Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
- FDIC - Payment Processor Relationships Revised Guidance - Attached is revised guidance describing potential risks associated with relationships with third-party entities that process payments for telemarketers, online businesses, and other merchants (collectively "merchants"). These relationships can pose increased risk to institutions and require careful due diligence and monitoring.
- Mining social networks - Criminals are finding social media websites like Facebook, which contain a vast array of personal assets, to be a treasure trove of information that they can use to launch further attacks.
- Romanian cops cuff suspected serial hacker - Alleged Royal Navy, Pentagon invader gets keelhauled - Romanian police have arrested a man suspected of breaking into the websites of NASA and the Pentagon in a series of high-profile hack attacks.
- Don't let Wi-Fi hotspots get the best of you - According to a report from the Wireless Broadband Alliance and analyst firm Informa Telecoms & Media, the number of public Wi-Fi hotspots globally is
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- VeriSign admits multiple hacks in 2010, keeps details under wraps - Claims its DNS network wasn't breached, but mum on whether SSL certificates were compromised - VeriSign, the company responsible for guiding most of the world's Internet users to the correct websites and once the largest encryption certificate issuing authority, has acknowledged that it was successfully hacked several times in 2010.
- Anonymous raids law firm over its defense of Marine - Anonymous stayed busy on Friday with the dump of 300 GB of emails and other communications, lifted from the law firm representing a U.S. Marine who recently escaped jail time for his role in a 2005 massacre.
- Patient data at U of M hospital breached - A thief broke into a doctor's car and stole a briefcase containing a flash drive that held personal data on patients of the University of Miami (UM) Miller School of Medicine.
- Virus Hits Part Of U.S. Commerce Dept. - Economic Development Administration has disabled its website and email while attack is investigated. A virus has caused the Department of Commerce's Economic Development Administration (EDA) to disable its email and Internet access indefinitely while the nature and origin of the attack is investigated.
- Hackers apparently hit Swedish government site - A group linked to the hacker network Anonymous on Saturday said it had attacked the Swedish government's website, bringing it down for periods of time by overloading it with traffic.
WEB SITE COMPLIANCE - Over the next few weeks, we will cover some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.
Continuing technological innovation and competition among existing banking organizations and new entrants have allowed for a much wider array of banking products and services to become accessible and delivered to retail and wholesale customers through an electronic distribution channel collectively referred to as e-banking. However, the rapid development of e-banking capabilities carries risks as well as benefits.
The Basel Committee on Banking Supervision expects such risks to be recognized, addressed and managed by banking institutions in a prudent manner according to the fundamental characteristics and challenges of e-banking services. These characteristics include the unprecedented speed of change related to technological and customer service innovation, the ubiquitous and global nature of open electronic networks, the integration of e-banking applications with legacy computer systems and the increasing dependence of banks on third parties that provide the necessary information technology. The Committee noted that, while these characteristics do not create inherently new risks, they increase and modify some of the traditional risks associated with banking activities, in particular strategic, operational, legal and reputational risks, thereby influencing the overall risk profile of banking.
Based on these conclusions, the Committee considers that while existing risk management principles remain applicable to e-banking activities, such principles must be tailored, adapted and, in some cases, expanded to address the specific risk management challenges created by the characteristics of e-banking activities. To this end, the Committee believes that it is incumbent upon the Boards of Directors and banks' senior management to take steps to ensure that their institutions have reviewed and modified where necessary their existing risk management policies and processes to cover their current or planned e-banking activities. The Committee also believes that the integration of e-banking applications with legacy systems implies an integrated risk management approach for all banking activities of a banking institution.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION
Source Code Review and Testing
Application and operating system source code can have numerous vulnerabilities due to programming errors or misconfiguration. Where possible, financial institutions should use software that has been subjected to independent security reviews of the source code, especially for Internet-facing systems. Software can contain erroneous or intentional code that introduces covert channels, backdoors, and other security risks into systems and applications. These hidden access points can often provide unauthorized access to systems or data that circumvents built-in access controls and logging. Source code reviews should be repeated after potentially significant changes are made.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Initial Privacy Notice
2) Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all consumers, who are not customers, before any nonpublic personal information about the consumer is disclosed to a nonaffiliated third party, other than under an exception in §§14 or