Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
launch cloud security standards program - FedRAMP program will
require that all federal agencies only use cloud providers that meet
its security standards - Federal agencies will soon have a
government-wide security standard for assessing, authorizing and
monitoring cloud products and services.
- Criminal Records Bureau checks to go online - Service aimed at
removing need for employees to make multiple applications - The
Criminal Records Bureau (CRB) is to introduce an online status
checking service for employers to verify that potential employees
have been cleared for relevant jobs.
- Four charged with hacking point-of-sale computers - Four residents
of Romania have been charged for their alleged participation in a
multimillion-dollar scheme to remotely access point-of-sale systems
at more than 150 Subway restaurants and other U.S. merchants and
steal payment card data, the U.S. Department of Justice said.
- Man faces felony hacking charge for accessing wife's e-mail - The
Michigan Court of Appeals wrestled Tuesday with the question of
whether the state's computer hacking law allows prosecutors to
charge people who read a spouse's e-mail without permission.
- As few as 12 hacker teams responsible for bulk of China-based data
theft - U.S. cybersecurity analysts and experts say that as few as
12 Chinese groups, largely backed or directed by the government
there, commit the bulk of the China-based cyberattacks stealing
critical data from U.S. companies and government agencies.
- Court dismisses most breach claims against Heartland by banks - Nine
banks want Heartland to pay for damages related to 2008 breach - A
U.S. district court in Texas has dismissed all but one of the claims
brought by several banks against Heartland Payment Systems over the
massive data breach the payment processor disclosed in January 2009.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Hackers Skim Lucky Supermarket Customers’ Credit Cards via
Self-Checkout - Criminals have tampered with the credit and debit
card readers at self-checkout lanes in more than 20 supermarkets
operated by a California chain, allowing them to steal money from
shoppers who used the compromised machines.
- Anonymous claims new Monsanto-related hack - The Anonymous hacktivist group claims it is responsible for putting a Washington,
D.C. public relations firm out of business.
- Ambulances turned away as computer virus infects Gwinnett Medical
Center computers - Gwinnett Medical Center on Friday confirmed it
has instructed ambulances to take patients to other area hospitals
when possible after discovering a system-wide computer virus that
slowed patient registration and other operations at its campuses in
Lawrenceville and Duluth.
- Telstra resets 60k passwords after privacy gaffe - Telstra has reset
some 60,000 customer passwords after accounts were exposed forcing
services to be quickly shutdown.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Requirements of Depository Institutions (Regulation D)
Pursuant to the withdrawal and transfer restrictions imposed on
savings deposits, electronic transfers, electronic withdrawals (paid
electronically) or payments to third parties initiated by a
depositor from a personal computer are included as a type of
transfer subject to the six transaction limit imposed on passbook
savings and MMDA accounts.
Institutions also should note that, to the extent stored value or
other electronic money represents a demand deposit or transaction
account, the provisions of Regulation D would apply to such
Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify the
definition of an advertisement under Regulation M. The term
advertisement includes messages inviting, offering, or otherwise
generally announcing to prospective customers the availability of
consumer leases, whether in visual, oral, print, or electronic
media. Included in the examples are on-line messages, such as those
on the Internet. Therefore, such messages are subject to the general
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
ENCRYPTION KEY MANAGEMENT
Since security is primarily based on the encryption keys, effective
key management is crucial. Effective key management systems are
based on an agreed set of standards, procedures, and secure methods
! Generating keys for different cryptographic systems and different
! Generating and obtaining public keys;
! Distributing keys to intended users, including how keys should be
activated when received;
! Storing keys, including how authorized users obtain access to
! Changing or updating keys including rules on when keys should be
changed and how this will be done;
! Dealing with compromised keys;
! Revoking keys and specifying how keys should be withdrawn or
! Recovering keys that are lost or corrupted as part of business
! Archiving keys;
! Destroying keys;
! Logging the auditing of key management - related activities; and
! Instituting defined activation and deactivation dates, limiting
the usage period of keys.
Secure key management systems are characterized by the following
! Key management is fully automated (e.g. personnel do not have the
opportunity to expose a key or influence the key creation).
! No key ever appears unencrypted.
! Keys are randomly chosen from the entire key space, preferably by
! Key - encrypting keys are separate from data keys. No data ever
appears in clear text that was encrypted using a key - encrypting
key. (A key - encrypting key is used to encrypt other keys, securing
them from disclosure.)
! All patterns in clear text are disguised before encrypting.
! Keys with a long life are sparsely used. The more a key is used,
the greater the opportunity for an attacker to discover the key.
! Keys are changed frequently. The cost of changing keys rises
linearly while the cost of attacking the keys rises exponentially.
Therefore, all other factors being equal, changing keys increases
the effective key length of an algorithm.
! Keys that are transmitted are sent securely to well -
! Key generating equipment is physically and logically secure from
construction through receipt, installation, operation, and removal
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 3 of 3)
C. Opt Out Right
1) Review the financial institution's opt out notices. An opt out
notice may be combined with the institution's privacy notices.
Regardless, determine whether the opt out notices:
a. Are clear and conspicuous (§§3(b) and 7(a)(1));
b. Accurately explain the right to opt out (§7(a)(1));
c. Include and adequately describe the three required items of
information (the institution's policy regarding disclosure of
nonpublic personal information, the consumer's opt out right, and
the means to opt out) (§7(a)(1)); and
d. Describe how the institution treats joint consumers (customers
and those who are not customers), as applicable (§7(d)).
2) Through discussions with management, review of the institution's
policies and procedures, and a sample of electronic or written
records where available, determine if the institution has adequate
procedures in place to provide the opt out notice and comply with
opt out directions of consumers (customers and those who are not
customers), as appropriate. Assess the following:
a. Timeliness of delivery (§10(a)(1));
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. Reasonableness of the opportunity to opt out (the time allowed
to and the means by which the consumer may opt out)
(§§10(a)(1)(iii), 10(a)(3)); and
d. Adequacy of procedures to implement and track the status of a
consumer's (customers and those who are not customers) opt out
direction, including those of former customers (§7(e), (f), (g)).