Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Weatherford Named DHS Cybersec Leader - Mark Weatherford, the
former chief information security officer of California and
Colorado, will be the new Department of Homeland Security deputy
undersecretary for cybersecurity for the National Protection and
- Anonymous Interested in Hacking Nationís Infrastructure - The
hacker collective known as Anonymous has expressed interest in
hacking industrial systems that control critical infrastructures,
such as gas and oil pipelines, chemical plants and water and sewage
treatment facilities, according to a Department of Homeland Security
- Diplomat Loses Top Secret Clearance for Linking to WikiLeaks - A
veteran U.S. State Department foreign service officer lost his
security clearance and diplomatic passport this week while the
department investigates him over linking to a WikiLeaks document on
his blog and publishing a book critical of the government.
- Who Else Was Hit by the RSA Attackers? - The data breach disclosed
in March by security firm RSA received worldwide attention because
it highlighted the challenges that organizations face in detecting
and blocking intrusions from targeted cyber attacks. The subtext of
the story was that if this could happen to one of the largest and
most integral security firms, what hope was there for organizations
that arenít focused on security?
- XML Encryption Flaw Leaves Web Services Vulnerable - Apache, Red
Hat, IBM, Microsoft, and other major XML framework providers will
need to adopt new standard, say German researchers who found the
flaw. Watch your Web Services: the official XML Encryption Syntax
and Processing standard can be broken.
- FCC warns retailers to stop selling signal-jamming devices - The
Federal Communications Commission has issued warnings to 20 online
retailers to stop selling illegal signal-jamming devices, including
mobile phone, GPS and Wi-Fi jammers.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Fund manager withdraws legal threat over security vuln - First
State Super, the company that called the police and fired off legal
threats when a security researcher notified it of vulnerabilities in
its online funds management application, is reportedly softening its
- Social Security agency leaks thousands of SSNs every year, report
says - More than 400K SSNs may have leaked in last 30 years - The
Social Security Administration (SSA) puts thousands of Americans at
risk of identity theft each year by accidentally leaking their
Social Security Numbers, names and dates of birth, according to an
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Generally, Internet web sites are considered advertising by the
regulatory agencies. In some cases, the regulations contain special
rules for multiple-page advertisements. It is not yet clear what
would constitute a single "page" in the context of the Internet or
on-line text. Thus, institutions should carefully review their
on-line advertisements in an effort to minimize compliance risk.
In addition, Internet or other systems in which a credit application
can be made on-line may be considered "places of business" under
HUD's rules prescribing lobby notices. Thus, institutions may want
to consider including the "lobby notice," particularly in the case
of interactive systems that accept applications.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
Many financial institutions use modems, remote - access servers
(RAS), and VPNs to provide remote access into their systems or to
allow remote access out of their systems. Remote access can support
mobile users through wireless, Internet, or dial-in capabilities. In
some cases, modem access is required periodically by vendors to make
emergency program fixes or to support a system.
Remote access to a financial institution's systems provides an
attacker with the opportunity to remotely attack the systems either
individually or in groups. Accordingly, management should establish
policies restricting remote access and be aware of all remote access
devices attached to their systems. These devices should be strictly
controlled. Good controls for remote access include the following
! Disallow remote access by policy and practice unless a compelling
business justification exists.
! Disable remote access at the operating system level if a business
need for such access does not exist.
! Require management approval for remote access.
! Require an operator to leave the modems unplugged or disabled by
default, to enable modems only for specific, authorized external
requests, and disable the modem immediately when the requested
purpose is completed.
! Configure modems not to answer inbound calls, if modems are for
outbound use only.
! Use automated callback features so the modems only call one number
(although this is subject to call forwarding schemes).
! Install a modem bank where the outside number to the modems uses a
different prefix than internal numbers and does not respond to
! Log and monitor the date, time, user, user location, duration, and
purpose for all remote access.
! Require a two-factor authentication process for all remote access
(e.g., PIN-based token card with a one-time random password
! Implement controls consistent with the sensitivity of remote use
(e.g., remote system administration requires strict controls and
oversight including encrypting the authentication and log-in
! Appropriately patch and maintain all remote access software.
! Use trusted, secure access devices.
! Use remote-access servers (RAS) to centralize modem and Internet
access, to provide a consistent authentication process, and to
subject the inbound and outbound network traffic to firewalls.
Return to the top of
INTERNET PRIVACY - We continue our series listing
the regulatory-privacy examination questions. When you answer the
question each week, you will help ensure compliance with the privacy
Fair Credit Reporting Act
The regulations do not modify, limit, or supersede the operation
of the Fair Credit Reporting Act.
The regulations do not supersede, alter, or affect any state
statute, regulation, order, or interpretation, except to the extent
that it is inconsistent with the regulations. A state statute,
regulation, order, etc. is consistent with the regulations if the
protection it affords any consumer is greater than the protection
provided under the regulations, as determined by the FTC.
Grandfathered Service Contracts
Contracts that a financial institution has entered into, on or
before July 1, 2000, with a nonaffiliated third party to perform
services for the financial institution or functions on its behalf,
as described in section 13, will satisfy the confidentiality
requirements of section 13(a)(1)(ii) until July 1, 2002, even if the
contract does not include a requirement that the third party
maintain the confidentiality of nonpublic personal information.
Guidelines Regarding Protecting Customer Information
The regulations require a financial institution to disclose its
policies and practices for protecting the confidentiality, security,
and integrity of nonpublic personal information about consumers
(whether or not they are customers). The disclosure need not
describe these policies and practices in detail, but instead may
describe in general terms who is authorized to have access to the
information and whether the institution has security practices and
procedures in place to ensure the confidentiality of the information
in accordance with the institution's policies.
The four federal bank and thrift regulators have published
guidelines, pursuant to section 501(b) of the Gramm-Leach-Bliley
Act, that address steps a financial institution should take in order
to protect customer information. The guidelines relate only to
information about customers, rather than all consumers. Compliance
examiners should consider the findings of a 501(b) inspection during
the compliance examination of a financial institution for purposes
of evaluating the accuracy of the institution's disclosure regarding
Next week we will start covering the examination objectives.