Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
- FFIEC IT Examination Handbook InfoBase: New Look and Improved Navigation - The Federal Financial Institutions Examination Council today announced the launch of its redesigned IT Examination Handbook InfoBase. The IT InfoBase is the primary distribution method for the IT Examination Handbook.
- UK Press Watchdog Rules Tweets Are Public Information - A ruling by the Press Complaints Commission (PCC) has given British journalists the green light to lift tweets from social networking site Twitter. The public nature of tweeting, PCC says, means quoting those 140 character outbursts in print or online does not “constitute a
- Two councils hit with big fines for laptop blunder - Unencrypted data gaffe hits Hounslow, Ealing - The UK's information watchdog has slapped two London councils with hefty penalties for failing to encrypt personal data on laptops that were stolen by thieves.
- RSA Conference study to reveal cloud frustration - Security practitioners are working to safeguard cloud computing environments but believe they need more education and training, according to a soon-to-be released study.
- Microsoft accuses former manager of stealing 600MB of confidential docs - Microsoft yesterday accused a former manager of taking hundreds of megabytes of confidential company material when he left the firm for a new position at another company.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- CTO warns of new combined threat named 'Night Dragon' - A new large scale attack has been detailed that targets financial systems behind oil and gas fields.
- Hack of Irish job site exposes user names, addresses - Barn door promptly closed - Employment search site RecruitIreland.com has reopened its doors following a security breach that exposed users' names and email addresses.
- Twitter User Tricks Sony Into Posting ‘Secret’ PS3 Code - Sony is having a rough time trying to keep the PlayStation 3 secure, and the company seems intent on policing the entirety of the Internet to stop the spread of the tools and information needed to hack the device. This can be hard to do when your own faux spokesperson decides to retweet one of the offending series of letters and numbers in their entirety online.
- eHarmony advice site hacked to expose user information - Less than a month after the dating site PlentyOfFish suffered a breach of customer data, rival eHarmony has confirmed that a hacker gained access to some of its users' information.
- Chinese hackers break into oil companies' networks - Sophisticated hackers, believed to be from China, have broken into the networks of several global oil, energy and petrochemical companies, according to a report released late Wednesday.
- Spanish police arrest man over Nintendo gamer hack - Police in Spain have arrested a man who allegedly stole details on thousands of Nintendo users and tried to blackmail the company.
- Ambulance dispatch system hit by virus: reports - Take two aspirin, call in the morning - Australia’s ABC News is reporting that the dispatch system of the NSW Ambulance Service has been infected with a computer virus.
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services (Part 3 of 4)
Due Diligence in Selecting a Service Provider
Once the institution has completed the risk assessment, management
should evaluate service providers to determine their ability, both
operationally and financially, to meet the institution’s needs.
Management should convey the institution’s needs, objectives, and
necessary controls to the potential service provider. Management
also should discuss provisions that the contract should contain. The
appendix to this statement contains some specific factors for
management to consider in selecting a service provider.
Contracts between the institution and service provider should take
into account business requirements and key risk factors identified
during the risk assessment and due diligence phases. Contracts
should be clearly written and sufficiently detailed to provide
assurances for performance, reliability, security, confidentiality,
and reporting. Management should consider whether the contract is
flexible enough to allow for changes in technology and the financial
institution's operations. Appropriate legal counsel should review
contracts prior to signing.
Institutions may encounter situations where service providers cannot
or will not agree to terms that the institution requests to manage
the risk effectively. Under these circumstances, institutions should
either not contract with that provider or supplement the service
provider’s commitments with additional risk mitigation controls. The
appendix to this statement contains some specific considerations for
management in contracting with a service provider.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (3 of 5)
The enrollment process establishes the user's identity
and anticipated business needs to information and systems. New
employees, IT outsourcing relationships, and contractors may also be
identified, and the business need for access determined during the
hiring or contracting process.
During enrollment and thereafter, an authorization process
determines user access rights. In certain circumstances the
assignment of access rights may be performed only after the manager
responsible for each accessed resource approves the assignment and
documents the approval. In other circumstances, the assignment of
rights may be established by the employee's role or group
membership, and managed by pre-established authorizations for that
group. Customers, on the other hand, may be granted access based on
their relationship with the institution.
Authorization for privileged access should be tightly controlled.
Privileged access refers to the ability to override system or
application controls. Good practices for controlling privileged
access include:
! Identifying each privilege associated with each system component,
! Implementing a process to allocate privileges and allocating those
privileges either on a need-to-use or an event-by-event basis,
! Documenting the granting and administrative limits on privileges,
! Finding alternate ways of achieving the business objectives,
! Assigning privileges to a unique user ID apart from the one used
for normal business use,
! Logging and auditing the use of privileged access,
! Reviewing privileged access rights at appropriate intervals and
regularly reviewing privilege access allocations, and
! Prohibiting shared privileged access by multiple users.
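The practices above are easier to enforce when the periodic review is scripted rather than done by eye. The following is an added example, not text or code from the FFIEC booklet, that encodes four of them as checks over a constructed list of privileged-access grants (separate privileged ID, documented approver, review interval, no shared privileged accounts) and then reconciles a constructed privileged-use log against those grants. The record fields, the 90-day review interval, the account and manager names, and the log line format are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Grant:
    user: str          # person the privilege is allocated to
    account: str       # account ID the privilege is attached to
    privilege: str     # e.g. "domain_admin", "unix_root"
    approved_by: str   # resource owner who approved; "" if not documented
    last_review: date  # date the allocation was last reviewed


REVIEW_INTERVAL = timedelta(days=90)   # assumption: quarterly review of allocations


def review_allocations(grants, normal_accounts, today):
    """Check privileged-access allocations against the practices listed above.

    grants: privileged grants only; normal_accounts: user -> everyday account ID.
    Returns a list of (rule, detail) findings, shared-account findings first.
    """
    findings = []
    holders = {}
    for g in grants:
        holders.setdefault(g.account, set()).add(g.user)
    # Prohibit shared privileged access: one privileged account held by many users.
    for account, users in sorted(holders.items()):
        if len(users) > 1:
            findings.append(("shared_privileged_account",
                             f"{account} is held by {sorted(users)}"))
    for g in grants:
        # Privileges belong on a separate ID, not the normal-use account.
        if normal_accounts.get(g.user) == g.account:
            findings.append(("privilege_on_normal_account",
                             f"{g.user}: {g.privilege} granted to everyday account {g.account}"))
        # Granting must be approved and documented by the resource's manager.
        if not g.approved_by:
            findings.append(("undocumented_approval",
                             f"{g.user}: {g.privilege} on {g.account} has no recorded approver"))
        # Allocations must be reviewed at appropriate intervals.
        if today - g.last_review > REVIEW_INTERVAL:
            findings.append(("review_overdue",
                             f"{g.user}: {g.privilege} on {g.account} last reviewed {g.last_review}"))
    return findings


def audit_usage(log_lines, grants):
    """Reconcile logged privileged-account use with current allocations.

    Each line is '<timestamp> account=<id> user=<who> action=<what>' (constructed format).
    Any use of a privileged account by someone without a grant for it is flagged.
    """
    allowed = {(g.user, g.account) for g in grants}
    findings = []
    for line in log_lines:
        ts, _, rest = line.partition(" ")
        fields = dict(tok.split("=", 1) for tok in rest.split())
        if (fields["user"], fields["account"]) not in allowed:
            findings.append(("use_without_grant",
                             f"{ts}: {fields['user']} used {fields['account']} ({fields['action']})"))
    return findings


# Constructed sample data for the example; not real accounts or people.
TODAY = date(2011, 2, 14)
NORMAL_ACCOUNTS = {"alice": "alice", "bob": "bob", "carol": "carol", "dave": "dave"}
GRANTS = [
    Grant("alice", "alice-adm", "domain_admin", "m.ito", date(2011, 1, 15)),
    Grant("bob",   "bob",       "db_sysdba",    "m.ito", date(2011, 2, 1)),   # on everyday ID
    Grant("carol", "ops-root",  "unix_root",    "",      date(2010, 10, 1)),  # no approver, stale
    Grant("dave",  "ops-root",  "unix_root",    "m.ito", date(2011, 2, 10)),  # shares ops-root
]
USAGE_LOG = [
    "2011-02-13T09:12:01 account=alice-adm user=alice action=group_policy_edit",
    "2011-02-13T11:40:22 account=ops-root user=erin action=sudo_shell",
    "2011-02-13T17:05:09 account=ops-root user=dave action=package_install",
]

if __name__ == "__main__":
    for rule, detail in (review_allocations(GRANTS, NORMAL_ACCOUNTS, TODAY)
                         + audit_usage(USAGE_LOG, GRANTS)):
        print(f"{rule:28} {detail}")
```

Run as-is it reports the shared ops-root account, bob's privilege sitting on his everyday ID, carol's undocumented and overdue grant, and erin's use of ops-root with no grant at all; in practice the grant list would come from the directory or privileged-access system and the log from the hosts themselves, with the same checks applied.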
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
25. Does the institution permit
each of the joint consumers in a joint relationship to opt out?
26. Does the opt out notice to joint consumers state that either:
a. the institution will consider an opt out by a joint consumer as
applying to all associated joint consumers; [§7(d)(2)(i)] or
b. each joint consumer is permitted to opt out separately?