Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices. For more information visit
- Senators explore Web site seizure options - U.S. senators will introduce legislation this year targeting Web sites that traffic in digital piracy or counterfeited goods, said the primary sponsor of a controversial bill proposed in 2010 that would give government agencies more authority to shut down those sites.
- Feds Accidentally Seize 84,000 Innocent Domains - Imagine you're a respectable, law-abiding owner of a small business. You show up to your shop one morning, only to find the doors barred and a big sign in the front window reading, "The federal government has seized this business as it's affiliated with creating, distributing, and/or
- Man pockets $8m running computer fraud ring - Zombies dialed premium phone numbers - A New Hampshire man has admitted pocketing almost $8 million in a scheme that infected people's computers with software that forced their modems to surreptitiously dial premium
- Web-based services hurting wiretapping efforts - Web-based e-mail, social-networking and peer-to-peer services are frustrating law enforcement wiretapping efforts, a lawyer for the U.S. Federal Bureau of Investigation told lawmakers Thursday, but she did not offer concrete ideas on how to fix the problem.
- Can deploying monitoring software put you in jeopardy? - Some probation and parole officers are using computer monitoring software to manage risk associated with their cases.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Canadian cyberattack traced to China - A cyberattack against Canada that tried to access classified government information and forced two key departments to go offline has been traced back to China, according to a story today from CBC News.
- Online banking hit by thieves - A new Trojan dubbed "OddJob" is stealing people's money by taking over their online banking sessions after they think they've logged off.
http://news.cnet.com/8301-27080_3-20034954-245.html
- Trojan steals session IDs, bypasses logout requests - A new banking trojan targeting U.S. customers has the ability to keep online account sessions open after customers believe they have logged off, enabling criminals to surreptitiously steal money.
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services (Part 4 of 4)
Service Provider Oversight
Institutions should implement an oversight program to monitor each service provider's controls, condition, and performance. Responsibility for the administration of the service provider relationship should be assigned to personnel with appropriate expertise to monitor and manage the relationship. The number of personnel, functional responsibilities, and the amount of time devoted to oversight activities will depend, in part, on the scope and complexity of the services outsourced. Institutions should document the administration of the service provider relationship. Documenting the process is important for contract negotiations, termination issues, and contingency planning.
The board of directors and management are responsible for ensuring adequate risk mitigation practices are in place for effective oversight and management of outsourcing relationships. Financial institutions should incorporate an outsourcing risk management process that includes a risk assessment to identify the institution's needs and requirements; proper due diligence to identify and select a provider; written contracts that clearly outline duties, obligations and responsibilities of the parties involved; and ongoing oversight of outsourced technology services.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (4 of 5)
The access rights process programs the system to allow the users only the access rights they were granted. Since access rights do not automatically expire or update, periodic updating and review of access rights on the system is necessary. Updating should occur when an individual's business needs for system use change. Many job changes can result in an expansion or reduction of access rights. Job events that would trigger a removal of access rights include transfers, resignations, and terminations. Institutions should take particular care to promptly remove the access rights of users who have remote access privileges, and of those who administer the institution's systems.
Because updating may not always be accurate, periodic review of user accounts is a good control to test whether the access right removal processes are functioning, and whether users exist who should have their rights rescinded or reduced. Financial institutions should review access rights on a schedule commensurate with risk.
Access rights to new software and hardware present a unique problem. Typically, hardware and software are installed with default users, with at least one default user having full access rights. Easily obtainable lists of popular software exist that identify the default users and passwords, enabling anyone with access to the system to obtain the default user's access. Default user accounts should either be disabled, or the authentication to the account should be changed. Additionally, access to these default accounts should be monitored more closely than other accounts.
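The periodic account review and the default-account check described above, as an added example that is not part of the newsletter or the FFIEC booklet. It compares a system's account listing against the HR roster to catch accounts that should have been removed or reduced after a job event, rates remote-access and administrative accounts higher, and flags any enabled vendor default account whose credential has never been changed. All roster entries, account names and dates are constructed, and the default-account names are hypothetical placeholders.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Account:
    user: str
    enabled: bool
    remote: bool          # has remote access
    admin: bool           # administers the system
    created: date
    pw_changed: date      # last time the credential was changed

# Constructed HR roster and constructed list of vendor default account names
# (hypothetical; the booklet notes such lists are easily obtainable).
HR_STATUS = {"jdoe": "active", "asmith": "terminated", "bwong": "transferred", "clee": "active"}
DEFAULT_ACCOUNTS = {"admin", "guest"}

# Constructed account listing as exported from a system on the review date.
ACCOUNTS = [
    Account("jdoe", True, False, False, date(2009, 3, 1), date(2011, 1, 10)),
    Account("asmith", True, True, False, date(2008, 5, 5), date(2010, 6, 2)),   # terminated, still enabled
    Account("bwong", True, False, True, date(2008, 5, 5), date(2010, 6, 2)),    # transferred, still admin
    Account("admin", True, False, True, date(2007, 1, 1), date(2007, 1, 1)),    # default, credential never changed
    Account("guest", False, False, False, date(2007, 1, 1), date(2007, 1, 1)),  # default but disabled: fine
    Account("clee", True, False, False, date(2010, 1, 1), date(2011, 2, 1)),
]

def review(accounts, hr_status, defaults):
    """Return (severity, user, reason) for every enabled account the review should
    question. Remote-access and admin users are 'high' per the booklet's emphasis."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                      # disabled accounts are already handled
        elevated = a.remote or a.admin
        if a.user in defaults:
            if a.pw_changed <= a.created:  # still on the vendor's shipped credential
                findings.append(("high", a.user, "default account enabled with unchanged authentication"))
            continue
        status = hr_status.get(a.user)
        if status is None:
            findings.append(("high" if elevated else "medium", a.user, "no HR record: orphan account"))
        elif status in ("terminated", "resigned"):
            findings.append(("high" if elevated else "medium", a.user, f"{status} but still enabled"))
        elif status == "transferred" and elevated:
            findings.append(("medium", a.user, "transferred but keeps elevated access; re-certify"))
    return findings
```

Run the review on a schedule commensurate with risk and route "high" findings to the access administrator the same day; the output is a list of tuples so it can be written to a ticketing system or a review log.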
Sometimes software installs with a default account that allows anonymous access. Anonymous access is appropriate, for instance, where the general public accesses an informational web server. Systems that allow access to or store sensitive information, including customer information, should be protected against
INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
27. If each joint consumer may opt out separately, does the institution permit:
a. one joint consumer to opt out on behalf of all of the joint
b. the joint consumers to notify the institution in a single response; [§7(d)(5)] and
c. each joint consumer to opt out either for himself or herself, and/or for another joint consumer? [§7(d)(5)]