Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
http://www.yennik.com/it-review/.
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- Microsoft calls for 24/7 international co-operation on cyber
security - Harmonisation of global laws and swifter collaboration
between law enforcement and other parties across international
boundaries are essential in order to speed up cyber crime
prosecutions, according to former US government prosecutor Scott
Charney.
http://www.v3.co.uk/v3-uk/news/2121991/-londoncyber-microsoft-calls-international-cooperation-cyber-security
FYI
- Internet privacy tools too confusing for most users - Users
wishing to stop advertisers from tracking their online behaviors
face major hurdles, according to a report released this week by
Carnegie Mellon University.
http://www.scmagazineus.com/internet-privacy-tools-too-confusing-for-most-users/article/215869/
FYI
- Federal Bureau of Investigation and the U.S. Attorney General's
Office Win National Cybersecurity Innovation Award - The SANS
Institute announced today that the Federal Bureau of Investigation
and the U.S. Attorney General's Office have won the 2011 U.S.
National Cybersecurity Innovation Award for their innovative
techniques in cyber law enforcement using the computer virus' own
command and control system to disable the malicious software.
http://www.prnewswire.com/news-releases/federal-bureau-of-investigation-and-the-us-attorney-generals-office-win-national-cybersecurity-innovation-award-133168328.html
FYI
- DHS to set up policies for monitoring Twitter, Facebook - Homeland
Security is working on guidelines to protect U.S. citizens' rights
while it looks at social media sites - When the U.S. Department of
Homeland Security receives information about potential threats to
the U.S., agents may turn to social networking sites like Facebook
and Twitter.
http://www.computerworld.com/s/article/9221374/DHS_to_set_up_policies_for_monitoring_Twitter_Facebook_?taxonomyId=84
FYI
- GAO - Federal Bureau of Investigation: Actions Needed to Document
Security Decisions and Address Issues with Condition of Headquarters
Buildings
Release -
http://www.gao.gov/products/GAO-12-96
Highlights -
http://www.gao.gov/highlights/d1296high.pdf
FYI
- Feds’ Use of Fake Cell Tower: Did it Constitute a Search? -
Federal authorities used a fake Verizon cellphone tower to zero in
on a suspect’s wireless card, and say they were perfectly within
their rights to do so, even without a warrant.
http://www.wired.com/threatlevel/2011/11/feds-fake-cell-phone-tower/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- UK Cops Using Fake Mobile Phone Tower to Intercept Calls, Shut Off
Phones - Britain’s largest police force has been using covert
surveillance technology that can masquerade as a mobile phone
network to intercept communications and unique IDs from phones or
even transmit a signal to shut off phones remotely, according to the
Guardian.
http://www.wired.com/threatlevel/2011/10/datong-surveillance/
FYI
- KPN stops issuing SSL certificates after possible breach - KPN
said it does not appear any fraudulent SSL certificates were issued,
though - The largest telecommunications company in the Netherlands
has stopped issuing SSL certificates after finding indications that
the website used for purchasing the certificates may have been
hacked.
http://www.computerworld.com/s/article/9221551/KPN_stops_issuing_SSL_certificates_after_possible_breach?taxonomyId=17
FYI
- Web credential authority rebuked for 'poor' security - Digicert
Malaysia banished from Chrome, IE, Firefox - Microsoft, Google, and
Mozilla will banish yet another web authentication authority from
their software after learning that it issued secure sockets layer
certificates that could be used to attack people visiting Malaysian
government websites.
http://www.theregister.co.uk/2011/11/03/certificate_authority_banished/
FYI
- Vulnerabilities give hackers ability to open prison cells from
afar - Researchers have demonstrated a vulnerability in the computer
systems used to control facilities at federal prisons that could
allow an outsider to remotely take them over, doing everything from
opening and overloading cell door mechanisms to shutting down
internal communications systems.
http://arstechnica.com/business/news/2011/11/vulnerabilities-give-hackers-ability-to-open-prison-cells-from-afar.ars
WEB SITE COMPLIANCE - TRUTH IN SAVINGS ACT (REG DD)
Financial institutions that advertise deposit products and services
on-line must verify that proper advertising disclosures are made in
accordance with all provisions of the regulations. Institutions
should note that the disclosure exemption for electronic media does
not specifically address commercial messages made through an
institution's web site or other on-line banking system. Accordingly,
adherence to all of the advertising disclosure requirements is
required.
Advertisements should be monitored for recency, accuracy, and
compliance. Financial institutions should also refer to OSC
regulations if the institution's deposit rates appear on third party
web sites or as part of a rate sheet summary. These types of
messages are not considered advertisements unless the depository
institution, or a deposit broker offering accounts at the
institution, pays a fee for or otherwise controls the publication.
