Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
FYI
- Energy lab releases open-source tool for tracking cyberattacks -
Researchers at an Energy Department lab have released an open-source
tool to spot the source of malicious activity inside the enterprise
more quickly.
http://gcn.com/articles/2012/05/07/feature-1-tool-spots-net-breach-sidebar.aspx
FYI
- Judges Drive Truck Through Loophole in Supreme Court GPS Ruling -
A federal judge in Iowa has ruled that evidence gathered through the
warrantless use of covert GPS vehicle trackers can be used to
prosecute a suspected drug trafficker, despite a Supreme Court
decision this year that found such tracking unconstitutional without
a warrant.
http://www.wired.com/threatlevel/2012/04/dea-use-of-gps-tracker/
FYI
- FBI Seizes Anonymizing Email Service Server - Privacy activists
criticize the FBI's anonymous remailer server takedown that resulted
from a bomb threat investigation. Did an FBI server seizure go too
far?
http://www.informationweek.com/news/security/government/232900643
FYI
- TSA Tests Identity Verification System - In wake of invalid
boarding pass scares, Transportation Security Agency seeks to
automate the process of authenticating travel documents and matching
them to IDs. The Transportation Security Administration (TSA) has
begun testing a new system that verifies an air traveler's identity
by matching photo IDs to boarding passes and ensures that boarding
passes are authentic.
http://www.informationweek.com/news/government/security/232900686
FYI
- Russian cyber crime market more organized, lucrative - When it
comes to information sharing, the cyber crime community in Russia is
way ahead of the game. According to a report (PDF) released Tuesday
by Russian security firm Group-IB, the value of the country's cyber
crime market is now $2.3 billion, nearly doubling last year's $1.2
billion total.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Seventeen years worth of Emory patient data missing - Emory
Healthcare in Atlanta lost the personal information of surgery
patients treated at its three hospitals when 10 backup discs went
missing.
http://www.scmagazine.com/seventeen-years-worth-of-emory-patient-data-missing/article/237554/?DCMP=EMC-SCUS_Newswire
FYI
- Iranian oil terminal 'offline' after 'malware attack' - Iran has
been forced to disconnect key oil facilities after suffering a
malware attack on Sunday, say reports.
http://www.bbc.co.uk/news/technology-17811565
FYI
- US charges Russian over $1.45 million hacking scheme - A Russian
national has been charged in the U.S. for allegedly hacking into
brokerage accounts and executing fraudulent trades. Four brokerage
firms claim the scheme caused a combined $1 million in losses.
http://www.zdnet.com/blog/security/us-charges-russian-over-145-million-hacking-scheme/11631?tag=mantle_skin;content
FYI
- Austrian police task force arrests "country's youngest hacker" -
Austrian federal police have arrested a 15-year-old student who
allegedly cracked the servers of 259 companies during a three-month
hacking spree.
http://www.h-online.com/security/news/item/Austrian-police-task-force-arrests-country-s-youngest-hacker-1541837.html
FYI
- FBI suspects student candidate of hacking his own election -
Campaign season can make presidential candidates do crazy things,
but it's not often one resorts to hacking into a computer and
stealing 700 voters' passwords and IDs to alter the electronic
polling results.
http://www.technolog.msnbc.msn.com/technology/technolog/fbi-suspects-student-candidate-hacking-his-own-election-726362
FYI
- South Carolina Medicaid employee leaks recipient data - South
Carolina Medicaid data was leaked after the information was
transferred to a personal email account.
http://www.scmagazine.com/south-carolina-medicaid-employee-leaks-recipient-data/article/238060/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Board and Management Oversight - Principle 1: The
Board of Directors and senior management should establish effective
management oversight over the risks associated with e-banking
activities, including the establishment of specific accountability,
policies and controls to manage these risks. (Part 2 of 2)
Finally, the Board and senior management should ensure that
its risk management processes for its e-banking activities are
integrated into the bank's overall risk management approach. The
bank's existing risk management policies and processes should be
evaluated to ensure that they are robust enough to cover the new
risks posed by current or planned e-banking activities. Additional
risk management oversight steps that the Board and senior management
should consider taking include:
1) Clearly establishing the banking organization's risk appetite in
relation to e-banking.
2) Establishing key delegations and reporting mechanisms, including
the necessary escalation procedures for incidents that impact the
bank's safety, soundness or reputation (e.g. network penetration,
employee security infractions and any serious misuse of computer
facilities).
3) Addressing any unique risk factors associated with ensuring the
security, integrity and availability of e-banking products and
services, and requiring that third parties to whom the bank has
outsourced key systems or applications take similar measures.
4) Ensuring that appropriate due diligence and risk analysis are
performed before the bank conducts cross-border e-banking
activities.
The Internet greatly facilitates a bank's ability to distribute
products and services over virtually unlimited geographic territory,
including across national borders. Such cross-border e-banking
activity, particularly if conducted without any existing licensed
physical presence in the "host country," potentially subjects banks
to increased legal, regulatory and country risk due to the
substantial differences that may exist between jurisdictions with
respect to bank licensing, supervision and customer protection
requirements. Because of the need to avoid inadvertent
non-compliance with a foreign country's laws or regulations, as well
as to manage relevant country risk factors, banks contemplating
cross-border e-banking operations need to fully explore these risks
before undertaking such operations and effectively manage them.
Depending on the scope and complexity of e-banking activities, the
scope and structure of risk management programs will vary across
banking organizations. Resources required to oversee e-banking
services should be commensurate with the transactional functionality
and criticality of systems, the vulnerability of networks and the
sensitivity of information being transmitted.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SERVICE PROVIDER OVERSIGHT - SAS 70 REPORTS
Frequently technology service providers (TSPs) or user groups will contract with an accounting firm
to report on security using Statement on Auditing Standards 70 (SAS
70), an auditing standard developed by the American Institute of
Certified Public Accountants. SAS 70 focuses on controls and control
objectives. It allows for two types of reports. A SAS 70 Type I
report gives the service provider's description of controls at a
specific point in time, and an auditor's report. The auditor's
report will provide an opinion on whether the control description
fairly presents the relevant aspects of the controls, and whether
the controls were suitably designed for their purpose.
A SAS 70 Type II report expands upon a Type I report by addressing
whether the controls were functioning. It provides a description of
the auditor's tests of the controls. It also provides an expanded
auditor's report that addresses whether the controls that were
tested were operating with sufficient effectiveness to provide
reasonable, but not absolute, assurance that the control objectives
were achieved during the specified period.
Financial institutions should carefully evaluate the scope and
findings of any SAS 70 report. The report may be based on different
security requirements than those established by the institution. It
may not provide a thorough test of security controls unless
requested by the TSP or augmented with additional coverage.
Additionally, the report may not address the effectiveness of the
security process in continually mitigating changing risks.
Therefore, financial institutions may require additional reports to
oversee the security program of the service provider.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
12. Does the institution make the following disclosures regarding
service providers and joint marketers to whom it discloses nonpublic
personal information under §13:
a. as applicable, the same categories and examples of nonpublic
personal information disclosed as described in paragraphs (a)(2) and
(c)(2) of section six (6) (see questions 8b and 10); and [§6(c)(4)(i)]
b. that the third party is a service provider that performs
marketing on the institution's behalf or on behalf of the
institution and another financial institution; [§6(c)(4)(ii)(A)] or
c. that the third party is a financial institution with which the
institution has a joint marketing agreement? [§6(c)(4)(ii)(B)]