Spending less than 5 minutes a week, along with a cup of coffee,
you can monitor your IT security as required by the FDIC, OCC,
FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is available for Android smartphones
and tablets. Go to the Market Store and search for yennik.
SEC Fines Former Executives For Client Privacy Breach - Private
information on 16,000 customers was transferred to a departing
manager's new employer in violation of government notification and
opt-out regulations. The Securities and Exchange Commission (SEC)
announced Thursday that it has levied its first-ever fine against
people solely for failing to properly protect customer data.
College students gather for cyber defense competition nationals
April 8-10 - Nine teams of college students from across the nation
will compete this weekend at the finals of the nation's largest
collegiate cyber security competition, the sixth annual National
Collegiate Cyber Defense Competition (NCCDC).
In Surprise Appeal, TJX Hacker Claims U.S. Authorized His Crimes -
The hacker who masterminded the largest credit card heists in U.S.
history, is asking a federal judge to throw out his earlier guilty
pleas and lift his record-breaking 20-year prison sentence, on
allegations that the government authorized his years-long crime
Deployed troops to get new security tool, allowing access to latest
computers - Troops in the Middle East should soon have faster, safer
access to the latest computers on the market, as a result of a small
disk the Defense Department developed that instantly standardizes
the security settings on Microsoft Windows desktops deployed
overseas, Pentagon officials said.
Tech Giants Challenge French Data Retention Law - Facebook, Google,
Microsoft, Yahoo, and others are appealing a legal decree that would
require companies to store and share usernames, passwords, and other
personal details with authorities. A consortium of technology
companies is fighting a recent French decree requiring them to store
and provide the government with the usernames, passwords, and IP
addresses of anyone who creates or accesses online content.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Epsilon partner warned of phishing attacks months ago - The recent
data breach reported by e-mail marketing service provider Epsilon
that exposed names and e-mail addresses for customers at dozens of
companies comes four months after an Epsilon technology partner
warned about targeted phishing attacks on e-mail service providers
and on its own network.
Windows Servers Hacked at The Hartford Insurance Company - Hackers
have broken into The Hartford insurance company and installed
password-stealing programs on several of the company's Windows
servers. In a warning letter sent last month to about 300 employees,
contractors, and a handful of customers, the company said it
discovered the infection in late February.
Fired Gucci BOFH accused of tearing up network - A fired network
engineer has been charged with mounting a revenge hack attack
against the American branch of Gucci.
Texas mistakenly exposes personal data of 3.5 million - The records
of about 3.5 million people, including Social Security numbers, were
erroneously placed on a public computer server at the Texas
Comptroller's Office and remained there for about a year until
officials discovered the mistake less than two weeks ago, the agency
SpyEye suspects charged over alleged banking scam - UK police have
arrested three men over an alleged scam involving stealing money
from online bank accounts that had been compromised using the
infamous SpyEye Trojan.
Corrupt bank worker jailed over Trojan-powered tax scam - Funneled
£3.2m through bogus bank accounts - A former local business manager
at a bank who participated in a £3.2m self assessment tax fraud was
jailed for three years and three months on Friday.
Hackers disclose SQL injection of Barracuda website - Chalk up
Barracuda Networks as the latest information security firm to fall
victim to a cyberattack.
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Business Resumption and Contingency Plans
The contract should address the service provider’s responsibility
for backup and record protection, including equipment, program and
data files, and maintenance of disaster recovery and contingency
plans. Responsibilities should include testing of the plans and
providing results to the institution. The institution should
consider interdependencies among service providers when determining
business resumption testing requirements. The service provider
should provide the institution with operating procedures the service
provider and institution are to implement in the event business
resumption contingency plans are implemented. Contracts should
include specific provisions for business recovery timeframes that
meet the institution’s business requirements. The institution should
ensure that the contract does not contain any provisions that would
excuse the service provider from implementing its contingency plans.
Sub-contracting and Multiple Service Provider Relationships
Some service providers may contract with third-parties in providing
services to the financial institution. To provide accountability, it
may be beneficial for the financial institution to seek an agreement
with and designate a primary contracting service provider. The
institution may want to consider including a provision specifying
that the contracting service provider is responsible for the service
provided to the institution regardless of which entity is actually
conducting the operations. The institution may also want to consider
including notification and approval requirements regarding changes
to the service provider’s significant subcontractors.
The contract should fully describe fees and calculations for base
services, including any development, conversion, and recurring
services, as well as any charges based upon volume of activity and
for special requests. Cost and responsibility for purchase and
maintenance of hardware and software may also need to be addressed.
Any conditions under which the cost structure may be changed should
be addressed in detail including limits on any cost increases.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 1 of 3)
Public key infrastructure (PKI), if properly implemented and
maintained, may provide a strong means of authentication. By
combining a variety of hardware components, system software,
policies, practices, and standards, PKI can provide for
authentication, data integrity, defenses against customer
repudiation, and confidentiality. The system is based on public key
cryptography in which each user has a key pair - a unique electronic
value called a public key and a mathematically related private key.
The public key is made available to those who need to verify the
The private key is stored on the user's computer or a separate
device such as a smart card. When the key pair is created with
strong encryption algorithms and input variables, the probability of
deriving the private key from the public key is extremely remote.
The private key must be stored in encrypted text and protected with
a password or PIN to avoid compromise or disclosure. The private key
is used to create an electronic identifier called a digital
signature that uniquely identifies the holder of the private key and
can only be authenticated with the corresponding public key.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
36. Does the institution use a reasonable means for delivering
the notices, such as:
a. hand-delivery of a printed copy; [§9(b)(1)(i)]
b. mailing a printed copy to the last known address of the consumer;
c. for the consumer who conducts transactions electronically,
clearly and conspicuously posting the notice on the institution's
electronic site and requiring the consumer to acknowledge receipt as
a necessary step to obtaining a financial product or service;
d. for isolated transactions, such as ATM transactions, posting the
notice on the screen and requiring the consumer to acknowledge
receipt as a necessary step to obtaining the financial product or
(Note: insufficient or unreasonable means of delivery include:
exclusively oral notice, in person or by telephone; branch or office
signs or generally published advertisements; and electronic mail to
a customer who does not obtain products or services electronically.
[§9(b)(2)(i) and (ii), and (d)])