Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Computerized patient records will bring on hackers - A powerful
Republican senator with a medical degree is warning that the
nation's transition to electronic patient records will lure cyber
intruders and should be reconsidered.
- FBI arrests six in click-fraud cyber scam that netted $14M - Six
men believed to be behind a massive click-fraud scheme were arrested
on Monday following a two-year, international police investigation,
dubbed Operation Ghost Click, the FBI announced Wednesday.
- Darpa’s Plan to Trap the Next WikiLeaker: Decoy Documents -
WikiLeakers may have to think twice before clicking on that
“classified” document. It could be the digital smoking gun that
points back at them.
- Apple kills code-signing bug that threatened iPhone users - Hacker
who discovered it remains excommunicated - Apple has patched a
serious bug in iPhones and iPads that allowed attackers to embed
secret payloads in iTunes App Store offerings that were never
approved during the official submission process.
- ACH debit transfer emails leading to malware - Users should be
cautious if they receive an email purportedly containing information
about an Automated Clearing House (ACH) debit transfer created on
their behalf, as it could lead to malware, researchers from
anti-virus company MX Lab, said in a blog post Wednesday.
- GAO again slams IRS over security weaknesses - After repeatedly
sounding the alarm about lax data security practices at the Internal
Revenue Service (IRS), the U.S. Government Accountability Office
(GAO) again has warned that the nation's tax collector is operating
with significant deficiencies.
- Canadian internet users wary of security and privacy, report - One
in 10 Canadians cite security as the primary challenge to the
success of the internet – the single largest issue identified in a
survey sponsored by the Canadian Internet Registration Authority (CIRA).
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Man charged with hacking Hoboken, N.J. mayor's email - A former
information systems specialist for the city of Hoboken, N.J.
surrendered Wednesday to the FBI on charges he hijacked emails meant
for the Mayor.
- Occupy St. Louis sympathizer hacks mayor's website - A person
supportive of the Occupy Wall Street movements sweeping the nation
has hacked into the website belonging to the St. Louis mayor,
defacing it and publicly exposing contact information and emails.
- VCU server hacked to compromise personal data of 175K - Hackers
accessed a sensitive computer server containing the personal
information of faculty and students at Virginia Commonwealth
University (VCU) in Richmond.
- Title Firm Sues Bank Over $207k Cyberheist - A title insurance
firm in Virginia is suing its bank after an eight-day cyber heist
involving more than $2 million in thefts and more than $200,000 in
losses last year.
- Dozens used phone-hacker's services, inquiry hears - More than two
dozen News International employees used the services of a convicted
phone-hacker, the British government-backed inquiry into illegal
eavesdropping and bribery by journalists heard Monday.
- Tour de France winner sentenced for hack of doping lab - The
disgraced US cyclist who was stripped of his 2006 Tour de France
victory for doping, was handed a suspended 12-month prison sentence
for his part in a hack of an anti-doping lab computer.
- Alarm raised months before fed breach discovered - Like Rodney
Dangerfield, it seems that Canadian spies don't get any respect.
Documents show that the Canadian Security Intelligence Service (CSIS)
sounded an alert at least two months before a massive internet
intrusion was spotted at the Treasury Board of Canada – the branch
of government responsible for fiscal control and human resources.
- Lawrence Memorial Hospital experiences online security breach -
Officials at Lawrence Memorial Hospital are anticipating a federal
investigation and possible fine after an online security breach
potentially compromised 8,000 patients' financial information.
- Sutter Health loses computer, data on 4.2 million - A desktop
computer stolen from a Northern California health care system
contained the personal information of roughly 4.2 million patients,
the organization revealed Wednesday.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program
requires a financial institution to notify a prospective borrower
and the servicer that the structure securing the loan is located or
to be located in a special flood hazard area. The regulation also
requires a notice of the servicer's identity be delivered to the
insurance provider. While the regulation addresses electronic
delivery to the servicer and to the insurance provider, it does not
address electronic delivery of the notice to the borrower.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS
(Part 1 of 2)
Hardware and software located in a user department are often less
secure than that located in a computer room. Distributed hardware
and software environments (e.g., local area networks or LANs) that
offer a full range of applications for small financial institutions
as well as larger organizations are commonly housed throughout the
organization, without special environmental controls or raised
flooring. In such situations, physical security precautions are
often less sophisticated than those found in large data centers, and
overall building security becomes more important. Internal control
procedures are necessary for all hardware and software deployed in
distributed, and less secure, environments. The level of security
surrounding any IS hardware and software should depend on the
sensitivity of the data that can be accessed, the significance of
applications processed, the cost of the equipment, and the
availability of backup equipment.
Because of their portability and location in distributed
environments, PCs often are prime targets for theft and misuse. The
location of PCs and the sensitivity of the data and systems they
access determine the extent of physical security required. For PCs
in unrestricted areas such as a branch lobby, a counter or divider
may provide the only barrier to public access. In these cases,
institutions should consider securing PCs to workstations, locking
or removing disk drives, and using screensaver passwords or
automatic timeouts. Employees also should have only the access to
PCs and data they need to perform their job. The sensitivity of the
data processed or accessed by the computer usually dictates the
level of control required. The effectiveness of security measures
depends on employee awareness and enforcement of these controls.
An advantage of PCs is that they can operate in an office
environment, providing flexible and informal operations. However, as
with larger systems, PCs are sensitive to environmental factors such
as smoke, dust, heat, humidity, food particles, and liquids. Because
they are not usually located within a secure area, policies should
be adapted to provide protection from ordinary contaminants.
Other environmental problems to guard against include electrical
power surges and static electricity. The electrical power supply in
an office environment is sufficient for a PC's requirements.
However, periodic fluctuations in power (surges) can cause equipment
damage or loss of data. PCs in environments that generate static
electricity are susceptible to static electrical discharges that can
cause damage to PC components or memory.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Examination Procedures (Part 2 of 3)
B. Use the information gathered from step A to work through the
"Privacy Notice and Opt Out Decision Tree." Identify which module(s)
of procedures is (are) applicable.
C. Use the information gathered from step A to work through the
Reuse and Redisclosure and Account Number Sharing Decision Trees, as
necessary (Attachments B & C). Identify which module is applicable.
D. Determine the adequacy of the financial institution's internal
controls and procedures to ensure compliance with the privacy
regulation as applicable. Consider the following:
1) Sufficiency of internal policies and procedures, and controls,
including review of new products and services and controls over
servicing arrangements and marketing arrangements;
2) Effectiveness of management information systems, including the
use of technology for monitoring, exception reports, and
standardization of forms and procedures;
3) Frequency and effectiveness of monitoring procedures;
4) Adequacy and regularity of the institution's training program;
5) Suitability of the compliance audit program for ensuring that:
a) the procedures address all regulatory provisions as
b) the work is accurate and comprehensive with respect to the
institution's information sharing practices;
c) the frequency is appropriate;
d) conclusions are appropriately reached and presented to
e) steps are taken to correct deficiencies and to follow-up on
previously identified deficiencies; and
6) Knowledge level of management and personnel.