Disclosures generally are required to be in writing and in a form
that the consumer can keep. Until the regulation has been reviewed
and changed, if necessary, to allow electronic delivery of
disclosures, an institution that wishes to deliver disclosures
electronically to consumers would supplement electronic disclosures
with paper disclosures.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - DATA CENTER SECURITY
When selecting a site for the most important information systems
components, one major objective is to limit the risk of exposure
from internal and external sources. The selection process should
include a review of the surrounding area to determine if it is
relatively safe from exposure to fire, flood, explosion, or similar
environmental hazards. Outside intruders can be deterred through the
use of guards, fences, barriers, surveillance equipment, or other
similar devices. Since access to key information system hardware and
software should be limited, doors and windows must be secure.
Additionally, the location should not be identified or advertised by
signage or other indicators.
Detection devices, where applicable, should be utilized to prevent
theft and safeguard the equipment. They should provide continuous
coverage. Detection devices have two purposes - to alarm when a
response is necessary and to support subsequent forensics. The alarm
capability is only useful when a response will occur. Some intruder
detection devices available include:
- Switches that activate an alarm when an electrical circuit is
broken;
- Light and laser beams, ultraviolet beams and sound or vibration
detectors that are invisible to the intruder, and ultrasonic and
radar devices that detect movement in a room; and
- Closed-circuit television that allows visual observation and
recording of actions.
Risks from environmental threats can be addressed somewhat through
devices such as halon gas, smoke alarms, raised flooring, heat
sensors, and the like.
Physical security devices frequently need preventive maintenance to
function properly. Maintenance logs are one control the institution
can use to determine whether the devices are appropriately
maintained. Periodic testing of the devices provides assurance that
they are operating correctly.
Security guards should be properly instructed about their duties.
The employees who access secured areas should have proper
identification and authorization to enter the area. All visitors
should sign in and wear proper IDs so that they can be identified
easily. Security guards should be trained to restrict the removal of
assets from the premises and to record the identity of anyone
removing assets. Consideration should be given to implementing a
specific and formal authorization process for the removal of
hardware and software from premises.
The following security zones should have access restricted to a need
basis:
- Operations center
- Uninterrupted power supply
- Telecommunications equipment
- Media library
CABINET AND VAULT SECURITY
Protective containers are designed to meet either fire-resistant or
burglar-resistant standards. Labels describing expected tolerance
levels are usually attached to safes and vault doors. An institution
should select the tolerance level based on the sensitivity and
importance of the information being protected.
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions. When you answer the
question each week, you will help ensure compliance with the privacy
regulations.
Examination Procedures (Part 1 of 3)
A. Through discussions with management and review of available
information, identify the institution's information sharing
practices (and changes to those practices) with affiliates and
nonaffiliated third parties; how it treats nonpublic personal
information; and how it administers opt-outs. Consider the following
as appropriate:
1) Notices (initial, annual, revised, opt out, short-form, and
simplified);
2) Institutional privacy policies and procedures, including those
to:
a) process requests for nonpublic personal information,
including requests for aggregated data;
b) deliver notices to consumers; manage consumer opt out
directions (e.g., designating files, allowing a reasonable time to
opt out, providing new opt out and privacy notices when necessary,
receiving opt out directions, handling joint account holders);
c) prevent the unlawful disclosure and use of the information
received from nonaffiliated financial institutions; and
d) prevent the unlawful disclosure of account numbers;
3) Information sharing agreements between the institution and
affiliates and service agreements or contracts between the
institution and nonaffiliated third parties either to obtain or
provide information or services;
4) Complaint logs, telemarketing scripts, and any other information
obtained from nonaffiliated third parties (Note: review
telemarketing scripts to determine whether the contractual terms set
forth under section 13 are met and whether the institution is
disclosing account number information in violation of section 12);
5) Categories of nonpublic personal information collected from or
about consumers in obtaining a financial product or service (e.g.,
in the application process for deposit, loan, or investment
products; for an over-the-counter purchase of a bank check; from
E-banking products or services, including the data collected
electronically through Internet cookies; or through ATM
transactions);
6) Categories of nonpublic personal information shared with, or
received from, each nonaffiliated third party; and
7) Consumer complaints regarding the treatment of nonpublic
personal information, including those received electronically.
8) Records that reflect the bank's categorization of its
information sharing practices under Sections 13, 14, 15, and outside
of these exceptions.
9) Results of a 501(b) inspection (used to determine the accuracy
of the institution's privacy disclosures regarding data security).