Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).
The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices. For more information visit http://www.yennik.com/it-review/.
REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
FYI - GAO - Additional Guidance Needed to Address Cloud Computing Concerns
Release - http://www.gao.gov/products/GAO-12-130T
Highlights - http://www.gao.gov/highlights/d12130thigh.pdf
FYI - EU cloud vendors liable for breaches - Directive asks vendors to prove security and accept liability. The European Union will introduce rules that make cloud providers legally liable for data breaches.
http://www.scmagazine.com.au/News/275173,eu-cloud-vendors-liable-for-breaches.aspx
FYI - Lawmakers want investigation of supercookies - Markey and Barton call on the FTC to investigate the use of the hard-to-delete tracking tools. Two U.S. lawmakers have called on the U.S. Federal Trade Commission to investigate the use of so-called supercookies on many websites, with the two suggesting that use of the hard-to-remove tracking tools may be an unfair business practice.
http://www.computerworld.com/s/article/9220333/Lawmakers_want_investigation_of_supercookies?taxonomyId=17
FYI - (ISC)2 at a crossroads: CISSP value vs. security industry growth - (ISC)2 wants to dramatically swell its CISSP ranks in the next few years. That plan does not sit well with some CISSPs, who say their numbers are already growing too fast and putting CISSP value in question, even though the organization itself believes it's not growing nearly fast enough.
http://searchsecurity.techtarget.com/opinion/ISC2-at-a-crossroads-CISSP-value-vs-security-industry-growth
FYI - State Department Employee Faces Firing for Posting WikiLeaks Link - A veteran U.S. State Department foreign service officer says his job is on the line after he posted a link on his blog to a WikiLeaks document.
http://www.wired.com/threatlevel/2011/09/gov-employee-faces-firing/
FYI - GAO - Weaknesses Continue Amid New Federal Efforts to Implement Requirements
Release - http://www.gao.gov/products/GAO-12-137
Highlights - http://www.gao.gov/highlights/d12137high.pdf
FYI - Most businesses lack social media security controls - IT security practitioners agree that employees' social media use represents a security threat, but only 29 percent polled in a new survey said their company has the necessary controls in place to mitigate the risks.
http://www.scmagazineus.com/most-businesses-lack-social-media-security-controls/article/213161/?DCMP=EMC-SCUS_Newswire
FYI - GAO - Federal Reserve System: Opportunities Exist to Strengthen Policies and Processes for Managing Emergency Assistance
Release - http://www.gao.gov/products/GAO-12-122T
Highlights - http://www.gao.gov/highlights/d12122thigh.pdf
FYI - Malware victim loses net connection to iCode - An Australian woman has had her internet connection cut off this month under the iCode initiative after she received 42 consecutive emails warning that her computer was infected.
http://www.scmagazine.com.au/News/275219,malware-victim-loses-net-connection-to-icode.aspx
FYI - On the frontlines of cyber defence - Meet the teams fighting the malware threat. Something has gone terribly wrong on the plant floor at ACME Specialty Chemical International.
http://features.techworld.com/security/3307725/modern-warfare-on-the-frontlines-of-cyber-defence
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Countrywide insider gets eight months in prison for theft - A former employee of mortgage company Countrywide Financial was sentenced Tuesday to eight months in prison and ordered to pay $1.2 million in restitution after admitting to stealing and selling customers' personal data.
http://www.scmagazineus.com/countrywide-insider-gets-eight-months-in-prison-for-theft/article/213093/
FYI - Air traffic control data found on eBayed network gear - NATS passwords and info left on £20 switch. A switch with networking configurations and passwords for the UK air traffic control centre was offered for sale on eBay, raising serious security concerns.
http://www.theregister.co.uk/2011/09/30/nats_switch_fail/
WEB SITE COMPLIANCE - Equal Credit Opportunity Act (Regulation B)
The regulation clarifies the rules concerning the taking of credit applications by specifying that application information entered directly into and retained by a computerized system qualifies as a written application under this section. If an institution makes credit application forms available through its on-line system, it must ensure that the forms satisfy the requirements.
The regulation also clarifies the requirements that apply when an institution takes loan applications through electronic media. If an applicant applies through an electronic medium (for example, the Internet or a facsimile) without video capability that allows employees of the institution to see the applicant, the institution may treat the application as if it were received by mail.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - OPERATING SYSTEM ACCESS (Part 2 of 2)
Additional operating system access controls include the following actions:
! Ensure system administrators and security professionals have adequate expertise to securely configure and manage the operating system.
! Ensure effective authentication methods are used to restrict system access to both users and applications.
! Activate and utilize operating system security and logging capabilities and supplement with additional security software where supported by the risk assessment process.
! Restrict operating system access to specific terminals in physically secure and monitored locations.
! Lock or remove external drives from system consoles or terminals residing outside physically secure locations.
! Restrict and log access to system utilities, especially those with data-altering capabilities.
! Restrict access to operating system parameters.
! Prohibit remote access to sensitive operating system functions, where feasible, and at a minimum require strong authentication and encrypted sessions before allowing remote support.
! Limit the number of employees with access to sensitive operating systems and grant only the minimum level of access required to perform routine responsibilities.
! Segregate operating system access, where possible, to limit full or root-level access to the system.
! Monitor operating system access by user, terminal, date, and time of access.
! Update operating systems with security patches, using appropriate change control mechanisms.
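Three of the controls above (access only from approved terminals, limited root-level access, and monitoring by user, terminal, date and time) can be checked against the operating system's own login records. The following is an added example written for this newsletter, not code from the FFIEC booklet or from Yennik; the sshd-style log lines, the approved-terminal list and the business-hours window are all constructed, hypothetical values.

```python
import re
from datetime import datetime, time
# Constructed sample sshd "Accepted" lines (not taken from the page).
SAMPLE_LOG = """\
2011-10-03T08:15:02 host1 sshd[2201]: Accepted publickey for alice from 10.0.5.21 port 50122 ssh2
2011-10-03T23:40:11 host1 sshd[2310]: Accepted password for bob from 10.0.5.22 port 50190 ssh2
2011-10-03T09:02:45 host1 sshd[2355]: Accepted publickey for root from 10.0.9.77 port 50201 ssh2
2011-10-04T10:30:00 host1 sshd[2401]: Accepted publickey for carol from 203.0.113.8 port 50250 ssh2
"""
# Hypothetical policy values: terminals approved for OS access and the hours
# during which interactive administrative logins are expected.
APPROVED_TERMINALS = {"10.0.5.21", "10.0.5.22"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_access_events(log_text):
    """Return one record per successful login: user, terminal (source), time, method."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"user": m["user"], "terminal": m["src"],
                           "when": datetime.fromisoformat(m["ts"]), "method": m["method"]})
    return events

def review_access(events, approved=APPROVED_TERMINALS, hours=BUSINESS_HOURS):
    """Check each login against three of the booklet's controls: approved terminal,
    no direct root-level access, access within expected hours.
    Returns {(user, terminal, iso_time): [reasons]} for logins that need review."""
    findings = {}
    for ev in events:
        reasons = []
        if ev["terminal"] not in approved:
            reasons.append("terminal not in approved list")
        if ev["user"] == "root":
            reasons.append("direct root-level login")
        if not hours[0] <= ev["when"].time() <= hours[1]:
            reasons.append("outside expected hours")
        if reasons:
            findings[(ev["user"], ev["terminal"], ev["when"].isoformat())] = reasons
    return findings

if __name__ == "__main__":
    for key, reasons in review_access(parse_access_events(SAMPLE_LOG)).items():
        print(key, "->", "; ".join(reasons))
```

On the constructed sample, alice's daytime login from an approved terminal produces no finding, while the after-hours login, the direct root login from an unlisted terminal, and the login from an outside address are each reported with the control they fail.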
INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Financial Institution Duties (Part 4 of 6)
Requirements for Notices (continued)
Notice Content. A privacy notice must contain specific disclosures. However, a financial institution may provide to consumers who are not customers a "short form" initial notice together with an opt out notice stating that the institution's privacy notice is available upon request and explaining a reasonable means for the consumer to obtain it. The following is a list of disclosures regarding nonpublic personal information that institutions must provide in their privacy notices, as applicable:
1) categories of information collected;
2) categories of information disclosed;
3) categories of affiliates and nonaffiliated third parties to whom the institution may disclose information;
4) policies with respect to the treatment of former customers' information;
5) information disclosed to service providers and joint marketers (Section 13);
6) an explanation of the opt out right and methods for opting out;
7) any opt out notices the institution must provide under the Fair Credit Reporting Act with respect to affiliate information sharing;
8) policies for protecting the security and confidentiality of information; and
9) a statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law (Sections 14 and 15).