Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- HHS Proposes Changes To HIPAA Privacy Rule - Individuals would
know who accessed their e-health information as well as details
about the data disclosed. The U.S. Dept. of Health and Human
Services has proposed changes to the Health Insurance Portability
and Accountability Act privacy rule that would provide individuals
with more details about who accessed their electronic health
information and disclosures of the e-health data.
- Is sharing a log-in a criminal act? - Tennessee lawmakers have
passed a bill that would make sharing log-in information, including
usernames and passwords, illegal within the state's borders.
- Homeland Security Releases FISMA Compliance Metrics - The Obama
administration, by focusing on continuous monitoring, comes closer
to assessing the thoroughness of federal agencies' cybersecurity
efforts, says SANS Institute.
- Good passwords are no joke - And given that the static password is
a flawed authentication mechanism that should, according to most
expert opinion, have been quietly euthanized decades ago, it might
seem strange that so much of that attention, at least in terms of
informational writing, has been about improving password practice.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Lockheed admits to hack that may portend more breaches - Lockheed
Martin released a statement over the weekend admitting that its
network was breached by sophisticated adversaries, but the company
said no assets were compromised.
- Google Disrupts Chinese Spear-Phishing Attack on Senior U.S.
Officials - Google says it’s shut down a well-crafted social
engineering attack on Gmail users that targeted the personal
accounts of “senior U.S. government officials, Chinese political
activists, officials in several Asian countries (predominantly South
Korea), military personnel and journalists.”
- Honda Data Breach Triggers Lawsuit - The class action suit accuses
Honda of putting 283,000 customers at risk, in part by waiting two
months to inform them of the data exposure. Beware storing outdated
customer data on websites. Honda Canada is learning that lesson the
hard way, after a March breach in which 283,000 customers' details
- Hacker group raids Sony Pictures in latest breach - Fresh off the
successful infiltration and defacement of the PBS website, the
hacktivist collective known as LulzSec said Thursday that it has
compromised the personal information of more than one million users
confirms Lockheed hack linked to SecurID breach - Security giant RSA
has confirmed that hackers leveraged stolen information about its
SecurID two-factor authentication offerings in a recent attack on
U.S. defense contractor Lockheed Martin.
group LulzSec targets FBI partner InfraGard - On the heels of
successful infiltrations at PBS and Sony, a vigilante hacker
collective, known as LulzSec, has compromised the website of the
Atlanta chapter of InfraGard, an FBI partner organization.
admits customers' data was hacked - Citibank has confirmed that the
names, account numbers and contact information of hundreds of
thousands of customers have been stolen in a hacking attack.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
2 of 10)
A. RISK DISCUSSION
Compliance risk arises when the linked third party acts in a manner
that does not conform to regulatory requirements. For example,
compliance risk could arise from the inappropriate release or use of
shared customer information by the linked third party. Compliance
risk also arises when the link to a third party creates or affects
compliance obligations of the financial institution.
Financial institutions with weblinking relationships are also
exposed to other risks associated with the use of technology, as
well as certain risks specific to the products and services provided
by the linked third parties. The amount of risk exposure depends on
several factors, including the nature of the link.
Any link to a third-party website creates some risk exposure for an
institution. This guidance applies to links to affiliated, as well
as non-affiliated, third parties. A link to a third-party website
that provides a customer only with information usually does not
create a significant risk exposure if the information being provided
is relatively innocuous, for example, weather reports.
Alternatively, if the linked third party is providing information or
advice related to financial planning, investments, or other more
substantial topics, the risks may be greater. Links to websites that
enable the customer to interact with the third party, either by
eliciting confidential information from the user or allowing the
user to purchase a product or service, may expose the insured
financial institution to more risk than those that do not have such
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
Network security requires effective implementation of several
control mechanisms to adequately secure access to systems and data.
Financial institutions must evaluate and appropriately implement
those controls relative to the complexity of their network. Many
institutions have increasingly complex and dynamic networks stemming
from the growth of distributed computing.
Security personnel and network administrators have related but
distinct responsibilities for ensuring secure network access across
a diverse deployment of interconnecting network servers, file
servers, routers, gateways, and local and remote client
workstations. Security personnel typically lead or assist in the
development of policies, standards, and procedures, and monitor
compliance. They also lead or assist in incident-response efforts.
Network administrators implement the policies, standards, and
procedures in their day-to-day operational role.
Internally, networks can host or provide centralized access to
mission-critical applications and information, making secure access
an organizational priority. Externally, networks integrate
institution and third-party applications that grant customers and
insiders access to their financial information and Web-based
services. Financial institutions that fail to restrict access
properly expose themselves to increased transaction, reputation, and
compliance risk from threats including the theft of customer
information, data alteration, system misuse, or denial-of-service
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
44. If the institution receives
information from a nonaffiliated financial institution under an
exception in §14 or §15, does the institution refrain from using or
disclosing the information except:
a. to disclose the information to the affiliates of the financial
institution from which it received the information; [§11(a)(1)(i)]
b. to disclose the information to its own affiliates, which are in
turn limited by the same disclosure and use restrictions as the
recipient institution; [§11(a)(1)(ii)] and
c. to disclose and use the information pursuant to an exception in
§14 or §15 in the ordinary course of business to carry out the
activity covered by the exception under which the information was
(Note: the disclosure or use described in section c of
this question need not be directly related to the activity covered
by the applicable exception. For instance, an institution receiving
information for fraud-prevention purposes could provide the
information to its auditors. But "in the ordinary course of
business" does not include marketing. [§11(a)(2)])