R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

May 8, 2011

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

REQUIRED READING FOR BANKERS - Incident Prevention and Detection-Protecting Information Security of National Banks - This alert highlights the need for national banks and their technology service providers (TSP) to take steps to ensure their enterprise risk management is sufficiently robust to protect and secure the bank’s own and their customers’ information. http://www.occ.gov/news-issuances/alerts/2011/alert-2011-4.html

FYI - FBI warns of millions lost in fraudulent transfers to China - The FBI is asking U.S. banks to be on the lookout for large wire transfers being sent to accounts registered to companies located in Chinese port cities near the Russian border. http://www.scmagazineus.com/fbi-warns-of-millions-lost-in-fraudulent-transfers-to-china/article/201573/

FYI - DOJ report critical of FBI ability to fight national cyber intrusions - Despite a push to bulk up its security expertise, the FBI in some cases lacks the skills to properly investigate national security intrusions. http://www.csoonline.com/article/680869/doj-report-critical-of-fbi-ability-to-fight-national-cyber-intrusions

FYI - Cops raid man whose Wi-Fi was used to download unlawful material - A man recently found a swarm of armed federal agents descending on his Buffalo, New York, home after a neighbor accessed his open Wi-Fi network. http://www.theregister.co.uk/2011/04/26/open_wifi_networks/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Amazon's cloud crash destroyed many customers' data - In addition to taking down the sites of dozens of high-profile companies for hours (and, in some cases, days), Amazon's huge EC2 cloud services crash permanently destroyed some data.
http://technolog.msnbc.msn.com/_news/2011/04/28/6549775-amazons-cloud-crash-destroyed-many-customers-data
http://www.informationweek.com/news/cloud-computing/infrastructure/229402385

FYI - Amazon cloud outage was triggered by configuration error - Company's postmortem and apology wins praise for transparency - Amazon has released a detailed postmortem and mea culpa about the partial outage of its cloud services platform last week and identified the culprit: A configuration error made during a network upgrade. http://www.computerworld.com/s/article/9216303/Amazon_cloud_outage_was_triggered_by_configuration_error?taxonomyId=17

FYI - Sony closes PC games site over security concern - Station.com suddenly unreachable - Sony shut down its website for online PC games on Monday, almost two weeks after it closed the PlayStation Network following a criminal intrusion that stole personally identifiable information from 77 million account holders. http://www.theregister.co.uk/2011/05/02/sony_online_entertainment_closed/

FYI - Sony Sued Over PlayStation Network Hack - A class action lawsuit charges that Sony failed to protect the personal information and credit card numbers of up to 77 million users. http://www.informationweek.com/news/security/attacks/229402362

FYI - High school hackers expose security gap in Seattle Public Schools - In the wake of suspected computer password theft and reports that student grades may have been altered in Seattle Public Schools, security improvements are in order - It might be tempting to give those in Seattle Public Schools suspected of stealing computer passwords and altering grades extra credit for ingenuity, but the only thing they deserve is to be caught. http://seattletimes.nwsource.com/html/editorials/2014914193_edit02grades.html


WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Contract Issues

Termination

The extent and flexibility of termination rights sought can vary depending upon the service. Contracts for technologies subject to rapid change, for example, may benefit from greater flexibility in termination rights. Termination rights may be sought for a variety of conditions including change in control (e.g., acquisitions and mergers), convenience, substantial increase in cost, repeated failure to meet service levels, failure to provide critical services, bankruptcy, company closure, and insolvency.

Institution management should consider whether or not the contract permits the institution to terminate the contract in a timely manner and without prohibitive expense (e.g., reasonableness of cost or penalty provisions). The contract should state termination and notification requirements with time frames to allow the orderly conversion to another provider. The contract must provide for return of the institution’s data, as well as other institution resources, in a timely manner and in machine readable format. Any costs associated with transition assistance should be clearly stated.

Assignment

The institution should consider contract provisions that prohibit assignment of the contract to a third party without the institution’s consent, including changes to subcontractors.

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

AUTHENTICATION - Biometrics (Part 1 of 2)

Biometrics can be implemented in many forms, including tokens. Biometrics verifies the identity of the user by reference to unique physical or behavioral characteristics. A physical characteristic can be a thumbprint or iris pattern. A behavioral characteristic is the unique pattern of key depression strength and pauses made on a keyboard when a user types a phrase. The strength of biometrics is related to the uniqueness of the physical characteristic selected for verification. Biometric technologies assign data values to the particular characteristics associated with a certain feature. For example, the iris typically provides many more characteristics to store and compare, making it more unique than facial characteristics. Unlike other authentication mechanisms, a biometric authenticator does not rely on a user's memory or possession of a token to be effective. Additional strengths are that biometrics do not rely on people to keep their biometric secret or physically secure their biometric. Biometrics is the only authentication methodology with these advantages.

Enrollment is a critical process for the use of biometric authentication. The user's physical characteristics must be reliably recorded. Reliability may require several samples of the characteristic and a recording device free of lint, dirt, or other interference. The enrollment device must be physically secure from tampering and unauthorized use.

When enrolled, the user's biometric is stored as a template. Subsequent authentication is accomplished by comparing a submitted biometric against the template, with results based on probability and statistical confidence levels. Practical usage of biometric solutions requires consideration of how precise systems must be for positive identification and authentication. More precise solutions increase the chances a person is falsely rejected. Conversely, less precise solutions can result in the wrong person being identified or authenticated as a valid user (i.e., false acceptance rate). The equal error rate (EER) is a composite rating that considers the false rejection and false acceptance rates. Lower EERs mean more consistent operations. However, EER is typically based upon laboratory testing and may not be indicative of actual results due to factors that can include the consistency of biometric readers to capture data over time, variations in how a user presents their biometric sample (e.g., occasionally pressing harder on a finger scanner), and environmental factors.
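The trade-off described above (tighter matching raises the false rejection rate, looser matching raises the false acceptance rate, and the EER is the point where the two meet) is easier to see with numbers. The following is an added example, not text or code from the FFIEC booklet or from Yennik, Inc.; the match scores are constructed sample data standing in for a matcher's similarity output, and the drift figure used to illustrate the laboratory-versus-field caveat is an assumption chosen for the illustration.

```python
"""Added example: false rejection rate (FRR), false acceptance rate (FAR)
and equal error rate (EER) for a threshold-based biometric matcher.

The score lists are CONSTRUCTED for this example.  A score is the matcher's
similarity (0-100) between a submitted sample and the stored template; the
system accepts a sample when its score reaches the configured threshold.
"""
from typing import List, Tuple

# Constructed scores: attempts by the enrolled user against their own template.
GENUINE_SCORES = [62, 71, 75, 78, 80, 83, 85, 88, 90, 93]
# Constructed scores: attempts by other people against that same template.
IMPOSTOR_SCORES = [35, 48, 55, 60, 64, 66, 70, 72, 77, 81]


def false_rejection_rate(genuine: List[int], threshold: int) -> float:
    """FRR: share of genuine attempts that score below the accept threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor: List[int], threshold: int) -> float:
    """FAR: share of impostor attempts that score at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine: List[int], impostor: List[int],
                thresholds: range) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) for each candidate threshold: the whole trade-off."""
    return [(t, false_rejection_rate(genuine, t), false_acceptance_rate(impostor, t))
            for t in thresholds]


def equal_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Sweep every threshold and return (threshold, EER) at the point where
    FRR and FAR are closest; the EER is their mean at that threshold."""
    best = None  # (gap, threshold, eer)
    for t in range(0, 101):
        frr = false_rejection_rate(genuine, t)
        far = false_acceptance_rate(impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]


def field_frr_after_drift(genuine: List[int], threshold: int, drift: int) -> float:
    """The booklet's caveat: EER comes from laboratory data.  In the field the
    genuine scores can shift (worn reader, user pressing harder), and a
    threshold tuned in the lab then rejects more legitimate users.  The drift
    value is an ASSUMPTION for this illustration, not a measured figure."""
    shifted = [s - drift for s in genuine]
    return false_rejection_rate(shifted, threshold)


if __name__ == "__main__":
    for t, frr, far in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, range(55, 96, 5)):
        print(f"threshold {t:3d}: FRR={frr:.1f}  FAR={far:.1f}")
    thr, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.2f} at threshold {thr}")
    print(f"FRR at that threshold after a 10-point score drift: "
          f"{field_frr_after_drift(GENUINE_SCORES, thr, 10):.1f}")
```

With these constructed scores a strict threshold of 85 rejects 60% of genuine attempts but accepts no impostor, a loose threshold of 60 rejects nobody but accepts 70% of impostors, and the EER sits at 0.2 around a threshold of 73. Dropping every genuine score by 10 points, as a worn reader or a change in how the user presents the sample might, raises the FRR at that same threshold to 0.5, which is the reason the booklet warns against reading a laboratory EER as a field result.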



INTERNET PRIVACY
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

39.  Does the institution use an appropriate means to ensure that notices may be retained or obtained later, such as:

a. hand-delivery of a printed copy of the notice; [§9(e)(2)(i)]

b. mailing a printed copy to the last known address of the customer; [§9(e)(2)(ii)] or

c. making the current privacy notice available on the institution's web site (or via a link to the notice at another site) for the customer who agrees to receive the notice at the web site? [§9(e)(2)(iii)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated