Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices. For more information visit http://www.yennik.com/it-review/.
REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
FYI - (At least) 4 web authentication authorities breached since June - SSL security chain as good as broken - At least four web authentication authorities have reported being compromised in as many months, according to research from the Electronic Frontier Foundation that renews serious questions about a technology millions of websites rely on to remain secure.
http://www.theregister.co.uk/2011/10/27/ssl_certificate_authorities_hacked/
FYI - Tool Lets Single Laptop Take Down An SSL Server - Yet another strike against SSL security - SSL is in the hot seat again: a new, free tool is now circulating that can take down an HTTPS Web server in a denial-of-service attack using a single laptop via a DSL connection.
http://www.darkreading.com/authentication/167901072/security/vulnerabilities/231901641/index.html?itc=edit_stub
FYI - Insulin pump hack delivers fatal dosage over the air - Sugar Blues, James Bond style - In a hack fitting of a James Bond movie, a security researcher has devised an attack that hijacks nearby insulin pumps, enabling him to surreptitiously deliver fatal doses to diabetic patients who rely on them.
http://www.theregister.co.uk/2011/10/27/fatal_insulin_pump_attack/
FYI - National Security Agency helps banks battle hackers - The National Security Agency, a secretive arm of the U.S. military, has begun providing Wall Street banks with intelligence on foreign hackers, a sign of growing U.S. fears of financial sabotage.
http://www.reuters.com/article/2011/10/26/us-cybersecurity-banks-idUSTRE79P5E020111026
FYI - Federal cyber rules halt LAPD's move to Google Apps - FBI security rules are holding up the Los Angeles Police Department's move to Google Web-based email and office applications, according to contractors. The federal policies, which relate to confidentiality of criminal history data, could prevent certain agencies from ever moving operations to the cloud, or to third-party data centers that provide software over the Internet, experts say.
http://www.nextgov.com/nextgov/ng_20111026_6213.php?oref=topstory
FYI - Breaches lead to major reputation, brand damage - Companies spend on average up to a year restoring their reputation following a data breach, according to a study released Thursday.
http://www.scmagazineus.com/breaches-lead-to-major-reputation-brand-damage/article/215595/?DCMP=EMC-SCUS_Newswire
FYI - Banker trade group warns of phishing uptick - The American Bankers Association (ABA) on Wednesday issued a new warning about a “sudden increase” in phishing scams being reported throughout the country.
http://www.scmagazineus.com/banker-trade-group-warns-of-phishing-uptick/article/215440/?DCMP=EMC-SCUS_Newswire
FYI - Internet privacy tools too confusing for most users - Users wishing to stop advertisers from tracking their online behaviors face major hurdles, according to a report released this week by Carnegie Mellon University.
http://www.scmagazineus.com/internet-privacy-tools-too-confusing-for-most-users/article/215869/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Chinese Military Suspected in Hacker Attacks on U.S. Satellites - Computer hackers, possibly from the Chinese military, interfered with two U.S. government satellites four times in 2007 and 2008 through a ground station in Norway, according to a congressional commission.
http://www.businessweek.com/news/2011-10-27/chinese-military-suspected-in-hacker-attacks-on-u-s-satellites.html
FYI - Nasdaq Server Breach: 3 Expected Findings - While federal investigators remain quiet about the ongoing investigation, experts say that the Directors Desk data breach is even worse than thought. Last week, two experts with knowledge of Nasdaq OMX Group's internal investigation said that while attackers hadn't directly attacked trading servers, they had installed malware on sensitive systems, which enabled them to spy on dozens of company directors.
http://www.informationweek.com/news/security/attacks/231901580
FYI - Anonymous downs Oakland police site after violence - The hacktivist group Anonymous is making good on its promise of digital retaliation against the Oakland Police Department for the force it used against protesters this week.
http://www.scmagazineus.com/anonymous-downs-oakland-police-site-after-violence/article/215433/?DCMP=EMC-SCUS_Newswire
FYI - Ottawa warned about hackers weeks before crippling cyber attack: CSIS report - Canada's spy agency warned the government that federal departments were under assault from rogue hackers just weeks before an attack crippled key computers.
http://www.theglobeandmail.com/news/national/ottawa-warned-about-hackers-weeks-before-crippling-cyber-attack-csis-report/article2219129/?from=sec434
WEB SITE COMPLIANCE - Record Retention
Record retention provisions apply to electronic delivery of disclosures to the same extent required for non-electronic delivery of information. For example, if the web site contains an advertisement, the same record retention provisions that apply to paper-based or other types of advertisements apply. Copies of such advertisements should be retained for the time period set out in the relevant regulation. Retention of electronic copies is acceptable.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - PHYSICAL SECURITY
The confidentiality, integrity, and availability of information can be impaired through physical access to, and damage or destruction of, physical components. Conceptually, those physical security risks are mitigated through zone-oriented implementations. Zones are physical areas with differing physical security requirements. The security requirements of each zone are a function of the sensitivity of the data contained in or accessible through the zone and of the information technology components in the zone. For instance, data centers may be in the highest security zone, and branches may be in a much lower security zone. Different security zones can exist within the same structure. Routers and servers in a branch, for instance, may be protected to a greater degree than customer service terminals. Computers and telecommunications equipment within an operations center will be in a higher security zone than I/O operations, with the media used in that equipment stored in a higher zone still.
The requirements for each zone should be determined through the risk assessment. The risk assessment should include, but is not limited to, the following threats:
- Aircraft crashes
- Chemical effects
- Dust
- Electrical supply interference
- Electromagnetic radiation
- Explosives
- Fire
- Smoke
- Theft/Destruction
- Vibration/Earthquake
- Water
- Wireless emissions
- Any other threats applicable based on the entity's unique geographical location, building configuration, neighboring entities, etc.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Examination Objectives
1. To assess the quality of a financial institution's compliance management policies and procedures for implementing the privacy regulation, specifically ensuring consistency between what the financial institution tells consumers in its notices about its policies and practices and what it actually does.
2. To determine the reliance that can be placed on a financial institution's internal controls and procedures for monitoring the institution's compliance with the privacy regulation.
3. To determine a financial institution's compliance with the privacy regulation, specifically in meeting the following requirements:
a) Providing to customers notices of its privacy policies and practices that are timely, accurate, clear and conspicuous, and delivered so that each customer can reasonably be expected to receive actual notice;
b) Disclosing nonpublic personal information to nonaffiliated third parties, other than under an exception, only after first meeting the applicable requirements for giving consumers notice and the right to opt out;
c) Appropriately honoring consumer opt out directions;
d) Lawfully using or disclosing nonpublic personal information received from a nonaffiliated financial institution; and
e) Disclosing account numbers only according to the limits in the regulations.
4. To initiate effective corrective actions when violations of law are identified, or when policies or internal controls are deficient.