Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Government, companies taking steps to ward off cyberattacks -
Warnings of a cyber Pearl Harbor. Major breaches of classified
computer networks. Hundreds of billions of dollars’ worth of
corporate data stolen by hackers.
Romanian hacker accused of breaking into NASA server - Police in
Romania this week arrested a 26-year-old hacker accused of breaking
into several servers belonging to NASA, and causing hundreds of
thousands of dollars in damages.
GAO - Information Technology: Critical Factors Underlying Successful
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Phishers net Norwegian secrets - E-mail trojans sweep hard drives -
Oil, gas and defense data has been boosted from computers in Norway,
in what the country fears is its largest-ever data espionage case.
Stolen Sutter Medical Foundation computer had information on
millions of patients - A Sutter Medical Foundation computer stolen
in mid-October held information on more than 4 million patients,
some dating back to 1995, including names, addresses and
descriptions of diagnoses, officials at the health network said
Mystery 'virus' disrupts St John's ambulance service - Staff at New
Zealand's St John's Ambulance service were forced to coordinate
emergency call-outs using manual radio systems last week after
computers systems were hit by a mystery 'virus'.
Water utilities in Illinois, Houston reportedly hacked - Hackers
have reportedly breached the systems of two U.S. water utility
companies, potentially causing physical damage in one case.
Anonymous leaks cybercrime investigator's private emails - The
hacktivist group Anonymous on Friday released 38,000 private emails
belonging to a retired California Department of Justice (DoJ)
cybercrime investigator as revenge for police crackdowns against the
Occupy Wall Street movement.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Disclosures and Notices
Several consumer regulations provide for disclosures and/or notices
to consumers. The compliance officer should check the specific
regulations to determine whether the disclosures/notices can be
delivered via electronic means. The delivery of disclosures via
electronic means has raised many issues with respect to the format
of the disclosures, the manner of delivery, and the ability to
ensure receipt by the appropriate person(s). The following
highlights some of those issues and offers guidance and examples
that may be of use to institutions in developing their electronic
Disclosures are generally required to be "clear and conspicuous."
Therefore, compliance officers should review the web site to
determine whether the disclosures have been designed to meet this
standard. Institutions may find that the format(s) previously used
for providing paper disclosures may need to be redesigned for an
electronic medium. Institutions may find it helpful to use "pointers
" and "hotlinks" that will automatically present the disclosures to
customers when selected. A financial institution's use solely of
asterisks or other symbols as pointers or hotlinks would not be as
clear as descriptive references that specifically indicate the
content of the linked material.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
SECURITY CONTROLS -
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS (Part 2 of
Physical security for distributed IS, particularly LANs that are
usually PC - based, is slightly different than for mainframe
platforms. With a network there is often no centralized computer
room. In addition, a network often extends beyond the local
premises. There are certain components that need physical security.
These include the hardware devices and the software and data that
may be stored on the file servers, PCs, or removable media (tapes
and disks). As with more secure IS environments, physical network
security should prevent unauthorized personnel from accessing LAN
devices or the transmission of data. In the case of wire - transfer
clients, more extensive physical security is required.
Physical protection for networks as well as PCs includes power
protection, physical locks, and secure work areas enforced by
security guards and authentication technologies such as magnetic
badge readers. Physical access to the network components (i.e.,
files, applications, communications, etc.) should be limited to
those who require access to perform their jobs. Network workstations
or PCs should be password protected and monitored for workstation
Network wiring requires some form of protection since it does not
have to be physically penetrated for the data it carries to be
revealed or contaminated. Examples of controls include using a
conduit to encase the wiring, avoiding routing through publicly
accessible areas, and avoiding routing networking cables in close
proximity to power cables. The type of wiring can also provide a
degree of protection; signals over fiber, for instance, are less
susceptible to interception than signals over copper cable.
Capturing radio frequency emissions also can compromise network
security. Frequency emissions are of two types, intentional and
unintentional. Intentional emissions are those broadcast, for
instance, by a wireless network. Unintentional emissions are the
normally occurring radiation from monitors, keyboards, disk drives,
and other devices. Shielding is a primary control over emissions.
The goal of shielding is to confine a signal to a defined area. An
example of shielding is the use of foil-backed wallboard and window
treatments. Once a signal is confined to a defined area, additional
controls can be implemented in that area to further minimize the
risk that the signal will be intercepted or changed.
Return to the top of
INTERNET PRIVACY -
We continue our series listing
the regulatory-privacy examination questions. When you answer the
question each week, you will help ensure compliance with the privacy
Examination Procedures (Part 3 of 3)
E. Ascertain areas of risk associated with the financial
institution's sharing practices (especially those within Section 13
and those that fall outside of the exceptions ) and any weaknesses
found within the compliance management program. Keep in mind any
outstanding deficiencies identified in the audit for follow-up when
completing the modules.
F. Based on the results of the foregoing initial procedures and
discussions with management, determine which procedures if any
should be completed in the applicable module, focusing on areas of
particular risk. The selection of procedures to be employed depends
upon the adequacy of the institution's compliance management system
and level of risk identified. Each module contains a series of
general instruction to verify compliance, cross-referenced to cites
within the regulation.
Additionally, there are cross-references to a more comprehensive
checklist, which the examiner may use if needed to evaluate
compliance in more detail.
G. Evaluate any additional information or documentation discovered
during the course of the examination according to these procedures.
Note that this may reveal new or different sharing practices
necessitating reapplication of the Decision Trees and completion of
additional or different modules.
H. Formulate conclusions.
1) Summarize all findings.
2) For violation(s) noted, determine the cause by identifying
weaknesses in internal controls, compliance review, training,
management oversight, or other areas.
3) Identify action needed to correct violations and weaknesses in
the institution's compliance system, as appropriate.
4) Discuss findings with management and obtain a commitment for