Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

TR39 Reviews - Every two years, EFT network members are required to submit a TR39 (formerly TG3) review to ensure compliance in maintaining secure systems for processing online PIN transactions. Billions of PIN activated transactions are switched through shared ATM and POS networks annually. Each transaction is originated using a debit or credit card and PIN. With each interchange transaction, the security of the customer's PIN is under the control of as many as eight or more processing entities. To schedule your TR39 review, please contact our associate Richard Gasdia with Aporia Solutions rgasdia@aporiasolutions.com.  His phone number is 713-266 8785 ext. 302 and the web site is http://aporiasolutions.com/index.shtml. 

FYI - Make the first 24 hours of data breach resolution count - As soon as you discover a breach of data privacy, it's go time for your response team. Sooner, rather than later, is the only acceptable timeframe for putting your data breach response plan in action. http://www.scmagazine.com/make-the-first-24-hours-of-data-breach-resolution-count/article/223789/?DCMP=EMC-SCUS_Newswire

FYI - Senators change sides on SOPA/PIPA issue - Several senators today abandoned their support of two highly controversial anti-web piracy bills making their way through Congress. http://www.scmagazine.com/senators-change-sides-on-sopapipa-issue/article/223719/

FYI - Alleged Muscovite cybercrime daddy hauled in to face US court - Feds allege père et fils duo scooped $100ks using malware - A suspected Russian cyber-crook has arrived in the US to face charges of security fraud, computer hacking and ID theft following his deportation from Switzerland. http://www.theregister.co.uk/2012/01/18/russian_cybercrime_suspect_deported/

FYI - Law solicitor at centre of internet piracy row suspended - The London-based lawyer at the centre of a long-running row over internet piracy has been suspended for two years and ordered to pay £76,000 in costs. http://www.guardian.co.uk/technology/2012/jan/18/acslaw-solicitor-internet-piracy-suspended?newsfeed=true

FYI - Supreme Court Rejects Student Social-Media Cases - The Supreme Court declined Tuesday to clarify on what grounds public schools may punish students for their off-campus online speech. http://www.wired.com/threatlevel/2012/01/scotus-student-social-media/

FYI - Warrants needed in GPS tracking - The Supreme Court on Monday unanimously restricted the police’s ability to use a GPS device to track criminal suspects in a first test of how privacy rights will be protected in the digital age. http://www.washingtonpost.com/politics/supreme-court-warrants-needed-in-gps-tracking/2012/01/23/gIQAx7qGLQ_story.html

FYI - Do you need a cyberumbrella? - If your company were hit with a cyberattack today, would it be able to foot the bill? The entire bill, including costs from regulatory fines, potential lawsuits, damage to your organizations' brand, and hardware and software repair, recovery and protection? http://www.computerworld.com.au/article/413142/do_need_cyberumbrella_/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Anonymous says it takes down FBI, DOJ, entertainment sites - Hacking group Anonymous said Thursday it knocked out the websites of the FBI, U.S. Department of Justice, and several entertainment industry sites as retribution for anti-piracy efforts by both the government and the entertainment industry. http://technolog.msnbc.msn.com/_news/2012/01/19/10193724-anonymous-says-it-takes-down-fbi-doj-entertainment-sites?chromedomain=usnews

FYI - Man charged with stealing NY Fed Reserve Bank source code - Authorities arrested a computer programmer today and charged him with stealing source code worth $9.5 million from the Federal Reserve Bank of New York. http://news.cnet.com/8301-27080_3-57361559-245/man-charged-with-stealing-ny-fed-reserve-bank-source-code/

FYI - Hackers hit UAE Central Bank website - Israeli hackers downed the website administered by the Central Bank of the United Arab Emirates on Thursday as the financial institution hosted European Central Bank chief. http://www.tgdaily.com/security-features/60896-hackers-hit-uae-central-bank-website

