Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
Shortage of skilled cyber specialists fuels debate over pay - The
White House, Congress, academia and industry seem to be in rare
agreement that the shortage of government cybersecurity specialists
is a national security threat, but no one seems to agree which cyber
jobs are the most needed -- and therefore should garner the highest
Controversial internet piracy bill becomes law - The Copyright
(Infringing File Sharing) Amendment Bill has today been passed,
despite strong opposition from the Green Party and independent MPs,
and an internet campaign against the bill.
Cyber-emergency Response, Lawmaker Says - The U.S. needs a
cybersecurity emergency response capability to help businesses under
major attacks, a U.S. senator said Monday.
finds most applications don't pass security tests - A new report
issued on Tuesday by security firm Veracode paints a grim picture of
the amount of protection built into application software.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
gain root access to WordPress servers - Hackers have compromised
several servers that support WordPress and may have obtained source
code, according to the founding developer of Automattic, the company
behind the popular blogging platform.
breaks into Barracuda Networks database - A hacker has broken into a
Barracuda Networks database and obtained names and e-mail addresses
of some of the security company's employees, channel partners and
vigilante sentenced for DDoS attacks - Two years for taking out
sites chronicling steamy affair - A computer programmer was
sentenced to two years in prison for unleashing crippling attacks on
rollingstone.com and other news websites that published humiliating
accounts of an adulterous online affair he pursued with a fictitious
hacker admits breaching Federal Reserve computers - Faces 10 years
in slammer - A Malaysian national has admitted hacking a computer
network operated by the US Federal Reserve Bank and possessing
stolen payment card data.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Ownership and License
The contract should address ownership and allowable use by the
service provider of the institution’s data, equipment/hardware,
system documentation, system and application software, and other
intellectual property rights. Other intellectual property rights may
include the institution’s name and logo; its trademark or
copyrighted material; domain names; web sites designs; and other
work products developed by the service provider for the institution.
The contract should not contain unnecessary limitations on the
return of items owned by the institution. Institutions that purchase
software should consider establishing escrow agreements. These
escrow agreements may provide for the following: institution access
to source programs under certain conditions (e.g., insolvency of the
vendor), documentation of programming and systems, and verification
of updated source code.
Institutions should consider the type of technology and current
state of the industry when negotiating the appropriate length of the
contract and its renewal periods. While there can be benefits to
long-term technology contracts, certain technologies may be subject
to rapid change and a shorter-term contract may prove beneficial.
Similarly, institutions should consider the appropriate length of
time required to notify the service provider of the institutions’
intent not to renew the contract prior to expiration. Institutions
should consider coordinating the expiration dates of contracts for
inter-related services (e.g., web site, telecommunications,
programming, network support) so that they coincide, where
practical. Such coordination can minimize the risk of terminating a
contract early and incurring penalties as a result of necessary
termination of another related service contract.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 2
The certificate authority (CA), which may be the financial
institution or its service provider, plays a key role by attesting
with a digital certificate that a particular public key and the
corresponding private key belongs to a specific user or system. It
is important when issuing a digital certificate that the
registration process for initially verifying the identity of users
is adequately controlled. The CA attests to the individual user's
identity by signing the digital certificate with its own private
key, known as the root key. Each time the user establishes a
communication link with the financial institution's systems, a
digital signature is transmitted with a digital certificate. These
electronic credentials enable the institution to determine that the
digital certificate is valid, identify the individual as a user, and
confirm that transactions entered into the institution's computer
system were performed by that user.
The user's private key exists electronically and is susceptible to
being copied over a network as easily as any other electronic file.
If it is lost or compromised, the user can no longer be assured that
messages will remain private or that fraudulent or erroneous
transactions would not be performed. User AUPs and training should
emphasize the importance of safeguarding a private key and promptly
reporting its compromise.
PKI minimizes many of the vulnerabilities associated with passwords
because it does not rely on shared secrets to authenticate
customers, its electronic credentials are difficult to compromise,
and user credentials cannot be stolen from a central server. The
primary drawback of a PKI authentication system is that it is more
complicated and costly to implement than user names and passwords.
Whether the financial institution acts as its own CA or relies on a
third party, the institution should ensure its certificate issuance
and revocation policies and other controls discussed below are
Return to the top of
INTERNET PRIVACY -
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
37. For annual notices only, if the institution does not employ one
of the methods described in question 36, does the institution employ
one of the following reasonable means of delivering the notice such
a. for the customer who uses the institution's web site to access
products and services electronically and who agrees to receive
notices at the web site, continuously posting the current privacy
notice on the web site in a clear and conspicuous manner; [§9(c)(1)]
b. for the customer who has requested the institution refrain from
sending any information about the customer relationship, making
copies of the current privacy notice available upon customer