Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Hackers outwit online banking identity security systems - Criminal
hackers have found a way round the latest generation of online
banking security devices given out by banks, the BBC has learned.
- Feds Issue Comprehensive Cloud Security Guidance - National
Institute of Standards and Technology urges government and private
sector users not to leave cloud security to providers or service
arrangements. There's no silver bullet to ensuring security in the
public cloud, but organizations need to take the reins and not leave
security up to service providers and service arrangements, the
National Institute of Standards and Technology (NIST) said in
comprehensive new cloud security guidance.
- Final phase of Mass. data protection law kicks in March 1 - It
requires companies to take measures to protect personal data of
state residents - All companies storing personal data on
Massachusetts residents have just over a month to ensure that their
contractors, suppliers, technology providers and other third parties
comply with a provision of a state data breach law that went into
effect in March 2010.
- I Spy Your Company’s Boardroom - Rapid7 discovered that they could
remotely infiltrate conference rooms in some of the top venture
capital and law firms across the country, as well as pharmaceutical
and oil companies and even the boardroom of Goldman Sachs - all by
simply calling in to unsecured videoconferencing systems that they
found by doing a scan of the internet.
- FINRA advises brokers to bulk up security - The Financial Industry
Regulatory Authority (FINRA), the largest regulator of investment
firms, is warning its members to strengthen their policies around
verifying fund transfer and withdrawal requests from customers.
- Best practices to secure the mobile enterprise - Mobile devices
have infiltrated nearly every aspect of people's lives. The amount
of personal and corporate data stored on these devices makes
securing the information on the tool a priority.
- SEC accuses Latvian man of hacking brokerage accounts - The
federal Securities and Exchange Commission has charged a Latvian man
with participating in a pump-and-dump scheme that manipulated the
value of more than 100 New York Stock Exchange and Nasdaq stocks.
- Security breaches impacting VeriSign emerge in filing - VeriSign,
the company that manages more than 100 million .com, .net and .gov
domains, was hacked numerous times in 2010, and the intruders got
away with unspecified data.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Symantec admits stolen source code impacts pcAnywhere - Big Yellow
has done an about-face in light of new analysis that confirms users
of its pcAnywhere software may be at risk to attack due to the
disclosure of source code.
- European Parliament says its website taken offline by attackers -
The European Parliament's website fell under a distributed
denial-of-service attack (DDOS) on Thursday in what the organization
classified as retaliation for the shutdown of the Megaupload
file-sharing site and an anti-counterfeiting trade agreement.
- Students busted for hacking computers, changing grades - 'Very
bright kids' too bright for their own good - Three high school
juniors have been arrested after they devised a sophisticated
hacking scheme to up their grades and make money selling quiz
answers to their classmates.
- Univ. of Hawaii settles with 98,000 over five breaches - The
University of Hawaii (UH) has settled a class-action data breach
lawsuit brought by nearly 100,000 students, faculty, alumni and
staff, according to the plaintiffs' lawyers.
- Central Kentucky's largest group practice hit with patient data
breach - A laptop storing patient data was stolen from the neurology
department of Lexington Clinic on the night of Dec. 7, 2011.
- Indiana University hospital hacked to steal data - Malware may
have allowed attackers to make off with the personal information of
thousands of people connected to Indiana University Health Goshen
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Expedited Funds Availability Act (Regulation CC)
Generally, the rules pertaining to the duty of an institution to
make deposited funds available for withdrawal apply in the
electronic financial services environment. This includes rules on
fund availability schedules, disclosure of policy, and payment of
interest. Recently, the FRB published a commentary that clarifies
requirements for providing certain written notices or disclosures to
customers via electronic means. Specifically, the commentary to the
regulations states that a financial institution satisfies the
written exception hold notice requirement, and the commentary to the
regulations states that a financial institution satisfies the
general disclosure requirement by sending an electronic version that
displays the text and is in a form that the customer may keep.
However, the customer must agree to such means of delivery of
notices and disclosures. Information is considered to be in a form
that the customer may keep if, for example, it can be downloaded or
printed by the customer. To reduce compliance risk, financial
institutions should test their programs' ability to provide
disclosures in a form that can be downloaded or printed.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Development and Support
Development and support activities should ensure that new software
and software changes do not compromise security. Financial
institutions should have an effective application and system change
control process for developing, implementing, and testing changes to
internally developed software and purchased software. Weak change
control procedures can corrupt applications and introduce new
security vulnerabilities. Change control considerations relating to
security include the following:
! Restricting changes to authorized users,
! Reviewing the impact changes will have on security controls,
! Identifying all system components that are impacted by the
! Ensuring the application or system owner has authorized changes in
! Maintaining strict version control of all software updates, and
! Maintaining an audit trail of all changes.
Changes to operating systems may degrade the efficiency and
effectiveness of applications that rely on the operating system for
interfaces to the network, other applications, or data. Generally,
management should implement an operating system change control
process similar to the change control process used for application
changes. In addition, management should review application systems
following operating system changes to protect against a potential
compromise of security or operational integrity.
When creating and maintaining software, separate software libraries
should be used to assist in enforcing access controls and
segregation of duties. Typically, separate libraries exist for
development, test, and production.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
1) Does the institution provide a clear and conspicuous notice
that accurately reflects its privacy policies and practices to all
customers not later than when the customer relationship is
established, other than as allowed in paragraph (e) of section four
(4) of the regulation? [§4(a)(1))]?
(Note: no notice is required if nonpublic personal information is
disclosed to nonaffiliated third parties only under an exception in
Sections 14 and 15, and there is no customer relationship. [§4(b)]
With respect to credit relationships, an institution establishes a
customer relationship when it originates a consumer loan. If the
institution subsequently sells the servicing rights to the loan to
another financial institution, the customer relationship transfers
with the servicing rights. [§4(c)])