REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Pentagon cyberdefenses weak, report warns - A new report for the
Pentagon concludes that the nationís military is unprepared for a
full-scale cyber-conflict with a top-tier adversary and must ramp up
its offensive prowess.
White House puts report on cybersecurity on hold - The Obama
administration is sitting on a report about the security of federal
government computer networks because it is embarrassing, a senior
Republican senator said Thursday.
EU feeling pressure to tweak data, privacy legislation - Some
European Union member states want the European Commission to ease
off certain elements of proposed legislation concerning data
protection and privacy.
VA disputes charge that it transmits unencrypted personal data over
public Internet - Investigation by Inspector General's office finds
that VA centers don't encrypt personal data during transmission to
Appeals Court Curbs Border Agentsí Carte Blanche Power to Search
Your Gadgets - A federal appeals court for the first time ruled
Friday that U.S. border agents do not have carte blanche authority
to search the cellphones, tablets and laptops of travelers entering
Is Carhacking a Serious Threat? Some Analysts Think So. - A U.S.
senator drives from Capitol Hill to her home in Virginia, listening
to the CD a constituent gave her. Going with the speed of traffic at
60 miles per hour, her brakes suddenly engage.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Ex-Exel president found guilty of hacking former employers - Turns
out you really can't trust the boss - The former president of
transportation logistics firm Exel has been found guilty of hacking
into the servers of his former employer to glean secrets for his new
Hacktivists plan to resume DDoS campaign against U.S. banks - Citing
inadequate efforts to remove an anti-Muslim video from the web, a
hacktivist group is calling for more distributed denial-of-service (DDoS)
attacks to be launched against U.S. bank sites.
Australia's central bank targeted by hackers - Australia's central
bank has confirmed that it has been targeted by hackers. The Reserve
Bank of Australia (RBA) said it had "on occasion been the target of
cyber attacks", following a report in an Australian newspaper.
Harvard University administrators secretly searched deansí email
accounts, hunting for media leak - Harvard University central
administrators secretly searched the email accounts of 16 resident
deans last fall, looking for a leak to the media about the schoolís
sprawling cheating case, according to several Harvard officials
interviewed by the Globe.
- DDoS attack strikes JPMorgan Chase website - A representative of
JPMorgan Chase confirmed to CNET Tuesday that its consumer banking
website had suffered a distributed denial-of-service (DDoS) attack.
- Celebrity data stolen from online credit report service - Some of
the private information belonging to high-profile government
officials and celebrities recently hacked was stolen from
AnnualCreditReport.com, a website that allows consumers free access
to their own credit reports.
social media editor indicted for conspiring with Anonymous - A
deputy social media editor at Thomson Reuters has been indicted in
California for conspiring with members of the hacktivist group
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services ( Part 4 of 4)
Service Provider Oversight
Institutions should implement an oversight program to monitor each
service providerís controls, condition, and performance.
Responsibility for the administration of the service provider
relationship should be assigned to personnel with appropriate
expertise to monitor and manage the relationship. The number of
personnel, functional responsibilities, and the amount of time
devoted to oversight activities will depend, in part, on the scope
and complexity of the services outsourced. Institutions should
document the administration of the service provider relationship.
Documenting the process is important for contract negotiations,
termination issues, and contingency planning.
The board of directors and management are responsible for ensuring
adequate risk mitigation practices are in place for effective
oversight and management of outsourcing relationships. Financial
institutions should incorporate an outsourcing risk management
process that includes a risk assessment to identify the
institutionís needs and requirements; proper due diligence to
identify and select a provider; written contracts that clearly
outline duties, obligations and responsibilities of the parties
involved; and ongoing oversight of outsourcing technology services.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
Over the next few weeks, we will cover the OCC
Bulletin about Infrastructure Threats and Intrusion Risks.
This bulletin provides guidance to financial institutions on how to
prevent, detect, and respond to intrusions into bank computer
systems. Intrusions can originate either inside or outside of the
bank and can result in a range of damaging outcomes, including the
theft of confidential information, unauthorized transfer of funds,
and damage to an institution's reputation.
The prevalence and risk of computer intrusions are increasing as
information systems become more connected and interdependent and as
banks make greater use of Internet banking services and other remote
access devices. Recent e-mail-based computer viruses and the
distributed denial of service attacks earlier this year revealed
that the security of all Internet-connected networks are
increasingly intertwined. The number of reported incidences of
intrusions nearly tripled from 1998 to 1999, according to Carnegie
Mellon University's CERT/CC.
Management can reduce a bank's risk exposure by adopting and
regularly reviewing its risk assessment plan, risk mitigation
controls, intrusion response policies and procedures, and testing
processes. This bulletin provides guidance in each of these critical
areas and also highlights information-sharing mechanisms banks can
use to keep abreast of current attack techniques and potential
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Financial Institution Duties ( Part 5 of 6)
Limitations on Disclosure of Account Numbers:
A financial institution must not disclose an account number or
similar form of access number or access code for a credit card,
deposit, or transaction account to any nonaffiliated third party
(other than a consumer reporting agency) for use in telemarketing,
direct mail marketing, or other marketing through electronic mail to
The disclosure of encrypted account numbers without an accompanying
means of decryption, however, is not subject to this prohibition.
The regulation also expressly allows disclosures by a financial
institution to its agent to market the institution's own products or
services (although the financial institution must not authorize the
agent to directly initiate charges to the customer's account). Also
not barred are disclosures to participants in private-label or
affinity card programs, where the participants are identified to the
customer when the customer enters the program.