to a cyber attack using the notorious information-stealing Zeus malware in late December, according to the foreign secretary. http://www.v3.co.uk/v3/news/2274616/hague-cyber-attack-government

Return to the top of the newsletter

WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services ( Part 2 of 4)

Risk Assessment

The board of directors and senior management are responsible for understanding the risks associated with outsourcing arrangements for technology services and ensuring that effective risk management practices are in place. As part of this responsibility, the board and management should assess how the outsourcing arrangement will support the institution’s objectives and strategic plans and how the service provider’s relationship will be managed. Without an effective risk assessment phase, outsourcing technology services may be inconsistent with the institution’s strategic plans, too costly, or introduce unforeseen risks.

Outsourcing of information and transaction processing and settlement activities involves risks that are similar to the risks that arise when these functions are performed internally. Risks include threats to security, availability and integrity of systems and resources, confidentiality of information, and regulatory compliance. In addition, the nature of the service provided, such as bill payment, funds transfer, or emerging electronic services, may result in entities performing transactions on behalf of the institution, such as collection or disbursement of funds, that can increase the levels of credit, liquidity, transaction, and reputation risks.

Management should consider additional risk management controls when services involve the use of the Internet. The broad geographic reach, ease of access, and anonymity of the Internet require close attention to maintaining secure systems, intrusion detection and reporting systems, and customer authentication, verification, and authorization. Institutions should also understand that the potential risks introduced are a function of a system’s structure, design and controls and not necessarily the volume of activity.

An outsourcing risk assessment should consider the following:  

• Strategic goals, objectives, and business needs of the financial institution.
• Ability to evaluate and oversee outsourcing relationships.
• Importance and criticality of the services to the financial institution.
• Defined requirements for the outsourced activity.
• Necessary controls and reporting processes.
• Contractual obligations and requirements for the service provider.
• Contingency plans, including availability of alternative service providers, costs and resources
required to switch service providers.
• Ongoing assessment of outsourcing arrangements to evaluate consistency with strategic
objectives and service provider performance.
• Regulatory requirements and guidance for the business lines affected and technologies used.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

Access Rights Administration (2 of 5)

System devices, programs, and data are system resources. Each system resource may need to be accessed by other system resources and individuals in order for work to be performed. Access beyond the minimum required for work to be performed exposes the institution's systems and information to a loss of confidentiality, integrity, and availability. Accordingly, the goal of access rights administration is to identify and restrict access to any particular system resource to the minimum required for work to be performed.  The financial institution's security policy should address access rights to system resources and how those rights are to be administered.

Management and information system administrators should critically evaluate information system access privileges and establish access controls to prevent unwarranted access.  Access rights should be based upon the needs of the applicable user or system resource to carry out legitimate and approved activities on the financial institution's information systems.  Policies, procedures, and criteria need to be established for both the granting of appropriate access rights and for the purpose of establishing those legitimate activities.  Formal access rights administration for users consists of four processes:

! An enrollment process to add new users to the system;

! An authorization process to add, delete, or modify authorized user access to operating systems, applications, directories, files, and specific types of information;

! An authentication process to identify the user during subsequent activities; and

! A monitoring process to oversee and manage the access rights granted to each user on the system.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

23. If the institution delivers the opt out notice after the initial notice, does the institution provide the initial notice once again with the opt out notice? [§7(c)]

24. Does the institution provide an opt out notice, explaining how the institution will treat opt out directions by the joint consumers, to at least one party in a joint consumer relationship? [§7(d)(1)]