R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

June 12, 2011

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - HHS Proposes Changes To HIPAA Privacy Rule - Individuals would know who accessed their e-health information as well as details about the data disclosed. The U.S. Dept. of Health and Human Services has proposed changes to the Health Insurance Portability and Accountability Act privacy rule that would provide individuals with more details about who accessed their electronic health information and disclosures of the e-health data. http://www.informationweek.com/news/healthcare/policy/229700217

FYI - Is sharing a log-in a criminal act? - Tennessee lawmakers have passed a bill that would make sharing log-in information, including usernames and passwords, illegal within the state's borders. http://news.cnet.com/8301-13506_3-20068233-17.html?tag=mncol;title

FYI - Homeland Security Releases FISMA Compliance Metrics - The Obama administration, by focusing on continuous monitoring, comes closer to assessing the thoroughness of federal agencies' cybersecurity efforts, says SANS Institute. http://www.informationweek.com/news/government/security/230100013

FYI - Good passwords are no joke - And given that the static password is a flawed authentication mechanism that should, according to most expert opinion, have been quietly euthanized decades ago, it might seem strange that so much of that attention, at least in terms of informational writing, has been about improving password practice. http://www.scmagazineus.com/good-passwords-are-no-joke/article/204675/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Lockheed admits to hack that may portend more breaches - Lockheed Martin released a statement over the weekend admitting that its network was breached by sophisticated adversaries, but the company said no assets were compromised. http://www.scmagazineus.com/lockheed-admits-to-hack-that-may-portend-more-breaches/article/204205/

FYI - Google Disrupts Chinese Spear-Phishing Attack on Senior U.S. Officials - Google says it’s shut down a well-crafted social engineering attack on Gmail users that targeted the personal accounts of “senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.” http://www.wired.com/threatlevel/2011/06/gmail-hack/

FYI - Honda Data Breach Triggers Lawsuit - The class action suit accuses Honda of putting 283,000 customers at risk, in part by waiting two months to inform them of the data exposure. Beware storing outdated customer data on websites. Honda Canada is learning that lesson the hard way, after a March breach in which 283,000 customers' details were exposed. http://www.informationweek.com/news/security/attacks/229700261

FYI - Hacker group raids Sony Pictures in latest breach - Fresh off the successful infiltration and defacement of the PBS website, the hacktivist collective known as LulzSec said Thursday that it has compromised the personal information of more than one million users of SonyPictures.com.
http://www.scmagazineus.com/hacker-group-raids-sony-pictures-in-latest-breach/article/204379/?DCMP=EMC-SCUS_Newswire
http://www.informationweek.com/news/security/attacks/229900111

FYI - RSA confirms Lockheed hack linked to SecurID breach - Security giant RSA has confirmed that hackers leveraged stolen information about its SecurID two-factor authentication offerings in a recent attack on U.S. defense contractor Lockheed Martin. http://www.scmagazineus.com/rsa-confirms-lockheed-hack-linked-to-securid-breach/article/204744/?DCMP=EMC-SCUS_Newswire

FYI - Hacker group LulzSec targets FBI partner InfraGard - On the heels of successful infiltrations at PBS and Sony, a vigilante hacker collective, known as LulzSec, has compromised the website of the Atlanta chapter of InfraGard, an FBI partner organization. http://www.scmagazineus.com/hacker-group-lulzsec-targets-fbi-partner-infragard/article/204626/?DCMP=EMC-SCUS_Newswire

FYI - Citibank admits customers' data was hacked - Citibank has confirmed that the names, account numbers and contact information of hundreds of thousands of customers have been stolen in a hacking attack. http://www.tgdaily.com/security-features/56506-citibank-admits-customers-data-was-hacked?quicktabs_1=0


WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 2 of 10)

A. RISK DISCUSSION

Introduction

Compliance risk arises when the linked third party acts in a manner that does not conform to regulatory requirements. For example, compliance risk could arise from the inappropriate release or use of shared customer information by the linked third party. Compliance risk also arises when the link to a third party creates or affects compliance obligations of the financial institution.

Financial institutions with weblinking relationships are also exposed to other risks associated with the use of technology, as well as certain risks specific to the products and services provided by the linked third parties. The amount of risk exposure depends on several factors, including the nature of the link.

Any link to a third-party website creates some risk exposure for an institution. This guidance applies to links to affiliated, as well as non-affiliated, third parties. A link to a third-party website that provides a customer only with information usually does not create a significant risk exposure if the information being provided is relatively innocuous, for example, weather reports. Alternatively, if the linked third party is providing information or advice related to financial planning, investments, or other more substantial topics, the risks may be greater. Links to websites that enable the customer to interact with the third party, either by eliciting confidential information from the user or allowing the user to purchase a product or service, may expose the insured financial institution to more risk than those that do not have such features.

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Network security requires effective implementation of several control mechanisms to adequately secure access to systems and data. Financial institutions must evaluate and appropriately implement those controls relative to the complexity of their network.  Many institutions have increasingly complex and dynamic networks stemming from the growth of distributed computing.

Security personnel and network administrators have related but distinct responsibilities for ensuring secure network access across a diverse deployment of interconnecting network servers, file servers, routers, gateways, and local and remote client workstations.  Security personnel typically lead or assist in the development of policies, standards, and procedures, and monitor compliance. They also lead or assist in incident-response efforts.  Network administrators implement the policies, standards, and procedures in their day-to-day operational role.

Internally, networks can host or provide centralized access to mission-critical applications and information, making secure access an organizational priority. Externally, networks integrate institution and third-party applications that grant customers and insiders access to their financial information and Web-based services. Financial institutions that fail to restrict access properly expose themselves to increased transaction, reputation, and compliance risk from threats including the theft of customer information, data alteration, system misuse, or denial-of-service attacks.

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

44.  If the institution receives information from a nonaffiliated financial institution under an exception in §14 or §15, does the institution refrain from using or disclosing the information except:

a.  to disclose the information to the affiliates of the financial institution from which it received the information; [§11(a)(1)(i)]

b.  to disclose the information to its own affiliates, which are in turn limited by the same disclosure and use restrictions as the recipient institution; [§11(a)(1)(ii)] and

c.  to disclose and use the information pursuant to an exception in §14 or §15 in the ordinary course of business to carry out the activity covered by the exception under which the information was received? [§11(a)(1)(iii)]

(Note: the disclosure or use described in section c of this question need not be directly related to the activity covered by the applicable exception. For instance, an institution receiving information for fraud-prevention purposes could provide the information to its auditors. But "in the ordinary course of business" does not include marketing. [§11(a)(2)])

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated