Spending less than 5 minutes a week along with a cup of coffee, you can
monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA,
NIST, GLBA, HIPAA, and IT best practices.
For more information visit
http://www.yennik.com/it-review/.
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- Feds
launch cloud security standards program - FedRAMP program will
require that all federal agencies only use cloud providers that meet
its security standards - Federal agencies will soon have a
government-wide security standard for assessing, authorizing and
monitoring cloud products and services.
http://www.computerworld.com/s/article/9222525/Feds_launch_cloud_security_standards_program?taxonomyId=17
FYI
- Criminal Records Bureau checks to go online - Service aimed at
removing need for employees to make multiple applications - The
Criminal Records Bureau (CRB) is to introduce an online status
checking service for employers to verify that potential employees
have been cleared for relevant jobs.
http://www.guardian.co.uk/government-computing-network/2011/dec/07/crb-checks-online
FYI
- Four charged with hacking point-of-sale computers - Four residents
of Romania have been charged for their alleged participation in a
multimillion-dollar scheme to remotely access point-of-sale systems
at more than 150 Subway restaurants and other U.S. merchants and
steal payment card data, the U.S. Department of Justice said.
http://www.computerworld.com/s/article/9222520/Four_charged_with_hacking_point_of_sale_computers?taxonomyId=17
FYI
- Man faces felony hacking charge for accessing wife's e-mail - The
Michigan Court of Appeals wrestled Tuesday with the question of
whether the state's computer hacking law allows prosecutors to
charge people who read a spouse's e-mail without permission.
http://www.examiner.com/headlines-in-atlanta/gwinnett-medical-no-longer-on-diversion-status
FYI
- As few as 12 hacker teams responsible for bulk of China-based data
theft - U.S. cybersecurity analysts and experts say that as few as
12 Chinese groups, largely backed or directed by the government
there, commit the bulk of the China-based cyberattacks stealing
critical data from U.S. companies and government agencies.
http://www.washingtonpost.com/business/summary-box-as-few-as-12-hacker-teams-responsible-for-bulk-of-china-based-data-theft/2011/12/12/gIQAjipmpO_story.html
FYI
- Court dismisses most breach claims against Heartland by banks - Nine
banks want Heartland to pay for damages related to 2008 breach - A
U.S. district court in Texas has dismissed all but one of the claims
brought by several banks against Heartland Payment Systems over the
massive data breach the payment processor disclosed in January 2009.
http://www.computerworld.com/s/article/9222549/Court_dismisses_most_breach_claims_against_Heartland_by_banks?taxonomyId=144
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Hackers Skim Lucky Supermarket Customers’ Credit Cards via
Self-Checkout - Criminals have tampered with the credit and debit
card readers at self-checkout lanes in more than 20 supermarkets
operated by a California chain, allowing them to steal money from
shoppers who used the compromised machines.
http://www.wired.com/threatlevel/2011/12/hackers-skim-lucky-supermarket/
FYI
- Anonymous claims new Monsanto-related hack - The Anonymous hacktivist group claims it is responsible for putting a Washington,
D.C. public relations firm out of business.
http://www.scmagazineus.com/anonymous-claims-new-monsanto-related-hack/article/218504/?DCMP=EMC-SCUS_Newswire
FYI
- Ambulances turned away as computer virus infects Gwinnett Medical
Center computers - Gwinnett Medical Center on Friday confirmed it
has instructed ambulances to take patients to other area hospitals
when possible after discovering a system-wide computer virus that
slowed patient registration and other operations at its campuses in
Lawrenceville and Duluth.
http://www.ajc.com/news/gwinnett/ambulances-turned-away-as-1255750.html
FYI
- Telstra resets 60k passwords after privacy gaffe - Telstra has reset
some 60,000 customer passwords after accounts were exposed, forcing
services to be quickly shut down.
http://www.scmagazine.com.au/News/282986,telstra-resets-60k-passwords-after-privacy-gaffe.aspx
WEB SITE COMPLIANCE - Reserve Requirements of Depository Institutions
(Regulation D)
Under the withdrawal and transfer restrictions imposed on savings
deposits, electronic transfers, electronic withdrawals (paid
electronically), and payments to third parties initiated by a depositor
from a personal computer count as transfers subject to the
six-transaction limit imposed on passbook savings and MMDA accounts.
