Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
- HIPAA privacy actions seen as warning - Two separate enforcement
actions taken this week by the U.S. Department of Health and Human
Services for HIPAA privacy violations should serve as a warning to
all healthcare entities, say privacy analysts.
- Night Dragon hackers targeted Shell, BP and Exxon - IT security at
global petrochemical firms called into question - The Night Dragon
hacking attacks uncovered by security vendor McAfee were targeted at
some of the world's largest petrochemical companies, including
Shell, Exxon Mobil and BP, according to new reports.
- Unwitting accomplices and complicit security teams - The running
joke for years among security professionals has been that if you
want to eliminate risk, or truly secure the network, just get rid of
- Thousands lose Vodafone service - Vodafone's mobile network has
been disrupted following a break-in at its exchange centre in
- DHS Immigration System Vulnerable To Insider Threats - An
Inspector General report finds that a long-delayed Homeland Security
project has not done enough to mitigate risks from current or former
employees, contractors, or business partners.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- DDoS attack forces Dutch bank offline - The outage of Dutch bank
Rabobank last weekend was caused by a massive DDoS attack. The
perpetrators are still unknown. The bank reports the attack to the
- Man admits hacking into NASA, e-commerce servers - A Texas man has
admitted hacking into servers owned by an e-commerce company and
making off with about $275,000.
- Keyloggers found plugged into library computers - Fears about
banking credentials being harvested, following the discovery of
keyloggers plugged into library computers, have been played down.
- Belarus man pleads guilty to running identity theft site - A
26-year-old Belarusian man has admitted to running an identity theft
website designed to thwart the antifraud measures used by many
- Trojan steals session IDs, bypasses logout requests - A new
banking trojan targeting U.S. customers has the ability to keep
online account sessions open after customers believe they have
logged off, enabling criminals to surreptitiously steal money,
according to researchers.
- NYC hospital system breach affects 1.7 million - The New York City
Health and Hospitals Corp. (HHC), the city's municipal hospital
system, has begun notifying 1.7 million individuals about the theft
of electronic record files that contained their personal
- Morgan Stanley Attacked by China-Based Hackers Who Hit Google -
Morgan Stanley experienced a “very sensitive” break-in to its
network by the same China-based hackers who attacked Google Inc.’s
computers more than a year ago, according to leaked e-mails from a
cyber-security company working for the bank.
- London Stock Exchange site shows malicious adverts - Booby-trapped
adverts that hit visitors with fake security software have been
discovered on the London Stock Exchange (LSE) website.
- Moldovan fraud ring mastermind arrested - A coordinated effort of
the Irish gardai and custom officers has led to the arrest of a
Moldovan man that is thought to be the leader of and mastermind
behind an international fraud ring responsible of plundering many
private and business bank accounts.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider
Some of the factors that institutions should consider when
performing due diligence in selecting a service provider are
categorized and listed below. Institutions should review the service
provider’s due diligence process for any of its significant
supporting agents (i.e., subcontractors, support vendors, and other
parties). Depending on the services being outsourced and the level
of in-house expertise, institutions should consider whether to hire
or consult with qualified independent sources. These sources include
consultants, user groups, and trade associations that are familiar
with products and services offered by third parties. Ultimately, the
depth of due diligence will vary depending on the scope and
importance of the outsourced services as well as the risk to the
institution from these services.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (5 of 5)
The access rights process also constrains user activities through an
acceptable - use policy (AUP). Users who can access internal systems
typically are required to agree to an AUP before using a system. An
AUP details the permitted system uses and user activities and the
consequences of noncompliance. AUPs can be created for all
categories of system users, from internal programmers to customers.
An AUP is a key control for user awareness and administrative
policing of system activities. Examples of AUP elements for internal
network and stand - alone users include:
! The specific access devices that can be used to access the
! Hardware and software changes the user can make to their access
! The purpose and scope of network activity;
! Network services that can be used, and those that cannot be used;
! Information that is allowable and not allowable for transmission
using each allowable service;
! Bans on attempting to break into accounts, crack passwords, or
! Responsibilities for secure operation; and
! Consequences of noncompliance.
Depending on the risk associated with the access, authorized
internal users should generally receive a copy of the policy and
appropriate training, and signify their understanding and agreement
with the policy before management grants access to the system.
Customers may be provided with a Web site disclosure as their AUP.
Based on the nature of the Web site, the financial institution may
require customers to demonstrate knowledge of and agreement to abide
by the terms of the AUP. That evidence can be paper based or
Authorized users may seek to extend their activities beyond what is
allowed in the AUP, and unauthorized users may seek to gain access
to the system and move within the system. Network security controls
provide the protection necessary to guard against those threats.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
28. Does the institution refrain from
requiring all joint consumers to opt out before implementing any opt
out direction with respect to the joint account? [§7(d)(4)]
29. Does the institution comply with a consumer's direction to opt
out as soon as is reasonably practicable after receiving it? [§7(e)]