Spending less than 5 minutes a week with a cup of coffee, you can
monitor your IT security as required by the FDIC, OCC, FRB, FFIEC,
NCUA, NIST, GLBA, HIPAA, and IT best practices. For more information
visit http://www.yennik.com/it-review/.
REMINDER - This newsletter is available for Android smart phones and
tablets. Go to the Market Store and search for yennik.
FYI - Government, companies taking steps to ward off cyberattacks -
Warnings of a cyber Pearl Harbor. Major breaches of classified
computer networks. Hundreds of billions of dollars' worth of
corporate data stolen by hackers.
http://www.washingtonpost.com/national/national-security/government-companies-taking-steps-to-ward-off-cyberattacks/2011/11/10/gIQAdvERVN_story.html
FYI - Romanian hacker accused of breaking into NASA server - Police in
Romania this week arrested a 26-year-old hacker accused of breaking
into several servers belonging to NASA and causing hundreds of
thousands of dollars in damages.
http://www.scmagazineus.com/romanian-hacker-accused-of-breaking-into-nasa-server/article/217019/
FYI - GAO - Information Technology: Critical Factors Underlying
Successful Major Acquisitions
Release - http://www.gao.gov/products/GAO-12-7
Highlights - http://www.gao.gov/highlights/d127high.pdf
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Phishers net Norwegian secrets - E-mail trojans sweep hard drives -
Oil, gas and defense data has been lifted from computers in Norway,
in what the country fears is its largest-ever data espionage case.
http://www.theregister.co.uk/2011/11/17/noway_data_theft_attack/
FYI - Stolen Sutter Medical Foundation computer had information on
millions of patients - A Sutter Medical Foundation computer stolen
in mid-October held information on more than 4 million patients,
some dating back to 1995, including names, addresses and
descriptions of diagnoses, officials at the health network said
Wednesday.
http://www.mercurynews.com/breaking-news/ci_19351997
http://abcnews.go.com/US/wireStory/theft-data-4m-patients-part-wider-problem-14977828
FYI - Mystery 'virus' disrupts St John's ambulance service - Staff at
New Zealand's St John's Ambulance service were forced to coordinate
emergency call-outs using manual radio systems last week after
computer systems were hit by a mystery 'virus'.
http://computerworld.co.nz/news.nsf/news/mystery-virus-disrupts-st-johns-ambulance-service
FYI - Water utilities in Illinois, Houston reportedly hacked - Hackers
have reportedly breached the systems of two U.S. water utility
companies, potentially causing physical damage in one case.
http://www.scmagazineus.com/water-utilities-in-illinois-houston-reportedly-hacked/article/217173/
FYI - Anonymous leaks cybercrime investigator's private emails - The
hacktivist group Anonymous on Friday released 38,000 private emails
belonging to a retired California Department of Justice (DoJ)
cybercrime investigator as revenge for police crackdowns against the
Occupy Wall Street movement.
http://www.scmagazineus.com/anonymous-leaks-cybercrime-investigators-private-emails/article/217303/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
Disclosures and Notices
Several consumer regulations provide for disclosures and/or notices
to consumers. The compliance officer should check the specific
regulations to determine whether the disclosures/notices can be
delivered via electronic means. The delivery of disclosures via
electronic means has raised many issues with respect to the format
of the disclosures, the manner of delivery, and the ability to
ensure receipt by the appropriate person(s). The following
highlights some of those issues and offers guidance and examples
that may be of use to institutions in developing their electronic
services.
Disclosures are generally required to be "clear and conspicuous."
Therefore, compliance officers should review the web site to
determine whether the disclosures have been designed to meet this
standard. Institutions may find that the format(s) previously used
for providing paper disclosures may need to be redesigned for an
electronic medium. Institutions may find it helpful to use
"pointers" and "hotlinks" that will automatically present the
disclosures to customers when selected. A financial institution's use
solely of asterisks or other symbols as pointers or hotlinks would
not be as clear as descriptive references that specifically indicate
the content of the linked material.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS (Part 2 of 2)
Physical security for distributed IS, particularly LANs that are
usually PC-based, is somewhat different from that for mainframe
platforms. With a network there is often no centralized computer
room. In addition, a network often extends beyond the local
premises. Certain components need physical security: the hardware
devices, and the software and data that may be stored on file
servers, PCs, or removable media (tapes and disks). As with more
secure IS environments, physical network security should prevent
unauthorized personnel from accessing LAN devices or the data in
transit. In the case of wire-transfer clients, more extensive
physical security is required.
Physical protection for networks as well as PCs includes power
protection, physical locks, and secure work areas enforced by
security guards and authentication technologies such as magnetic
badge readers. Physical access to the network components (i.e.,
files, applications, communications, etc.) should be limited to
those who require access to perform their jobs. Network workstations
or PCs should be password protected and monitored for workstation
activity.
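The paragraph above says workstations should be password protected and monitored for activity, but gives no sense of what that monitoring looks like in practice. The following is an added example, not text or code from the FFIEC booklet or from Yennik: a small Python checker that reads syslog-style authentication lines (the sample lines, host names, user names and addresses below are constructed for illustration) and flags two things a physical-security review would care about: interactive sessions opened outside approved business hours, and bursts of failed passwords against a single workstation from one source. The working-hours window and the failure threshold are assumptions and should be tuned to the institution's own schedule.

```python
"""Flag after-hours workstation logins and failed-password bursts.

Added illustration for workstation activity monitoring; the log lines
below are constructed samples in Linux auth.log style, not real data.
"""
import re
from datetime import datetime, time

# Constructed sample log (hosts, users and addresses are fictitious).
SAMPLE_LOG = """\
Nov 14 08:02:11 ws-teller01 login[1422]: pam_unix(login:session): session opened for user jdoe by LOGIN(uid=0)
Nov 14 12:17:45 ws-teller01 sshd[2310]: Accepted password for jdoe from 10.20.30.40 port 51022 ssh2
Nov 14 23:41:03 ws-wire02 login[3011]: pam_unix(login:session): session opened for user msmith by LOGIN(uid=0)
Nov 15 02:05:10 ws-wire02 sshd[3107]: Failed password for root from 10.20.30.99 port 44011 ssh2
Nov 15 02:05:12 ws-wire02 sshd[3107]: Failed password for root from 10.20.30.99 port 44012 ssh2
Nov 15 02:05:15 ws-wire02 sshd[3107]: Failed password for root from 10.20.30.99 port 44013 ssh2
Nov 15 09:30:00 ws-teller01 sshd[4100]: Accepted password for jdoe from 10.20.30.40 port 51030 ssh2
"""

# Assumed policy values: approved hours 07:00-19:00, three failures is a burst.
WORK_START, WORK_END = time(7, 0), time(19, 0)
FAILED_THRESHOLD = 3

# Syslog prefix: "Mon DD HH:MM:SS host rest-of-message"
LINE_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (\S+) (.*)$")
OPENED_RE = re.compile(r"session opened for user (?P<user>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")


def parse_line(line):
    """Split one syslog-style line into host, time-of-day and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _mon, day, hms, host, rest = m.groups()
    return {
        "day": int(day),
        "time": datetime.strptime(hms, "%H:%M:%S").time(),
        "host": host,
        "rest": rest,
    }


def analyze(log_text, work_start=WORK_START, work_end=WORK_END,
            threshold=FAILED_THRESHOLD):
    """Return after-hours logins and failed-password bursts found in log_text.

    after_hours:   list of (host, user, "HH:MM:SS") for successful logins
                   outside [work_start, work_end].
    failed_bursts: list of (host, user, source, count) where count >= threshold.
    """
    after_hours = []
    failures = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # not an auth line we understand; skip
        host, t, rest = ev["host"], ev["time"], ev["rest"]
        m = OPENED_RE.search(rest) or ACCEPTED_RE.search(rest)
        if m:
            # Successful interactive session: check it against approved hours.
            if not (work_start <= t <= work_end):
                after_hours.append((host, m.group("user"), t.strftime("%H:%M:%S")))
            continue
        m = FAILED_RE.search(rest)
        if m:
            # Count failures per (workstation, target account, source address).
            key = (host, m.group("user"), m.group("src"))
            failures[key] = failures.get(key, 0) + 1
    bursts = [(h, u, s, n) for (h, u, s), n in failures.items() if n >= threshold]
    return {"after_hours": after_hours, "failed_bursts": bursts}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for host, user, when in report["after_hours"]:
        print(f"AFTER-HOURS LOGIN  {host}  user={user}  at {when}")
    for host, user, src, n in report["failed_bursts"]:
        print(f"FAILED-PASSWORD BURST  {host}  user={user}  from {src}  ({n} attempts)")
```

Run against the constructed sample, the checker reports one after-hours session on the wire-transfer workstation and one burst of root password failures against the same host; in a real deployment the log text would come from the institution's central log collector rather than an embedded string, and the findings would feed the review that the booklet asks for rather than be printed to a console.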
Network wiring requires some form of protection since it does not
have to be physically penetrated for the data it carries to be
revealed or contaminated. Examples of controls include using a
conduit to encase the wiring, avoiding routing through publicly
accessible areas, and avoiding routing networking cables in close
proximity to power cables. The type of wiring can also provide a
degree of protection; signals over fiber, for instance, are less
susceptible to interception than signals over copper cable.
Capturing radio frequency emissions also can compromise network
security. Frequency emissions are of two types, intentional and
unintentional. Intentional emissions are those broadcast, for
instance, by a wireless network. Unintentional emissions are the
normally occurring radiation from monitors, keyboards, disk drives,
and other devices. Shielding is a primary control over emissions.
The goal of shielding is to confine a signal to a defined area. An
example of shielding is the use of foil-backed wallboard and window
treatments. Once a signal is confined to a defined area, additional
controls can be implemented in that area to further minimize the
risk that the signal will be intercepted or changed.
INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Examination Procedures (Part 3 of 3)
E. Ascertain areas of risk associated with the financial
institution's sharing practices (especially those within Section 13
and those that fall outside of the exceptions) and any weaknesses
found within the compliance management program. Keep in mind any
outstanding deficiencies identified in the audit for follow-up when
completing the modules.
F. Based on the results of the foregoing initial procedures and
discussions with management, determine which procedures, if any,
should be completed in the applicable module, focusing on areas of
particular risk. The selection of procedures to be employed depends
upon the adequacy of the institution's compliance management system
and the level of risk identified. Each module contains a series of
general instructions to verify compliance, cross-referenced to cites
within the regulation.
Additionally, there are cross-references to a more comprehensive
checklist, which the examiner may use if needed to evaluate
compliance in more detail.
G. Evaluate any additional information or documentation discovered
during the course of the examination according to these procedures.
Note that this may reveal new or different sharing practices
necessitating reapplication of the Decision Trees and completion of
additional or different modules.
H. Formulate conclusions.
1) Summarize all findings.
2) For violation(s) noted, determine the cause by identifying
weaknesses in internal controls, compliance review, training,
management oversight, or other areas.
3) Identify action needed to correct violations and weaknesses in
the institution's compliance system, as appropriate.
4) Discuss findings with management and obtain a commitment for
corrective action.