Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
http://www.yennik.com/it-review/.
FYI
- HIPAA privacy actions seen as warning - Two separate enforcement
actions taken this week by the U.S. Department of Health and Human
Services for HIPAA privacy violations should serve as a warning to
all healthcare entities, say privacy analysts.
http://www.computerworld.com/s/article/9211359/HIPAA_privacy_actions_seen_as_warning?taxonomyId=84
http://www.washingtonpost.com/wp-dyn/content/article/2011/02/22/AR2011022207094.html
FYI
- Night Dragon hackers targeted Shell, BP and Exxon - IT security at
global petrochemical firms called into question - The Night Dragon
hacking attacks uncovered by security vendor McAfee were targeted at
some of the world's largest petrochemical companies, including
Shell, Exxon Mobil and BP, according to new reports.
http://www.v3.co.uk/v3/news/2274971/shell-bp-exxon-mobil
FYI
- Unwitting accomplices and complicit security teams - The running
joke for years among security professionals has been that if you
want to eliminate risk, or truly secure the network, just get rid of
the users.
http://www.scmagazineus.com/unwitting-accomplices-and-complicit-security-teams/article/197098/?DCMP=EMC-SCUS_Newswire
FYI
- Thousands lose Vodafone service - Vodafone's mobile network has
been disrupted following a break-in at its exchange centre in
Basingstoke.
http://www.bbc.co.uk/news/technology-12595681
FYI
- DHS Immigration System Vulnerable To Insider Threats - An
Inspector General report finds that a long-delayed Homeland Security
project has not done enough to mitigate risks from current or former
employees, contractors, or business partners.
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=229219512&subSection=Security
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- DDoS attack forces Dutch bank offline - The outage of Dutch bank Rabobank last weekend was caused by a massive DDoS attack. The perpetrators are still unknown. The bank has reported the attack to the police.
http://news.idg.no/cw/art.cfm?id=3F6822FF-1A64-6A71-CE67724BB606D61C
FYI
- Man admits hacking into NASA, e-commerce servers - A Texas man has
admitted hacking into servers owned by an e-commerce company and
making off with about $275,000.
http://www.theregister.co.uk/2011/02/24/nasa_hacker_guilty/
FYI
- Keyloggers found plugged into library computers - Fears about
banking credentials being harvested, following the discovery of
keyloggers plugged into library computers, have been played down.
http://www.scmagazineuk.com/keyloggers-found-plugged-into-library-computers/article/196936/
FYI
- Belarus man pleads guilty to running identity theft site - A
26-year-old Belarusian man has admitted to running an identity theft
website designed to thwart the antifraud measures used by many
banks.
http://www.computerworld.com/s/article/9210980/Belarus_man_pleads_guilty_to_running_identity_theft_site?taxonomyId=17
FYI
- Trojan steals session IDs, bypasses logout requests - A new
banking trojan targeting U.S. customers has the ability to keep
online account sessions open after customers believe they have
logged off, enabling criminals to surreptitiously steal money,
according to researchers.
http://www.scmagazineus.com/trojan-steals-session-ids-bypasses-logout-requests/article/196816/
FYI
- NYC hospital system breach affects 1.7 million - The New York City
Health and Hospitals Corp. (HHC), the city's municipal hospital
system, has begun notifying 1.7 million individuals about the theft
of electronic record files that contained their personal
information.
http://www.scmagazineus.com/nyc-hospital-system-breach-affects-17-million/article/196997/?DCMP=EMC-SCUS_Newswire
FYI
- Morgan Stanley Attacked by China-Based Hackers Who Hit Google -
Morgan Stanley experienced a “very sensitive” break-in to its
network by the same China-based hackers who attacked Google Inc.’s
computers more than a year ago, according to leaked e-mails from a
cyber-security company working for the bank.
http://www.businessweek.com/news/2011-02-28/morgan-stanley-attacked-by-china-based-hackers-who-hit-google.html
FYI
- London Stock Exchange site shows malicious adverts - Booby-trapped
adverts that hit visitors with fake security software have been
discovered on the London Stock Exchange (LSE) website.
http://www.bbc.co.uk/news/technology-12597819
FYI
- Moldovan fraud ring mastermind arrested - A coordinated effort by the Irish gardai and customs officers has led to the arrest of a Moldovan man who is thought to be the leader of and mastermind behind an international fraud ring responsible for plundering many private and business bank accounts.
http://www.net-security.org/secworld.php?id=10674
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider
Some of the factors that institutions should consider when
performing due diligence in selecting a service provider are
categorized and listed below. Institutions should review the service
provider’s due diligence process for any of its significant
supporting agents (i.e., subcontractors, support vendors, and other
parties). Depending on the services being outsourced and the level
of in-house expertise, institutions should consider whether to hire
or consult with qualified independent sources. These sources include
consultants, user groups, and trade associations that are familiar
with products and services offered by third parties. Ultimately, the
depth of due diligence will vary depending on the scope and
importance of the outsourced services as well as the risk to the
institution from these services.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (5 of 5)
The access rights process also constrains user activities through an
acceptable-use policy (AUP). Users who can access internal systems
typically are required to agree to an AUP before using a system. An
AUP details the permitted system uses and user activities and the
consequences of noncompliance. AUPs can be created for all
categories of system users, from internal programmers to customers.
An AUP is a key control for user awareness and administrative
policing of system activities. Examples of AUP elements for internal
network and stand-alone users include:
- The specific access devices that can be used to access the network;
- Hardware and software changes the user can make to their access device;
- The purpose and scope of network activity;
- Network services that can be used, and those that cannot be used;
- Information that is allowable and not allowable for transmission using each allowable service;
- Bans on attempting to break into accounts, crack passwords, or disrupt service;
- Responsibilities for secure operation; and
- Consequences of noncompliance.
Depending on the risk associated with the access, authorized
internal users should generally receive a copy of the policy and
appropriate training, and signify their understanding and agreement
with the policy before management grants access to the system.
Customers may be provided with a Web site disclosure as their AUP.
Based on the nature of the Web site, the financial institution may
require customers to demonstrate knowledge of and agreement to abide
by the terms of the AUP. That evidence can be paper based or
electronic.
Authorized users may seek to extend their activities beyond what is
allowed in the AUP, and unauthorized users may seek to gain access
to the system and move within the system. Network security controls
provide the protection necessary to guard against those threats.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
28. Does the institution refrain from
requiring all joint consumers to opt out before implementing any opt
out direction with respect to the joint account? [§7(d)(4)]
29. Does the institution comply with a consumer's direction to opt out as soon as is reasonably practicable after receiving it? [§7(e)]