Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with the Gramm-Leach-Bliley Act, Section 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning. The audit is conducted from a hacker's perspective, which helps you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices. For more information visit http://www.yennik.com/it-review/.
FYI - Breaches aided by weak passwords, poor AV detection - Cyber criminals are still targeting customer data, but as larger organizations become more adept at locking down sensitive information, attackers are going after industries with franchise models.
http://www.scmagazine.com/breaches-aided-by-weak-passwords-poor-av-detection/article/227150/?DCMP=EMC-SCUS_Newswire

FYI - GSA Details Federal Cloud Security Program - The General Services Administration on Tuesday released extensive new details on FedRAMP, the federal government's new standardized approach to vetting the security of cloud computing services, taking an important step toward launching the program.
http://www.informationweek.com/news/government/cloud-saas/232600484

FYI - Want CSI without the blood? Investigate computer forensics - Most people may not have any idea what a computer forensics expert does beyond a general knowledge gleaned from spy novels.
http://www.usatoday.com/money/jobcenter/workplace/bruzzese/story/2012-01-31/profession-that-hunts-cybercriminals/52909566/1
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Hackers claim to have penetrated Foxconn backdoor - It had to happen eventually. Controversial hardware manufacturer Foxconn was reportedly hacked late on Wednesday and a heap of staff email log-ins and intranet credentials posted online, which could allow third parties to lodge fraudulent orders.
http://www.theregister.co.uk/2012/02/09/foxconn_hack_swagg/

FYI - Android botnet may net millions yearly for its operators - Researchers from Symantec and North Carolina State University may have stumbled upon one of the largest and most lucrative mobile botnets yet.
http://www.scmagazine.com/android-botnet-may-net-millions-yearly-for-its-operators/article/227377/?DCMP=EMC-SCUS_Newswire

FYI - Hackers Probably Stole Steam Transaction Data, Valve Says - Valve found evidence that suggests Steam hackers copied encrypted credit card details and billing addresses. Valve has informed users of its Steam online game distribution platform that hackers have probably downloaded encrypted credit card transaction data from a backup database during an intrusion last year.
http://www.csoonline.com/article/700059/hackers-probably-stole-steam-transaction-data-valve-says

FYI - TicketWeb coughs to email database hack - Punters get phishy mails sniffing for credit card info. Customers of UK ticketing agency TicketWeb, a subsidiary of TicketMaster, received phishing emails from the company over the weekend after its direct email marketing system was hacked.
http://www.theregister.co.uk/2012/02/13/ticketweb_email_lists_hacked/

FYI - CIA Website Hacked, Struggles To Recover - Anonymous and other hacktivists also left their marks on the U.S. Census Bureau, Interpol, and Mexico, as well as law enforcement websites in Alabama and Texas. An Anonymous-related Twitter channel claimed Friday that the group had successfully taken down the CIA's public-facing website.
http://www.informationweek.com/news/security/attacks/232600729

FYI - Microsoft online customer accounts hacked in India - A group calling itself Evil Shadow Team reportedly stole usernames and passwords of Microsoft Store customers. Microsoft's online store in India was hacked on Sunday, resulting in the theft of usernames and passwords of the site's customers.
http://news.cnet.com/8301-1009_3-57376462-83/microsoft-online-customer-accounts-hacked-in-india/
WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight

Because the Board of Directors and senior management are responsible for developing the institution's business strategy and establishing effective management oversight over risks, they are expected to take an explicit, informed and documented strategic decision as to whether and how the bank is to provide e-banking services. The initial decision should include the specific accountabilities, policies and controls to address risks, including those arising in a cross-border context. Effective management oversight is expected to encompass the review and approval of the key aspects of the bank's security control process, such as the development and maintenance of a security control infrastructure that properly safeguards e-banking systems and data from both internal and external threats. It should also include a comprehensive process for managing the risks associated with the increased complexity of, and increasing reliance on, outsourcing relationships and third-party dependencies to perform critical e-banking functions.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION

Outsourced Development

Many financial institutions outsource software development to third parties. Numerous vendor management issues exist when outsourcing software development. The vendor management program established by management should address the following:

• Verifying credentials and contracting only with reputable providers;
• Evaluating the provider's secure development environment, including background checks on its employees and its code development and testing processes;
• Obtaining fidelity coverage;
• Requiring signed nondisclosure agreements to protect the financial institution's rights to source code and customer data, as appropriate;
• Establishing security requirements, acceptance criteria, and test plans;
• Reviewing and testing source code for security vulnerabilities, including covert channels or backdoors that might obscure unauthorized access into the system;
• Restricting any vendor access to production source code and systems, and monitoring vendor access to development systems; and
• Performing security tests to verify that the security requirements are met before implementing the software in production.
INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Initial Privacy Notice

3) Does the institution provide to existing customers who obtain a new financial product or service an initial privacy notice that covers the customer's new financial product or service, if the most recent notice provided to the customer was not accurate with respect to the new financial product or service? [§4(d)(1)]