R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

February 20, 2011

Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices. For more information visit http://www.yennik.com/it-review/.

FYI - FFIEC IT Examination Handbook InfoBase: New Look and Improved Navigation - The Federal Financial Institutions Examination Council today announced the launch of its redesigned IT Examination Handbook InfoBase. The IT InfoBase is the primary distribution method for the IT Examination Handbook.
Press Release: www.fdic.gov/news/news/press/2011/pr11037.html 
Press Release: www.ffiec.gov/press/pr021611.htm 
Press Release: www.ncua.gov/news/press_releases/2011/JR11-0216FFIEC-ITInfoBase.pdf 


FYI - UK Press Watchdog Rules Tweets Are Public Information - A ruling by the Press Complaints Commission (PCC) has given British journalists the green light to lift tweets from the social networking site Twitter. The public nature of tweeting, the PCC says, means quoting those 140-character outbursts in print or online does not “constitute a privacy intrusion.” http://www.wired.com/epicenter/2011/02/uk-tweets-are-public-info/

FYI - Two councils hit with big fines for laptop blunder - Unencrypted data gaffe hits Hounslow, Ealing - The UK's information watchdog has slapped two London councils with hefty penalties for failing to encrypt personal data on laptops that were stolen by thieves. http://www.theregister.co.uk/2011/02/08/ico_fines_two_councils_over_unencrypted_laptop_thefts/

FYI - RSA Conference study to reveal cloud frustration - Security practitioners are working to safeguard cloud computing environments but believe they need more education and training, according to a soon-to-be released study. http://www.scmagazineus.com/rsa-conference-study-to-reveal-cloud-frustration/article/196030/?DCMP=EMC-SCUS_Newswire

FYI - Microsoft accuses former manager of stealing 600MB of confidential docs - Microsoft yesterday accused a former manager of taking hundreds of megabytes of confidential company material when he left the firm for a new position at another company. http://www.computerworld.com/s/article/9209119/Microsoft_accuses_former_manager_of_stealing_600MB_of_confidential_docs?taxonomyId=144

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - CTO warns of new combined threat named 'Night Dragon' - A new large scale attack has been detailed that targets financial systems behind oil and gas fields. http://www.scmagazineuk.com/mcafee-cto-warns-of-new-combined-threat-named-night-dragon/article/196043/

FYI - Hack of Irish job site exposes user names, addresses - Barn door promptly closed - Employment search site RecruitIreland.com has reopened its doors following a security breach that exposed users' names and email addresses. http://www.theregister.co.uk/2011/02/10/job_site_breach/

FYI - Twitter User Tricks Sony Into Posting ‘Secret’ PS3 Code - Sony is having a rough time trying to keep the PlayStation 3 secure, and the company seems intent on policing the entirety of the Internet to stop the spread of the tools and information needed to hack the device. This can be hard to do when your own faux spokesperson decides to retweet one of the offending series of letters and numbers in their entirety online. http://www.wired.com/threatlevel/2011/02/sony_code/

FYI - eHarmony advice site hacked to expose user information - Less than a month after the dating site PlentyOfFish suffered a breach of customer data, rival eHarmony has confirmed that a hacker gained access to some of its users' information. http://www.scmagazineus.com/eharmony-advice-site-hacked-to-expose-user-information/article/196216/?DCMP=EMC-SCUS_Newswire

FYI - Chinese hackers break into oil companies' networks - Sophisticated hackers, believed to be from China, have broken into the networks of several global oil, energy and petrochemical companies, according to a report released late Wednesday. http://www.scmagazineus.com/chinese-hackers-break-into-oil-companies-networks/article/196099/?DCMP=EMC-SCUS_Newswire

FYI - Spanish police arrest man over Nintendo gamer hack - Police in Spain have arrested a man who allegedly stole details on thousands of Nintendo users and tried to blackmail the company. http://www.bbc.co.uk/news/technology-12456922

FYI - Ambulance dispatch system hit by virus: reports - Take two aspirin, call in the morning - Australia’s ABC News is reporting that the dispatch system of the NSW Ambulance Service has been infected with a computer virus. http://www.theregister.co.uk/2011/02/13/ambulance_system_virus/


WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services (Part 3 of 4)

Due Diligence in Selecting a Service Provider

Once the institution has completed the risk assessment, management should evaluate service providers to determine their ability, both operationally and financially, to meet the institution’s needs. Management should convey the institution’s needs, objectives, and necessary controls to the potential service provider. Management also should discuss provisions that the contract should contain. The appendix to this statement contains some specific factors for management to consider in selecting a service provider.

Contract Issues

Contracts between the institution and service provider should take into account business requirements and key risk factors identified during the risk assessment and due diligence phases. Contracts should be clearly written and sufficiently detailed to provide assurances for performance, reliability, security, confidentiality, and reporting. Management should consider whether the contract is flexible enough to allow for changes in technology and the financial institution's operations. Appropriate legal counsel should review contracts prior to signing.

Institutions may encounter situations where service providers cannot or will not agree to terms that the institution requests to manage the risk effectively. Under these circumstances, institutions should either not contract with that provider or supplement the service provider’s commitments with additional risk mitigation controls. The appendix to this statement contains some specific considerations for management in contracting with a service provider.

 
INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.


SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

Access Rights Administration (3 of 5)

The enrollment process establishes the user's identity and anticipated business need for access to information and systems. New employees, IT outsourcing relationships, and contractors may also be identified, and the business need for access determined, during the hiring or contracting process.

During enrollment and thereafter, an authorization process determines user access rights. In certain circumstances the assignment of access rights may be performed only after the manager responsible for each accessed resource approves the assignment and documents the approval. In other circumstances, the assignment of rights may be established by the employee's role or group membership, and managed by pre-established authorizations for that group. Customers, on the other hand, may be granted access based on their relationship with the institution.

Authorization for privileged access should be tightly controlled. Privileged access refers to the ability to override system or application controls. Good practices for controlling privileged access include:

- Identifying each privilege associated with each system component,

- Implementing a process to allocate privileges and allocating those privileges either on a need-to-use or an event-by-event basis,

- Documenting the granting and administrative limits on privileges,

- Finding alternate ways of achieving the business objectives,

- Assigning privileges to a unique user ID apart from the one used for normal business use,

- Logging and auditing the use of privileged access,

- Reviewing privileged access rights at appropriate intervals and regularly reviewing privileged access allocations, and

- Prohibiting shared privileged access by multiple users.



INTERNET PRIVACY
We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

25. Does the institution permit each of the joint consumers in a joint relationship to opt out? [§7(d)(2)]

26. Does the opt out notice to joint consumers state that either: 

a. the institution will consider an opt out by a joint consumer as applying to all associated joint consumers; [§7(d)(2)(i)] or

b. each joint consumer is permitted to opt out separately? [§7(d)(2)(ii)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 
