Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices. For more information visit http://www.yennik.com/it-review/.
REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
FYI - White House Releases Cybersecurity Plans - The Obama administration's legislative proposal includes critical infrastructure protection, breach notification, privacy requirements, and overhauls for internal government cybersecurity.
http://www.informationweek.com/news/government/security/229500148
FYI - ACS:Law fined for data breach - ACS:Law has been fined by the Information Commissioner's Office for failing to follow data protection law. The one-man law firm, which has since ceased trading, won infamy for using IP numbers to accuse people of illegal file-sharing. Victims received a letter offering to settle the claims rather than go to court. But ACS:Law never took anyone to court, and some judges doubted whether it ever had the legal basis to do so.
http://www.theregister.co.uk/2011/05/10/acslaw_ico_fine/
FYI - Senators call on SEC to mandate more breach reporting - Prompted by recent breaches of intellectual property belonging to U.S. corporations, federal lawmakers want the Securities and Exchange Commission (SEC) to clarify guidance around the obligation to publicly disclose these incidents to shareholders.
http://www.scmagazineus.com/senators-call-on-sec-to-mandate-more-breach-reporting/article/202689/?DCMP=EMC-SCUS_Newswire
FYI - FCC unveils cyber defense website for small businesses - The Federal Communications Commission (FCC) on Monday announced the launch of a new website designed to help small businesses protect against cyberattack.
http://www.scmagazineus.com/fcc-unveils-cyber-defense-website-for-small-businesses/article/203061/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Breach at Michaels Stores Extends Nationwide - Earlier this month, arts & crafts chain Michaels Stores disclosed that crooks had tampered with some point-of-sale devices at store registers in the Chicago area in a scheme to steal credit and debit card numbers and associated PINs. But new information on the investigation shows that many Michaels stores across the country have discovered compromised payment terminals.
http://krebsonsecurity.com/2011/05/breach-at-michaels-stores-extends-nationwide/
FYI - Man sentenced to 3 years for ATM hack scheme - Attempted heist worth $200,000 - A North Carolina man has been sentenced to three years in prison after admitting he planned to pocket as much as $200,000 by hacking into automatic teller machines.
http://www.theregister.co.uk/2011/05/09/atm_hacker_sentenced/
FYI - Teenage duo sentenced over credit card Ghostmarket - 'I will never get a job in IT,' laments hacker - Two UK teenagers received sentences for repeated hack attacks that stole credit card data and took one online webhost offline.
http://www.theregister.co.uk/2011/05/16/hacker_duo_sentenced/
FYI - Anonymous Splinter Group Implicated in Game Company Hack - The Web sites for computer game giant Eidos Interactive and one of its biggest titles - Deus Ex - were defaced and plundered on Wednesday in what appears to have been an attack from a splinter cell of the hacktivist group Anonymous.
http://krebsonsecurity.com/2011/05/anonymous-splinter-group-implicated-in-game-company-hack/
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Oversight of Service Provider
Assess Quality of Service and Support
• Regularly review reports documenting the service provider's performance. Determine if the reports are accurate and allow for a meaningful assessment of the service provider's performance.
• Document and follow up on any problem in service in a timely manner. Assess service provider plans to enhance service levels.
• Review system update procedures to ensure appropriate change controls are in effect, and ensure authorization is established for significant system changes.
• Evaluate the provider's ability to support and enhance the institution's strategic direction, including anticipated business development goals and objectives, service delivery requirements, and technology initiatives.
• Determine adequacy of training provided to financial institution employees.
• Review customer complaints on the products and services provided by the service provider.
• Periodically meet with contract parties to discuss performance and operational issues.
• Participate in user groups and other forums.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Single Sign-On
Several single sign-on protocols are in use. Those protocols allow clients to authenticate themselves once to obtain access to a range of services. An advantage of single sign-on systems is that users do not have to remember or possess multiple authentication mechanisms, potentially allowing for more complex authentication methods and fewer user-created weaknesses. Disadvantages include the broad system authorizations potentially tied to any given successful authentication, the centralization of authenticators in the single sign-on server, and potential weaknesses in the single sign-on technologies.
When single sign-on systems allow access for a single login to multiple instances of sensitive data or systems, financial institutions should employ robust authentication techniques, such as multi-factor, PKI, and biometric techniques. Financial institutions should also employ additional controls to protect the authentication server and detect attacks against the server and server communications.
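The "broad system authorizations tied to any given successful authentication" concern above can be narrowed at the protocol level: the single sign-on server mints one short-lived assertion per relying service, and each service accepts only assertions addressed to it. The following is an added illustration written for this newsletter, not code from the FFIEC booklet; it assumes a shared HMAC key between the sign-on server and its services (a PKI signature would replace it in practice) and uses a constructed demo key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the sign-on server and its relying services
# (assumption for this example; a real deployment would use per-service keys or PKI).
SSO_KEY = b"demo-sso-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_assertion(user: str, service: str, ttl: int = 300, now=None) -> str:
    """Sign-on server side: after one authentication, mint an assertion
    bound to exactly one service ("aud") and valid for only ttl seconds."""
    now = time.time() if now is None else now
    claims = {"sub": user, "aud": service, "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(SSO_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"

def verify_assertion(token: str, expected_service: str, now=None):
    """Relying service side: return the user name only for an untampered,
    unexpired assertion that was issued for this particular service."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".", 1)
        given_tag = _unb64(tag)
    except ValueError:  # malformed token or bad base64 (binascii.Error is a ValueError)
        return None
    expected_tag = hmac.new(SSO_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, given_tag):  # forged or altered assertion
        return None
    claims = json.loads(_unb64(body))
    if claims.get("aud") != expected_service:  # one login does not unlock every service
        return None
    if not (claims["iat"] <= now < claims["exp"]):  # bound the window for replay
        return None
    return claims["sub"]
```

A stolen assertion for one service is therefore useless against another, and expires within minutes, which limits what a compromise of one session or one service can reach.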
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
41. Does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as permitted under §§13-15, unless:
a. it has provided the consumer with an initial notice; [§10(a)(1)(i)]
b. it has provided the consumer with an opt out notice; [§10(a)(1)(ii)]
c. it has given the consumer a reasonable opportunity to opt out before the disclosure; [§10(a)(1)(iii)] and
d. the consumer has not opted out? [§10(a)(1)(iv)]
(Note: this disclosure limitation applies to consumers as well as to customers [§10(b)(1)], and to all nonpublic personal information regardless of whether collected before or after receiving an opt out direction. [§10(b)(2)])