Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- (At least) 4 web authentication authorities breached since June -
SSL security chain as good a broken - At least four web
authentication authorities have reported being compromised in as
many months, according to research from the Electronic Frontier
Foundation that renews serious questions about a technology millions
of websites rely on to remain secure.
- Tool Lets Single Laptop Take Down An SSL Server - Yet another
strike against SSL security - SSL is in the hot seat again: A new,
free tool is now circulating that can take down an HTTPS Web server
in a denial-of-service attack using a single laptop via a DSL
- Insulin pump hack delivers fatal dosage over the air - Sugar
Blues, James Bond style - In a hack fitting of a James Bond movie, a
security researcher has devised an attack that hijacks nearby
insulin pumps, enabling him to surreptitiously deliver fatal doses
to diabetic patients who rely on them.
- National Security Agency helps banks battle hackers - The National
Security Agency, a secretive arm of the U.S. military, has begun
providing Wall Street banks with intelligence on foreign hackers, a
sign of growing U.S. fears of financial sabotage.
- Federal cyber rules halt LAPD's move to Google Apps - FBI security
rules are holding up the Los Angeles Police Department's move to
Google Web-based email and office applications, according to
contractors. The federal policies, which relate to confidentiality
of criminal history data, could prevent certain agencies from ever
moving operations to the cloud, or third-party data centers that
provide software over the Internet, experts say.
- Breaches lead to major reputation, brand damage - Companies spend
on average up to a year to restore their reputation following a data
breach, according to a study released Thursday.
- Banker trade group warns of phishing uptick - The American Bankers
Association (ABA) on Wednesday issued a new warning about a “sudden
increase” in phishing scams being reported throughout the country.
- Internet privacy tools too confusing for most users - Users
wishing to stop advertisers from tracking their online behaviors
face major hurdles, according to a report released this week by
Carnegie Mellon University.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Chinese Military Suspected in Hacker Attacks on U.S. Satellites -
Computer hackers, possibly from the Chinese military, interfered
with two U.S. government satellites four times in 2007 and 2008
through a ground station in Norway, according to a congressional
- Nasdaq Server Breach: 3 Expected Findings - While federal
investigators remain quiet about the ongoing investigation, experts
say that the Directors Desk data breach is even worse than thought.
Last week, two experts with knowledge of Nasdaq OMX Group's internal
investigation said that while attackers hadn't directly attacked
trading servers, they had installed malware on sensitive systems,
which enabled them to spy on dozens of company directors.
- Anonymous downs Oakland police site after violence - The
hacktivist group Anonymous is making good on its promise of digital
retaliation against the Oakland Police Department for the force it
used against protesters this week.
- Ottawa warned about hackers weeks before crippling cyber attack:
CSIS report - Canada's spy agency warned the government that federal
departments were under assault from rogue hackers just weeks before
an attack crippled key computers.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Record retention provisions apply to electronic delivery of
disclosures to the same extent required for non-electronic delivery
of information. For example, if the web site contains an
advertisement, the same record retention provisions that apply to
paper-based or other types of advertisements apply. Copies of such
advertisements should be retained for the time period set out in the
relevant regulation. Retention of electronic copies is acceptable.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION - PHYSICAL
The confidentiality, integrity, and availability of information can
be impaired through physical access and damage or destruction to
physical components. Conceptually, those physical security risks are
mitigated through zone-oriented implementations. Zones are physical
areas with differing physical security requirements. The security
requirements of each zone are a function of the sensitivity of the
data contained or accessible through the zone and the information
technology components in the zone. For instance, data centers may be
in the highest security zone, and branches may be in a much lower
security zone. Different security zones can exist within the same
structure. Routers and servers in a branch, for instance, may be
protected to a greater degree than customer service terminals.
Computers and telecommunications equipment within an operations
center will have a higher security zone than I/O operations, with
the media used in those equipment stored at yet a higher zone.
The requirements for each zone should be determined through the risk
assessment. The risk assessment should include, but is not limited
to, the following threats:
! Aircraft crashes
! Chemical effects
! Electrical supply interference
! Electromagnetic radiation
! Wireless emissions
! Any other threats applicable based on the entity's unique
geographical location, building configuration, neighboring entities,
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
1. To assess the quality of a financial institution's compliance
management policies and procedures for implementing the privacy
regulation, specifically ensuring consistency between what the
financial institution tells consumers in its notices about its
policies and practices and what it actually does.
2. To determine the reliance that can be placed on a financial
institution's internal controls and procedures for monitoring the
institution's compliance with the privacy regulation.
3. To determine a financial institution's compliance with the
privacy regulation, specifically in meeting the following
a) Providing to customers notices of its privacy policies and
practices that are timely, accurate, clear and conspicuous, and
delivered so that each customer can reasonably be expected to
receive actual notice;
b) Disclosing nonpublic personal information to nonaffiliated third
parties, other than under an exception, after first meeting the
applicable requirements for giving consumers notice and the right to
c) Appropriately honoring consumer opt out directions;
d) Lawfully using or disclosing nonpublic personal information
received from a nonaffiliated financial institution; and
e) Disclosing account numbers only according to the limits in the
4. To initiate effective corrective actions when violations of law
are identified, or when policies or internal controls are deficient.