Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Can the cloud be safe for banks? - Consider the issues at stake
for the banking industry to implement cloud technology. Here are
some of the possibilities for this security-sensitive industry.
- Spies get bonuses to halt Google poachers who pay three times as
much as GCHQ - Spies working at the Government’s communications
headquarters are being offered bonuses worth tens of thousands of
pounds to stop them being poached by corporate giants such as
Microsoft and Google.
NIST Protects BIOS With New Security Guidelines - The standards body
provides ways to detect changes to the code or configuration of a
PC's startup system. The organization that sets federal technology
standards has provided new security guidelines for protecting the
system that starts up PCs.
GAO - National Credit Union Administration: Earlier Actions Are
Needed to Better Address Troubled Credit Unions.
Vulnerability allows brute force hacking of wireleless routers - A
computing standard than enables users to easily stand up an
encrypted wireless network suffers from a design weakness that could
enable attackers to gain router access, according to US-CERT.
Credit Mutuel Units Inspected by French Data Protection Watchdog -
Two Credit Mutuel-CIC units were inspected by France’s data
protection authority following a data system failure reported on
Dec. 28 by weekly newspaper Canard Enchaine, the Paris-based
watchdog said today.
UK Police Fired Over 'Inappropriate' Facebook Behavior - Cops aren't
above the law when it comes to their behavior on Facebook. Nearly
200 police officers in the United Kingdom have received official
disciplinary action for posting inappropriate photos or comments,
including racist slurs, on Facebook.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stratfor keeps website offline after hack - Security intelligence
firm Stratfor has warned subscribers that its website could stay
offline for a week or more.
Hacking group releases more Stratfor subscriber data - The data dump
includes 75,000 names and addresses of subscribers to the analysis
service - Hackers released another batch of data on Thursday
pilfered from Stratfor Global Intelligence, a widely used research
and analysis company whose website was attacked last weekend.
Aggressive Phishing Attack Targets Military Personnel - Emails
containing malware, which appear to come from senior officers or
legit companies, have been sent to military personnel during the
holiday season. The U.S. military received an unwanted present this
Christmas holiday season in the form of an "aggressive" phishing
attack that's been making the rounds of .mil email accounts,
according to the Army.
Cyber Threat to Power Grid Puts Utility Investors at Risk - The
electric-utility industry’s concerns about cyber security has
escalated sufficiently for several investor-owned utilities to
include cyber-attacks as a material risk factor in recent filings
with the U.S. Securities and Exchange Commission.
Gordon Brown's Downing Street emails 'hacked' - Computer crime by
press may be as widespread as phone scandal - Police investigating
computer hacking by private investigators commissioned by national
newspapers have uncovered evidence that emails sent and received by
Gordon Brown during his time as Chancellor were illegally accessed.
Hackers Expose Details of 15,000 Israeli Credit Cards on Web -
Details from 15,000 Israeli credit card customers have been exposed
by hackers on the Internet, the Bank of Israel said.
United flyer finds dozens of passengers' info online - Anna just
wanted to check her miles on United Airline's mobile website, but
instead, she ended up with a whole lot more.
California union latest Anonymous police victim - Anonymous hackers
affiliated with the group's "AntiSec" initiative stuck again over
the New Year's weekend, this time dumping private data they stole by
breaking into the website belonging to the California Statewide Law
Enforcement Association (CSLEA) union.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Fair Housing Act
A financial institution that advertises on-line credit products that
are subject to the Fair Housing Act must display the Equal Housing
Lender logotype and legend or other permissible disclosure of its
nondiscrimination policy if required by rules of the institution's
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through
electronic media with a video component (the financial institution
has the ability to see the applicant) must be treated as "in person"
applications. Accordingly, information about these applicants' race
or national origin and sex must be collected. An institution that
accepts applications through electronic media without a video
component, for example, the Internet or facsimile, may treat the
applications as received by mail.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
Malicious code is any program that acts in unexpected and
potentially damaging ways. Common types of malicious code are
viruses, worms, and Trojan horses. The functions of each were once
mutually exclusive; however, developers combined functions to create
more powerful malicious code. Currently malicious code can replicate
itself within a computer and transmit itself between computers.
Malicious code also can change, delete, or insert data, transmit
data outside the institution, and insert backdoors into institution
systems. Malicious code can attack institutions at either the server
or the client level. It can also attack routers, switches, and other
parts of the institution infrastructure. Malicious code can also
monitor users in many ways, such as logging keystrokes, and
transmitting screenshots to the attacker.
Typically malicious code is mobile, using e - mail, Instant
Messenger, and other peer-to-peer (P2P) applications, or active
content attached to Web pages as transmission mechanisms. The code
also can be hidden in programs that are downloaded from the Internet
or brought into the institution on diskette. At times, the malicious
code can be created on the institution's systems either by intruders
or by authorized users. The code can also be introduced to a Web
server in numerous ways, such as entering the code in a response
form on a Web page.
Malicious code does not have to be targeted at the institution to
damage the institution's systems or steal the institution's data.
Most malicious code is general in application, potentially affecting
all Internet users with whatever operating system or application the
code needs to function.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated
third parties only under Sections 14 and/or 15.
Note: This module applies only to customers.
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with nonaffiliated
third parties and obtain a sample of data shared between the
institution and the third party.
a. Compare the data shared and with whom the data were shared to
ensure that the institution accurately states its information
sharing practices and is not sharing nonpublic personal information
outside the exceptions.
B. Presentation, Content, and Delivery of Privacy Notices
1) Obtain and review the financial institution's initial and annual
notices, as well as any simplified notice that the institution may
use. Note that the institution may only use the simplified notice
when it does not also share nonpublic personal information with
affiliates outside of Section 14 and 15 exceptions. Determine
whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
2) Through discussions with management, review of the institution's
policies and procedures, and a sample of electronic or written
customer records where available, determine if the institution has
adequate procedures in place to provide notices to customers, as
appropriate. Assess the following:
a) Timeliness of delivery (§§4(a), 4(d), 4(e), 5(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the customer agrees; or as a necessary step
of a transaction) (§9) and accessibility of or ability to retain the