Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc. has clients in 42 states
that rely on our penetration testing audits
to ensure proper Internet security settings and
to
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable, sophisticated process that goes far beyond the simple
scanning of ports. The audit focuses on a hacker's perspective,
which will help you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
http://www.internetbankingaudits.com/
Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
http://www.yennik.com/it-review/.
REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- Study finds $214 per breached record in 2010 - Data breaches cost
organizations $7.2 million on average in 2010, up seven percent from
$6.8 million the previous year, according to the latest Cost of Data
Breach study, released Tuesday.
http://www.scmagazineus.com/study-finds-214-per-breached-record-in-2010/article/197891/?DCMP=EMC-SCUS_Newswire
FYI
- Wakefield postman wins Cyber Security Challenge - A postman from
Wakefield has won the Cyber Security Challenge, a major competition
designed to find UK information security talent and encourage people
into the profession.
http://www.zdnet.co.uk/news/security/2011/03/07/wakefield-postman-wins-cyber-security-challenge-40092043/
FYI
- GhostNet cyber crime forum fraudsters jailed - The UK founder of
the infamous GhostMarket.net cyber crime forum has been convicted
along with three others of computer offences linked to the running
of the largest English language site of its kind ever discovered.
http://www.v3.co.uk/v3-uk/news/2030553/ghostnet-cyber-crime-forum-fraudsters-jailed
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- WordPress hit by 'extremely large' DDoS attack - Blog host
WordPress.com was the target of a distributed denial-of-service (DDoS)
attack earlier today described by the company as the largest in its
history.
http://news.cnet.com/8301-1009_3-20038874-83.html?tag=mncol;title
http://news.cnet.com/8301-27080_3-20039385-245.html?tag=mncol;title
FYI
- Woman sentenced for breaching former employer's PCs -
Pants-ate-my-hard-drive defense fails - A California woman has been
sentenced to 60 days home detention and a year of probation for
breaching the mail system of a former employer and posting
confidential company documents to public websites.
http://www.theregister.co.uk/2011/03/01/sacked_employee_sentenced/
FYI
- Man gets 7 years for forcing modems to call premium numbers - A
New Hampshire man who made US$8 million by installing unwanted
dial-up software on computers and then forcing them to call
expensive premium telephone numbers was handed down an 82-month
sentence on Monday.
http://www.computerworld.com/s/article/9212418/Man_gets_7_years_for_forcing_modems_to_call_premium_numbers?taxonomyId=17
http://www.scmagazineus.com/man-gets-82-months-for-role-in-computer-dialing-scam/article/197582/?DCMP=EMC-SCUS_Newswire
FYI
- Missouri State University student data posted online - Officials
at Missouri State University in Springfield are notifying thousands
of students whose personal information inadvertently was exposed
online.
http://www.scmagazineus.com/missouri-state-university-student-data-posted-online/article/197644/?DCMP=EMC-SCUS_Newswire
FYI
- Cyber attack on France targeted Paris G20 files - The French
finance ministry has confirmed it came under a cyber attack in
December that targeted files on the G20 summit held in Paris in
February.
http://www.bbc.co.uk/news/business-12662596
FYI
- South Korean websites targeted by distributed denial-of-service
attacks - According to the Associated Press and media reports, the
websites of 29 government and other agencies have come under attack
with distributed denial-of-service (DDoS) attacks initially having
been expected to hit up to 40 websites.
http://www.scmagazineuk.com/south-korean-websites-targeted-by-distributed-denial-of-service-attacks/article/197597/
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Technical and
Industry Expertise
• Assess the service provider’s experience and ability to provide
the necessary services and supporting technology for current and
anticipated needs.
• Identify areas where the institution would have to supplement
the service provider’s expertise to fully manage risk.
• Evaluate the service provider’s use of third parties or
partners that would be used to support the outsourced
operations.
• Evaluate the experience of the service provider in providing
services in the anticipated operating environment.
• Consider whether additional systems, data conversions, and
work are necessary.
• Evaluate the service provider’s ability to respond to service
disruptions.
• Contact references and user groups to learn about the service
provider’s reputation and performance.
• Evaluate key service provider personnel that would be assigned
to support the institution.
• Perform on-site visits, where necessary, to better understand
how the service provider operates and supports its services.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION
Action Summary - Financial institutions should use effective
authentication methods appropriate to the level of risk. Steps
include
1) Selecting authentication mechanisms based on the risk associated
with the particular application or services;
2) Considering whether multi-factor authentication is appropriate
for each application, taking into account that multi-factor
authentication is increasingly necessary for many forms of
electronic banking and electronic payment activities; and
3) Encrypting the transmission and storage of authenticators (e.g.,
passwords, PINs, digital certificates, and biometric templates).
Authentication is the verification of identity by a system based on
the presentation of unique credentials to that system. The unique
credentials are in the form of something the user knows, something
the user has, or something the user is. Those forms exist as shared
secrets, tokens, or biometrics. More than one form can be used in
any authentication process. Authentication that relies on more than
one form is called multi-factor authentication and is generally
stronger than any single authentication method. Authentication
contributes to the confidentiality of data and the accountability of
actions performed on the system by verifying the unique identity of
the system user.
Authentication is not identification as that term is used in the USA
PATRIOT Act (31 U.S.C. 5318(l)). Authentication does not provide
assurance that the initial identification of a system user is
proper. Authentication only provides assurance that the user of the
system is the same user that was initially identified. Procedures
for the initial identification of a system user are beyond the scope
of this booklet.
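The following Python example is added here to illustrate steps 2 and 3 of the Action Summary above; it is not from the FFIEC booklet or this newsletter. It combines "something the user knows" (a password) with "something the user has" (a device producing RFC 6238 time-based one-time codes), and it keeps no authenticator in the clear: the password is stored as a salted PBKDF2 hash (the example's choice of protection for stored passwords) and only the per-user OTP secret is kept. The user record store, the username and the password are constructed for the example; the OTP secret is the published RFC 6238 test-vector secret so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import os
import struct
import time

# Added example, not from the FFIEC booklet or this newsletter.
# Two-factor login check: a password ("something the user knows") plus an
# RFC 6238 time-based one-time code ("something the user has"). Stored
# authenticators are never kept in the clear: the password is stored only as
# a salted PBKDF2 hash, and the OTP secret is the one per-user secret the
# server needs.

PBKDF2_ROUNDS = 200_000   # work factor; raise it as hardware gets faster
TOTP_STEP = 30            # seconds per one-time code (RFC 6238 default)


def hash_password(password, salt=None):
    """Return (salt, digest) for a password using salted PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Constant-time comparison of the recomputed hash against the stored one."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


def totp(secret, timestamp, step=TOTP_STEP, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret, code, timestamp, window=1):
    """Accept the current step and up to `window` steps either side (clock drift)."""
    for drift in range(-window, window + 1):
        expected = totp(secret, timestamp + drift * TOTP_STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False


def enroll(store, username, password, otp_secret):
    """Create a user record; only the salt, the password hash and the OTP secret are kept."""
    salt, digest = hash_password(password)
    store[username] = {"salt": salt, "hash": digest, "otp_secret": otp_secret}


def authenticate(store, username, password, code, timestamp=None):
    """Multi-factor check. Returns (ok, reason) so the failing factor can be logged."""
    ts = int(time.time()) if timestamp is None else timestamp
    record = store.get(username)
    if record is None:
        # Spend the same PBKDF2 cost for unknown users so response time does
        # not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False, "unknown user"
    if not verify_password(password, record["salt"], record["hash"]):
        return False, "password"
    if not verify_totp(record["otp_secret"], code, ts):
        return False, "one-time code"
    return True, "ok"


# Constructed demo data: the RFC 6238 test-vector secret and a made-up user.
RFC6238_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    users = {}
    enroll(users, "alice", "correct horse battery", RFC6238_TEST_SECRET)
    ts = 59  # RFC 6238 test-vector time, so the codes below are reproducible
    good_code = totp(RFC6238_TEST_SECRET, ts)              # "287082"
    print(authenticate(users, "alice", "correct horse battery", good_code, ts))  # (True, 'ok')
    print(authenticate(users, "alice", "wrong password", good_code, ts))         # (False, 'password')
    print(authenticate(users, "alice", "correct horse battery", "000000", ts))   # (False, 'one-time code')
```

Both factors are checked with constant-time comparisons, and the password is verified before the one-time code so that a single failed login reveals at most which factor failed to the server log, never to the caller. The drift window of one step either side is the usual trade-off between tolerating device clock skew and limiting how many codes are valid at once; in production the server should also refuse to accept the same code twice.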
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
30. Does the institution allow the
consumer to opt out at any time? [§7(f)]
31. Does the institution continue to honor the consumer's opt out
direction until revoked by the consumer in writing, or, if the
consumer agrees, electronically?
[§7(g)(1)]