Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Cybersecurity bill would create costly regulations, say critics -
Some Republican senators and the Chamber of Commerce call for the
Senate to slow down its efforts to pass a new bill - Leaders in the
U.S. Senate are trying to fast-track new cybersecurity legislation
that will create costly new regulations for some businesses, some
critics said Thursday.
- The probability of a data breach lawsuit - If a data breach
occurs, when are companies more likely to be sued? Legal complaints,
from customers and employees, happen all the time following a
data-leakage incident, but exactly which kind of incidents are more
likely to force organizations into court?
- NSA chief sees possible Anonymous hit on power grid - The
computer-hacking confederacy Anonymous might be able to cause a
limited power blackout in a year or two, the general who directs the
National Security Agency has warned officials, TheWall Street
Journal is reporting.
- Brit student locked up for Facebook source code hack - A British
computer science student was jailed for eight months on Friday for
hacking into the internal network at Facebook.
- Goldman Sachs Code-Theft Conviction Reversed - A federal appeals
court on Friday reversed the conviction of a former Goldman Sachs
programmer sentenced to eight years for stealing the bank’s
high-speed trading software.
- Feds Urge Court to Reject Laptop Decryption Appeal - The
government is urging a federal appeals court not to entertain an
appeal from a bank-fraud defendant who has been ordered to decrypt
her laptop so its contents can be used in her criminal case.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Cyber thieves piggyback off Stratfor breach, target feds - Hackers
posing as officials from the geopolitical analysis publisher
Stratfor are emailing infected links to government subscribers whose
email addresses were stolen during an earlier raid on the company's
computers, Microsoft researchers say.
- Nortel hacking attack went unnoticed for almost 10 years - Hackers
broke into Nortel’s computer networks more than a decade ago and
over the years downloaded technical papers, research-and-development
reports, business plans, employee emails and other documents.
- Connecticut college computer infected with malware, 18K affected -
The Zbot, or Zeus, trojan infected a computer at Central Connecticut
State University (CCSU) in New Britain to expose the Social Security
numbers of thousands of people related to the college.
- Greek hackers are arrested over Anonymous attacks - Teenagers
picked up for government protests - THREE GREEK TEENAGERS have been
arrested and accused of hacking and defacing a government web site.
- Hackers target Putin's vote-monitoring system - Hackers have tried
to crash a vast network of Web cameras which Vladimir Putin has
ordered to allay fears of vote-rigging in the March presidential
election, a deputy minister said on Friday.
- Anonymous hacks FTC over Google privacy, ACTA - The Anonymous
collective has again targeted the Federal Trade Commission, this
time bringing down seven websites belonging to the consumer
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
While the Board of Directors has the responsibility for ensuring
that appropriate security control processes are in place for
e-banking, the substance of these processes needs special management
attention because of the enhanced security challenges posed by
e-banking. This should include establishing appropriate
authorization privileges and authentication measures, logical and
physical access controls, adequate infrastructure security to
maintain appropriate boundaries and restrictions on both internal
and external user activities and data integrity of transactions,
records and information. In addition, the existence of clear audit
trails for all e-banking transactions should be ensured and measures
to preserve confidentiality of key e-banking information should be
appropriate with the sensitivity of such information.
Although customer protection and privacy regulations vary from
jurisdiction to jurisdiction, banks generally have a clear
responsibility to provide their customers with a level of comfort.
Regarding information disclosures, protection of customer data and
business availability that approaches the level they can expect when
using traditional banking distribution channels. To minimize legal
and reputational risk associated with e-banking activities conducted
both domestically and cross-border, banks should make adequate
disclosure of information on their web sites and take appropriate
measures to ensure adherence to customer privacy requirements
applicable in the jurisdictions to which the bank is providing
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST
AND USER EQUIPMENT ACQUISITION AND MAINTENANCE
Many financial institutions use commercial off-the-shelf (COTS)
software for operating systems and applications. COTS systems
generally provide more functions than are required for the specific
purposes for which it is employed. For example, a default
installation of a server operating system may install mail, Web, and
file-sharing services on a system whose sole function is a DNS
server. Unnecessary software and services represent a potential
security weakness. Their presence increases the potential number of
discovered and undiscovered vulnerabilities present in the system.
Additionally, system administrators may not install patches or
monitor the unused software and services to the same degree as
operational software and services. Protection against those risks
begins when the systems are constructed and software installed
through a process that is referred to as hardening a system.
When deploying off-the-shelf software, management should harden the
resulting system. Hardening includes the following actions:
! Determining the purpose of the system and minimum software and
! Documenting the minimum hardware, software and services to be
included on the system;
! Installing the minimum hardware, software, and services necessary
to meet the requirements using a documented installation procedure;
! Installing necessary patches;
! Installing the most secure and up-to-date versions of
! Configuring privilege and access controls by first denying all,
then granting back the minimum necessary to each user;
! Configuring security settings as appropriate, enabling allowed
activity, and disallowing other activity;
! Enabling logging;
! Creating cryptographic hashes of key files;
! Archiving the configuration and checksums in secure storage prior
to system deployment;
! Testing the system to ensure a secure configuration;
! Using secure replication procedures for additional, identically
configured systems, making configuration changes on a case-by-case
! Changing all default passwords; and
! Testing the resulting systems.
After deployment, the COTS systems may need updating with current
security patches. Additionally, the systems should be periodically
audited to ensure that the software present on the systems is
authorized and properly configured.
Return to the top of
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
4) Does the institution provide initial notice after
establishing a customer relationship only if:
a. the customer relationship is not established at the
customer's election; [§4(e)(1)(i)] or
b. to do otherwise would substantially delay the customer's
transaction (e.g. in the case of a telephone application), and the
customer agrees to the subsequent delivery? [§4 (e)(1)(ii)]