Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act Section 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning. The audit is conducted from a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
FYI - Court Rebukes DOJ, Says Hacking Required to Be Prosecuted as Hacker - Employees may not be prosecuted under a federal anti-hacking statute for simply violating their employer's computer use policy, a federal appeals court ruled Tuesday.
http://www.wired.com/threatlevel/2012/04/computer-fraud-and-abuse-act/
FYI - Energy Companies Need Continuous Monitoring Practices - Utility companies managing the nation's critical infrastructure should regularly check for security gaps within their delivery systems, according to the White House's cybersecurity head.
http://www.executivegov.com/2012/04/howard-schmidt-energy-companies-need-continuous-monitoring-practices/
FYI - Military finds IT security certification difficulties - The U.S. Army is having a hard time staffing its IT positions because it cannot find military personnel with the right networking and IT security qualifications.
http://www.computerworld.com/s/article/9226053/US_Army_Military_finds_IT_security_certification_difficulties?taxonomyId=17
FYI - Two arrests over Scotland Yard terror line hack - Two teenage boys have been arrested in connection with an investigation into reports that hackers accessed Scotland Yard's anti-terror hotline.
http://www.bbc.co.uk/news/uk-17698528
FYI - Los Alamos subjected to 'maelstrom' of simulated cyberattacks - Los Alamos National Laboratory, the government lab responsible for the security of the US nuclear stockpile, recently conducted a vigorous cyber exercise involving more than 100 participants from a number of federal agencies.
http://www.infosecurity-magazine.com/view/25142/los-alamos-subjected-to-maelstrom-of-simulated-cyberattacks
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Smart Meter Hacks Likely to Spread - A series of hacks perpetrated against so-called "smart meter" installations over the past several years may have cost a single U.S. electric utility hundreds of millions of dollars annually, the FBI said in a cyber intelligence bulletin.
http://krebsonsecurity.com/2012/04/fbi-smart-meter-hacks-likely-to-spread/
FYI - Connecticut community college hit with "zero-day" malware - A Connecticut community college reported the potential exposure of confidential records following a malware infection.
http://www.scmagazine.com/connecticut-community-college-hit-with-zero-day-malware/article/236504/?DCMP=EMC-SCUS_Newswire
FYI - Ohio man charged in Utah police hacks - An Ohio man, said to be a member of the hacker activist group Anonymous, has been indicted in connection with attacks that brought down the Web sites of police agencies in Utah.
http://news.cnet.com/8301-1009_3-57414740-83/ohio-man-charged-in-utah-police-hacks/
http://www.scmagazine.com/alleged-cabincr3w-member-denies-hacking-police-sites/article/237191/?DCMP=EMC-SCUS_Newswire
FYI - Securities fraud hacker charged after $1 million heist - A Russian national is in custody in Newark, N.J., facing charges of hacking into the web accounts of several brokerages to initiate sham stock trades that allegedly netted $1 million.
http://www.scmagazine.com/securities-fraud-hacker-charged-after-1-million-heist/article/237126/?DCMP=EMC-SCUS_Newswire
FYI - Hospital workers access patient data with fraud in mind - Thousands of patients of Memorial Healthcare System in Hollywood, Fla. may be at risk for identity theft after two former employees improperly accessed their records.
http://www.scmagazine.com/hospital-workers-access-patient-data-with-fraud-in-mind/article/237188/?DCMP=EMC-SCUS_Newswire
FYI - Trojan designed to take screenshots of hotel payment apps - Researchers warned this week of a trojan that is being hawked on black market websites as a way to steal customer credit card information from hotels.
http://www.scmagazine.com/trojan-designed-to-take-screenshots-of-hotel-payment-apps/article/237341/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.
Board and Management Oversight - Principle 1: The
Board of Directors and senior management should establish effective
management oversight over the risks associated with e-banking
activities, including the establishment of specific accountability,
policies and controls to manage these risks. (Part 1 of 2)
Vigilant management oversight is essential for the provision of effective internal controls over e-banking activities. In addition to the specific characteristics of the Internet distribution channel discussed in the Introduction, the following aspects of e-banking may pose considerable challenges to traditional risk management processes:
1) Major elements of the delivery channel (the Internet and related
technologies) are outside of the bank's direct control.
2) The Internet facilitates delivery of services across multiple
national jurisdictions, including those not currently served by the
institution through physical locations.
3) The complexity of issues that are associated with e-banking and
that involve highly technical language and concepts are in many
cases outside the traditional experience of the Board and senior
management.
In light of the unique characteristics of e-banking, new e-banking projects that may have a significant impact on the bank's risk profile and strategy should be reviewed by the Board of Directors and senior management and undergo appropriate strategic and cost/reward analysis. Without adequate up-front strategic review and ongoing performance-to-plan assessments, banks are at risk of underestimating the cost and/or overestimating the payback of their e-banking initiatives.
In addition, the Board and senior management should ensure that the
bank does not enter into new e-banking businesses or adopt new
technologies unless it has the necessary expertise to provide
competent risk management oversight. Management and staff expertise
should be commensurate with the technical nature and complexity of
the bank's e-banking applications and underlying technologies.
Adequate expertise is essential regardless of whether the bank's
e-banking systems and services are managed in-house or outsourced to
third parties. Senior management oversight processes should operate
on a dynamic basis in order to effectively intervene and correct any
material e-banking systems problems or security breaches that may
occur. The increased reputational risk associated with e-banking
necessitates vigilant monitoring of systems operability and customer
satisfaction as well as appropriate incident reporting to the Board
and senior management.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SERVICE PROVIDER OVERSIGHT
Many financial institutions outsource some aspect of their operations. Although outsourcing arrangements often provide a cost-effective means to support the institution's technology needs, the ultimate responsibility and risk rests with the institution. Financial institutions are required under Section 501(b) of the GLBA to ensure service providers have implemented adequate security controls to safeguard customer information. Supporting interagency guidelines require institutions to:
- Exercise appropriate due diligence in selecting service providers,
- Require service providers by contract to implement appropriate security controls to comply with the guidelines, and
- Monitor service providers to confirm that they are maintaining those controls when indicated by the institution's risk assessment.
Financial institutions should implement these same precautions in all TSP relationships, based on the level of access to systems or data, for safety and soundness reasons in addition to the privacy requirements.
Financial institutions should evaluate the following security considerations when selecting or monitoring a service provider:
- Service provider references and experience,
- Security expertise of TSP personnel,
- Background checks on TSP personnel,
- Contract assurances regarding security responsibilities and controls,
- Nondisclosure agreements covering the institution's systems and data,
- Ability to conduct audit coverage of security controls, or provisions for reports of security testing from independent third parties, and
- Clear understanding of the provider's security incident response policy and assurance that the provider will promptly communicate security incidents to the institution when its systems or data were potentially compromised.
INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
11. Does the institution list the following categories of affiliates and nonaffiliated third parties to whom it discloses information, as applicable, with a few examples to illustrate the types of third parties in each category:
a. financial service providers; [§6(c)(3)(i)]
b. non-financial companies; [§6(c)(3)(ii)] and
c. others? [§6(c)(3)(iii)]