Does Your Financial Institution need an affordable Internet security audit?

Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).

The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.

For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FFIEC's "Interagency Guidelines Establishing Information Security Standards." For more information and to subscribe visit http://www.yennik.com/it-review/.
FYI - Youth jailed for not handing over encryption password - Second ever sentence for RIPA offence - A 19-year old from Lancashire has been sentenced to 16 weeks in a young offenders institution for refusing to give police the password to an encrypted file on his computer.
http://www.theregister.co.uk/2010/10/06/jail_password_ripa/

FYI - Jury convicts programmer of planting Fannie Mae server bomb - Faces 10 years in prison for trying to erase data on nearly 5,000 servers - A programmer who worked for the Federal National Mortgage Association, better known as Fannie Mae, was convicted Monday on a charge that he tried to destroy data on the organization's nearly 5,000 servers.
http://www.computerworld.com/s/article/9189939/Jury_convicts_programmer_of_planting_Fannie_Mae_server_bomb?taxonomyId=144

FYI - Banking bill would treat schools, towns like consumers - A New York lawmaker has introduced a bill that would extend financial protection to municipalities and school districts that fall victim to unauthorized bank funds transfers.
http://www.scmagazineus.com/banking-bill-would-treat-schools-towns-like-consumers/article/180818/

FYI - Feds Unlikely To Meet Cybersecurity Compliance Deadline - A Nov. 15 date for federal cybersecurity managers to start using the new CyberScope online reporting tool will be missed by many, as 85% have yet to use the new software.
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=227701081&cid=RSSfeed_IWK_All

FYI - Caught Spying on Student, FBI Demands GPS Tracker Back - A California student got a visit from the FBI this week after he found a secret GPS tracking device on his car, and a friend posted photos of it online.
http://www.wired.com/threatlevel/2010/10/fbi-tracking-device/all/1
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Aldi data breach shows payment terminal holes - Thieves hit point-of-sale terminals in Aldi grocery stores in 11 states - A debit card breach disclosed late last week by discount grocer Aldi Inc. shows how hardware hacks are starting to pose as much of a threat to payment card data as software-based attacks.
http://www.computerworld.com/s/article/9189982/Aldi_data_breach_shows_payment_terminal_holes?taxonomyId=17

FYI - Russian authorities detain suspected bank carding kingpin - $660,000 gone in 6 months - Russian authorities have detained a Ukrainian citizen accused of overseeing a criminal operation that used fraudulent credit cards and passports to siphon large amounts of cash out of banks around the world.
http://www.theregister.co.uk/2010/10/05/russia_detains_bank_fraud_kingpin/

FYI - Cancer researcher fights UNC demotion - She was deemed responsible for security breach - A UNC cancer researcher is fighting a demotion and pay cut she received after a security breach in the medical study she directs.
http://www.heraldsun.com/view/full_story/9804450/article-Cancer-researcher-fights-UNC-demotion?instance=homesecondleft

FYI - Personal data on Tamil refugees exposed - A computer containing the names of Tamil refugees has been stolen from the offices of the Canadian Tamil Congress.
http://www.scmagazineus.com/personal-data-on-tamil-refugees-exposed/article/180656/?DCMP=EMC-SCUS_Newswire

FYI - Swiss bank accounts under CRA investigation - The Canadian Revenue Agency (CRA) is investigating more than 1,000 high-value bank accounts in Switzerland, after a former employee stole the account data and handed it to investigators.
http://www.scmagazineus.com/swiss-bank-accounts-under-cra-investigation/article/180653/?DCMP=EMC-SCUS_Newswire

FYI - Virus strikes University of Oklahoma computer - A virus recently compromised a clinic computer at the University of Oklahoma-Tulsa neurology practice to possibly retrieve sensitive documents on the machine.
http://www.scmagazineus.com/virus-strikes-university-of-oklahoma-computer/article/180883/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - Advertisements

Generally, Internet web sites are considered advertising by the regulatory agencies. In some cases, the regulations contain special rules for multiple-page advertisements. It is not yet clear what would constitute a single "page" in the context of the Internet or on-line text. Thus, institutions should carefully review their on-line advertisements in an effort to minimize compliance risk.

In addition, Internet or other systems in which a credit application can be made on-line may be considered "places of business" under HUD's rules prescribing lobby notices. Thus, institutions may want to consider including the "lobby notice," particularly in the case of interactive systems that accept applications.
INFORMATION TECHNOLOGY SECURITY - We conclude our review of the FDIC paper "Risk Assessment Tools and Practices of Information System Security." We hope you have found this series useful.

INCIDENT RESPONSE - Discusses implementing an incident response strategy for the response component of an institution's information security program. After implementing a defense strategy and monitoring for new attacks, hacker activities, and unauthorized insider access, management should develop a response strategy. The sophistication of an incident response plan will vary depending on the risks inherent in each system deployed and the resources available to an institution. In developing a response strategy or plan, management should consider the following:

1) The plan should provide a platform from which an institution can prepare for, address, and respond to intrusions or unauthorized activity. The beginning point is to assess the systems at risk, as identified in the overall risk assessment, and consider the potential types of security incidents.

2) The plan should identify what constitutes a break-in or system misuse, and incidents should be prioritized by the seriousness of the attack or system misuse.

3) Individuals should be appointed and empowered with the latitude and authority to respond to an incident. The plan should include what the appropriate responses may be for potential intrusions or system misuse.

4) A recovery plan should be established, and in some cases, an incident response team should be identified.

5) The plan should include procedures to officially report the incidents to senior management, the board of directors, legal counsel, and law enforcement agents as appropriate.
FYI - Please remember that we perform vulnerability-penetration studies and would be happy to e-mail {custom4} a proposal. E-mail Kinney Williams at examiner@yennik.com for more information.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

8) Do the initial, annual, and revised privacy notices include each of the following, as applicable: (Part 1 of 2)

a) the categories of nonpublic personal information that the institution collects; [§6(a)(1)]

b) the categories of nonpublic personal information that the institution discloses; [§6(a)(2)]

c) the categories of affiliates and nonaffiliated third parties to whom the institution discloses nonpublic personal information, other than parties to whom information is disclosed under an exception in §14 or §15; [§6(a)(3)]

d) the categories of nonpublic personal information disclosed about former customers, and the categories of affiliates and nonaffiliated third parties to whom the institution discloses that information, other than those parties to whom the institution discloses information under an exception in §14 or §15; [§6(a)(4)]