Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Cybersecurity Awareness Month launched - The eighth annual
National Cybersecurity Awareness Month was launched on Friday with a
gathering in Ypsilanti, Mich., featuring Janet Napolitano, the
secretary of the U.S. Department of Homeland Security (DHS), and
White House Cybersecurity Coordinator Howard Schmidt.
- White House Orders New Computer Security Rules - The White House
plans to issue an executive order on Friday to replace a flawed
patchwork of computer security safeguards exposed by the disclosure
of hundreds of thousands of classified government documents to
WikiLeaks last year.
- Calif. Governor Veto Allows Warrantless Cellphone Searches -
California Gov. Jerry Brown is vetoing legislation requiring police
to obtain a court warrant to search the mobile phones of suspects at
the time of any arrest.
- German government's Skype spying tool has holes, hackers say - A
hacker club found a Skype spying tool used by German law enforcement
may violate the country's constitutional law - An eavesdropping tool
allegedly used by the German government to intercept Skype calls is
full of security problems and may violate a ruling by the country's
constitutional court, according to a European hacker club.
- TD Ameritrade settles lawsuit over major breach - A U.S. District
Court judge has approved a settlement stemming from the 2007 TD
Ameritrade breach that exposed the personal information of some 6.3
million customers, two years after a deal was shot down because it
didn't benefit the plaintiffs enough.
- Couple files suit against Citigroup over breach - A couple from
New York state is seeking class-action status for a lawsuit against
Citigroup, alleging that the third-largest U.S. bank has "taken no
steps" to protect victims in the wake of a massive data breach,
according to reports.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Stanford Hospital blames contractor for data breach - After
patient files $20M lawsuit, health care provider firm says
contractor is responsible - Stanford Hospital & Clinics this week
blamed a third party billing contractor for a data breach that
exposed the personal data of some 20,000 patients.
- BofA site outages called 'unprecedented' - The bank has replaced
its standard online Web page with an alternate - The six days of
online brownouts and slowdowns that have plagued Bank of America's
website are "unprecedented," a leading Internet and mobile cloud
monitoring service said today.
- Anonymous Threatens New York Stock Exchange Attack - Calls for
distributed denial-of-service attack as part of the Occupy Wall
Street protests. A video that purports to be from the Anonymous
hacktivist collective has called for a distributed denial-of-service
(DDoS) attack to be launched against the New York Stock Exchange
- Computer Virus Hits U.S. Drone Fleet - rus has infected the
cockpits of America’s Predator and Reaper drones, logging pilots’
every keystroke as they remotely fly missions over Afghanistan and
- AmEx 'debug mode left site wide open', says hacker - Customer
cookies 'at risk' - An alleged vulnerability on American Express
site exposed customers to a serious security risk before the credit
card giant closed down a portion of its site on Thursday afternoon.
- Military jamming of GPS in Scotland suspended - Jamming of global
positioning signals (GPS) during Europe's largest military exercise
has been suspended, following complaints from fishermen.
- 111 arrested in massive ID theft bust - Restaurant workers and
bank insiders are charged in what's billed as the largest-ever ID
theft round-up - Prosecutors call it the biggest identity theft bust
in U.S. history. On Friday, 111 bank tellers, retail workers,
waiters and alleged criminals were charged with running a
credit-card-stealing organization that stole more than $13 million
in less than a year-and-a-half.
- Another PlayStation Network breach stings Sony customers - Sony on
Wednesday said hackers have again accessed its network, this time
compromising the accounts of some 93,000 customers.
- Delaware pediatric health facility loses data on 1.6 million -
Three unencrypted backup tapes containing the personal information
of more than a million and a half individuals have gone missing from
Nemours, a children's health system based in Wilmington, Del.
- Sensitive University of Georgia employee data posted online - The
personal information of thousands of individuals who worked at the
University of Georgia (UGA) in 2002 was accessible online for
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Advertisement Of Membership
The FDIC and NCUA consider every insured depository institution's
online system top-level page, or "home page", to be an
advertisement. Therefore, according to these agencies'
interpretation of their rules, financial institutions subject to the
regulations should display the official advertising statement on
their home pages unless subject to one of the exceptions described
under the regulations. Furthermore, each subsidiary page of an
online system that contains an advertisement should display the
official advertising statement unless subject to one of the
exceptions described under the regulations. Additional information
about the FDIC's interpretation can be found in the Federal
Register, Volume 62, Page 6145, dated February 11, 1997.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION - APPLICATION
1 of 2)
Sensitive or mission - critical applications should incorporate
appropriate access controls that restrict which application
functions are available to users and other applications. The most
commonly referenced applications from an examination perspective
support the information processing needs of the various business
lines. These computer applications allow authorized users or other
applications to interface with the related database. Effective
application access control can enforce both segregation of duties
and dual control. Access rights to sensitive or critical
applications and their database should ensure that employees or
applications have the minimum level of access required to perform
their business functions. Effective application access control
involves a partnership between the security administrators, the
application programmers (including TSPs and vendors), and the
Some security software programs will integrate access control for
the operating system and some applications. That software is useful
when applications do not have their own access controls, and when
the institution wants to rely on the security software instead of
the application's access controls. Examples of such security
software products for mainframe computers include RACF, CA - ACF2,
and CA - TopSecret. Institutions should understand the functionality
and vulnerabilities of their application access control solutions
and consider those issues in their risk assessment process.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties ( Part 5 of 6)
Limitations on Disclosure of Account Numbers:
A financial institution must not disclose an account number or
similar form of access number or access code for a credit card,
deposit, or transaction account to any nonaffiliated third party
(other than a consumer reporting agency) for use in telemarketing,
direct mail marketing, or other marketing through electronic mail to
The disclosure of encrypted account numbers without an accompanying
means of decryption, however, is not subject to this prohibition.
The regulation also expressly allows disclosures by a financial
institution to its agent to market the institution's own products or
services (although the financial institution must not authorize the
agent to directly initiate charges to the customer's account). Also
not barred are disclosures to participants in private-label or
affinity card programs, where the participants are identified to the
customer when the customer enters the program.