Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
With Companies Over Exposed Records - Beware poor website data
security practices. The Federal Trade Commission on Tuesday said
that payroll provider Ceridian and immigration services software
provider Lookout Services had settled charges that they failed to
put sufficient security measures in place to protect sensitive
information relating to 65,000 people.
Cyber Investigation Capabilities - An FBI official argues that an
audit finding insufficient national cybersecurity investigation
skills doesn't reflect current expertise and results.
brace for debate over "do-not-track" bill - A new “do-not-track”
bill introduced Monday in the U.S. Senate would give consumers the
ability to prevent companies from collecting information about their
web browsing activities.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
data of "X-Factor" hopefuls exposed - Individuals have illegally
accessed Fox.com, the website of the Fox Broadcasting Co., to
compromise the personal information of tens of thousands of
individuals who applied to appear on Simon Cowell's new reality
hack - Cash for Anonymous heads on platters - Sony execs are mulling
the possibility of offering bounties for any information that leads
to the arrests of hackers who breached its network.
store sued for alleged Webcam spying - When you rent out your house,
it's always tempting to visit your renters to check that they are
happy--and to see that the walls are still in place.
30 hospital workers fired for snooping - Thirty-two employees were
fired from two hospitals in Minnesota after they viewed electronic
records belonging to patients who were hospitalized after overdosing
at a house party.
PSN restart as third breach is discovered - As Sony works to restore
its PlayStation Network (PSN) and Qriocity services – which likely
will remain offline until at least the end of the month following
two massive data breaches – the company has sustained a third
exposure, this time involving the personal information of thousands
of sweepstakes contestants.
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Oversight of Service Provider
Some of the oversight activities management should consider in
administering the service provider relationship are categorized and
listed below. The degree of oversight activities will vary depending
upon the nature of the services outsourced. Institutions should
consider the extent to which the service provider conducts similar
oversight activities for any of its significant supporting agents
(i.e., subcontractors, support vendors, and other parties) and the
extent to which the institution may need to perform oversight
activities on the service provider’s significant supporting agents.
Monitor Financial Condition and Operations
• Evaluate the service provider’s financial condition
• Ensure that the service provider’s financial obligations to
subcontractors are being met in a timely manner.
• Review audit reports (e.g., SAS 70 reviews, security reviews)
as well as regulatory examination reports if available, and
evaluate the adequacy of the service providers’ systems and
controls including resource availability, security, integrity,
• Follow up on any deficiencies noted in the audits and reviews
of the service provider.
• Periodically review the service provider’s policies relating
to internal controls, security, systems development and
maintenance, and back up and contingency planning to ensure they
meet the institution’s minimum guidelines, contract
requirements, and are consistent with the current market and
• Review access control reports for suspicious activity.
• Monitor changes in key service provider project personnel
allocated to the institution.
• Review and monitor the service provider’s insurance policies
for effective coverage.
• Perform on-site inspections in conjunction with some of the
reviews performed above, where practicable and necessary.
• Sponsor coordinated audits and reviews with other client
Some services provided to insured depository institutions by service
providers are examined by the FFIEC member agencies. Regulatory
examination reports, which are only available to clients/customers
of the service provider, may contain information regarding a service
provider’s operations. However, regulatory reports are not a
substitute for a financial institution’s due diligence in oversight
of the service provider.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Biometrics (Part 2 of 2)
Weaknesses in biometric systems relate to the ability of an attacker
to submit false physical characteristics, or to take advantage of
system flaws to make the system erroneously report a match between
the characteristic submitted and the one stored in the system. In
the first situation, an attacker might submit to a thumbprint
recognition system a copy of a valid user's thumbprint. The control
against this attack involves ensuring a live thumb was used for the
submission. That can be done by physically controlling the thumb
reader, for instance having a guard at the reader to make sure no
tampering or fake thumbs are used. In remote entry situations,
logical liveness tests can be performed to verify that the submitted
data is from a live subject.
Attacks that involve making the system falsely deny or accept a
request take advantage of either the low degrees of freedom in the
characteristic being tested, or improper system tuning. Degrees of
freedom relate to measurable differences between biometric readings,
with more degrees of freedom indicating a more unique biometric.
Facial recognition systems, for instance, may have only nine degrees
of freedom while other biometric systems have over one hundred.
Similar faces may be used to fool the system into improperly
authenticating an individual. Similar irises, however, are difficult
to find and even more difficult to fool a system into improperly
Attacks against system tuning also exist. Any biometric system has
rates at which it will falsely accept a reading and falsely reject a
reading. The two rates are inseparable; for any given system
improving one worsens the other. Systems that are tuned to maximize
user convenience typically have low rates of false rejection and
high rates of false acceptance. Those systems may be more open to
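
An added example, not part of the FFIEC booklet or this newsletter, illustrating the tuning trade-off described above: it sweeps a decision threshold over match scores and reports the false-acceptance rate (FAR) and false-rejection rate (FRR) at each setting. The scores, thresholds and function names are constructed assumptions for illustration.

```python
# Constructed sample match scores (0.0-1.0, higher = closer match); not real data.
GENUINE = [0.91, 0.88, 0.79, 0.95, 0.67, 0.84, 0.73, 0.90, 0.58, 0.86]
IMPOSTOR = [0.22, 0.35, 0.61, 0.18, 0.47, 0.70, 0.29, 0.55, 0.40, 0.12]
THRESHOLDS = [0.50, 0.65, 0.75, 0.85]  # assumed candidate settings


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a score >= threshold is accepted as a match."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(thresholds=THRESHOLDS):
    """FAR/FRR at each threshold, lowest (most convenient) threshold first."""
    return [(t, *rates(t)) for t in sorted(thresholds)]


def most_convenient_threshold(max_far, thresholds=THRESHOLDS):
    """Lowest threshold whose FAR stays within the policy ceiling max_far.

    Returns (threshold, FAR, FRR), or None if no candidate meets the ceiling.
    """
    for t, far, frr in sweep(thresholds):
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    print("threshold   FAR    FRR")
    for t, far, frr in sweep():
        print(f"{t:9.2f}  {far:5.2f}  {frr:5.2f}")
    # A convenience-tuned setting (low threshold) rejects no genuine users
    # but accepts some impostors; tightening the FAR ceiling raises FRR.
    print("FAR <= 0.10:", most_convenient_threshold(0.10))
    print("FAR <= 0.00:", most_convenient_threshold(0.00))
```
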
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
40. Does the institution provide at least one initial, annual, and
revised notice, as applicable, to joint consumers? [§9(g)]