Spending less than 5 minutes a week along with a cup of coffee, you can
monitor your IT security as required by the FDIC, OCC, FRB, FFIEC,
NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit http://www.yennik.com/it-review/.
REMINDER - This newsletter is available for Android smartphones and
tablets. Go to the Market Store and search for yennik.
FYI
- Computerized patient records will bring on hackers - A powerful
Republican senator with a medical degree is warning that the
nation's transition to electronic patient records will lure cyber
intruders and should be reconsidered.
http://www.nextgov.com/nextgov/ng_20111110_2226.php?oref=topnews
FYI
- FBI arrests six in click-fraud cyber scam that netted $14M - Six
men believed to be behind a massive click-fraud scheme were arrested
on Monday following a two-year, international police investigation,
dubbed Operation Ghost Click, the FBI announced Wednesday.
http://www.scmagazineus.com/fbi-arrests-six-in-click-fraud-cyber-scam-that-netted-14m/article/216399/
FYI
- Darpa’s Plan to Trap the Next WikiLeaker: Decoy Documents -
WikiLeakers may have to think twice before clicking on that
“classified” document. It could be the digital smoking gun that
points back at them.
http://www.wired.com/dangerroom/2011/11/darpa-trap-wikileaks/
FYI
- Apple kills code-signing bug that threatened iPhone users - Hacker
who discovered it remains excommunicated - Apple has patched a
serious bug in iPhones and iPads that allowed attackers to embed
secret payloads in iTunes App Store offerings that were never
approved during the official submission process.
http://www.theregister.co.uk/2011/11/10/apple_iphone_security_bug/
FYI
- ACH debit transfer emails leading to malware - Users should be
cautious if they receive an email purportedly containing information
about an Automated Clearing House (ACH) debit transfer created on
their behalf, as it could lead to malware, researchers from
anti-virus company MX Lab said in a blog post Wednesday.
http://www.scmagazineus.com/ach-debit-transfer-emails-leading-to-malware/article/216488/?DCMP=EMC-SCUS_Newswire
FYI
- GAO again slams IRS over security weaknesses - After repeatedly
sounding the alarm about lax data security practices at the Internal
Revenue Service (IRS), the U.S. Government Accountability Office
(GAO) again has warned that the nation's tax collector is operating
with significant deficiencies.
http://www.scmagazineus.com/gao-again-slams-irs-over-security-weaknesses/article/216753/?DCMP=EMC-SCUS_Newswire
FYI
- Canadian internet users wary of security and privacy, report - One
in 10 Canadians cite security as the primary challenge to the
success of the internet – the single largest issue identified in a
survey sponsored by the Canadian Internet Registration Authority (CIRA).
http://www.scmagazineus.com/canadian-internet-users-wary-of-security-and-privacy-report/article/216796/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Man charged with hacking Hoboken, N.J. mayor's email - A former
information systems specialist for the city of Hoboken, N.J.
surrendered Wednesday to the FBI on charges he hijacked emails meant
for the Mayor.
http://www.scmagazineus.com/man-charged-with-hacking-hoboken-nj-mayors-email/article/216487/?DCMP=EMC-SCUS_Newswire
FYI
- Occupy St. Louis sympathizer hacks mayor's website - A person
supportive of the Occupy Wall Street movements sweeping the nation
has hacked into the website belonging to the St. Louis mayor,
defacing it and publicly exposing contact information and emails.
http://www.scmagazineus.com/occupy-st-louis-sympathizer-hacks-mayors-website/article/216510/?DCMP=EMC-SCUS_Newswire
FYI
- VCU server hacked to compromise personal data of 175K - Hackers
accessed a sensitive computer server containing the personal
information of faculty and students at Virginia Commonwealth
University (VCU) in Richmond.
http://www.scmagazineus.com/vcu-server-hacked-to-compromise-personal-data-of-175k/article/216734/?DCMP=EMC-SCUS_Newswire
FYI
- Title Firm Sues Bank Over $207k Cyberheist - A title insurance
firm in Virginia is suing its bank after an eight-day cyber heist
involving more than $2 million in thefts and more than $200,000 in
losses last year.
http://krebsonsecurity.com/2011/11/title-firm-sues-bank-over-207k-cyberheist/
FYI
- Dozens used phone-hacker's services, inquiry hears - More than two
dozen News International employees used the services of a convicted
phone-hacker, the British government-backed inquiry into illegal
eavesdropping and bribery by journalists heard Monday.
http://edition.cnn.com/2011/11/14/world/europe/uk-phone-hacking-scandal/
FYI
- Tour de France winner sentenced for hack of doping lab - The
disgraced US cyclist who was stripped of his 2006 Tour de France
victory for doping was handed a suspended 12-month prison sentence
for his part in a hack of an anti-doping lab computer.
http://www.theregister.co.uk/2011/11/12/floyd_landis_sentenced/
FYI
- Alarm raised months before fed breach discovered - Like Rodney
Dangerfield, it seems that Canadian spies don't get any respect.
Documents show that the Canadian Security Intelligence Service (CSIS)
sounded an alert at least two months before a massive internet
intrusion was spotted at the Treasury Board of Canada – the branch
of government responsible for fiscal control and human resources.
http://www.scmagazineus.com/alarm-raised-months-before-fed-breach-discovered/article/216794/?DCMP=EMC-SCUS_Newswire
FYI
- Lawrence Memorial Hospital experiences online security breach -
Officials at Lawrence Memorial Hospital are anticipating a federal
investigation and possible fine after an online security breach
potentially compromised 8,000 patients' financial information.
http://www.kansascity.com/2011/11/17/3271281/lawrence-memorial-hospital-experiences.html
FYI
- Sutter Health loses computer, data on 4.2 million - A desktop
computer stolen from a Northern California health care system
contained the personal information of roughly 4.2 million patients,
the organization revealed Wednesday.
http://www.scmagazineus.com/sutter-health-loses-computer-data-on-42-million/article/216983/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program
requires a financial institution to notify a prospective borrower
and the servicer that the structure securing the loan is located or
to be located in a special flood hazard area. The regulation also
requires a notice of the servicer's identity be delivered to the
insurance provider. While the regulation addresses electronic
delivery to the servicer and to the insurance provider, it does not
address electronic delivery of the notice to the borrower.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS
(Part 1 of 2)
Hardware and software located in a user department are often less
secure than that located in a computer room. Distributed hardware
and software environments (e.g., local area networks or LANs) that
offer a full range of applications for small financial institutions
as well as larger organizations are commonly housed throughout the
organization, without special environmental controls or raised
flooring. In such situations, physical security precautions are
often less sophisticated than those found in large data centers, and
overall building security becomes more important. Internal control
procedures are necessary for all hardware and software deployed in
distributed, and less secure, environments. The level of security
surrounding any IS hardware and software should depend on the
sensitivity of the data that can be accessed, the significance of
applications processed, the cost of the equipment, and the
availability of backup equipment.
Because of their portability and location in distributed
environments, PCs often are prime targets for theft and misuse. The
location of PCs and the sensitivity of the data and systems they
access determine the extent of physical security required. For PCs
in unrestricted areas such as a branch lobby, a counter or divider
may provide the only barrier to public access. In these cases,
institutions should consider securing PCs to workstations, locking
or removing disk drives, and using screensaver passwords or
automatic timeouts. Employees also should have only the access to
PCs and data they need to perform their job. The sensitivity of the
data processed or accessed by the computer usually dictates the
level of control required. The effectiveness of security measures
depends on employee awareness and enforcement of these controls.
An advantage of PCs is that they can operate in an office
environment, providing flexible and informal operations. However, as
with larger systems, PCs are sensitive to environmental factors such
as smoke, dust, heat, humidity, food particles, and liquids. Because
they are not usually located within a secure area, policies should
be adapted to provide protection from ordinary contaminants.
Other environmental problems to guard against include electrical
power surges and static electricity. The electrical power supply in
an office environment is sufficient for a PC's requirements.
However, periodic fluctuations in power (surges) can cause equipment
damage or loss of data. PCs in environments that generate static
electricity are susceptible to static electrical discharges that can
cause damage to PC components or memory.
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions. When you answer the
question each week, you will help ensure compliance with the privacy
regulations.
Examination Procedures (Part 2 of 3)
B. Use the information gathered from step A to work through the
"Privacy Notice and Opt Out Decision Tree." Identify which module(s)
of procedures is (are) applicable.
C. Use the information gathered from step A to work through the
Reuse and Redisclosure and Account Number Sharing Decision Trees, as
necessary (Attachments B & C). Identify which module is applicable.
D. Determine the adequacy of the financial institution's internal
controls and procedures to ensure compliance with the privacy
regulation as applicable. Consider the following:
1) Sufficiency of internal policies and procedures, and controls,
including review of new products and services and controls over
servicing arrangements and marketing arrangements;
2) Effectiveness of management information systems, including the
use of technology for monitoring, exception reports, and
standardization of forms and procedures;
3) Frequency and effectiveness of monitoring procedures;
4) Adequacy and regularity of the institution's training program;
5) Suitability of the compliance audit program for ensuring that:
a) the procedures address all regulatory provisions as
applicable;
b) the work is accurate and comprehensive with respect to the
institution's information sharing practices;
c) the frequency is appropriate;
d) conclusions are appropriately reached and presented to
responsible parties;
e) steps are taken to correct deficiencies and to follow up on
previously identified deficiencies; and
6) Knowledge level of management and personnel.