R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 30, 2011

CONTENTS: Internet Compliance; Information Systems Security / IT Security; Internet Privacy; Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for Android smart phones and tablets.  Go to the Android Market and search for yennik.

FYI - Weatherford Named DHS Cybersec Leader - Mark Weatherford, the former chief information security officer of California and Colorado, will be the new Department of Homeland Security deputy undersecretary for cybersecurity for the National Protection and Programs Directorate. http://www.govinfosecurity.com/articles.php?art_id=4173

FYI - Anonymous Interested in Hacking Nation’s Infrastructure - The hacker collective known as Anonymous has expressed interest in hacking industrial systems that control critical infrastructures, such as gas and oil pipelines, chemical plants and water and sewage treatment facilities, according to a Department of Homeland Security bulletin. http://www.wired.com/threatlevel/2011/10/hacking-industrial-systems/

FYI - Diplomat Loses Top Secret Clearance for Linking to WikiLeaks - A veteran U.S. State Department foreign service officer lost his security clearance and diplomatic passport this week while the department investigates him over linking to a WikiLeaks document on his blog and publishing a book critical of the government. http://www.wired.com/threatlevel/2011/10/diplomat-loses-security-clearance/

FYI - Who Else Was Hit by the RSA Attackers? - The data breach disclosed in March by security firm RSA received worldwide attention because it highlighted the challenges that organizations face in detecting and blocking intrusions from targeted cyber attacks. The subtext of the story was that if this could happen to one of the largest and most integral security firms, what hope was there for organizations that aren’t focused on security? https://krebsonsecurity.com/2011/10/who-else-was-hit-by-the-rsa-attackers/

FYI - XML Encryption Flaw Leaves Web Services Vulnerable - Apache, Red Hat, IBM, Microsoft, and other major XML framework providers will need to adopt new standard, say German researchers who found the flaw. Watch your Web Services: the official XML Encryption Syntax and Processing standard can be broken. http://www.informationweek.com/news/security/vulnerabilities/231901532

FYI - FCC warns retailers to stop selling signal-jamming devices - The Federal Communications Commission has issued warnings to 20 online retailers to stop selling illegal signal-jamming devices, including mobile phone, GPS and Wi-Fi jammers. http://www.computerworld.com/s/article/359439/FCC_to_Retailers_Stop_Selling_Phone_Jammers?taxonomyId=17 

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Fund manager withdraws legal threat over security vuln - First State Super, the company that called the police and fired off legal threats when a security researcher notified it of vulnerabilities in its online funds management application, is reportedly softening its stance. http://www.theregister.co.uk/2011/10/19/first_state_super_tones_it_down/

FYI - Social Security agency leaks thousands of SSNs every year, report says - More than 400K SSNs may have leaked in last 30 years - The Social Security Administration (SSA) puts thousands of Americans at risk of identity theft each year by accidentally leaking their Social Security Numbers, names and dates of birth, according to an investigative report. http://www.computerworld.com/s/article/9220861/Social_Security_agency_leaks_thousands_of_SSNs_every_year_report_says


WEB SITE COMPLIANCE - Advertisements

Generally, Internet web sites are considered advertising by the regulatory agencies. In some cases, the regulations contain special rules for multiple-page advertisements. It is not yet clear what would constitute a single "page" in the context of the Internet or on-line text. Thus, institutions should carefully review their on-line advertisements in an effort to minimize compliance risk.

In addition, Internet or other systems in which a credit application can be made on-line may be considered "places of business" under HUD's rules prescribing lobby notices. Thus, institutions may want to consider including the "lobby notice," particularly in the case of interactive systems that accept applications.


 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - REMOTE ACCESS


Many financial institutions use modems, remote-access servers (RAS), and VPNs to provide remote access into their systems or to allow remote access out of their systems. Remote access can support mobile users through wireless, Internet, or dial-in capabilities. In some cases, modem access is required periodically by vendors to make emergency program fixes or to support a system.

Remote access to a financial institution's systems provides an attacker with the opportunity to remotely attack the systems either individually or in groups. Accordingly, management should establish policies restricting remote access and be aware of all remote access devices attached to their systems. These devices should be strictly controlled. Good controls for remote access include the following actions:

- Disallow remote access by policy and practice unless a compelling business justification exists.
- Disable remote access at the operating system level if a business need for such access does not exist.
- Require management approval for remote access.
- Require an operator to leave the modems unplugged or disabled by default, to enable modems only for specific, authorized external requests, and to disable the modem immediately when the requested purpose is completed.
- Configure modems not to answer inbound calls, if modems are for outbound use only.
- Use automated callback features so the modems only call one number (although this is subject to call-forwarding schemes).
- Install a modem bank where the outside number to the modems uses a different prefix than internal numbers and does not respond to incoming calls.
- Log and monitor the date, time, user, user location, duration, and purpose for all remote access.
- Require a two-factor authentication process for all remote access (e.g., PIN-based token card with a one-time random password generator).
- Implement controls consistent with the sensitivity of remote use (e.g., remote system administration requires strict controls and oversight, including encrypting the authentication and log-in process).
- Appropriately patch and maintain all remote access software.
- Use trusted, secure access devices.
- Use remote-access servers (RAS) to centralize modem and Internet access, to provide a consistent authentication process, and to subject the inbound and outbound network traffic to firewalls.
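The logging, management-approval, two-factor and device-inventory controls above are only useful if someone actually checks the remote-access records against them. The script below is an added example of that check, written for this newsletter and not taken from the FFIEC booklet or any vendor product. It assumes a hypothetical key=value session-log format, a hypothetical inventory of approved devices, a hypothetical table of management approvals (user to approved purpose), and a hypothetical 120-minute session limit; the four log records are constructed for the example.

```python
"""Check remote-access session records against the controls listed above:
every session must be logged with user, source, device, duration and purpose,
must have used two-factor authentication, must come through an inventoried
device, and must map to a management-approved purpose."""
from datetime import datetime

# Constructed sample records in a hypothetical key=value format; not real logs.
SAMPLE_LOG = """\
ts=2011-10-24T09:12:03 user=jdoe src=203.0.113.7 device=vpn-gw1 mfa=yes dur=45 purpose=ticket-4821
ts=2011-10-24T22:40:11 user=vendor-acme src=198.51.100.22 device=modem-3 mfa=no dur=240 purpose=emergency-fix
ts=2011-10-25T03:05:44 user=admin src=192.0.2.99 device=vpn-gw1 mfa=yes dur=20 purpose=
ts=2011-10-25T10:00:00 user=jdoe src=203.0.113.7 device=rogue-modem mfa=yes dur=15 purpose=ticket-4822
"""

# Hypothetical inventory of the remote-access devices management knows about.
APPROVED_DEVICES = {"vpn-gw1", "modem-3"}
# Hypothetical management approvals: user -> purposes that user may connect for.
APPROVALS = {
    "jdoe": {"ticket-4821", "ticket-4822"},
    "vendor-acme": {"emergency-fix"},
}
# Hypothetical policy limit on a single remote session, in minutes.
MAX_SESSION_MINUTES = 120
REQUIRED_FIELDS = ("ts", "user", "src", "device", "mfa", "dur", "purpose")


def parse_record(line):
    """Turn one 'key=value key=value' line into a dict; None for a blank line."""
    line = line.strip()
    if not line:
        return None
    rec = dict(token.split("=", 1) for token in line.split())
    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    if missing:
        # A record that omits a required field is itself a logging failure.
        raise ValueError("record missing fields %s: %r" % (missing, line))
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dur"] = int(rec["dur"])
    return rec


def audit_record(rec):
    """Return the list of control violations for a single session record."""
    findings = []
    if rec["mfa"] != "yes":
        findings.append("mfa_missing")          # two-factor required for all remote access
    if rec["device"] not in APPROVED_DEVICES:
        findings.append("unknown_device")       # device not in management's inventory
    if not rec["purpose"]:
        findings.append("no_purpose")           # purpose must be logged for every session
    elif rec["purpose"] not in APPROVALS.get(rec["user"], set()):
        findings.append("unapproved_purpose")   # no management approval on file
    if rec["dur"] > MAX_SESSION_MINUTES:
        findings.append("session_too_long")     # access left enabled after the task
    return findings


def audit_log(text):
    """Audit every record in the log; returns (ts, user, finding) tuples."""
    results = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        for finding in audit_record(rec):
            results.append((rec["ts"].isoformat(), rec["user"], finding))
    return results


def summarize(results):
    """Count findings by type, for the periodic monitoring report."""
    counts = {}
    for _, _, finding in results:
        counts[finding] = counts.get(finding, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, user, finding in audit_log(SAMPLE_LOG):
        print(ts, user, finding)
```

Run as-is, the script prints one line per violation: the vendor session without a token and left open for four hours, the administrative session with no recorded purpose, and the session through a modem that is not in the inventory. In practice the input would be the RAS or VPN server's own session log and the approval table would come from the change-control system, but the checks are the same.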



INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Other Matters

Fair Credit Reporting Act

The regulations do not modify, limit, or supersede the operation of the Fair Credit Reporting Act.

State Law

The regulations do not supersede, alter, or affect any state statute, regulation, order, or interpretation, except to the extent that it is inconsistent with the regulations. A state statute, regulation, order, etc. is consistent with the regulations if the protection it affords any consumer is greater than the protection provided under the regulations, as determined by the FTC.

Grandfathered Service Contracts

Contracts that a financial institution has entered into, on or before July 1, 2000, with a nonaffiliated third party to perform services for the financial institution or functions on its behalf, as described in section 13, will satisfy the confidentiality requirements of section 13(a)(1)(ii) until July 1, 2002, even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal information.

Guidelines Regarding Protecting Customer Information

The regulations require a financial institution to disclose its policies and practices for protecting the confidentiality, security, and integrity of nonpublic personal information about consumers (whether or not they are customers). The disclosure need not describe these policies and practices in detail, but instead may describe in general terms who is authorized to have access to the information and whether the institution has security practices and procedures in place to ensure the confidentiality of the information in accordance with the institution's policies.

The four federal bank and thrift regulators have published guidelines, pursuant to section 501(b) of the Gramm-Leach-Bliley Act, that address steps a financial institution should take in order to protect customer information. The guidelines relate only to information about customers, rather than all consumers. Compliance examiners should consider the findings of a 501(b) inspection during the compliance examination of a financial institution for purposes of evaluating the accuracy of the institution's disclosure regarding data security.

Next week we will start covering the examination objectives.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW - The Weekly IT Security Review - NEW
A weekly email that lets you continuously review your IT operations throughout the year.  Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated