R. Kinney Williams
Yennik, Inc.
Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.
December 26, 2010
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).
The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and best practices. For more information visit http://www.yennik.com/it-review/.
FYI - Backdoor Vulnerability Discovered on HP MSA2000 Storage Systems - A hardcoded password-related security vulnerability has been discovered which apparently affects every HP MSA2000 G3 modular storage array shipped to date.
http://www.securityweek.com/backdoor-vulnerability-discovered-hp-msa2000-storage-systems
FYI - Air Force blocks access to sites that covered WikiLeaks - The US Air Force is barring its personnel from using government computers to view The New York Times and 25 other websites that posted diplomatic memos released by WikiLeaks, according to news reports.
http://www.theregister.co.uk/2010/12/15/air_force_blocks_wikileaks/
FYI - Commerce Dept. suggests online "privacy Bill of Rights" - The U.S. Department of Commerce on Thursday issued a report outlining a new proposed approach for addressing online privacy issues, recommending that a "privacy Bill of Rights" for online consumers be established.
http://www.scmagazineus.com/commerce-dept-suggests-online-privacy-bill-of-rights/article/193027/?DCMP=EMC-SCUS_Newswire
FYI - Gawker tech boss admits site security was lax - 'We lost your trust and don't deserve it back' - Gawker Media plans to overhaul its web infrastructure and require employees to use two-factor authentication when accessing sensitive documents stored online, following an embarrassing attack that completely rooted the publisher's servers.
http://www.theregister.co.uk/2010/12/18/gawker_hack_aftermath/
http://www.computerworld.com/s/article/9201719/Gawker_CTO_outlines_post_hack_security_changes?taxonomyId=17
FYI - Bank of America stops handling Wikileaks payments - Bank of America has stopped handling payments for whistle-blowing website Wikileaks, joining several other major financial institutions.
http://www.bbc.co.uk/news/world-us-canada-12028084
FYI - Executives at Dell, AMD sold inside information - Four executives at publicly traded technology companies have been arrested on charges they sold inside information about their employers, sometimes for hundreds of thousands of dollars.
http://www.computerworld.com/s/article/9201427/FBI_Executives_at_Dell_AMD_sold_inside_information
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Exposed McDonald's data may be linked to third-party - The recent theft of customer information belonging to McDonald's is thought to be part of a larger security breach that may affect more than 105 companies that contract with Atlanta-based email marketing services firm Silverpop Systems.
http://www.scmagazineus.com/exposed-mcdonalds-data-may-be-linked-to-third-party/article/192885/
FYI - Ohio State Deals With Massive Data Breach - More than 760,000 current and former Ohio State University students, faculty and staff this week are being notified that their personal information was repeatedly compromised earlier this year by hackers who managed to access an unsecured university server.
http://www.esecurityplanet.com/news/article.php/3917501/Ohio-State-Deals-With-Massive-Data-Breach.htm
http://www.scmagazineus.com/hundreds-of-thousands-affected-in-latest-ohio-state-breach/article/192908/?DCMP=EMC-SCUS_Newswire
FYI - SQL Injection Blamed for New Breach - Stronger App Security Could Have Prevented Online Hack - The breach of a Web server that housed payment card data for a New York tourism company's website highlights security gaps in cardholder data protection.
http://www.bankinfosecurity.com/articles.php?art_id=3195
WEB SITE COMPLIANCE -
"Member FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some extent an
advertisement. Accordingly, bank web site home pages should contain
the official advertising statement unless the advertisement is
subject to exceptions such as advertisements for loans, securities,
trust services and/or radio or television advertisements that do not
exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement. Conversely, subsidiary web pages
that relate to loans do not require the official advertising
statement.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
ANALYZE INFORMATION (2 of 2)
Since specific scenarios can become too numerous for financial
institutions to address individually, various techniques are used to
generalize and extend the scenarios. For instance, one technique
starts with a specific scenario and looks at additional damage that
could occur if the attacker had different knowledge or motivation.
This technique allows the reviewers to see the full extent of risk
that exists from a given vulnerability. Another technique aggregates
scenarios by high-value system components.
Scenarios should consider attacks against the logical security,
physical security, and combinations of logical and physical attacks.
In addition, scenarios could consider social engineering, which
involves manipulation of human trust by an attacker to obtain access
to computer systems. It is often easier for an attacker to obtain
access through manipulation of one or more employees than to perform
a logical or physical intrusion.
The risk from any given scenario is a function of the probability of
the event occurring and the impact on the institution. The
probability and impact are directly influenced by the financial
institution's business profile, the effectiveness of the financial
institution's controls, and the relative strength of controls when
compared to other industry targets.
The probability of an event occurring is reflected in one of two
ways. If reliable and timely probability data is available,
institutions can use it. Since probability data is often limited,
institutions can assign a qualitative probability, such as frequent,
occasional, remote, and improbable.
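The two generalization techniques and the probability-times-impact rating described above, worked through in code. This is an added example, not code from the newsletter or the FFIEC booklet; the impact scale, score thresholds, "extra knowledge raises impact" rule and the sample scenarios are constructed assumptions.

```python
"""Qualitative scenario risk rating following the FFIEC passage above:
risk is a function of probability and impact, with probability expressed
as frequent / occasional / remote / improbable when no reliable data exists.
Added example; scales, thresholds and scenarios are constructed assumptions."""

# Ordinal scales (assumed). The probability labels are the booklet's own.
PROBABILITY = {"frequent": 4, "occasional": 3, "remote": 2, "improbable": 1}
IMPACT_ORDER = ["minor", "moderate", "major", "severe"]  # index + 1 = rating


def risk_score(probability, impact):
    """Product of the two ordinal ratings, 1..16."""
    return PROBABILITY[probability] * (IMPACT_ORDER.index(impact) + 1)


def risk_level(score):
    """Bucket a score into a qualitative rating (thresholds assumed)."""
    return "high" if score >= 12 else "medium" if score >= 6 else "low"


def extend_scenario(scenario, extra_knowledge):
    """First technique from the passage: re-rate the same scenario for an
    attacker with more knowledge. Assumption: each step of extra knowledge
    raises the impact one level; the probability is left unchanged."""
    idx = min(IMPACT_ORDER.index(scenario["impact"]) + extra_knowledge,
              len(IMPACT_ORDER) - 1)
    return {**scenario, "impact": IMPACT_ORDER[idx]}


def aggregate_by_component(scenarios):
    """Second technique: aggregate scenarios by high-value system component,
    keeping the worst score seen for each component."""
    worst = {}
    for s in scenarios:
        score = risk_score(s["probability"], s["impact"])
        worst[s["component"]] = max(worst.get(s["component"], 0), score)
    return worst


# Constructed sample scenarios spanning logical, physical and social attacks.
SCENARIOS = [
    {"name": "phished teller credentials", "component": "core banking",
     "probability": "occasional", "impact": "major"},
    {"name": "SQL injection on web server holding card data",
     "component": "web server", "probability": "occasional", "impact": "severe"},
    {"name": "backup tapes stolen from TSP site", "component": "TSP hosting",
     "probability": "remote", "impact": "major"},
    {"name": "hardcoded storage array password", "component": "storage array",
     "probability": "remote", "impact": "moderate"},
]

if __name__ == "__main__":
    for comp, score in aggregate_by_component(SCENARIOS).items():
        print(f"{comp:14} {score:2} {risk_level(score)}")
```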
Frequently, technology service providers (TSPs) perform some or all of the institution's information processing and storage. Reliance on a third party for hosting systems or processing does not remove the institution's responsibility for securing the information; it does change how the financial institution will fulfill its role. Accordingly, risk assessments should evaluate the sensitivity of information accessible to or processed by TSPs, the importance of the processing conducted by TSPs, communications between the TSP's systems and the institution, contractually required controls, and the testing of those controls. Additional vendor management guidance is contained in the FFIEC's statement on "Risk Management of Outsourced Technology Services," dated November 28, 2000.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
16. If the institution provides a short-form initial privacy notice
according to §6(d)(1), does the short-form initial notice:
a. conform to the definition of "clear and conspicuous"; [§6(d)(2)(i)]
b. state that the institution's full privacy notice is available
upon request; [§6(d)(2)(ii)] and
c. explain a reasonable means by which the consumer may obtain the
notice? [§6(d)(2)(iii)]
(Note: the institution is not required to deliver the full privacy notice with the short-form initial notice. [§6(d)(3)])
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.