Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
TR39 Reviews - Every two years,
EFT network members are required to submit a TR39 (formerly TG3)
review to ensure compliance in maintaining secure systems for
processing online PIN transactions. Billions of PIN activated
transactions are switched through shared ATM and POS networks
annually. Each transaction is originated using a debit or credit
card and PIN. With each interchange transaction, the security of the
customer's PIN is under the control of as many as eight or more
processing entities. To schedule your TR39 review, please contact
our associate Richard Gasdia with Aporia Solutions
email@example.com. His phone number is 713-266
8785 ext. 302 and the web site is
- Make the first 24 hours of data breach resolution count - As soon
as you discover a breach of data privacy, it's go time for your
response team. Sooner, rather than later, is the only acceptable
timeframe for putting your data breach response plan in action.
- Senators change sides on SOPA/PIPA issue - Several senators today
abandoned their support of two highly controversial anti-web piracy
bills making their way through Congress.
- Alleged Muscovite cybercrime daddy hauled in to face US court -
Feds allege père et fils duo scooped $100ks using malware - A
suspected Russian cyber-crook has arrived in the US to face charges
of security fraud, computer hacking and ID theft following his
deportation from Switzerland.
- Law solicitor at centre of internet piracy row suspended - The
London-based lawyer at the centre of a long-running row over
internet piracy has been suspended for two years and ordered to pay
£76,000 in costs.
- Supreme Court Rejects Student Social-Media Cases - The Supreme
Court declined Tuesday to clarify on what grounds public schools may
punish students for their off-campus online speech.
- Warrants needed in GPS tracking - The Supreme Court on Monday
unanimously restricted the police’s ability to use a GPS device to
track criminal suspects in a first test of how privacy rights will
be protected in the digital age.
- Do you need a cyberumbrella? - If your company were hit with a
cyberattack today, would it be able to foot the bill? The entire
bill, including costs from regulatory fines, potential lawsuits,
damage to your organizations' brand, and hardware and software
repair, recovery and protection?
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Anonymous says it takes down FBI, DOJ, entertainment sites -
Hacking group Anonymous said Thursday it knocked out the websites of
the FBI, U.S. Department of Justice, and several entertainment
industry sites as retribution for anti-piracy efforts by both the
government and the entertainment industry.
- Man charged with stealing NY Fed Reserve Bank source code -
Authorities arrested a computer programmer today and charged him
with stealing source code worth $9.5 million from the Federal
Reserve Bank of New York.
- Hackers hit UAE Central Bank website - Israeli hackers downed the
website administered by the Central Bank of the United Arab Emirates
on Thursday as the financial institution hosted European Central
- Lake Braddock students stole passwords, erased school data - Two
Fairfax County middle-school students used stolen passwords to wreak
havoc with a school software application used countywide by
thousands of teachers, students and parents, according to
- Anonymous Takes Out CBS.com, Universal Music - Anonymous didn't
blow CBS' website apart, as early reports suggested. It appears that
attackers used DNS poisoning to redirect the site's traffic to a
different web server entirely.
- Hackers manipulated railway computers, TSA memo says - This story
has been updated with new information from the railroad industry and
to clearly state the industry's contention that the TSA memo was
- DreamHost resets passwords after database breach - Unauthorized
database access prompted DreamHost to reset the FTP and shell access
passwords of its customers - Los Angeles-based Web hosting firm
DreamHost reset the FTP and shell access passwords for all of its
customers on Friday after detecting unauthorized activity within one
of its databases.
- Symantec admits stolen source code impacts pcAnywhere - Big Yellow
has done an about-face in light of new analysis that confirms users
of its pcAnywhere software may be at risk to attack due to the
disclosure of source code.
- Some 2M possibly affected by NYSEG, RG&E data compromise -
Unauthorized individuals gained access to the personal data
belonging to customers of New York State Electric & Gas (NYSEG) and
Rochester Gas & Electric (RG&E), which are owned by Iberdrola USA.
But an outside contractor is to blame.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
2 of 2)
In those instances where an electronic form of communication is
permissible by regulation, to reduce compliance risk institutions
should ensure that the consumer has agreed to receive disclosures
and notices through electronic means. Additionally, institutions may
want to provide information to consumers about the ability to
discontinue receiving disclosures through electronic means, and to
implement procedures to carry out consumer requests to change the
method of delivery. Furthermore, financial institutions advertising
or selling non-deposit investment products through on-line systems,
like the Internet, should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Security Controls in Application Software
Application development should incorporate appropriate security
controls, audit trails, and activity logs. Typical application
access controls are addressed in earlier sections. Application
security controls should also include validation controls for data
entry and data processing. Data entry validation controls include
access controls over entry and changes to data, error checks, review
of suspicious or unusual data, and dual entry or additional review
and authorization for highly sensitive transactions or data. Data
processing controls include: batch control totals; hash totals of
data for comparison after processing; identification of any changes
made to data outside the application (e.g., data-altering
utilities); and job control checks to ensure programs run in correct
sequence (see the booklet "Computer Operations" for additional
Some applications will require the integration of additional
authentication and encryption controls to ensure integrity and
confidentiality of the data. As customers and merchants originate an
increasing number of transactions, authentication and encryption
become increasingly important to ensure non-repudiation of
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Account number sharing
A. If available, review a sample of telemarketer scripts used
when making sales calls to determine whether the scripts indicate
that the telemarketers have the account numbers of the institution's
B. Obtain and review a sample of contracts with agents or service
providers to whom the financial institution discloses account
numbers for use in connection with marketing the institution's own
products or services. Determine whether the institution shares
account numbers with nonaffiliated third parties only to perform
marketing for the institution's own products and services. Ensure
that the contracts do not authorize these nonaffiliated third
parties to directly initiate charges to customer's accounts
C. Obtain a sample of materials and information provided to the
consumer upon entering a private label or affinity credit card
program. Determine if the participants in each program are
identified to the customer when the customer enters into the program