Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
- Banks may soon require new online authentication steps - The
Federal Financial Institutions Examination Council (FFIEC) could
soon release new guidelines for banks to use when authenticating
users to online banking transactions.
Court orders seizure of PS3 hacker's computers - A federal judge
ordered prolific hacker Geohot to turn over his computers and hard
drives and to stop publishing the tools used to root Sony's
PlayStation 3 after finding his hack was likely a violation of US
Showing how security is a value-add to the organization - The past
two years have transformed the way the world does business. The
global economic crisis has led to many transformations in the way
businesses operate both here and abroad.
Out of the woods - Resources running low is not something one
usually associates with the state of Alaska, but that is exactly
what happened at the third largest credit union in the state. It
wasn't a shortage of fish, game, oil or natural beauty that the
full-service financial institution was faced with. Rather, it had
outgrown the capabilities of its existing log management and
security information event management (SIEM) system.
FBI serves 40 search warrants in Anonymous crackdown - Worldwide
DDoS dragnet - FBI agents executed more than 40 search warrants on
Thursday as part of an investigation into coordinated web attacks
carried out by the hacking collective known as Anonymous.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Newspaper site pulls plug after 'sustained' hack attack - South
African newspaper The Mail & Guardian pulled down its website to
protect readers against “sustained attacks” that attempted to infect
them with malware.
U.S. Can’t Link Bradley Manning to Julian Assange - After months of
investigation, U.S. authorities have apparently been unable to find
any independent evidence that a jailed Army private accused of
leaking classified documents gave them to the secret-spilling site
WikiLeaks, according to a news report.
Drive-by exploit slurps sensitive data from Android phones - A
computer scientist has found a vulnerability in the latest version
of Google's Android operating system that can be exploited to
disclose sensitive user information.
London Stock Exchange under cyber attack - Report suggests hackers
are trying to disrupt UK's critical infrastructure - The London
Stock Exchange (LSE) has reportedly been investigating a suspected
cyber attack on its systems designed to disrupt and spread panic
across the markets.
SourceForge applies global password reset after hack attack - Just a
precaution, you understand - Open-source code repository SourceForge
has advised users to change their passwords following a concerted
Online Dating Site Breached - PlentyOfFish.com has been compromised
and the company is blaming the messenger. Online dating Web site
PlentyOfFish.com has been hacked, exposing the personal information
and passwords associated with almost 30 million accounts. However,
the site's founder Markus Frind claims that only 345 accounts were
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services ( Part 1 of
Purpose and Background
This statement focuses on the risk management process of
identifying, measuring, monitoring, and controlling the risks
associated with outsourcing technology services.1 Financial
institutions should consider the guidance outlined in this statement
and the attached appendix in managing arrangements with their
technology service providers. While this guidance covers a
broad range of issues that financial institutions should address,
each financial institution should apply those elements based on the
scope and importance of the outsourced services as well as the risk
to the institution from the services.
Financial institutions increasingly rely on services provided by
other entities to support an array of technology-related functions.
While outsourcing to affiliated or nonaffiliated entities can help
financial institutions manage costs, obtain necessary expertise,
expand customer product offerings, and improve services, it also
introduces risks that financial institutions should address.
This guidance covers four elements of a risk management process:
risk assessment, selection of
service providers, contract review, and monitoring of service
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
The goal of logical and administrative access control is to restrict
access to system resources. Access should be provided only to
authorized individuals whose identity is established, and their
activities should be limited to the minimum required for business
purposes. Authorized individuals (users) may be employees, TSP
employees, vendors, contractors, customers, or visitors.
An effective control mechanism includes numerous controls to
safeguard and limit access to key information system assets. This
section addresses logical and administrative controls, including
access rights administration and authentication through network,
operating system, application, and remote access. A subsequent
section addresses physical security controls.
ACCESS RIGHTS ADMINISTRATION (1 of 5)
Action Summary - Financial institutions should have an effective
process to administer access rights. The process should include the
1) Assign users and system resources only the access required to
perform their required functions,
2) Update access rights based on personnel or system changes,
3) Periodically review users' access rights at an appropriate
frequency based on the risk to the application or system, and
4) Design appropriate acceptable-use policies and require users to
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
22. Does the institution provide the consumer with at least one of
the following reasonable means of opting out, or with another
a. check-off boxes prominently displayed on the relevant forms with
the opt out notice; [§7(a)(2)(ii)(A)]
b. a reply form included with the opt out notice; [§7(a)(2)(ii)(B)]
c. an electronic means to opt out, such as a form that can be sent
via electronic mail or a process at the institution's web site, if
the consumer agrees to the electronic delivery of information;
d. a toll-free telephone number? [§7(a)(2)(ii)(D)]
institution may require the consumer to use one specific means, as
long as that means is reasonable for that consumer. [§7(a)(iv)])