Does your financial institution need an affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).
The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FFIEC's "Interagency Guidelines Establishing Information Security Standards."
For more information and to subscribe visit http://www.yennik.com/it-review/.
FYI - FDIC - Guidance on Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers - The FDIC has issued the attached guidance, which describes the risk posed by sensitive information stored on certain electronic devices and how institutions should mitigate that risk.
http://www.fdic.gov/news/news/financial/2010/fil10056.html
FYI - Activists target recording industry websites - Piracy activists have carried out coordinated attacks on websites owned by the music and film industry. The assault temporarily knocked the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA) offline.
http://www.bbc.co.uk/news/technology-11371315
FYI - Google dismisses engineer who violated privacy policy - Security audits 'significantly increased' - Google has dismissed an engineer who had access to its back-end systems after he violated the company's internal privacy policies.
http://www.theregister.co.uk/2010/09/15/google_dismisses_employee_for_violating_internal_privacy_policies/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Authorities charge 53 in N.J. identity theft/bank fraud ring - The U.S. Department of Justice (DoJ) on Thursday charged 53 individuals in New Jersey in connection with a widespread identity theft and fraud ring.
http://www.scmagazineus.com/authorities-charge-53-in-nj-identity-theftbank-fraud-ring/article/179101/?DCMP=EMC-SCUS_Newswire
FYI - NBA star Shaquille O'Neal accused of hacking - A former employee of Shaquille O'Neal is suing the NBA star, claiming he hacked into phone systems and destroyed evidence.
http://www.scmagazineus.com/nba-star-shaquille-oneal-accused-of-hacking/article/179031/?DCMP=EMC-SCUS_Newswire
FYI - Ex-UPMC Shadyside worker charged with selling patient info - A federal grand jury indicted on Wednesday a surgical instrument technician at UPMC Shadyside for selling patients' names, birth dates and Social Security numbers.
http://www.pittsburghlive.com/x/pittsburghtrib/news/pittsburgh/s_699655.html
http://www.phiprivacy.net/?p=3786
WEB SITE COMPLIANCE - Equal Credit Opportunity Act (Regulation B)
The regulation clarifies the rules concerning the taking of credit applications by specifying that application information entered directly into and retained by a computerized system qualifies as a written application under this section. If an institution makes credit application forms available through its on-line system, it must ensure that the forms satisfy the requirements.
The regulation also clarifies the regulatory requirements that apply when an institution takes loan applications through electronic media. If an applicant applies through an electronic medium (for example, the Internet or a facsimile) without video capability that allows employees of the institution to see the applicant, the institution may treat the application as if it were received by mail.
INFORMATION TECHNOLOGY SECURITY - We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
PENETRATION ANALYSIS (Part 1 of 2)
After the initial risk assessment is completed, management may determine that a penetration analysis (test) should be conducted. For the purpose of this paper, "penetration analysis" is broadly defined. Bank management should determine the scope and objectives of the analysis. The scope can range from a specific test of a particular information system's security to a review of multiple information security processes in an institution.
A penetration analysis usually involves a team of experts who identify an information system's vulnerability to a series of attacks. The evaluators may attempt to circumvent the security features of a system by exploiting the identified vulnerabilities. Similar to running vulnerability scanning tools, the objective of a penetration analysis is to locate system vulnerabilities so that appropriate corrective steps can be taken.
The analysis can apply to any institution with a network, but becomes more important if system access is allowed via an external connection such as the Internet. The analysis should be independent and may be conducted by a trusted third party, a qualified internal audit team, or a combination of both. The information security policy should address the frequency and scope of the analysis. In determining the scope of the analysis, items to consider include internal vs. external threats, systems to include in the test, testing methods, and system architectures.
A penetration analysis is a snapshot of the security at a point in time and does not provide a complete guarantee that the system(s) being tested is secure. It can test the effectiveness of security controls and preparedness measures. Depending on the scope of the analysis, the evaluators may work under the same constraints applied to ordinary internal or external users. Conversely, the evaluators may use all system design and implementation documentation. It is common for the evaluators to be given just the IP address of the institution and any other public information, such as a listing of officers, that is normally available to outside hackers. The evaluators may use vulnerability assessment tools and employ some of the attack methods discussed in this paper, such as social engineering and war dialing. After completing the agreed-upon analysis, the evaluators should provide the institution a detailed written report. The report should identify vulnerabilities, prioritize weaknesses, and provide recommendations for corrective action.
FYI - Please remember that we perform vulnerability-penetration studies and would be happy to e-mail a proposal. E-mail Kinney Williams at examiner@yennik.com for more information.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Initial Privacy Notice
5) When the subsequent delivery of a privacy notice is permitted, does the institution provide notice after establishing a customer relationship within a reasonable time? [§4(e)]