Institutions also should note that, to the extent stored value or
other electronic money represents a demand deposit or transaction
account, the provisions of Regulation D would apply to such
obligations.
Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify the
definition of an advertisement under Regulation M. The term
advertisement includes messages inviting, offering, or otherwise
generally announcing to prospective customers the availability of
consumer leases, whether in visual, oral, print, or electronic
media. Included in the examples are on-line messages, such as those
on the Internet. Therefore, such messages are subject to the general
advertising requirements.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
ENCRYPTION KEY MANAGEMENT
Since security is primarily based on the encryption keys, effective
key management is crucial. Effective key management systems are
based on an agreed set of standards, procedures, and secure methods
that address
! Generating keys for different cryptographic systems and different
applications;
! Generating and obtaining public keys;
! Distributing keys to intended users, including how keys should be
activated when received;
! Storing keys, including how authorized users obtain access to
keys;
! Changing or updating keys including rules on when keys should be
changed and how this will be done;
! Dealing with compromised keys;
! Revoking keys and specifying how keys should be withdrawn or
deactivated;
! Recovering keys that are lost or corrupted as part of business
continuity management;
! Archiving keys;
! Destroying keys;
! Logging and auditing of key management-related activities; and
! Instituting defined activation and deactivation dates, limiting
the usage period of keys.
Secure key management systems are characterized by the following
precautions.
! Key management is fully automated (e.g. personnel do not have the
opportunity to expose a key or influence the key creation).
! No key ever appears unencrypted outside the cryptographic module that
uses it.
! Keys are randomly chosen from the entire key space, preferably by
hardware.
! Key-encrypting keys are separate from data keys. No data ever
appears in clear text that was encrypted using a key-encrypting key. (A
key-encrypting key is used to encrypt other keys, securing them from
disclosure.)
! All patterns in clear text are disguised before encrypting.
! Keys with a long life are sparsely used. The more a key is used, the
more ciphertext an attacker can collect under it and the greater the
opportunity to discover the key.
! Keys are changed frequently. Each rotation costs the institution about
the same, while an attacker must start over against every new key, and
each rotation bounds the data and the time window exposed if any one key
is compromised.
! Keys that are transmitted are sent securely to well-authenticated
parties.
! Key generating equipment is physically and logically secure from
construction through receipt, installation, operation, and removal
from service.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 3 of 3)
C. Opt Out Right
1) Review the financial institution's opt out notices. An opt out
notice may be combined with the institution's privacy notices.
Regardless, determine whether the opt out notices:
a. Are clear and conspicuous (§§3(b) and 7(a)(1));
b. Accurately explain the right to opt out (§7(a)(1));
c. Include and adequately describe the three required items of
information (the institution's policy regarding disclosure of
nonpublic personal information, the consumer's opt out right, and
the means to opt out) (§7(a)(1)); and
d. Describe how the institution treats joint consumers (customers
and those who are not customers), as applicable (§7(d)).
2) Through discussions with management, review of the institution's
policies and procedures, and a sample of electronic or written
records where available, determine if the institution has adequate
procedures in place to provide the opt out notice and comply with
opt out directions of consumers (customers and those who are not
customers), as appropriate. Assess the following:
a. Timeliness of delivery (§10(a)(1));
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. Reasonableness of the opportunity to opt out (the time allowed
to and the means by which the consumer may opt out)
(§§10(a)(1)(iii), 10(a)(3)); and
d. Adequacy of procedures to implement and track the status of a
consumer's (customers and those who are not customers) opt out
direction, including those of former customers (§7(e), (f), (g)).