Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and best practices. For more information visit
http://www.yennik.com/it-review/.
FYI - Achieving integrity in the cloud - The cloud is similar to the physical data center in that the same perimeter, system, and data protection mechanisms we've come to rely upon there must also be applied to the virtual environment (firewalls, intrusion prevention, anti-malware, data loss prevention, etc.).
http://www.scmagazineus.com/achieving-integrity-in-the-cloud/article/192568/?DCMP=EMC-SCUS_Newswire
FYI - Goldman Sachs Programmer Found Guilty of Stealing Code - A Goldman Sachs programmer was found guilty on Friday of stealing high-speed trading software from his former employer.
http://www.wired.com/threatlevel/2010/12/aleynikov-guilty/
FYI - Military Bans Disks, Threatens Courts-Martial to Stop New Leaks - It's too late to stop WikiLeaks from publishing thousands more classified documents, nabbed from the Pentagon's secret network. But the U.S. military is telling its troops to stop using CDs, DVDs, thumb drives and every other form of removable media, or risk a court martial.
http://www.wired.com/dangerroom/2010/12/military-bans-disks-threatens-courts-martials-to-stop-new-leaks/
FYI - Adopt a proactive approach for security - Mobile devices, social media, cloud computing, disgruntled employees, cybercriminals, rogue nations. These are just some of the points of vulnerability and sources of threat you can expect in 2011, regardless of your organization's size.
http://www.scmagazineus.com/deloitte-principal-adopt-a-proactive-approach-for-security/article/191450/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - NASA sold PCs with sensitive data - NASA failed to remove sensitive data from computers that it sold, according to an audit report released this week.
http://news.cnet.com/8301-13639_3-20025161-42.html?tag=mncol;title
FYI - Navy petty officer accused of trying to sell classified military documents to undercover agent - A Navy intelligence specialist at the Joint Special Operations Command has been accused of taking top secret documents from military networks and offering to sell them to an investigator posing as a foreign agent.
http://www.washingtonpost.com/wp-dyn/content/article/2010/12/06/AR2010120607294.html
FYI - Hackers access UW-Madison computer systems - Hackers infiltrated the University of Wisconsin (UW)-Madison computer systems and accessed the personal information of tens of thousands of individuals affiliated with the college.
http://www.scmagazineus.com/hackers-access-uw-madison-computer-systems/article/192558/?DCMP=EMC-SCUS_Newswire
FYI - Warning over cybercrime scam - Consumers were warned today of a scam in which cyber criminals call consumers, claiming to be from Microsoft or other legitimate technology companies, to tell them they have a virus on their computer.
http://www.irishexaminer.com/breakingnews/ireland/warning-over-cybercrime-scam-485504.html
FYI - Hacker Accessed McDonald's Customer Database - A database containing McDonald's customer information was hacked recently, though McDonald's said Monday that it does not contain any sensitive financial information.
http://www.pcmag.com/article2/0,2817,2374253,00.asp
FYI - Gawker Media hacked, firm warns users to change passwords - E-mail addresses and password details for 200,000 registered users of Gawker Media websites are now circulating on peer-to-peer networks after a weekend hack attack. Anyone who reused a Gawker password on another site should change it there as well, since the leaked credentials can be tried against other services.
http://www.computerworld.com/s/article/9200978/Update_Gawker_Media_hacked_firm_warns_users_to_change_passwords?taxonomyId=17
WEB SITE COMPLIANCE - The Role Of Consumer Compliance In Developing And Implementing Electronic Services from FDIC:
When violations of the consumer protection laws regarding a
financial institution's electronic services have been cited,
generally the compliance officer has not been involved in the
development and implementation of the electronic services.
Therefore, it is suggested that management and system designers
consult with the compliance officer during the development and
implementation stages in order to minimize compliance risk. The
compliance officer should ensure that the proper controls are
incorporated into the system so that all relevant compliance issues
are fully addressed. This level of involvement will help decrease
an institution's compliance risk and may prevent the need to delay
deployment or redesign programs that do not meet regulatory
requirements.
The compliance officer should develop a compliance risk profile as a
component of the institution's online banking business and/or
technology plan. This profile will establish a framework from which
the compliance officer and technology staff can discuss specific
technical elements that should be incorporated into the system to
ensure that the online system meets regulatory requirements. For
example, the compliance officer may communicate with the technology
staff about whether compliance disclosures/notices on a web site
should be indicated or delivered by the use of "pointers" or
"hotlinks" to ensure that required disclosures are presented to the
consumer. The compliance officer can also be an ongoing resource to
test the system for regulatory compliance.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
ANALYZE INFORMATION (1 of 2)
The information gathered is used to characterize the system, to
identify and measure threats to the system and the data it contains
and transmits, and to estimate the likelihood that a threat will
take action against the system or data.
System characterization articulates the understanding of the system,
including the boundaries of the system being assessed, the system's
hardware and software, and the information that is stored,
processed, and transmitted. Since operational systems may have
changed since they were last documented, a current review of the
system should be performed. Developmental systems, on the other
hand, should be analyzed to determine their key security rules and
attributes. Those rules and attributes should be documented as part
of the systems development lifecycle process. System
characterization also requires the cross-referencing of
vulnerabilities to current controls to identify those that mitigate
specific threats, and to assist in highlighting the control areas
that should be improved.
A key part of system characterization is the ranking of data and
system components according to their sensitivity and importance to
the institution's operations. Additionally, consistent with the
GLBA, the ranking should consider the potential harm to customers of
unauthorized access and disclosure of customer non-public personal
information. Ranking allows for a reasoned and measured analysis of
the relative outcome of various attacks, and the limiting of the
analysis to sensitive information or information and systems that
may materially affect the institution's condition and operations.
Threats are identified and measured through the creation and
analysis of threat scenarios. Threat scenarios should be
comprehensive in their scope (e.g., they should consider reasonably
foreseeable threats and possible attacks against information and
systems that may affect the institution's condition and operations
or may cause data disclosures that could result in substantial harm
or inconvenience to customers). They should consider the potential
effect and likelihood for failure within the control environment due
to non-malicious or malicious events. They should also be
coordinated with business continuity planning to include attacks
performed when those plans are implemented. Non-malicious scenarios
typically involve accidents related to inadequate access controls
and natural disasters. Malicious scenarios, either general or
specific, typically involve a motivated attacker (i.e., threat)
exploiting a vulnerability to gain access to an asset to create an
outcome that has an impact.
An example of a general malicious threat scenario is an unskilled
attacker using a program script to exploit a vulnerable
Internet-accessible Web server to extract customer information from
the institution's database. Assuming the attacker's motivation is to
seek recognition from others, the attacker publishes the
information, causing the financial institution to suffer damage to
its reputation. Ultimately, customers are likely to be victims of
identity theft.
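As an added illustration of the analysis steps described above (it is not part of the FFIEC booklet or of this newsletter's own material), the following Python script sketches a minimal risk register: assets ranked by data sensitivity and operational importance, vulnerabilities cross-referenced to the controls that mitigate them, and threat scenarios scored by residual likelihood times impact. The asset names, vulnerability IDs, control names, effectiveness figures and the 1-to-5 scales are all constructed for the example and are not drawn from any guidance; the scenario list includes the booklet's unskilled-attacker example alongside a non-malicious one so that both kinds are ranked together.

```python
# Minimal risk register for the 'analyze information' step. Added illustration,
# not FFIEC text or any institution's tooling; every name, ID, score and
# effectiveness figure below is constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: int   # 1 (public) .. 5 (customer non-public personal information)
    criticality: int   # 1 .. 5 importance to the institution's operations

@dataclass(frozen=True)
class Vulnerability:
    vid: str
    asset: str         # name of the Asset this weakness exposes
    description: str

@dataclass(frozen=True)
class Control:
    name: str
    mitigates: Tuple[str, ...]   # vulnerability ids the control addresses
    effectiveness: float         # fraction of likelihood removed, 0.0 .. 1.0

@dataclass(frozen=True)
class ThreatScenario:
    name: str
    malicious: bool     # False for accidents and natural disasters
    vid: str            # vulnerability the scenario exploits
    likelihood: int     # 1 .. 5 with no controls credited
    customer_harm: int  # 1 .. 5 potential harm to customers (GLBA consideration)

def residual_likelihood(scn: ThreatScenario, controls: List[Control]) -> float:
    # Credit every control that addresses the exploited vulnerability.
    # Reductions compose multiplicatively: two 50% controls leave 25%.
    remaining = float(scn.likelihood)
    for c in controls:
        if scn.vid in c.mitigates:
            remaining *= 1.0 - c.effectiveness
    return remaining

def scenario_risk(scn: ThreatScenario, assets: Dict[str, Asset],
                  vulns: Dict[str, Vulnerability], controls: List[Control]) -> float:
    # Risk = residual likelihood x impact, where impact is the worst of the
    # asset's operational criticality, its data sensitivity and customer harm.
    asset = assets[vulns[scn.vid].asset]
    impact = max(asset.criticality, asset.sensitivity, scn.customer_harm)
    return residual_likelihood(scn, controls) * impact

def rank_scenarios(scenarios, assets, vulns, controls) -> List[Tuple[float, str]]:
    # Highest residual risk first: the ordering the analysis is limited to.
    scored = [(scenario_risk(s, assets, vulns, controls), s.name) for s in scenarios]
    return sorted(scored, reverse=True)

def unmitigated_vulnerabilities(vulns, controls) -> List[str]:
    # Cross-reference vulnerabilities to controls; anything no control
    # addresses is a control area that should be improved.
    covered = {v for c in controls for v in c.mitigates}
    return sorted(v for v in vulns if v not in covered)

# Constructed sample register (not real findings).
ASSETS = {a.name: a for a in (
    Asset("customer-db", sensitivity=5, criticality=5),
    Asset("public-web", sensitivity=1, criticality=3),
    Asset("branch-file-server", sensitivity=3, criticality=2),
)}
VULNS = {v.vid: v for v in (
    Vulnerability("V1", "public-web", "unpatched web application reachable from the Internet"),
    Vulnerability("V2", "customer-db", "web tier's database account can read every customer row"),
    Vulnerability("V3", "branch-file-server", "no off-site backup of branch records"),
)}
CONTROLS = [
    Control("web application firewall", mitigates=("V1",), effectiveness=0.5),
    Control("monthly patch cycle", mitigates=("V1",), effectiveness=0.6),
]
SCENARIOS = [
    ThreatScenario("unskilled attacker scripts web-tier exploit, extracts customer data",
                   malicious=True, vid="V2", likelihood=4, customer_harm=5),
    ThreatScenario("unskilled attacker defaces public site",
                   malicious=True, vid="V1", likelihood=4, customer_harm=1),
    ThreatScenario("flood destroys branch file server",
                   malicious=False, vid="V3", likelihood=1, customer_harm=2),
]

if __name__ == "__main__":
    for risk, name in rank_scenarios(SCENARIOS, ASSETS, VULNS, CONTROLS):
        print(f"{risk:5.1f}  {name}")
    print("unmitigated:", unmitigated_vulnerabilities(VULNS, CONTROLS))
```

Running the script ranks the customer-data theft scenario first, because the overprivileged database account (V2) has no control addressing it, and lists V2 and V3 as the control areas needing attention. The defacement scenario drops below the non-malicious flood scenario once the web application firewall and patch cycle are credited, which is the point of cross-referencing controls before ranking: a loud threat with good coverage can matter less than a quiet one with none. The scoring scale is a toy; an institution would substitute its own likelihood and impact definitions.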
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
15. If the institution provides a short-form initial privacy notice with the opt out notice, does the institution do so only to consumers with whom the institution does not have a customer relationship? [§6(d)(1)]