- Microsoft, IT Industry Push Software Security Standard - Microsoft
announced its support for an international standard on secure
software development, while an industry group offered a free
training program for developers.
- Cops Should Get Warrants to Read Your E-Mail, Attorney General
Says - Attorney General Eric Holder became the White House’s highest
ranking official to support sweeping privacy protections requiring
the government, for the first time, to get a probable-cause warrant
to obtain e-mail and other content stored in the cloud.
- FBI Briefs Bank Executives On DDoS Attack Campaign - The FBI
recently granted one-day clearances to security officers and
executives at numerous banks so it could share classified
intelligence on the Operation Ababil campaign that's been disrupting
U.S. financial websites for almost a year.
- First California lawsuit over mobile privacy issues crashes -
Court rules that federal airline laws preempt state statutes in suit
seeking to force Delta Air Lines to notify mobile app users about
data collection plans.
- Google security: You (still) are the weakest link - At its I/O
conference, two of Google's top-level security experts say the
company is intensely focused on the issue, but passwords remain a
- S3 announces DX10-capable Chrome 4 series - S3 has announced plans
to introduce a new series of DX10-compatible video cards by the end
of the year. It's not yet known whether the new Chrome 4 designs
will be a continuing evolution of S3's aging DeltaChrome technology,
(currently represented by the Chrome S27) or will represent an
entirely new architecture, but there should be two flavors of the
card available by Christmas.
- California law would require breach notice if online account
information is stolen - The state Senate in California unanimously
has passed a law that would require organizations that are breached
to alert victims when intruders access online account information
belonging to consumers.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Lawsuit Says IRS Illegally Seized 60 Million Health Records - A
lawsuit filed in California accuses the Internal Revenue Service of
illegal seizure of 60 million electronic health care records
belonging to 10 million Americans.
- Why the AP phone records seizure and the LulzSec sentences are
related - Earlier this week, The Associated Press stunningly
revealed that the U.S. Department of Justice secretly obtained
"records for more than 20 separate telephone lines assigned to the
AP and its journalists" covering "a full two-month period in early
- Espionage hacking campaign "Operation Hangover" originates in
India - Move over China. India is fast becoming a hotbed of advanced
persistent threat (APT) activity.
- 22M accounts exposed in Yahoo Japan breach - A breach at Yahoo
Japan, the most visited website in the country, may have exposed up
to 22 million user login names.
- Data on patients may be exposed after X-rays go missing - X-rays
that also contained sensitive personal information belonging to
California-based El Centro Regional Medical Center (ECRMC) patients
have gone missing from a third-party vendor's warehouse.
- Chinese hackers who breached Google gained access to sensitive
data, U.S. officials say - Chinese hackers who breached Google’s
servers several years ago gained access to a sensitive database with
years’ worth of information about U.S. surveillance targets,
according to current and former government officials.
- China's 'state-sponsored hackers renew attacks on US' -
State-sponsored hackers have renewed attacks on the US after a
three-month hiatus, the New York Times reports.
- Idaho State University to pay HHS $400K after investigation
reveals shoddy security - Idaho State University (ISU) this week
settled (PDF) with the U.S. Department of Health and Human Services
(HHS) for $400,000 in the wake of a data breach that exposed the
personal information of 17,500 patients.
- Event ticketing company hacked, at least tens of thousands
affected - After a server attack, tens of thousands of customers,
who used the services of Boston-based online ticketing company
Vendini, had their financial and other sensitive information
- NYPD detective charged with hiring hackers so he could spy on
ex-girlfriend - A New York Police Department (NYPD) detective was
charged Tuesday with accessing a restricted federal database and
using an email hacking service to pry into the business of other
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
The extent and flexibility of termination rights sought can vary
depending upon the service. Contracts for technologies subject to
rapid change, for example, may benefit from greater flexibility in
termination rights. Termination rights may be sought for a variety
of conditions including change in control (e.g., acquisitions and
mergers), convenience, substantial increase in cost, repeated
failure to meet service levels, failure to provide critical
company closure, and insolvency.
Institution management should consider whether or not the contract
permits the institution to terminate the contract in a timely manner
and without prohibitive expense (e.g., reasonableness of cost or
penalty provisions). The contract should state termination and
notification requirements with time frames to allow the orderly
conversion to another provider. The contract must provide for return
of the institution’s data, as well as other institution resources,
in a timely manner and in machine readable format. Any costs
associated with transition assistance should be clearly stated.
The institution should consider contract provisions that prohibit
assignment of the contract to a third party without the
institution’s consent, including changes to subcontractors.
INFORMATION TECHNOLOGY SECURITY -
We begin our series on the FFIEC
interagency Information Security Booklet. This booklet is
required reading for anyone involved in information systems
security, such as the Network Administrator, Information Security
Officer, members of the IS Steering Committee, and, most importantly,
your outsourced network security consultants. Your outsourced
network security consultants can receive the "Internet Banking News"
by completing the subscription form at
https://yennik.com/newletter_page.htm. There is no charge for
Information security enables a financial institution to meet its
business objectives by implementing business systems with due
consideration of information technology (IT)-related risks to the
organization, business and trading partners, technology service
providers, and customers. Organizations meet this goal by striving
to accomplish the following objectives.
1) Availability - The ongoing availability of systems addresses the
processes, policies, and controls used to ensure authorized users
have prompt access to information. This objective protects against
intentional or accidental attempts to deny legitimate users access
to information and/or systems.
2) Integrity of Data or Systems - System and data integrity relate
to the processes, policies, and controls used to ensure information
has not been altered in an unauthorized manner and that systems are
free from unauthorized manipulation that will compromise accuracy,
completeness, and reliability.
3) Confidentiality of Data or Systems - Confidentiality covers the
processes, policies, and controls employed to protect information of
customers and the institution against unauthorized access or use.
4) Accountability - Clear accountability involves the processes,
policies, and controls necessary to trace actions to their source.
Accountability directly supports non-repudiation, deterrence,
intrusion prevention, intrusion detection, recovery, and legal
admissibility of records.
5) Assurance - Assurance addresses the processes, policies, and
controls used to develop confidence that technical and operational
security measures work as intended. Assurance levels are part of the
system design and include availability, integrity, confidentiality,
and accountability. Assurance highlights the notion that secure
systems provide the intended functionality while preventing
Appropriate security controls are necessary for financial
institutions to challenge potential customer or user claims that
they did not initiate a transaction. Financial institutions can
accomplish this by achieving both integrity and accountability to
produce what is known as non-repudiation. Non-repudiation occurs
when the financial institution demonstrates that the originators who
initiated the transaction are who they say they are, the recipient
is the intended counterparty, and no changes occurred in transit or
storage. Non-repudiation can reduce fraud and promote the legal
enforceability of electronic agreements and transactions. While
non-repudiation is a goal and is conceptually clear, the manner in
which non-repudiation can be achieved for electronic systems in a
practical, legal sense may have to wait for further judicial
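The two objectives the booklet combines into non-repudiation, integrity (no change in transit or storage) and accountability (tracing each action to its source), can be shown in working code. The Python example below is added here and is not part of the newsletter or of the FFIEC booklet; the key, account numbers and transaction values are constructed for the demo. It uses an HMAC tag to detect any alteration of a transaction and a hash-chained audit log in which every entry commits to the one before it, so an edited or deleted entry breaks the chain. One caveat a practitioner should keep in mind: an HMAC key is shared, so the institution could have produced the tag itself; demonstrating the originator's identity to a third party, the legal sense of non-repudiation the booklet refers to, requires an asymmetric signature under the originator's own private key in place of the HMAC.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed demo key for this example only. In an institution each
# originator's key material lives in an HSM/KMS, never in source code.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def canonical(obj: Dict) -> bytes:
    """Deterministic JSON encoding: the same record always yields the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def authenticate(tx: Dict, key: bytes) -> str:
    """Integrity/authenticity tag over the transaction (HMAC-SHA256).
    A shared-key tag proves integrity to the key holder only; third-party
    non-repudiation would use a digital signature here instead."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()


def verify(tx: Dict, tag: str, key: bytes) -> bool:
    """Detects any change to the transaction in transit or storage (constant-time compare)."""
    return hmac.compare_digest(authenticate(tx, key), tag)


class AuditLog:
    """Hash-chained accountability log: each entry commits to the previous entry's
    hash, so editing or removing an entry after the fact is detectable."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def _prev_hash(self) -> str:
        return self.entries[-1]["hash"] if self.entries else self.GENESIS

    def append(self, actor: str, action: str, tx: Dict, tag: str) -> Dict:
        entry = {
            "seq": len(self.entries),
            "actor": actor,            # who: traces the action to its source
            "action": action,          # what was done
            "tx_hash": sha256_hex(canonical(tx)),
            "tag": tag,                # the integrity tag that accompanied the transaction
            "prev": self._prev_hash(), # link to the previous entry
        }
        entry["hash"] = sha256_hex(canonical(entry))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every entry hash and link; any mismatch means the log was altered."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            if sha256_hex(canonical(body)) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def run_demo() -> Dict[str, bool]:
    """Walks through the integrity and accountability checks on a constructed transaction."""
    tx = {"from": "ACCT-1001", "to": "ACCT-2002", "amount": "250.00",
          "currency": "USD", "nonce": 17}          # constructed sample
    tag = authenticate(tx, DEMO_KEY)

    log = AuditLog()
    log.append("customer:alice", "initiate", tx, tag)
    log.append("system:core-banking", "post", tx, tag)

    # An altered amount (in transit or in storage) no longer matches the tag.
    tampered = dict(tx, amount="2500.00")
    results = {
        "original_verifies": verify(tx, tag, DEMO_KEY),
        "tampered_detected": not verify(tampered, tag, DEMO_KEY),
        "chain_intact": log.verify_chain(),
    }
    # Simulate a stored log entry being edited after the fact: the chain breaks.
    log.entries[0]["actor"] = "customer:mallory"
    results["chain_tamper_detected"] = not log.verify_chain()
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

`run_demo()` returns four booleans, all expected to be `True`: the untouched transaction verifies, the altered amount is caught, the fresh log chain validates, and the edited log entry is detected. The hash chain only tells you the log was altered; deciding who altered it is where access control on the log store and the accountability objective meet.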
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 13, 14, and/or 15 but outside of these
exceptions (Part 1 of 2)
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with nonaffiliated
third parties and obtain a sample of data shared between the
institution and the third party. The sample should include a
cross-section of relationships but should emphasize those that are
higher risk in nature as determined by the initial procedures.
Perform the following comparisons to evaluate the financial
institution's compliance with disclosure limitations.
a. Compare the data shared and with whom the data were shared to
ensure that the institution accurately categorized its information
sharing practices and is not sharing nonpublic personal information
outside the exceptions (§§13, 14, 15).
b. Compare the categories of data shared and with whom the data
were shared to those stated in the privacy notice and verify that
what the institution tells consumers in its notices about its
policies and practices in this regard and what the institution
actually does are consistent (§§10, 6).
2) Review contracts with nonaffiliated third parties that perform
services for the financial institution not covered by the exceptions
in section 14 or 15. Determine whether the contracts adequately
prohibit the third party from disclosing or using the information
other than to carry out the purposes for which the information was
disclosed. Note that the "grandfather" provisions of Section 18
apply to certain of these contracts. (§13(a)).