REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
The Federal Financial Institutions Examination Council has
recently upgraded the functions and features of the InfoBase for the
FFIEC Information Technology Examination Handbook.
Pentagon nears expansion of cyber information sharing effort -
Defense Department officials said a pilot program that lets them
share cyber threat information with the private sector has been a
success story, and more firms are clamoring to join.
Digital Economy Act's anti-piracy measures are delayed - The
controversial piracy law, the Digital Economy Act, has again been
delayed, the Department for Culture, Media and Sport has confirmed.
GAO - Electronic Health Records: First Year of CMS's Incentive
Programs Shows Opportunities to Improve Processes to Verify
Providers Met Requirements.
In U.S.-Russia deal, nuclear communication system may be used
for cybersecurity - A secure communications channel set up to
prevent misunderstandings that might lead to nuclear war is likely
to expand to handling new kinds of conflict - in cyberspace.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
VMware Breached, More Hypervisor Source Code To Come - Hacker
Hardcore Charlie reveals stolen VMware source code and documents
from Asian defense contractors, promises more disclosures in May.
Feds Seize 36 Criminal Carding Sites - Three dozen criminal
carding sites were seized on Wednesday by the FBI, as part of a
two-year investigation conducted with authorities in Europe and
14,000 students' information placed on insecure server - The
personal information of 14,000 students, former students and faculty
at Volunteer Community College in Gallatin, Tenn., was placed on a
web server that was not secure. http://www.scmagazine.com/14000-students-information-placed-on-insecure-server/article/239187/?DCMP=EMC-SCUS_Newswire
I still have a full list of projects working this weekend. I can
take a break for lunch on Monday, but I'm gone from 5/8 - 5/15. I'll
be around for lunch the week after the 15th, but on the 21st, I'll
be in Amarillo, OKC, the Amarillo again. Call me if you want to do
lunch at the Lone Star Oyster Bar again.
Wrigley Field fans targeted by skimming scam - A group of six
has been charged in the latest scam to defraud bank customers
through the use of skimming devices, a trend that has seen a
noticeable uptick in arrests and prosecutions over the past year.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Board and Management Oversight -
Principle 2: The Board of Directors and senior management should
review and approve the key aspects of the bank's security control
The Board of Directors and senior management should oversee
the development and continued maintenance of a security control
infrastructure that properly safeguards e-banking systems and data
from both internal and external threats. This should include
establishing appropriate authorization privileges, logical and
physical access controls, and adequate infrastructure security to
maintain appropriate boundaries and restrictions on both internal
and external user activities.
Safeguarding of bank assets is one of the Board's fiduciary duties
and one of senior management's fundamental responsibilities.
However, it is a challenging task in a rapidly evolving e-banking
environment because of the complex security risks associated with
operating over the public Internet network and using innovative
To ensure proper security controls for e-banking activities, the
Board and senior management need to ascertain whether the bank has a
comprehensive security process, including policies and procedures,
that addresses potential internal and external security threats both
in terms of incident prevention and response. Key elements of an
effective e-banking security process include:
1) Assignment of explicit management/staff responsibility for
overseeing the establishment and maintenance of corporate security
2) Sufficient physical controls to prevent unauthorized physical
access to the computing environment.
3) Sufficient logical controls and monitoring processes to prevent
unauthorized internal and external access to e-banking applications
4) Regular review and testing of security measures and controls,
including the continuous tracking of current industry security
developments and installation of appropriate software upgrades,
service packs and other required measures.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
A maxim of security is "prevention is ideal, but detection is a
must." Security systems must both restrict access and protect
against the failure of those access restrictions. When those systems
fail, however, an intrusion occurs and the only remaining protection
is a detection - and - response capability. The earlier an intrusion
is detected, the greater the institution's ability to mitigate the
risk posed by the intrusion. Financial institutions should have a
capability to detect and react to an intrusion into their
Preparation for intrusion detection generally involves identifying
data flows to monitor for clues to an intrusion, deciding on the
scope and nature of monitoring, implementing that monitoring, and
establishing a process to analyze and maintain custody over the
resulting information. Additionally, legal requirements may include
notifications of users regarding the monitoring and the extent to
which monitoring must be performed as an ordinary part of ongoing
Adequate preparation is a key prerequisite to detection. The best
intrusion detection systems will not identify an intrusion if they
are not located to collect the relevant data, do not analyze correct
data, or are not configured properly. Even if they detect an
intrusion, the information gathered may not be usable by law
enforcement if proper notification of monitoring and preservation of
data integrity has not taken place.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
13. If the institution does not disclose nonpublic personal
information, and does not reserve the right to do so, other than
under exceptions in §14 and §15, does the institution provide a
simplified privacy notice that contains at a minimum:
a. a statement to this effect;
b. the categories of nonpublic personal information it collects;
c. the policies and practices the institution uses to protect the
confidentiality and security of nonpublic personal information; and
d. a general statement that the institution makes disclosures to
other nonaffiliated third parties as permitted by law? [§6(c)(5)]
(Note: use of this type of simplified notice is optional; an
institution may always use a full notice.)