Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
http://www.yennik.com/it-review/.
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- Feds back off on Jan.1 eHealth standards deadline - U.S. health
officials delay enforcement until March 31, 2012 - The U.S. Centers
for Medicare & Medicaid said Thursday that it will delay enforcement
of a deadline for healthcare providers to roll out a new version of
a standard governing how medical transactions are processed.
http://www.computerworld.com/s/article/9221981/Feds_back_off_on_Jan.1_eHealth_standards_deadline?taxonomyId=84
FYI - 10 security problems you might not realize you have - IT
administrators are often so busy just trying to keep up with the
obvious security threats that many more problems fly under the
radar. Here are 10 security risks you may have in your organization
that you are not aware of.
http://i.techrepublic.com.com/downloads/Gilbert/adl_10_security_problems.pdf?tag=mantle_skin;content
FYI - Houston federal judge rules feds need search warrant to get
cellphone tracking data - A federal judge in Houston has ruled that
authorities need a search warrant to obtain cellphone records that
can be used to track a person’s movements.
http://www.washingtonpost.com/national/houston-federal-judge-rules-that-feds-need-search-warrant-to-get-cellphone-tracking-data/2011/11/18/gIQABS8OZN_story.html
FYI - House committee to investigate China's Huawei, ZTE - U.S. lawmakers
have been concerned that Huawei's networking equipment could be used
for espionage - A U.S. House Intelligence Committee is launching an
investigation into Chinese telecommunication equipment suppliers
Huawei and ZTE to determine whether the companies pose a security
threat to the U.S.
http://www.computerworld.com/s/article/9221998/House_committee_to_investigate_China_s_Huawei_ZTE
FYI - Police crackdown on fake shopping sites - More than 2,000 web shops
selling fake or non-existent goods have been shut down by police.
Goods purportedly from GHD, Ugg, Tiffany and Nike had been peddled
by the sites, said the Metropolitan Police E-Crime Unit.
http://www.bbc.co.uk/news/technology-15820758
FYI - Security spending to increase in 2012, survey shows - While the
nation's economy remains in the tank, the information security
market appears to be avoiding a major slowdown.
http://www.scmagazineus.com/security-spending-to-increase-in-2012-survey-shows/article/217448/?DCMP=EMC-SCUS_Newswire
FYI - Three indicted in New York on ATM skimming charges - Authorities in
New York have busted three men on charges they planted skimming
devices on cash machines in Manhattan to rip off debit card numbers
and make fraudulent transactions.
http://www.scmagazineus.com/three-indicted-in-new-york-on-atm-skimming-charges/article/217419/?DCMP=EMC-SCUS_Newswire
FYI - RockYou Proposed Settlement Would Leave Decision Standing - The
parties in the Claridge v. RockYou case submitted a proposed
settlement agreement to the court for approval on November 14, 2011.
This case, which was filed shortly after RockYou disclosed a breach
that compromised 32 million log-in credentials, received national
attention in the spring.
http://www.dataprivacymonitor.com/data-breaches/rockyou-proposed-settlement-would-leave-decision-standing/
FYI - Manila AT&T hackers linked to Mumbai terror attack - cops - Four
alleged line-jackers cuffed with aid from FBI - Police in the
Philippines have arrested a group of four suspected hackers accused
of funnelling profits from attacking corporate telephone networks to
an Islamic terrorist group blamed for the attacks on Mumbai three
years ago.
http://www.theregister.co.uk/2011/11/28/philippines_at_and_t_terror_hack_arrests/
FYI - Text Messages Should Not Be Used in Patient Orders - On Friday, the
Joint Commission issued a statement saying that physicians and other
health care professionals should not use text messages as a way to
share patient health information, Fierce Mobile Healthcare reports.
http://www.ihealthbeat.org/articles/2011/11/21/joint-commission-text-messages-should-not-be-used-in-patient-orders.aspx
FYI
- GAO - Cybersecurity Human Capital: Initiatives Need Better
Planning and Coordination
Release -
http://www.gao.gov/products/GAO-12-8
Highlights -
http://www.gao.gov/highlights/d128high.pdf
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Hacker Apparently Triggers Illinois Water Pump Burnout - Attack
illustrates the extent to which industrial control systems are
Internet-connected, yet lack basic password checks or access
controls. Federal authorities are investigating a hack that resulted
in the burnout of a water pump at the Curran-Gardner Township Public
Water District in Illinois. Located west of Springfield, Ill., the
utility serves about 2,200 customers.
http://www.informationweek.com/news/security/attacks/231903481
FYI - Anonymous Hacks Back at Cybercrime Investigators - The Antisec wing
of Anonymous has come out with another document release in its
ongoing assault on law enforcement.
http://www.wired.com/threatlevel/2011/11/anonymous-hacks-forensics/
FYI
- 'Organized' hack targets AT&T wireless subscribers - 'Auto script'
attack fails to breach accounts - Hackers used automatic scripts to
target AT&T wireless subscribers in an unsuccessful attempt to steal
information stored in their online accounts, company officials said.
http://www.theregister.co.uk/2011/11/21/att_attack/
FYI - Sutter Health faces lawsuit after lost computer - Individuals
affected by the massive data breach at Sutter Health, in which the
personal information of 4.2 million patients went missing when an
unencrypted desktop computer was stolen, have filed a class-action
lawsuit against the Northern California-based health care system,
according to a report in The Sacramento Bee.
http://www.scmagazineus.com/sutter-health-faces-lawsuit-after-lost-computer/article/217507/?DCMP=EMC-SCUS_Newswire
FYI - VCU server hacked to compromise personal data of 175K - Hackers
accessed a sensitive computer server containing the personal
information of faculty and students at Virginia Commonwealth
University (VCU) in Richmond.
http://www.scmagazineus.com/vcu-server-hacked-to-compromise-personal-data-of-175k/article/216734/?DCMP=EMC-SCUS_Newswire
FYI - Feds Now Say Hacker Didn't Destroy Water Pump - A report from an
Illinois intelligence fusion center saying that a water utility was
hacked cannot be substantiated, according to an announcement
released Tuesday by the Department of Homeland Security.
http://www.wired.com/threatlevel/2011/11/scada-hack-report-wrong/
FYI
- Former UBS banker sentenced for fraud - A former bank executive
has been sentenced to 33 months in prison for committing 84
fraudulent wire transfers that deposited $673,000 of UBS Securities
funds into his personal accounts.
http://www.scmagazineus.com/former-ubs-banker-sentenced-for-fraud/article/217907/
FYI
- Hackers steal credit card numbers from cash registers at UC
Riverside - Hackers compromised cash registers at campus dining
locations at the University of California, Riverside to hijack
credit and debit card numbers.
http://www.scmagazineus.com/hackers-steal-credit-card-numbers-from-cash-registers-at-uc-riverside/article/217808/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the consumer's
deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
The Federal Reserve Board Official Staff Commentary (OSC) also
clarifies that terminal receipts are unnecessary for transfers
initiated online. Specifically, the OSC provides that,
because the term "electronic terminal" excludes a telephone operated
by a consumer, financial institutions need not provide a terminal
receipt when a consumer initiates a transfer by a means analogous in
function to a telephone, such as by a personal computer or a
facsimile machine.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
ENCRYPTION
Encryption is used to secure communications and data storage,
particularly authentication credentials and the transmission of
sensitive information. It can be used throughout a technological
environment, including the operating systems, middleware,
applications, file systems, and communications protocols.
Encryption is used both as a prevention and detection control. As a
prevention control, encryption acts to protect data from disclosure
to unauthorized parties. As a detective control, encryption is used
to allow discovery of unauthorized changes to data and to assign
responsibility for data among authorized parties. When prevention
and detection are joined, encryption is a key control in ensuring
confidentiality, data integrity, and accountability.
Properly used, encryption can strengthen the security of an
institution's systems. Encryption also has the potential, however,
to weaken other security aspects. For instance, encrypted data
drastically lessens the effectiveness of any security mechanism that
relies on inspections of the data, such as anti-virus scanning and
intrusion detection systems. When encrypted communications are used,
networks may have to be reconfigured to allow for adequate detection
of malicious code and system intrusions.
Although necessary, encryption carries the risk of making data
unavailable should anything go wrong with data handling, key
management, or the actual encryption. The products used and
administrative controls should contain robust and effective controls
to ensure reliability.
Encryption can impose significant overhead on networks and computing
devices. A loss of encryption keys or other failures in the
encryption process can deny the institution access to the encrypted
data.
Financial institutions should employ an encryption strength
sufficient to protect information from disclosure until such time as
the information's disclosure poses no material threat. For instance,
authenticators should be encrypted at a strength sufficient to allow
the institution time to detect and react to an authenticator theft
before the attacker can decrypt the stolen authenticators.
Decisions regarding what data to encrypt and at what points to
encrypt the data are typically based on the risk of disclosure and
the costs and risks of encryption. Generally speaking,
authenticators are always encrypted whether on public networks or on
the financial institution's network. Sensitive information is also
encrypted when passing over a public network, and also may be
encrypted within the institution.
Encryption cannot guarantee data security. Even if encryption is
properly implemented, for example, a security breach at one of the
endpoints of the communication can be used to steal the data or
allow an intruder to masquerade as a legitimate system user.
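The booklet's three points above (encryption as a prevention control, as a detective control, and as an availability risk when keys are lost) can be seen in a single authenticated-encryption round trip. The following Go program is an added example written for this newsletter and is not part of the FFIEC booklet; it assumes AES-256-GCM as the cipher (the booklet prescribes no particular algorithm), and the message, key and "channel" label are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Outcome records the three behaviours the booklet's text describes:
// prevention (data is unreadable without the key), detection (tampering is
// caught rather than silently accepted) and the availability risk of key loss.
type Outcome struct {
	RoundTrip      bool // decrypting with the right key returns the original data
	TamperDetected bool // a modified ciphertext is rejected
	WrongKeyDenied bool // a wrong or lost key yields no data at all
}

// seal encrypts plaintext under a 32-byte key with AES-256-GCM (assumed here).
// GCM is an authenticated mode: the output is nonce || ciphertext || tag, and
// the tag also covers aad (associated data that is authenticated, not encrypted).
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal. Any change to the nonce, ciphertext, tag or aad, or
// use of the wrong key, makes Open return an error and no plaintext.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// Demo runs the three checks on a constructed sample message.
func Demo() (Outcome, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return Outcome{}, err
	}
	msg := []byte("constructed sample: transfer 0001 -> 0002, USD 500.00")
	aad := []byte("channel=online-banking") // constructed context, sent in clear

	sealed, err := seal(key, msg, aad)
	if err != nil {
		return Outcome{}, err
	}
	var out Outcome

	// Prevention: the right key recovers the data; nothing else does.
	pt, err := open(key, sealed, aad)
	out.RoundTrip = err == nil && bytes.Equal(pt, msg)

	// Detection: flip one bit inside the ciphertext body; the tag no longer verifies.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01
	_, err = open(key, tampered, aad)
	out.TamperDetected = err != nil

	// Availability risk: an all-zero key stands in for a lost key; the data is gone.
	lostKey := make([]byte, 32)
	_, err = open(lostKey, sealed, aad)
	out.WrongKeyDenied = err != nil

	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The tamper check is the detective control the booklet mentions: because the tag is verified before any plaintext is released, a modified record produces an error rather than silently corrupted data. The last check is the availability point: the same property that keeps an intruder out also keeps the institution out if key management fails, which is why the booklet pairs encryption with key backup and reliability controls.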
INTERNET PRIVACY - We continue our series listing
the regulatory-privacy examination questions. When you answer the
question each week, you will help ensure compliance with the privacy
regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 1 of 3)
Note: Financial institutions whose practices fall within this
category engage in the most expansive degree of information sharing
permissible. Consequently, these institutions are held to the most
comprehensive compliance standards imposed by the Privacy
regulation.
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with nonaffiliated
third parties and obtain a sample of data shared between the
institution and the third party both inside and outside of the
exceptions. The sample should include a cross-section of
relationships but should emphasize those that are higher risk in
nature as determined by the initial procedures. Perform the
following comparisons to evaluate the financial institution's
compliance with disclosure limitations.
a. Compare the categories of data shared and with whom the data
were shared to those stated in the privacy notice and verify that
what the institution tells consumers (customers and those who are
not customers) in its notices about its policies and practices in
this regard and what the institution actually does are consistent
(§§10, 6).
b. Compare the data shared to a sample of opt out directions and
verify that only nonpublic personal information covered under the
exceptions or from consumers (customers and those who are not
customers) who chose not to opt out is shared (§10).
2) If the financial institution also shares information under
Section 13, obtain and review contracts with nonaffiliated third
parties that perform services for the financial institution not
covered by the exceptions in section 14 or 15. Determine whether the
contracts prohibit the third party from disclosing or using the
information other than to carry out the purposes for which the
information was disclosed. Note that the "grandfather" provisions of
Section 18 apply to certain of these contracts (§13(a)).