FYI - Lake Braddock students stole passwords, erased school data - Two Fairfax County middle-school students used stolen passwords to wreak havoc with a school software application used countywide by thousands of teachers, students and parents, according to authorities. http://www.washingtonpost.com/local/education/fairfax-officials-2-lake-braddock-students-stole-passwords-erased-school-data/2012/01/13/gIQArRuExP_story.html?tid=pm_local_pop

FYI - Anonymous Takes Out CBS.com, Universal Music - Anonymous didn't blow CBS' website apart, as early reports suggested. It appears that attackers used DNS poisoning to redirect the site's traffic to a different web server entirely. http://www.pcmag.com/article2/0,2817,2399185,00.asp

FYI - Hackers manipulated railway computers, TSA memo says - This story has been updated with new information from the railroad industry and to clearly state the industry's contention that the TSA memo was inaccurate. http://www.nextgov.com/nextgov/ng_20120123_3491.php?oref=topstory

FYI - DreamHost resets passwords after database breach - Unauthorized database access prompted DreamHost to reset the FTP and shell access passwords of its customers - Los Angeles-based Web hosting firm DreamHost reset the FTP and shell access passwords for all of its customers on Friday after detecting unauthorized activity within one of its databases. http://www.computerworld.com/s/article/9223625/DreamHost_resets_passwords_after_database_breach?taxonomyId=17

FYI - Symantec admits stolen source code impacts pcAnywhere - Big Yellow has done an about-face in light of new analysis that confirms users of its pcAnywhere software may be at risk to attack due to the disclosure of source code. http://www.scmagazine.com/symantec-admits-stolen-source-code-impacts-pcanywhere/article/224724/ 

FYI - Some 2M possibly affected by NYSEG, RG&E data compromise - Unauthorized individuals gained access to the personal data belonging to customers of New York State Electric & Gas (NYSEG) and Rochester Gas & Electric (RG&E), which are owned by Iberdrola USA. But an outside contractor is to blame.
http://www.scmagazine.com/some-2m-possibly-affected-by-nyseg-rge-data-compromise/article/224738/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE - Disclosures/Notices (Part 2 of 2)

In those instances where an electronic form of communication is permissible by regulation, to reduce compliance risk institutions should ensure that the consumer has agreed to receive disclosures and notices through electronic means. Additionally, institutions may want to provide information to consumers about the ability to discontinue receiving disclosures through electronic means, and to implement procedures to carry out consumer requests to change the method of delivery. Furthermore, financial institutions advertising or selling non-deposit investment products through on-line systems, like the Internet, should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY -  We continue our series on the FFIEC interagency Information Security Booklet.  

SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION

Security Controls in Application Software

Application development should incorporate appropriate security controls, audit trails, and activity logs. Typical application access controls are addressed in earlier sections. Application security controls should also include validation controls for data entry and data processing. Data entry validation controls include access controls over entry and changes to data, error checks, review of suspicious or unusual data, and dual entry or additional review and authorization for highly sensitive transactions or data. Data processing controls include: batch control totals; hash totals of data for comparison after processing; identification of any changes made to data outside the application (e.g., data-altering utilities); and job control checks to ensure programs run in correct sequence (see the booklet "Computer Operations" for additional considerations).

Some applications will require the integration of additional authentication and encryption controls to ensure integrity and confidentiality of the data. As customers and merchants originate an increasing number of transactions, authentication and encryption become increasingly important to ensure non-repudiation of transactions.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Account number sharing

A. If available, review a sample of telemarketer scripts used when making sales calls to determine whether the scripts indicate that the telemarketers have the account numbers of the institution's consumers (§12).

B. Obtain and review a sample of contracts with agents or service providers to whom the financial institution discloses account numbers for use in connection with marketing the institution's own products or services. Determine whether the institution shares account numbers with nonaffiliated third parties only to perform marketing for the institution's own products and services. Ensure that the contracts do not authorize these nonaffiliated third parties to directly initiate charges to customer's accounts (§12(b)(1)).

C. Obtain a sample of materials and information provided to the consumer upon entering a private label or affinity credit card program. Determine if the participants in each program are identified to the customer when the customer enters into the program (§12(b)(2)).