R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

April 17, 2011

CONTENTS
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to verify proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which supports compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning.  The audit takes a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - SEC Fines Former Executives For Client Privacy Breach - Private information on 16,000 customers was transferred to a departing manager's new employer in violation of government notification and opt-out regulations. The Securities and Exchange Commission (SEC) announced Thursday that it's levied its first-ever fine against people solely for failing to properly protect customer data. http://www.informationweek.com/news/security/privacy/229401339

FYI - College students gather for cyber defense competition nationals April 8-10 - Nine teams of college students from across the nation will compete this weekend at the finals of the nation's largest collegiate cyber security competition, the sixth annual National Collegiate Cyber Defense Competition (NCCDC). http://www.utsa.edu/today/2011/04/cybersecfinals.html

FYI - In Surprise Appeal, TJX Hacker Claims U.S. Authorized His Crimes - The hacker who masterminded the largest credit card heists in U.S. history, is asking a federal judge to throw out his earlier guilty pleas and lift his record-breaking 20-year prison sentence, on allegations that the government authorized his years-long crime spree. http://www.wired.com/threatlevel/2011/04/gonzalez-plea-withdrawal/

FYI - Deployed troops to get new security tool, allowing access to latest computers - Troops in the Middle East should soon have faster, safer access to the latest computers on the market, as a result of a small disk the Defense Department developed that instantly standardizes the security settings on Microsoft Windows desktops deployed overseas, Pentagon officials said. http://www.nextgov.com/nextgov/ng_20110406_5909.php

FYI - Tech Giants Challenge French Data Retention Law - A consortium of technology companies including Facebook, Google, Microsoft, and Yahoo is appealing a recent French decree that would require them to store, and provide to authorities on request, the usernames, passwords, IP addresses, and other personal details of anyone who creates or accesses online content. http://www.informationweek.com/news/security/privacy/229401245

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Epsilon partner warned of phishing attacks months ago - The recent data breach reported by e-mail marketing service provider Epsilon that exposed names and e-mail addresses for customers at dozens of companies comes four months after an Epsilon technology partner warned about targeted phishing attacks on e-mail service providers and on its own network. http://news.cnet.com/8301-27080_3-20051796-245.html?tag=mncol;title

FYI - Windows Servers Hacked at The Hartford Insurance Company - Hackers have broken into The Hartford insurance company and installed password-stealing programs on several of the company's Windows servers. In a warning letter sent last month to about 300 employees, contractors, and a handful of customers, the company said it discovered the infection in late February. http://www.pcworld.com/businesscenter/article/224471/windows_servers_hacked_at_the_hartford_insurance_company.html

FYI - Fired Gucci BOFH accused of tearing up network - A fired network engineer has been charged with mounting a revenge hack attack against the American branch of Gucci. http://www.theregister.co.uk/2011/04/05/gucci_bofh_revenge_hack/

FYI - Texas mistakenly exposes personal data of 3.5 million - The records of about 3.5 million people, including Social Security numbers, were erroneously placed on a public computer server at the Texas Comptroller's Office and remained there for about a year until officials discovered the mistake less than two weeks ago, the agency acknowledged Monday.
http://www.mcclatchydc.com/2011/04/11/112004/texas-mistakenly-exposes-personal.html
http://www.scmagazineus.com/texas-breach-affects-millions-of-state-employees-retirees/article/200566/?DCMP=EMC-SCUS_Newswire

FYI - SpyEye suspects charged over alleged banking scam - UK police have arrested three men over an alleged scam involving stealing money from online bank accounts that had been compromised using the infamous SpyEye Trojan. http://www.theregister.co.uk/2011/04/11/spyeye_arrests/
 
FYI - Corrupt bank worker jailed over Trojan-powered tax scam - Funneled £3.2m through bogus bank accounts - A former local business manager at a bank who participated in a £3.2m self assessment tax fraud was jailed for three years and three months on Friday. http://www.theregister.co.uk/2011/04/11/virus_powered_tax_scam/

FYI - Hackers disclose SQL injection of Barracuda website - Chalk up Barracuda Networks as the latest information security firm to fall victim to a cyberattack. http://www.scmagazineus.com/hackers-disclose-sql-injection-of-barracuda-website/article/200501/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Contract Issues

Business Resumption and Contingency Plans

The contract should address the service provider's responsibility for backup and record protection, including equipment, program and data files, and maintenance of disaster recovery and contingency plans. Responsibilities should include testing of the plans and providing results to the institution. The institution should consider interdependencies among service providers when determining business resumption testing requirements. The service provider should give the institution the operating procedures that both the service provider and the institution are to follow when business resumption contingency plans are invoked. Contracts should include specific provisions for business recovery timeframes that meet the institution's business requirements. The institution should ensure that the contract does not contain any provisions that would excuse the service provider from implementing its contingency plans.

Sub-contracting and Multiple Service Provider Relationships

Some service providers may contract with third-parties in providing services to the financial institution. To provide accountability, it may be beneficial for the financial institution to seek an agreement with and designate a primary contracting service provider. The institution may want to consider including a provision specifying that the contracting service provider is responsible for the service provided to the institution regardless of which entity is actually conducting the operations. The institution may also want to consider including notification and approval requirements regarding changes to the service provider’s significant subcontractors.

Cost

The contract should fully describe fees and calculations for base services, including any development, conversion, and recurring services, as well as any charges based upon volume of activity and for special requests. Cost and responsibility for purchase and maintenance of hardware and software may also need to be addressed. Any conditions under which the cost structure may be changed should be addressed in detail including limits on any cost increases.

 
INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

AUTHENTICATION - Public Key Infrastructure (Part 1 of 3)

Public key infrastructure (PKI), if properly implemented and maintained, may provide a strong means of authentication. By combining a variety of hardware components, system software, policies, practices, and standards, PKI can provide authentication, data integrity, non-repudiation (a defense against a customer later denying a transaction), and confidentiality. The system is based on public key cryptography, in which each user has a key pair: a unique electronic value called a public key and a mathematically related private key. The public key is made available to those who need to verify the user's identity; the private key is never shared.

The private key is stored on the user's computer or on a separate device such as a smart card. When the key pair is created with a strong algorithm, an adequate key size, and properly random inputs, the probability of deriving the private key from the public key is extremely remote. The private key must be stored encrypted and protected with a password or PIN so that theft of the file or device alone does not compromise it. The private key is used to create an electronic identifier called a digital signature over a message; the signature can be verified only with the corresponding public key, and any change to the signed message causes verification to fail. Because the signature identifies whoever holds the private key, it authenticates the user only for as long as that key remains under the user's exclusive control.



INTERNET PRIVACY
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

36. Does the institution use a reasonable means for delivering the notices, such as:

a. hand-delivery of a printed copy; [§9(b)(1)(i)]

b. mailing a printed copy to the last known address of the consumer; [§9(b)(1)(ii)]

c. for the consumer who conducts transactions electronically, clearly and conspicuously posting the notice on the institution's electronic site and requiring the consumer to acknowledge receipt as a necessary step to obtaining a financial product or service; [§9(b)(1)(iii)] or 

d. for isolated transactions, such as ATM transactions, posting the notice on the screen and requiring the consumer to acknowledge receipt as a necessary step to obtaining the financial product or service? [§9(b)(1)(iv)]

(Note: insufficient or unreasonable means of delivery include: exclusively oral notice, in person or by telephone; branch or office signs or generally published advertisements; and electronic mail to a customer who does not obtain products or services electronically. [§9(b)(2)(i) and (ii), and (d)])

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated