R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

December 12, 2010

CONTENTS: Internet Compliance; Information Systems Security; IT Security Question; Internet Privacy; Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and best practices.  For more information visit http://www.yennik.com/it-review/.

FYI - FTC Proposes 'Do Not Track' Option For Internet - The Federal Trade Commission has made a potentially far-reaching proposal that would give web users the option of shielding personal information from advertisers, retailers and other companies while browsing the Internet.
http://www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID=228500104&subSection=Security
http://www.nytimes.com/2010/12/03/technology/03privacy.html?_r=2&partner=rss&emc=rss 

FYI - China arrests hundreds of computer hackers - China has arrested 460 computer hackers this year and closed a number of hacker-training websites, but warned that the chances of further cyber-attacks remain "very grim". http://www.telegraph.co.uk/news/worldnews/asia/china/8176201/China-arrests-hundreds-of-computer-hackers.html

FYI - China Cracks Down On Software Piracy - Inspectors will sweep local and central government computers to combat rampant illegal copying of software and other goods, including DVDs, CDs and apparel. http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=228500001&subSection=Security

FYI - India, firms in talks over BlackBerry security - The Indian government is in talks with companies using Research In Motion's BlackBerry service to gain access to their employees' secure communications. http://news.cnet.com/8301-30686_3-20024694-266.html?tag=mncol;title 

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hackers poison well of open-source FTP app - ProFTPD backdoored for 3 days - Hackers breached the main server hosting ProFTPD and remained undetected for three days, causing anyone who downloaded the popular open-source file transfer application during that time to be infected with a backdoor that grants unauthorized access to their systems. http://www.theregister.co.uk/2010/12/02/proftpd_backdoored/

FYI - Pro-WikiLeaks hackers target MasterCard, PayPal - A united band of WikiLeaks supporters have knocked offline a number of high-profile websites that have taken a stand against the whistleblower organization and its founder. http://www.scmagazineus.com/pro-wikileaks-hackers-target-mastercard-paypal/article/192415/?DCMP=EMC-SCUS_Newswire

FYI - Colorado county files mistakenly posted online - More than 20 years worth of personal and investigative Sheriff's Department records from Mesa County, Colo. were inadvertently posted online, where they remained for several months. http://www.scmagazineus.com/colorado-county-files-mistakenly-posted-online/article/192373/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE - Reserve Requirements of Depository Institutions (Regulation D)

Under the withdrawal and transfer restrictions imposed on savings deposits, electronic transfers, electronic withdrawals (paid electronically), or payments to third parties that a depositor initiates from a personal computer count as a type of transfer subject to the six-transaction limit imposed on passbook savings and MMDA accounts.

Institutions also should note that, to the extent stored value or other electronic money represents a demand deposit or transaction account, the provisions of Regulation D would apply to such obligations. 

Consumer Leasing Act (Regulation M)

The regulation provides examples of advertisements that clarify the definition of an advertisement under Regulation M. The term advertisement includes messages inviting, offering, or otherwise generally announcing to prospective customers the availability of consumer leases, whether in visual, oral, print, or electronic media. Included in the examples are on-line messages, such as those on the Internet. Therefore, such messages are subject to the general advertising requirements.


 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INFORMATION SECURITY RISK ASSESSMENT

KEY STEPS

Common elements of risk assessment approaches involve three phases: information gathering, analysis, and prioritizing responses. Vendor concerns add additional elements to the process.

INFORMATION GATHERING

Identifying and understanding risk requires the analysis of a wide range of information relevant to the particular institution's risk environment. Once gathered, the information can be catalogued to facilitate later analysis. Information gathering generally includes the following actions:

1)  Obtaining listings of information system assets (e.g., data, software, and hardware). Inventories on a device-by-device basis can be helpful in risk assessment as well as risk mitigation. Inventories should consider whether data resides in house or at a TSP (technology service provider).

2)  Determining threats to those assets, resulting from people with malicious intent, employees and others who accidentally cause damage, and environmental problems that are outside the control of the organization (e.g., natural disasters, failures of interdependent infrastructures such as power, telecommunications, etc.).

3)  Identifying organizational vulnerabilities (e.g., weak senior management support, ineffective training, inadequate expertise or resource allocation, and inadequate policies, standards, or procedures).

4)  Identifying technical vulnerabilities (e.g., vulnerabilities in hardware and software, configurations of hosts, networks, workstations, and remote access).

5)  Documenting current controls and security processes, including both information technology and physical security.

6)  Identifying security requirements and considerations (e.g., GLBA).

7)  Maintaining the risk assessment process. Institutions must review and update their risk assessment at least once a year, or more frequently in response to material changes in any of the six actions above.
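The seven actions above describe what the information-gathering phase must catalogue, but not how the catalogue is checked before the analysis phase begins. The following is an added example, not part of the FFIEC booklet or this newsletter, that models one record per asset along the lines of actions 1 through 7 and then answers the three questions a reviewer asks first: which identified threats have no documented control, which records are older than the annual review requirement, and which assets sit at a TSP. The field names, the `AssetRecord` class, the helper functions, the sample register and the review date are all constructed for illustration.

```python
"""Risk-assessment catalogue with pre-analysis checks (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class AssetRecord:
    """One catalogue entry; fields follow the information-gathering actions."""
    name: str
    kind: str                        # action 1: data, software or hardware
    location: str                    # action 1: "in-house" or "TSP"
    threats: list[str]               # action 2: identified threats
    org_vulnerabilities: list[str]   # action 3
    tech_vulnerabilities: list[str]  # action 4
    controls: dict[str, list[str]]   # action 5: threat -> controls addressing it
    requirements: list[str]          # action 6: e.g. "GLBA 501(b)"
    last_reviewed: date              # action 7: date of the last assessment


def uncontrolled_threats(rec: AssetRecord) -> list[str]:
    """Threats identified for the asset that no documented control addresses."""
    return [t for t in rec.threats if not rec.controls.get(t)]


def overdue_records(register: list[AssetRecord], today: date,
                    max_age: timedelta = timedelta(days=365)) -> list[str]:
    """Names of records whose last review is older than the annual requirement."""
    return [r.name for r in register if today - r.last_reviewed > max_age]


def third_party_assets(register: list[AssetRecord]) -> list[str]:
    """Assets held at a technology service provider (vendor concerns apply)."""
    return [r.name for r in register if r.location == "TSP"]


def review_gaps(register: list[AssetRecord], today: date) -> dict:
    """Summarise what the analysis and prioritisation phases must take up."""
    return {
        "uncontrolled": {r.name: uncontrolled_threats(r)
                         for r in register if uncontrolled_threats(r)},
        "overdue": overdue_records(register, today),
        "at_tsp": third_party_assets(register),
    }


# Constructed sample register; the assets, threats and dates are illustrative,
# not data from any real institution.
SAMPLE_REGISTER = [
    AssetRecord("customer account database", "data", "in-house",
                threats=["external intrusion", "insider misuse", "power failure"],
                org_vulnerabilities=["no data owner assigned"],
                tech_vulnerabilities=["unpatched database host"],
                controls={"external intrusion": ["firewall", "patching"],
                          "insider misuse": ["access logging"],
                          "power failure": ["UPS"]},
                requirements=["GLBA 501(b)"],
                last_reviewed=date(2010, 3, 1)),
    AssetRecord("online banking platform", "software", "TSP",
                threats=["external intrusion", "vendor outage"],
                org_vulnerabilities=["no vendor SLA review"],
                tech_vulnerabilities=[],
                controls={"external intrusion": ["penetration test"]},
                requirements=["GLBA 501(b)"],
                last_reviewed=date(2009, 11, 15)),
    AssetRecord("branch workstations", "hardware", "in-house",
                threats=["malware", "theft"],
                org_vulnerabilities=["inadequate user training"],
                tech_vulnerabilities=["local administrator rights"],
                controls={"malware": ["antivirus"], "theft": []},
                requirements=[],
                last_reviewed=date(2010, 6, 30)),
]

# Constructed review date used for the staleness check.
AS_OF = date(2010, 12, 12)

if __name__ == "__main__":
    for key, value in review_gaps(SAMPLE_REGISTER, AS_OF).items():
        print(f"{key}: {value}")
```

The check treats a threat with an empty control list the same as a threat with no entry at all, so a record that names a threat but leaves its control blank is reported rather than silently passed. The 365-day window reflects the "at least once a year" requirement; a material change to any of the six actions should trigger a review earlier, which this date check alone does not capture.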



INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

14. Does the institution describe the following about its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information:

a. who is authorized to have access to the information; and [§6(c)(6)(i)]

b. whether security practices and policies are in place to ensure the confidentiality of the information in accordance with the institution's policy?  [§6(c)(6)(ii)]

(Note: the institution is not required to describe technical information about the safeguards used in this respect.)

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated