Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
- Next Generation Banking Malware Emerges After Zeus - The rumored
combination of two pieces of advanced online banking malware appears
to be fully underway after several months of speculation.
- NIST Issues Cloud Security Guidelines - The government standards
body has launched a wiki to get feedback on its draft policies for
securely deploying cloud computing. Organizations implementing cloud
computing should think about security first before deploying a
production environment, according to the National Institute of
Standards and Technology (NIST).
- The Internet kill switch that isn't - The comparisons to the
Internet shutdown in Egypt grew loud enough that the three sponsors
of the 2010 bill, Senators Joseph Lieberman, Maine Republican Susan
Collins and Delaware Democrat Tom Carper issued a statement this
week condemning the actions there.
- NIST issues virtualization security guidance - The National
Institute of Standards and Technology (NIST) this week issued a
guidance document for securely configuring and using virtualization
- An independent approach to PCI audit security and compliance - It
has become quite apparent that the current PCI auditing system is
broken. Not only have the scope and complexities of the PCI Data
Security Standard made maintaining proper standards for security and
compliance virtually inaccessible for the average merchant, there is
potentially a much deeper problem with the system as well.
- ID fraud incidents decline in 2010, but costs go up - Incidents of
identity fraud declined last year, but the cost per incident rose,
and consumers are taking longer to respond to occurrences of theft,
according to a survey released Tuesday.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Hackers penetrated Nasdaq computers - Federal authorities are
investigating repeated intrusions into the computer network that
runs the Nasdaq stock exchange, according to a Wall Street Journal
report that cited people familiar with the matter.
government suffers Zeus attack - William Hague reveals government
computers were infected last December - The UK government fell
victim to a cyber attack using the notorious information-stealing
Zeus malware in late December, according to the foreign secretary.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services ( Part 2 of 4)
The board of directors and senior management are responsible for
understanding the risks associated with outsourcing arrangements for
technology services and ensuring that effective risk management
practices are in place. As part of this responsibility, the board
and management should assess how the outsourcing arrangement will
support the institution’s objectives and strategic plans and how the
service provider’s relationship will be managed. Without an
effective risk assessment phase, outsourcing technology services may
be inconsistent with the institution’s strategic plans, too costly,
or introduce unforeseen risks.
Outsourcing of information and transaction processing and settlement
activities involves risks that are similar to the risks that arise
when these functions are performed internally. Risks include threats
to security, availability and integrity of systems and resources,
confidentiality of information, and regulatory compliance. In
addition, the nature of the service provided, such as bill payment,
funds transfer, or emerging electronic services, may result in
entities performing transactions on behalf of the institution, such
as collection or disbursement of funds, that can increase the levels
of credit, liquidity, transaction, and reputation risks.
Management should consider additional risk management controls when
services involve the use of the Internet. The broad geographic
reach, ease of access, and anonymity of the Internet require close
attention to maintaining secure systems, intrusion detection and
reporting systems, and customer authentication, verification, and
authorization. Institutions should also understand that the
potential risks introduced are a function of a system’s structure,
design and controls and not necessarily the volume of activity.
An outsourcing risk assessment should consider the following:
• Strategic goals, objectives, and business needs of the
• Ability to evaluate and oversee outsourcing relationships.
• Importance and criticality of the services to the financial
• Defined requirements for the outsourced activity.
• Necessary controls and reporting processes.
• Contractual obligations and requirements for the service
• Contingency plans, including availability of alternative
service providers, costs and resources
required to switch service providers.
• Ongoing assessment of outsourcing arrangements to evaluate
consistency with strategic
objectives and service provider performance.
• Regulatory requirements and guidance for the business lines
affected and technologies used.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (2 of 5)
System devices, programs, and data are system resources. Each system
resource may need to be accessed by other system resources and
individuals in order for work to be performed. Access beyond the
minimum required for work to be performed exposes the institution's
systems and information to a loss of confidentiality, integrity, and
availability. Accordingly, the goal of access rights administration
is to identify and restrict access to any particular system resource
to the minimum required for work to be performed. The financial
institution's security policy should address access rights to system
resources and how those rights are to be administered.
Management and information system administrators should critically
evaluate information system access privileges and establish access
controls to prevent unwarranted access. Access rights should be
based upon the needs of the applicable user or system resource to
carry out legitimate and approved activities on the financial
institution's information systems. Policies, procedures, and
criteria need to be established for both the granting of appropriate
access rights and for the purpose of establishing those legitimate
activities. Formal access rights administration for users consists
of four processes:
! An enrollment process to add new users to the system;
! An authorization process to add, delete, or modify authorized user
access to operating systems, applications, directories, files, and
specific types of information;
! An authentication process to identify the user during subsequent
! A monitoring process to oversee and manage the access rights
granted to each user on the system.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
23. If the institution delivers the opt out notice after the initial
notice, does the institution provide the initial notice once again
with the opt out notice? [§7(c)]
24. Does the institution provide an opt out notice, explaining how
the institution will treat opt out directions by the joint
consumers, to at least one party in a joint consumer relationship?