Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
TR39 Review - Every two years,
EFT network members are required to submit a TR39 (formerly TG3)
review to ensure compliance in maintaining secure systems for
processing online PIN transactions. Billions of PIN activated
transactions are switched through shared ATM and POS networks
annually. Each transaction is originated using a debit or credit
card and PIN. With each interchange transaction, the security of the
customer's PIN is under the control of as many as eight or more
processing entities. To schedule your TR39 review, please contact
our associate Richard Gasdia with Aporia Solutions
firstname.lastname@example.org. His phone number is 713-266-8785
ext. 302 and the web site is
- Joint Efforts Announced to Reduce Risk of Corporate Account
Takeover - Texas Banking Commissioner Charles G. Cooper and Edna J.
Perry, Special Agent in Charge of the U.S. Secret Service Dallas
Field Office jointly announced efforts to assist financial
institutions in adopting practices designed to reduce the risks of
corporate account takeover. Corporate account takeover is a form of
identity theft where cyber thieves gain control of a business’ bank
account, often by stealing user passwords and other valid
- Twenty critical controls for effective cyber defence - The UK
Centre for the Protection of National Infrastructure has released a
new guidance document which details the ‘Top Twenty Critical
Security Controls’. These provide a baseline of high-priority
information security measures and controls that can be applied
across an organization in order to improve its cyber defence.
- Loose Keystrokes Sink Cybersystems - Richard Clarke's June 15
op-ed "China's Cyberassault on America" provides a thoughtful
discussion of the prolific increase in data breaches and the
potential impact of these events. While I agree with his
perspective, his discussion was silent on the main catalyst of these
- NHS worker fined £500 for illegally accessing health records - A
former NHS health worker has been fined £500 for illegally accessing
the data of five members of her ex-husband's family in a breach of
Section 55 of the Data Protection Act (DPA).
- Anonymous, Reddit to protest SOPA with blackout - Hacktivist group
Anonymous and the popular news-sharing site Reddit both have pledged
to go offline on Wednesday in protest of the proposed Stop Online
Piracy Act (SOPA), an anti-piracy measure that critics believe
amounts to an internet censorship bill.
- Visa advises on more secure credit card transactions - Visa has
issued a set of best practices for implementing chip technologies,
which can be used to better secure debit and credit card
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Stratfor returns as Anonymous readies 5M stolen emails - Global
affairs firm Stratfor returned online this week amid admissions that
its systems were breached on two separate occasions.
- Israeli hacker retaliates to credit card hacking (by Yolande Knell) -
An Israeli hacker has published details of hundreds of Saudi credit
cards online and is threatening to post more in revenge for acts by
- Zappos breach affects 24M, opens door for more attacks - Hackers
breached a server belonging to online retailer Zappos, allowing them
access to the personal information of more than 24 million
customers, the company announced.
- Hackers harvested City College of S.F. data since 1999 - Fingers
are being pointed at criminal networks based in Russia and China as
the culprits behind the more-than-decade-long siphoning of personal
banking information from students, faculty and staff of the City
College of San Francisco.
- Computer Virus Swipes Data from Japan's Space Agency - A computer
virus infected a data terminal at Japan's space agency, causing a
leak of potentially sensitive information, officials announced
- Hacktivists expose personal info of T-Mobile staff - T-Mobile was
hit on Saturday with a hacktivist attack, which resulted in the
publication of personal information of some 80 of the wireless
communications provider's employees.
- DoD ID cards under attack - A pernicious virus that infects the
middleware of smart card readers is attacking users of U.S.
Department of Defense (DoD) and Windows smart cards. A variant of
the Sykipot trojan, the malware uses a zero-day vulnerability in
Adobe software to install a keylogger and obtain the PINs and
certificate information from smart cards.
WEB SITE COMPLIANCE -
Disclosures/Notices (Part 1 of 2)
Several regulations require disclosures and notices to be given at
specified times during a financial transaction. For example, some
regulations require that disclosures be given at the time an
application form is provided to the consumer. In this situation,
institutions will want to ensure that disclosures are given to the
consumer along with any application form. Institutions may
accomplish this through various means, one of which may be through
the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered
electronically and require institutions to deliver disclosures in a
form the customer can keep have been the subject of questions
regarding how institutions can ensure that the consumer can "keep"
the disclosure. A consumer using certain electronic devices, such as
Web TV, may not be able to print or download the disclosure. If
feasible, a financial institution may wish to include in its on-line
program the ability for consumers to give the financial institution
a non-electronic address to which the disclosures can be mailed.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE
Financial institution system development, acquisition, and
maintenance functions should incorporate agreed upon security
controls into software prior to development and implementation.
Management should integrate consideration of security controls into
each phase of the system development process. For the purposes of
this section, system development could include the internal
development of customized systems, the creation of database systems,
or the acquisition of third-party developed software. System
development could include long-term projects related to large
mainframe-based software projects with legacy source code or rapid
Web-based software projects using fourth-generation programming. In
all cases, institutions need to prioritize security controls
SOFTWARE DEVELOPMENT AND ACQUISITION
Financial institutions should develop security control requirements
for new systems, system revisions, or new system acquisitions.
Management will define the security control requirements based on
their risk assessment process evaluating the value of the
information at risk and the potential impact of unauthorized access
or damage. Based on the risks posed by the system, management may
use a defined methodology for determining security requirements,
such as ISO 15408, the Common Criteria. Management may also refer
to published, widely recognized industry standards as a baseline for
establishing their security requirements. A member of senior
management should document acceptance of the security requirements
for each new system or system acquisition, acceptance of tests
against the requirements, and approval for implementing in a
Development projects should consider automated controls for
incorporation into the application and the need to determine
supporting manual controls. Financial institutions can implement
appropriate security controls with greater cost effectiveness by
designing them into the original software rather than making
subsequent changes after implementation. When evaluating purchased
software, financial institutions should consider the availability of
products that have either been independently evaluated or received
security accreditation through financial institution or information
technology-related industry groups.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Redisclosure of nonpublic personal information received
from a nonaffiliated financial institution outside of Sections 14
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure of the
information where the institution is the recipient of nonpublic
personal information (§11(b)).
B. Select a sample of data received from nonaffiliated financial
institutions and shared with others to evaluate the financial
institution's compliance with redisclosure limitations.
1. Verify that the institution's redisclosure of the information
was only to affiliates of the financial institution from which the
information was obtained or to the institution's own affiliates,
except as otherwise allowed in the step b below (§11(b)(1)(i) and
2. If the institution shares information with entities other than
those under step a above, verify that the institution's information
sharing practices conform to those in the nonaffiliated financial
institution's privacy notice (§11(b)(1)(iii)).
3. Also, review the procedures used by the institution to ensure
that the information sharing reflects the opt out status of the
consumers of the nonaffiliated financial institution (§§10,