Does Your Financial Institution need an affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with the Gramm-Leach-Bliley Act 501(b).
The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FFIEC's "Interagency Guidelines Establishing Information Security Standards."
For more information and to subscribe visit http://www.yennik.com/it-review/.
FYI -
U.S. Tries to Make It Easier to Wiretap the Internet - Federal law
enforcement and national security officials are preparing to seek
sweeping new regulations for the Internet, arguing that their
ability to wiretap criminal and terrorism suspects is “going dark”
as people increasingly communicate online instead of by telephone.
http://www.nytimes.com/2010/09/27/us/27wiretap.html?_r=3&hp=&adxnnl=1&pagewanted=all&adxnnlx=1285855211-bpHUSDOzix12XhuQ3+ByJQ
FYI -
BlackBerry CEO suggests route to eavesdropping - Says companies that
use phones would need to hand over encryption keys - BlackBerry
maker Research in Motion Ltd. says it has no way of providing
government officials with the text of encrypted corporate e-mails
its devices serve up. But if the companies that employ BlackBerry
phones want to hand over the encryption keys to their e-mail, it
won't object.
http://www.msnbc.msn.com/id/39387290/ns/technology_and_science-security/
FYI -
Palin hacker's verdict stands - Judge denies ex-UT student's bid to
toss out convictions - A federal judge has shot down a former
University of Tennessee student's bid to have tossed out convictions
in the illegal access of Sarah Palin's personal e-mail account
during the 2008 presidential election.
http://www.knoxnews.com/news/2010/sep/25/palin-hackers-verdict-stands/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Privacy group takes on ACS:Law over data breach - ACS:Law, which has
conducted a letter-writing campaign against people suspected of
unlawful file-sharing, is facing legal action by Privacy
International after those people's details were leaked during a
security breach.
http://www.zdnet.co.uk/news/security-threats/2010/09/27/privacy-group-takes-on-acslaw-over-porn-data-breach-40090288/
FYI -
Maine court limits damage claims in data breach cases - Victims
can't seek restitution unless they suffer actual losses, state
Supreme Court says - Maine's Supreme Court has ruled that consumers
affected by the data breach at supermarket chain Hannaford Bros. in
2008 cannot claim damages from the company unless they suffered
uncompensated financial losses or some other tangible injury.
http://www.computerworld.com/s/article/9187340/Maine_court_limits_damage_claims_in_data_breach_cases?source=rss_news
FYI -
Belarusian extradited to US for one-stop ID theft site - US
prosecutors have extradited a Belarusian national accused of running
a website that helped thousands of criminals exploit stolen
financial information.
http://www.theregister.co.uk/2010/09/21/id_theft_website_extradition/
FYI -
Two remaining Comcast.net hijackers sentenced - The remaining two
members of a cybergang implicated in a 2008 scheme that redirected
visitors wishing to reach Comcast.net to websites of the hackers'
choosing each have been sentenced to 18 months in federal prison.
http://www.scmagazineus.com/two-remaining-comcastnet-hijackers-sentenced/article/179713/?DCMP=EMC-SCUS_Newswire
FYI -
Extradited VoIP hacker sentenced to 10 years - The mastermind behind
a scheme to hack into internet phone networks and resell services
for a profit was sentenced Friday to 10 years in federal prison, the
U.S. Attorney's Office in New Jersey announced.
http://www.scmagazineus.com/extradited-voip-hacker-sentenced-to-10-years/article/179538/?DCMP=EMC-SCUS_Newswire
FYI -
U.K. police arrest 19 in major Zeus bust - Police in the U.K. have
arrested 19 individuals believed to be part of an organized
cybercrime network that used the Zeus trojan to steal six million
pounds ($9.5 million) from U.K. bank accounts.
http://www.scmagazineus.com/uk-police-arrest-19-in-major-zeus-bust/article/179946/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
Advertisement Of Membership
The FDIC and NCUA consider every insured depository institution's
online system top-level page, or "home page", to be an
advertisement. Therefore, according to these agencies'
interpretation of their rules, financial institutions subject to the
regulations should display the official advertising statement on
their home pages unless subject to one of the exceptions described
under the regulations. Furthermore, each subsidiary page of an
online system that contains an advertisement should display the
official advertising statement unless subject to one of the
exceptions described under the regulations. Additional information
about the FDIC's interpretation can be found in the Federal
Register, Volume 62, Page 6145, dated February 11, 1997.
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
PENETRATION ANALYSIS (Part 2 of 2)
A penetration analysis itself can introduce new risks to an
institution; therefore, several items should be considered before
having an analysis completed, including the following:
1) If using outside testers, the reputation of the firm or
consultants hired. The evaluators will assess the weaknesses in the
bank's information security system. As such, the confidentiality of
results and bank data is crucial. Just like screening potential
employees prior to their hire, banks should carefully screen firms,
consultants, and subcontractors who are entrusted with access to
sensitive data. A bank may want to require security clearance checks
on the evaluators. An institution should ask if the evaluators have
liability insurance in case something goes wrong during the test.
The bank should enter into a written contract with the evaluators,
which at a minimum should address the above items.
2) If using internal testers, the independence of the testers from
system administrators.
3) The secrecy of the test. Some senior executives may order an
analysis without the knowledge of information systems personnel.
This can create unwanted results, including the notification of law
enforcement personnel and wasted resources responding to an attack.
To prevent excessive responses to the attacks, bank management may
consider informing certain individuals in the organization of the
penetration analysis.
4) The importance of the systems to be tested. Some systems may be
too critical to be exposed to some of the methods used by the
evaluators such as a critical database that could be damaged during
the test.
FYI - Please remember that we perform vulnerability-penetration studies and would be happy to e-mail {custom4} a proposal. E-mail Kinney Williams at examiner@yennik.com for more information.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Initial Privacy Notice
6) Does the institution provide a clear and conspicuous notice that
accurately reflects its privacy policies and practices at least
annually (that is, at least once in any period of 12 consecutive
months) to all customers, throughout the customer relationship?
[§5(a)(1) and (2)]
(Note: annual notices are not required for former customers.
[§5(b)(1) and (2)])