REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Military Veterans Wanted As Hackers In Cyberwar - A National
Guardsman with an IT background wants to serve on the front lines
of a new kind of war -- one being fought with bytes instead of
- Google Takes on Rare Fight Against National Security Letters -
Google has filed a rare petition to challenge an ultra-secret
national security letter issued by the government to obtain private
data about one or more of its users. http://www.wired.com/threatlevel/2013/04/google-fight
- FBI Pursuing Real-Time Gmail Spying Powers as “Top Priority” for
2013 - Despite the pervasiveness of law enforcement surveillance of
digital communication, the FBI still has a difficult time monitoring
Gmail, Google Voice, and Dropbox in real time.
- Judge rules hospital can ask ISP for help in ID'ing alleged
hackers - A New Jersey hospital can now pursue a subpoena that would
require an internet service provider (ISP) to hand over information
potentially identifying at least one person accused of hacking into
its email server.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Japanese web portals hacked, up to 100,000 accounts compromised -
Two of Japan's major Internet portals were hacked earlier this week,
with one warning that as many as 100,000 user accounts were
compromised, including financial details.
- Ticket machine card fraud rise in EU - Five out of 23 European
countries reported an increase in card-skimming devices attached to
transport ticket machines, according to new research. [Image: a
skimming device attached to a ticket machine, from the East report]
- Harvard to review privacy policies in wake of email search scandal
- Lack of standard policies 'highly inadequate,' university
president says - Harvard University President has ordered a
comprehensive review of the university's email privacy policies amid
disclosures that a secret search of some deans' email accounts by
administrators was broader than originally acknowledged.
- Nationwide Insurance uses lawyers to protect details of October
security breach - Nationwide Insurance wants to keep possible
weaknesses in its digital infrastructure under wraps as state and
federal investigators look into its October security breach that
left 1.1 million Americans' information exposed.
- Cyberattacks Seem Meant to Destroy, Not Just Disrupt - American
Express customers trying to gain access to their online accounts
Thursday were met with blank screens or an ominous ancient typeface.
The company confirmed that its Web site had come under attack.
- Laptop stolen from S.C. medical center contains data on 7k
veterans - A Department of Veterans Affairs (VA) laptop containing
the sensitive data of several thousand patients was stolen in South
- Up to 1 million Scribd user passwords may have been compromised -
The world's largest document sharing site Scribd says it was hacked
earlier this week and believes up to one percent of its 100 million
users' passwords were compromised due to being stored with an
outdated hashing algorithm.
- Vudu resets user passwords after hard drives lost in office
burglary - Video service says burglars stole hard drives containing
sensitive personal information, including names, e-mail addresses,
phone numbers, and some credit card information.
- Hack of college database jeopardizes sensitive data of 125k
students - An online database containing the personal information of
125,000 students at Kirkwood Community College in Cedar Rapids,
Iowa, was hacked.
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Some considerations for contracting with service providers are
discussed below. This listing is not all-inclusive and the
institution may need to evaluate other considerations based on its
unique circumstances. The level of detail and relative importance of
contract provisions varies with the scope and risks of the services
Scope of Service
The contract should clearly describe the rights and responsibilities
of parties to the contract.
• Timeframes and activities for
implementation and assignment of responsibility. Implementation
provisions should take into consideration other existing systems
or interrelated systems to be developed by different service
providers (e.g., an Internet banking system being integrated
with existing core applications or systems customization).
• Services to be performed by the service provider including
duties such as software support and maintenance, training of
employees or customer service.
• Obligations of the financial institution.
• The contracting parties’ rights in modifying existing services
performed under the contract.
• Guidelines for adding new or different services and for
Institutions should generally include performance standards defining
minimum service level requirements and remedies for failure to meet
standards in the contract. For example, common service level metrics
include percent system uptime, deadlines for completing batch
processing, or number of processing errors. Industry standards for
service levels may provide a reference point. The institution should
periodically review overall performance standards to ensure
consistency with its goals and objectives.
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review the
last of a three part series regarding controls to prevent and detect
8) Encryption. Encryption is a means of securing data. Data can be
encrypted when it is transmitted and when it is stored. Because
networks are not impervious to penetration, management should
evaluate the need to secure their data as well as their network.
Management's use of encryption should be based on an internal risk
assessment and a classification of data. The strength of encryption
should be proportional to the risk and impact if the data were
9) Employee and Contractor Background Checks. Management should
ensure that information technology staff, contractors, and others
who can make changes to information systems have passed background
checks. Management also should revalidate periodically access lists
and logon IDs.
10) Accurate and Complete Records of Uses and Activities. Accurate
and complete records of users and activities are essential for
analysis, recovery, and development of additional security measures,
as well as possible legal action. Information of primary importance
includes the methods used to gain access, the extent of the
intruder's access to systems and data, and the intruder's past and
current activities. To ensure that adequate records exist,
management should consider collecting information about users and
user activities, systems, networks, file systems, and applications.
Consideration should be given to protecting and securing this
information by locating it in a physical location separate from the
devices generating the records, writing the data to a tamperproof
device, and encrypting the information both in transit and in
storage. The OCC expects banks to limit the use of personally
identifiable information collected in this manner for security
purposes, and to otherwise comply with applicable law and
regulations regarding the privacy of personally identifiable
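The record-keeping control in item 10 asks for complete, protected records of users and their activities, kept apart from the devices that generate them. The following is an added example, not code from the OCC bulletin or from this newsletter, of one way to make such records tamper-evident: each record is chained to the previous one and sealed with an HMAC under a key assumed to be held only by a separate log collector, so that an edit, deletion or reordering of earlier records is detectable on verification. The host names, user names, addresses and key value are constructed for the illustration; encryption in transit and at rest, and the write-once storage the bulletin also mentions, are outside what this block shows.

```python
"""Tamper-evident audit log: hash-chained records sealed with an HMAC.

Added example (not from the OCC bulletin or the newsletter). Records are
assumed to be shipped to a collector on a separate host that holds the key.
"""
import copy
import hashlib
import hmac
import json

# Constructed key: in practice provisioned only to the log collector, never
# to the systems whose activity is being recorded.
COLLECTOR_KEY = b"example-key-held-only-by-the-log-collector"

GENESIS = "0" * 64  # hash value chained before the very first record

# Constructed sample events: who did what, from where, on which system.
SAMPLE_EVENTS = [
    {"ts": "2013-04-05T09:58:12Z", "host": "ibank-web01", "user": "jsmith",
     "src": "10.0.5.23", "action": "login", "result": "success"},
    {"ts": "2013-04-05T10:01:40Z", "host": "ibank-web01", "user": "jsmith",
     "src": "10.0.5.23", "action": "privilege_change",
     "detail": "added to group admins"},
    {"ts": "2013-04-05T10:03:07Z", "host": "ibank-db01", "user": "jsmith",
     "src": "10.0.5.23", "action": "file_read",
     "detail": "/data/customers.csv"},
]


def seal(record: dict, prev_hash: str, key: bytes) -> str:
    """HMAC over the canonical JSON of the record plus the previous hash."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_hash.encode() + b"\n" + canon,
                    hashlib.sha256).hexdigest()


def append(chain: list, record: dict, key: bytes = COLLECTOR_KEY) -> dict:
    """Append a record, linking it to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "record": record, "prev": prev,
             "hash": seal(record, prev, key)}
    chain.append(entry)
    return entry


def verify(chain: list, key: bytes = COLLECTOR_KEY):
    """Return (True, None) if every link is intact, else (False, bad_seq).

    Catches modified records, deleted or reordered entries and renumbering.
    It cannot catch removal of the newest entries on its own; compare head()
    against a separately stored head hash for that (see verify_head).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        expected = seal(entry["record"], prev, key)
        if not hmac.compare_digest(expected, entry["hash"]):
            return False, i
        prev = entry["hash"]
    return True, None


def head(chain: list) -> str:
    """Hash of the newest entry; publish or store it off the collector."""
    return chain[-1]["hash"] if chain else GENESIS


def verify_head(chain: list, expected_head: str, key: bytes = COLLECTOR_KEY):
    """Full check: chain intact and nothing trimmed from the end."""
    ok, bad = verify(chain, key)
    return ok and hmac.compare_digest(head(chain), expected_head), bad


def build_sample_chain(key: bytes = COLLECTOR_KEY) -> list:
    chain = []
    for event in SAMPLE_EVENTS:
        append(chain, event, key)
    return chain


def tamper_modify(chain: list, seq: int, field: str, value) -> list:
    """Copy of the chain with one record field altered after the fact."""
    altered = copy.deepcopy(chain)
    altered[seq]["record"][field] = value
    return altered


def tamper_delete(chain: list, seq: int) -> list:
    """Copy of the chain with one entry removed from the middle."""
    altered = copy.deepcopy(chain)
    del altered[seq]
    return altered


if __name__ == "__main__":
    chain = build_sample_chain()
    stored_head = head(chain)
    print("intact:", verify(chain))
    print("user rewritten:", verify(tamper_modify(chain, 1, "user", "nobody")))
    print("entry deleted:", verify(tamper_delete(chain, 1)))
    print("tail trimmed, chain only:", verify(chain[:2]))
    print("tail trimmed, with stored head:", verify_head(chain[:2], stored_head))
```

The design choice worth noting is the separate head hash: the chain alone proves that what remains is in the order it was written, but only a head value recorded elsewhere (on another system, or printed into a periodic report) shows that the newest records have not simply been discarded.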
11) Vendor Management. Banks rely on service providers, software
vendors, and consultants to manage networks and operations. In
outsourcing situations, management should ensure that contractual
agreements are comprehensive and clear with regard to the vendor's
responsibility for network security, including its monitoring and
reporting obligations. Management should monitor the vendor's
performance under the contract, as well as assess the vendor's
financial condition at least annually.
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Examination Procedures (Part 1 of 3)
A. Through discussions with management and review of available
information, identify the institution's information sharing
practices (and changes to those practices) with affiliates and
nonaffiliated third parties; how it treats nonpublic personal
information; and how it administers opt-outs. Consider the following
1) Notices (initial, annual, revised, opt out, short-form, and
2) Institutional privacy policies and procedures, including those
a) process requests for nonpublic personal information,
including requests for aggregated data;
b) deliver notices to consumers; manage consumer opt out
directions (e.g., designating files, allowing a reasonable time to
opt out, providing new opt out and privacy notices when necessary,
receiving opt out directions, handling joint account holders);
c) prevent the unlawful disclosure and use of the information
received from nonaffiliated financial institutions; and
d) prevent the unlawful disclosure of account numbers;
3) Information sharing agreements between the institution and
affiliates and service agreements or contracts between the
institution and nonaffiliated third parties either to obtain or
provide information or services;
4) Complaint logs, telemarketing scripts, and any other information
obtained from nonaffiliated third parties (Note: review
telemarketing scripts to determine whether the contractual terms set
forth under section 13 are met and whether the institution is
disclosing account number information in violation of section 12);
5) Categories of nonpublic personal information collected from or
about consumers in obtaining a financial product or service (e.g.,
in the application process for deposit, loan, or investment
products; for an over-the-counter purchase of a bank check; from
E-banking products or services, including the data collected
electronically through Internet cookies; or through ATM
6) Categories of nonpublic personal information shared with, or
received from, each nonaffiliated third party; and
7) Consumer complaints regarding the treatment of nonpublic
personal information, including those received electronically.
8) Records that reflect the bank's categorization of its
information sharing practices under Sections 13, 14, 15, and outside
of these exceptions.
9) Results of a 501(b) inspection (used to determine the accuracy
of the institution's privacy disclosures regarding data security).