Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices. For more information visit http://www.yennik.com/it-review/.
REMINDER - This newsletter is available for Android smartphones and tablets. Go to the Market Store and search for yennik.
FYI - Shortage of skilled cyber specialists fuels debate over pay - The White House, Congress, academia and industry seem to be in rare agreement that the shortage of government cybersecurity specialists is a national security threat, but no one seems to agree which cyber jobs are the most needed -- and therefore should garner the highest salaries.
http://www.nextgov.com/nextgov/ng_20110418_2791.php
FYI - Controversial internet piracy bill becomes law - The Copyright (Infringing File Sharing) Amendment Bill has today been passed, despite strong opposition from the Green Party and independent MPs, and an internet campaign against the bill.
http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=10719201
FYI - US Needs Cyber-emergency Response, Lawmaker Says - The U.S. needs a cybersecurity emergency response capability to help businesses under major attacks, a U.S. senator said Monday.
http://www.pcworld.com/businesscenter/article/224874/us_needs_cyberemergency_response_lawmaker_says.html
FYI - New report finds most applications don't pass security tests - A new report issued on Tuesday by security firm Veracode paints a grim picture of the amount of protection built into application software.
http://www.scmagazineus.com/new-report-finds-most-applications-dont-pass-security-tests/article/201029/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Hackers gain root access to WordPress servers - Hackers have compromised several servers that support WordPress and may have obtained source code, according to the founding developer of Automattic, the company behind the popular blogging platform.
http://www.computerworld.com/s/article/9215809/Hackers_gain_root_access_to_WordPress_servers?taxonomyId=17
FYI - Hacker breaks into Barracuda Networks database - A hacker has broken into a Barracuda Networks database and obtained names and e-mail addresses of some of the security company's employees, channel partners and sales leads.
http://www.computerworld.com/s/article/9215723/Hacker_breaks_into_Barracuda_Networks_database?taxonomyId=82
FYI - Justice vigilante sentenced for DDoS attacks - Two years for taking out sites chronicling steamy affair - A computer programmer was sentenced to two years in prison for unleashing crippling attacks on rollingstone.com and other news websites that published humiliating accounts of an adulterous online affair he pursued with a fictitious woman.
http://www.theregister.co.uk/2011/04/15/bruce_raisley_sentencing/
FYI - Serial hacker admits breaching Federal Reserve computers - Faces 10 years in slammer - A Malaysian national has admitted hacking a computer network operated by the US Federal Reserve Bank and possessing stolen payment card data.
http://www.theregister.co.uk/2011/04/14/federal_research_hacker_guilty/
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Ownership and License
The contract should address ownership and allowable use by the
service provider of the institution’s data, equipment/hardware,
system documentation, system and application software, and other
intellectual property rights. Other intellectual property rights may
include the institution’s name and logo; its trademark or
copyrighted material; domain names; web site designs; and other
work products developed by the service provider for the institution.
The contract should not contain unnecessary limitations on the
return of items owned by the institution. Institutions that purchase
software should consider establishing escrow agreements. These
escrow agreements may provide for the following: institution access
to source programs under certain conditions (e.g., insolvency of the
vendor), documentation of programming and systems, and verification
of updated source code.
Duration
Institutions should consider the type of technology and current
state of the industry when negotiating the appropriate length of the
contract and its renewal periods. While there can be benefits to
long-term technology contracts, certain technologies may be subject
to rapid change and a shorter-term contract may prove beneficial.
Similarly, institutions should consider the appropriate length of
time required to notify the service provider of the institutions’
intent not to renew the contract prior to expiration. Institutions
should consider coordinating the expiration dates of contracts for
inter-related services (e.g., web site, telecommunications,
programming, network support) so that they coincide, where
practical. Such coordination can minimize the risk of terminating a
contract early and incurring penalties as a result of necessary
termination of another related service contract.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 2 of 3)
The certificate authority (CA), which may be the financial
institution or its service provider, plays a key role by attesting
with a digital certificate that a particular public key and the
corresponding private key belong to a specific user or system. When
a digital certificate is issued, it is important that the
registration process for initially verifying the identity of the
user is adequately controlled: the certificate is only as
trustworthy as that identity check. The CA attests to the user's
identity by signing the digital certificate with its own private
key (the root key when the CA is itself the trust anchor; in a
hierarchy, an issuing CA's key that in turn chains back to the
root). Each time the user establishes a communication link with the
financial institution's systems, the user's software signs a
challenge or the transaction with the private key and transmits
that digital signature together with the digital certificate. From
these electronic credentials the institution can determine that the
digital certificate is valid (signed by a CA it trusts, within its
validity period and not revoked), identify the individual as a
user, and confirm that transactions entered into the institution's
computer system were signed with that user's key.
The user's private key exists electronically and, unless it is held
in a smart card, hardware token or similar store that does not allow
export, is susceptible to being copied over a network as easily as
any other electronic file. If it is lost or copied, the user can no
longer be assured that messages encrypted to the corresponding
public key will remain private or that fraudulent or erroneous
transactions will not be signed in the user's name. User AUPs and
training should emphasize the importance of safeguarding a private
key and promptly reporting its compromise so that the certificate
can be revoked.
PKI minimizes many of the vulnerabilities associated with passwords
because it does not rely on shared secrets to authenticate
customers, its electronic credentials are difficult to forge, and
user credentials cannot be stolen from a central server: the
institution holds only public keys and certificates, so a breach of
its authentication database yields nothing an attacker can use to
impersonate a user. The secret instead lives on the user's device,
which is why protection of the private key, discussed above, matters.
The primary drawback of a PKI authentication system is that it is
more complicated and costly to implement than user names and
passwords. Whether the financial institution acts as its own CA or
relies on a third party, the institution should ensure its
certificate issuance and revocation policies and the other controls
discussed in the remainder of this series are followed.
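The flow described above (the CA signs the user's certificate; the user signs with the private key and sends the signature together with the certificate; the institution checks the certificate and then the signature) as an added example in Go using only the standard library. This is illustration written for this page, not code from the FFIEC booklet or from the newsletter. The CA name, user name, serial numbers and transaction text are constructed, and the revocation list is an in-memory map standing in for a real CRL or OCSP lookup. It also exercises the two failure modes the text raises: a certificate not issued by the institution's CA, and a key the user has reported compromised.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panics so the setup steps stay short; production code returns the error
	if err != nil {
		panic(err)
	}
	return v
}

// template: name, serial number and a 24-hour validity window; callers add key usage.
func template(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// newCA creates the CA key pair (the "root key" of the text) and its self-signed certificate.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := template(name, 1)
	t.KeyUsage, t.BasicConstraintsValid, t.IsCA = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, true, true
	der := must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issueUserCert is the registration step: the CA signs a certificate (DER) binding pub to the user's name.
func issueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, pub *ecdsa.PublicKey, serial int64) []byte {
	t := template(user, serial)
	t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return must(x509.CreateCertificate(rand.Reader, t, ca, pub, caKey))
}

// signTransaction is the user's side: sign the transaction with the private key only the user holds.
func signTransaction(priv *ecdsa.PrivateKey, txn []byte) []byte {
	h := sha256.Sum256(txn) // a real protocol also binds a fresh server nonce into this hash
	return must(ecdsa.SignASN1(rand.Reader, priv, h[:]))
}

// authenticate is the institution's side: the certificate must chain to the trusted CA and be
// within its validity period, must not be revoked, and sig must verify under the certified key.
func authenticate(roots *x509.CertPool, revoked map[string]bool, certDER, txn, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err = cert.Verify(opts); err != nil {
		return "", err // unknown issuer, expired, or wrong key usage
	}
	if revoked[cert.SerialNumber.String()] {
		return "", fmt.Errorf("certificate %s is revoked", cert.SerialNumber)
	}
	if err = cert.CheckSignature(x509.ECDSAWithSHA256, txn, sig); err != nil { // SHA-256 over txn, verified with the certified key
		return "", err
	}
	return cert.Subject.CommonName, nil // the identity the CA certified, not one the client claimed
}

// RunScenario: enrollment, a genuine login, an untrusted-CA impersonation, tampering, and revocation.
func RunScenario() (user string, genuineErr, rogueErr, tamperErr, revokedErr error) {
	ca, caKey := newCA("Example Bank Customer CA")           // assumed CA name
	roots, revoked := x509.NewCertPool(), map[string]bool{} // revoked: in-memory stand-in for CRL/OCSP
	roots.AddCert(ca)
	aliceKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	aliceCert := issueUserCert(ca, caKey, "alice", &aliceKey.PublicKey, 1001)
	txn := []byte("transfer 250.00 from 123456 to 987654") // constructed sample transaction
	sig := signTransaction(aliceKey, txn)
	user, genuineErr = authenticate(roots, revoked, aliceCert, txn, sig)
	// An attacker's own CA issues a well-formed certificate naming "alice"; it does not chain to our root.
	rogueCA, rogueKey := newCA("Rogue CA")
	malKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rogueCert := issueUserCert(rogueCA, rogueKey, "alice", &malKey.PublicKey, 7)
	_, rogueErr = authenticate(roots, revoked, rogueCert, txn, signTransaction(malKey, txn))
	// The amount is altered after signing: the signature no longer verifies.
	_, tamperErr = authenticate(roots, revoked, aliceCert, []byte("transfer 2500.00 from 123456 to 987654"), sig)
	// alice reports her private key compromised and the CA revokes serial 1001.
	revoked["1001"] = true
	_, revokedErr = authenticate(roots, revoked, aliceCert, txn, sig)
	return
}

func main() {
	fmt.Println(RunScenario())
}
```

The point worth noticing is the order of checks in authenticate: the certificate is tied back to the trusted CA before the signature is examined, so a certificate that merely names a valid customer but was issued elsewhere never reaches the signature check, and the name returned is the one the CA certified rather than anything the client supplied. Revocation is checked between those two steps, which is why the reporting duty in the preceding paragraph matters: until the CA revokes the serial, a copied key still authenticates.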
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
37. For annual notices only, if the institution does not employ one
of the methods described in question 36, does the institution employ
one of the following reasonable means of delivering the notice such
as:
a. for the customer who uses the institution's web site to access
products and services electronically and who agrees to receive
notices at the web site, continuously posting the current privacy
notice on the web site in a clear and conspicuous manner; [§9(c)(1)]
or
b. for the customer who has requested the institution refrain from
sending any information about the customer relationship, making
copies of the current privacy notice available upon customer
request? [§9(c)(2)]