Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
REQUIRED READING FOR BANKERS -
Incident Prevention and Detection-Protecting Information Security of
National Banks - This alert highlights the need for national banks
and their technology service providers (TSP) to take steps to ensure
their enterprise risk management is sufficiently robust to protect
and secure the bank’s own and their customers’ information.
- FBI warns of millions lost in fraudulent transfers to China - The
FBI is asking U.S. banks to be on the lookout for large wire
transfers being sent to accounts registered to companies located in
Chinese port cities near the Russian border.
- DOJ report critical of FBI ability to fight national cyber
intrusions - Despite a push to bulk up its security expertise, the
FBI in some case lacks the skills to properly investigate national
- Cops raid man whose Wi-Fi was used to download unlawful material -
A man recently found a swarm of armed federal agents descending on
his Buffalo, New York, home after a neighbor accessed his open Wi-Fi
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Amazon's cloud crash destroyed many customers' data - In addition
to taking down the sites of dozens of high-profile companies for
hours (and, in some cases, days), Amazon's huge EC2 cloud services
crash permanently destroyed some data.
- Amazon cloud outage was triggered by configuration error -
Company's postmortem and apology wins praise for transparency -
Amazon has released a detailed postmortem and mea culpa about the
partial outage of its cloud services platform last week and
identified the culprit: A configuration error made during a network
- Sony closes PC games site over security concern - Station.com
suddenly unreachable - Sony shut down its website for online PC
games on Monday, almost two weeks after it closed the PlayStation
Network following a criminal intrusion that stole personally
identifiable information from 77 million account holders.
- Sony Sued Over PlayStation Network Hack - A class action lawsuit
charges that Sony failing to protect personal information and credit
card numbers of up to 77 million users.
- High school hackers expose security gap in Seattle Public Schools
- In the wake of suspected computer password theft and reports that
student grades may have been altered in Seattle Public Schools,
security improvements are in order - IT might be tempting to give
those in Seattle Public Schools suspected of stealing computer
passwords and altering grades extra credit for ingenuity, but the
only thing they deserve is to be caught.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
The extent and flexibility of termination rights sought can vary
depending upon the service. Contracts for technologies subject to
rapid change, for example, may benefit from greater flexibility in
termination rights. Termination rights may be sought for a variety
of conditions including change in control (e.g., acquisitions and
mergers), convenience, substantial increase in cost, repeated
failure to meet service levels, failure to provide critical
company closure, and insolvency.
Institution management should consider whether or not the contract
permits the institution to terminate the contract in a timely manner
and without prohibitive expense (e.g., reasonableness of cost or
penalty provisions). The contract should state termination and
notification requirements with time frames to allow the orderly
conversion to another provider. The contract must provide for return
of the institution’s data, as well as other institution resources,
in a timely manner and in machine readable format. Any costs
associated with transition assistance should be clearly stated.
The institution should consider contract provisions that prohibit
assignment of the contract to a third party without the
institution’s consent, including changes to subcontractors.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Biometrics (Part 1 of 2)
Biometrics can be implemented in many forms, including tokens.
Biometrics verifies the identity of the user by reference to unique
physical or behavioral characteristics. A physical characteristic
can be a thumbprint or iris pattern. A behavioral characteristic is
the unique pattern of key depression strength and pauses made on a
keyboard when a user types a phrase. The strength of biometrics is
related to the uniqueness of the physical characteristic selected
for verification. Biometric technologies assign data values to the
particular characteristics associated with a certain feature. For
example, the iris typically provides many more characteristics to
store and compare, making it more unique than facial
characteristics. Unlike other authentication mechanisms, a biometric
authenticator does not rely on a user's memory or possession of a
token to be effective. Additional strengths are that biometrics do
not rely on people to keep their biometric secret or physically
secure their biometric. Biometrics is the only authentication
methodology with these advantages.
Enrollment is a critical process for the use of biometric
authentication. The user's physical characteristics must be reliably
recorded. Reliability may require several samples of the
characteristic and a recording device free of lint, dirt, or other
interference. The enrollment device must be physically secure from
tampering and unauthorized use.
When enrolled, the user's biometric is stored as a template.
Subsequent authentication is accomplished by comparing a submitted
biometric against the template, with results based on probability
and statistical confidence levels. Practical usage of biometric
solutions requires consideration of how precise systems must be for
positive identification and authentication. More precise solutions
increase the chances a person is falsely rejected. Conversely, less
precise solutions can result in the wrong person being identified or
authenticated as a valid user (i.e., false acceptance rate). The
equal error rate (EER) is a composite rating that considers the
false rejection and false acceptance rates. Lower EERs mean more
consistent operations. However, EER is typically based upon
laboratory testing and may not be indicative of actual results due
to factors that can include the consistency of biometric readers to
capture data over time, variations in how a user presents their
biometric sample (e.g., occasionally pressing harder on a finger
scanner), and environmental factors.
Return to the top of
INTERNET PRIVACY -
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
39. Does the institution use an appropriate means to ensure that
notices may be retained or obtained later, such as:
a. hand-delivery of a printed copy of the notice; [§9(e)(2)(i)]
b. mailing a printed copy to the last known address of the customer;
c. making the current privacy notice available on the institution's
web site (or via a link to the notice at another site) for the
customer who agrees to receive the notice at the web site?