Spending less than 5 minutes a week along with a cup of coffee, you can
monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA,
NIST, GLBA, HIPAA, and IT best practices. For more information visit
http://www.yennik.com/it-review/.
REMINDER - This newsletter is available for Android smart phones and
tablets. Go to the Market Store and search for yennik.
FYI
- Air Force Says Drone Virus Is No Threat - An attack on the network
that controls U.S. military unmanned aerial vehicles was only a
"nuisance," military arm claims. A virus that attacked the system
that controls U.S. military drones was never an operational threat,
but merely a "nuisance," the Air Force said late Wednesday.
http://www.informationweek.com/news/government/security/231900741
FYI
- Duo Who Sold Lost iPhone 4 Prototype Sentenced to Probation - Two
young men involved in the sale of an iPhone 4 prototype found in a
Silicon Valley bar last year pleaded no contest to misdemeanor
charges of theft Tuesday, putting an end to the drawn-out drama.
http://www.wired.com/threatlevel/2011/10/brian-hogan-sentenced/
FYI
- SEC Mandates Cyber Incident Reporting - Securities and Exchange
Commission issues its first guidance for how and when companies
should report cybersecurity or other incidents that pose a cyber
risk. The Securities and Exchange Commission (SEC) has issued its
first official guidance for how companies should report
cybersecurity incidents that could have a negative impact on
operations or their financial status.
http://www.informationweek.com/news/government/policy/231900861
FYI
- Judge OKs warrantless tracking of suspect's cellphone -
Surveillance in the digital age - Investigators seeking the location
history of an armed robbery suspect's cellphone aren't required to
obtain a search warrant before compelling the carrier to turn over
the information, a federal judge has ruled.
http://www.theregister.co.uk/2011/10/15/warrantless_cellphone_tracking_ok/
FYI
- U.S. Considered Hacking Libya’s Air Defense to Disable Radar -
Officials in the Obama administration considered launching a cyber
offensive against Libya’s computer networks last March as part of
the NATO-led air strikes against the Qaddafi regime.
http://www.wired.com/threatlevel/2011/10/us-considered-hacking-libya/
FYI
- GAO - Federal Chief Information Officers: Opportunities Exist to
Improve Role in Information Technology Management.
Release -
http://www.gao.gov/products/GAO-11-634
Highlights -
http://www.gao.gov/highlights/d11634high.pdf
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- More Than 93,000 Sony Customers Affected in New Breach - Sony
announced on Tuesday that hackers broke into the accounts of more
than 93,000 customers by trying to log in to Sony using a large list
of usernames and passwords.
http://www.wired.com/threatlevel/2011/10/93000-sony-accounts-breached/
FYI
- Arrest made in Hollywood hacking probe - The FBI has arrested and
charged a Florida man in a probe of email hacking that targeted
Hollywood celebrities, US law enforcement officials say.
http://www.bbc.co.uk/news/entertainment-arts-15277900
FYI
- Defense industry body target of cyber-attack - A cyber-attack was
launched on an organization of defense contractors in an attempt to
steal confidential information on the nation's defense industry,
according to sources.
http://www.yomiuri.co.jp/dy/national/T111015002242.htm
FYI
- An Air Force veteran of the first Iraq war and a military spouse
and her two children have hit the Defense Department with a class
action lawsuit seeking $4.9 billion in damages from the theft of a
computer tape containing personal and sensitive health information
from the car of an employee.
http://www.nextgov.com/nextgov/ng_20111013_6702.php?oref=topnews
FYI
- U.S. agency admits massive data breach - The U.S. government
failed to tell nearly 32,000 people their Social Security numbers
were inadvertently published in an electronic database, documents
show.
http://www.upi.com/Top_News/US/2011/10/14/US-agency-admits-massive-data-breach/UPI-68761318609840/?spt=hs&or=tn
FYI
- Hackers take over "Sesame Street" YouTube station - Big Bird,
Oscar the Grouch and Elmo briefly were replaced on Sunday by guests
not welcome on Sesame Street.
http://www.scmagazineus.com/porn-hackers-take-over-sesame-street-youtube-station/article/214614/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
Truth in Lending Act (Regulation Z)
The commentary to regulation Z was amended recently to clarify that
periodic statements for open-end credit accounts may be provided
electronically, for example, via remote access devices. The
regulations state that financial institutions may permit customers
to call for their periodic statements, but may not require them to
do so. If the customer wishes to pick up the statement and the plan
has a grace period for payment without imposition of finance
charges, the statement, including a statement provided by electronic
means, must be made available in accordance with the "14-day rule,"
requiring mailing or delivery of the statement not later than 14
days before the end of the grace period.
Provisions pertaining to advertising of credit products should be
carefully applied to an on-line system to ensure compliance with the
regulation. Financial institutions advertising open-end or
closed-end credit products on-line have options. Financial
institutions should ensure that on-line advertising complies with
the regulations. For on-line advertisements that may be deemed to
contain more than a single page, financial institutions should
comply with the regulations, which describe the requirements for
multiple-page advertisements.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - APPLICATION ACCESS (Part 2 of 2)
Institution management should consider a number of issues regarding
application-access control. Many of these issues could also apply to
oversight of operating system access:
! Implementing a robust authentication method consistent with the
criticality and sensitivity of the application. Historically, the
majority of applications have relied solely on user IDs and
passwords, but increasingly applications are using other forms of
authentication. Multi-factor authentication, such as token and PKI-based
systems coupled with a robust enrollment process, can reduce the
potential for unauthorized access.
! Maintaining consistent processes for assigning new user access,
changing existing user access, and promptly removing access to
departing employees.
! Communicating and enforcing the responsibilities of programmers
(including TSPs and vendors), security administrators, and business
line owners for maintaining effective application-access control.
Business line managers are responsible for the security and privacy
of the information within their units. They are in the best position
to judge the legitimate access needs of their area and should be
held accountable for doing so. However, they require support in the
form of adequate security capabilities provided by the programmers
or vendor and adequate direction and support from security
administrators.
! Monitoring existing access rights to applications to help ensure
that users have the minimum access required for the current business
need. Typically, business application owners must assume
responsibility for determining the access rights assigned to their
staff within the bounds of the AUP. Regardless of the process for
assigning access, business application owners should periodically
review and approve the application access assigned to their staff.
! Setting time-of-day or terminal limitations for some applications
or for the more sensitive functions within an application. The
nature of some applications requires limiting the location and
number of workstations with access. These restrictions can support
the implementation of tighter physical access controls.
! Logging access and events.
! Easing the administrative burden of managing access rights by
utilizing software that supports group profiles. Some financial
institutions manage access rights individually, and it often leads to
inappropriate access levels. By grouping employees with similar
access requirements under a common access profile (e.g., tellers,
loan operations, etc.), business application owners and security
administrators can better assign and oversee access rights. For
example, a teller performing a two-week rotation as a proof operator
does not need year-round access to perform both jobs. With group
profiles, security administrators can quickly reassign the employee
from a teller profile to a proof operator profile. Note that group
profiles are used only to manage access rights; accountability for
system use is maintained through individuals being assigned their own
unique identifiers and authenticators.
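As an added illustration (not from the FFIEC booklet or this newsletter) of the group-profile, time-of-day/terminal and logging points above, the following Python sketch ties each unique user ID to one profile, logs every access decision, and moves a teller to a proof operator profile for a rotation; the profile names, rights, terminals, hours and user are constructed.

```python
# Constructed group profiles: the rights each grants, the hours (24h, start
# inclusive, end exclusive) and the workstations from which it may be used.
PROFILES = {
    "teller": {"rights": {"cash_in", "cash_out", "balance_inquiry"},
               "hours": (8, 18), "terminals": {"BR1-T01", "BR1-T02"}},
    "proof_operator": {"rights": {"item_capture", "batch_balance"},
                       "hours": (6, 20), "terminals": {"OPS-P01"}},
}

# Each user has a unique identifier and exactly one profile at a time;
# accountability stays with the user ID, the profile only carries rights.
users = {"jdoe": "teller"}
access_log = []  # one tuple per decision or profile change (constructed format)


def reassign(user_id, profile):
    """Move a user to another group profile, e.g. for a two-week rotation."""
    if profile not in PROFILES:
        raise ValueError(f"unknown profile: {profile}")
    access_log.append(("reassign", user_id, users.get(user_id), profile))
    users[user_id] = profile


def check_access(user_id, right, terminal, hour):
    """Return True if the request is allowed by the user's current profile.

    Every decision is logged, denied ones included, so the log supports
    both accountability and later review of access patterns.
    """
    profile = PROFILES.get(users.get(user_id))
    allowed = (profile is not None
               and right in profile["rights"]
               and terminal in profile["terminals"]
               and profile["hours"][0] <= hour < profile["hours"][1])
    access_log.append(("access", user_id, right, terminal, hour, allowed))
    return allowed


def excess_rights(user_id, rights_used):
    """Periodic-review helper: rights the profile grants that the user
    never exercised, candidates for a tighter profile or a denial."""
    profile = PROFILES.get(users.get(user_id))
    return set() if profile is None else profile["rights"] - set(rights_used)
```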
INTERNET PRIVACY -
We continue our series listing
the regulatory-privacy examination questions. When you answer the
question each week, you will help ensure compliance with the privacy
regulations.
Financial Institution Duties (Part 6 of 6)
Redisclosure and Reuse Limitations on Nonpublic Personal
Information Received:
If a financial institution receives nonpublic personal
information from a nonaffiliated financial institution, its
disclosure and use of the information is limited.
A) For nonpublic personal information received under a section 14
or 15 exception, the financial institution is limited to:
1) Disclosing the information to the affiliates of the
financial institution from which it received the information;
2) Disclosing the information to its own affiliates, who may,
in turn, disclose and use the information only to the extent that
the financial institution can do so; and
3) Disclosing and using the information pursuant to a section
14 or 15 exception (for example, an institution receiving
information for account processing could disclose the information to
its auditors).
B) For nonpublic personal information received other than under a
section 14 or 15 exception, the recipient's use of the information
is unlimited, but its disclosure of the information is limited to:
1) Disclosing the information to the affiliates of the
financial institution from which it received the information;
2) Disclosing the information to its own affiliates, who may,
in turn, disclose the information only to the extent that the
financial institution can do so; and
3) Disclosing the information to any other person, if the
disclosure would be lawful if made directly to that person by the
financial institution from which it received the information. For
example, an institution that received a customer list from another
financial institution could disclose the list (1) in accordance with
the privacy policy of the financial institution that provided the
list, (2) subject to any opt out election or revocation by the
consumers on the list, and (3) in accordance with appropriate
exceptions under sections 14 and 15.