R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

June 8, 2014

CONTENTS
Internet Compliance Web Site Audits
IT Security
Internet Privacy
Penetration Testing
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER -
This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.

FYI - U.S. companies seek cyber experts for top jobs, board seats - Some of the largest U.S. companies are looking to hire cybersecurity experts in newly elevated positions and bring technologists on to their boards, a sign that corporate America is increasingly worried about hacking threats. http://www.reuters.com/article/2014/05/30/us-usa-companies-cybersecurity-exclusive-idUSKBN0EA0BX20140530

FYI - Large Electric Utilities Earn High Security Scores - Critical infrastructure is a big target for attack, but new data shows some operators in that industry suffer fewer security incidents than other industries. It may sound counterintuitive, but major utilities rank as one of the most secure organizations, according to a new study. http://www.darkreading.com/vulnerabilities---threats/large-electric-utilities-earn-high-security-scores/d/d-id/1269299

FYI - Agencies Seek Better DHS Incident Response Aid - A number of large federal agencies would like to see the Department of Homeland Security, including its U.S. CERT unit, enhance services to help them address cyber-incidents, according to a Government Accountability Office report. http://www.govinfosecurity.com/agencies-seek-better-dhs-incident-response-aid-a-6896

FYI - GAO - Information Security: Agencies Need to Improve Cyber Incident Response Practices - http://www.gao.gov/products/GAO-14-354

FYI - VA Failed to Protect Critical Computer Systems, Audit Finds - In another blow to the beleaguered Veterans Affairs Department, the VA inspector general reported today that an audit by an outside accounting firm revealed continuing problems protecting mission critical systems. http://www.nextgov.com/defense/whats-brewin/2014/05/va-failed-protect-critical-computer-systems-audit-finds/85429/

FYI - Police in Europe arrest 11 in skimming op takedown - International law enforcement agents arrested 11 individuals for their alleged involvement in an organized crime group whose illegal activities included carding operations. http://www.scmagazine.com/police-in-europe-arrest-11-in-skimming-op-takedown/article/348895/

FYI - Hackers face life sentences under planned UK law - To say the British government is cracking down on computer hackers is an understatement. The UK revealed plans, alluded to in Queen Elizabeth's speech before Parliament Wednesday, to confer life sentences on those committing the newly defined offense of “unauthorised access to a computer,” according to a report in the Daily Mail. http://www.scmagazine.com/hackers-face-life-sentences-under-planned-uk-law/article/351279/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Avast support forum hack snags usernames, passwords - The security company has taken down its support forum following a hack that compromised usernames, email addresses, and encrypted passwords. Security vendor Avast is dealing with its own security problem. http://www.cnet.com/news/avast-support-forum-hack-snags-usernames-passwords/

FYI - Home Depot staffer fired, tapped 30,000 accounts, shared card data - Home Depot, which last experienced an insider breach in February, has fired and is prosecuting an employee who, for two weeks in May, accessed information on more than 30,000 customer accounts. http://www.scmagazine.com/home-depot-staffer-fired-tapped-30000-accounts-shared-card-data/article/349253/

FYI - Breach impacts customers of Precision Planting, a Monsanto subsidiary - Farm equipment and services provider Precision Planting, an Illinois-based subsidiary of chemical and agricultural biotechnology corporation Monsanto, is notifying customers that unauthorized access was gained to their personal information. http://www.scmagazine.com/breach-impacts-customers-of-precision-planting-a-monsanto-subsidiary/article/349245/

FYI - Washington AG: DSHS worker committed ID theft, stole more than $150k - Washington's Attorney General has filed charges against Timothy Darrell Fultz, a former state Department of Social and Health Services employee accused of accessing state databases and stealing $150,000 from the ClaimYourCash.org website run by Washington's Department of Revenue. http://www.scmagazine.com/washington-ag-dshs-worker-committed-id-theft-stole-more-than-150k/article/349162/

FYI - Arkansas State Univ. notifies 50K of Social Security number breach - At Arkansas State University (A-State), full and partial Social Security numbers were compromised for about 50,000 early childhood practitioners after unauthorized access was gained to databases related to the Traveling Arkansas Professional Pathways (TAPP) Registry. http://www.scmagazine.com/arkansas-state-univ-notifies-50k-of-social-security-number-breach/article/349384/

FYI - Office website HACKED: Passwords, addresses, phone numbers slurped - Good thing you used a unique password, right? Right? British shoe shop chain Office is the latest corp to cop to a computer security breach - one that's leaked names, addresses, phone numbers, emails and passwords of its customers. http://www.theregister.co.uk/2014/05/30/office_shoes_breach_passwords_stolen/

FYI - English soccer team's passport numbers exposed in sponsor photo tweet - Members of England's football squad, vying for the World Cup, have more to think about than just winning soccer games after a security breach blunder exposed their passport numbers yesterday. http://www.scmagazine.com/english-soccer-teams-passport-numbers-exposed-in-sponsor-photo-tweet/article/351293/

FYI - U.S. military database hacks impact about 16K in South Korea - Individuals employed by the United States military in South Korea may have had data compromised in a hacking incident, according to a Thursday AP report. http://www.scmagazine.com/us-military-database-hacks-impact-about-16k-in-south-korea/article/351241/


WEB SITE COMPLIANCE -

Over the next few weeks, we will cover some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.

Executive Summary

Continuing technological innovation and competition among existing banking organizations and new entrants have allowed for a much wider array of banking products and services to become accessible and delivered to retail and wholesale customers through an electronic distribution channel collectively referred to as e-banking. However, the rapid development of e-banking capabilities carries risks as well as benefits. 

The Basel Committee on Banking Supervision expects such risks to be recognized, addressed and managed by banking institutions in a prudent manner according to the fundamental characteristics and challenges of e-banking services. These characteristics include the unprecedented speed of change related to technological and customer service innovation, the ubiquitous and global nature of open electronic networks, the integration of e-banking applications with legacy computer systems and the increasing dependence of banks on third parties that provide the necessary information technology. The Committee noted that, while these characteristics do not create inherently new risks, they increase and modify some of the traditional risks associated with banking activities, in particular strategic, operational, legal and reputational risks, thereby influencing the overall risk profile of banking.

Based on these conclusions, the Committee considers that while existing risk management principles remain applicable to e-banking activities, such principles must be tailored, adapted and, in some cases, expanded to address the specific risk management challenges created by the characteristics of e-banking activities. To this end, the Committee believes that it is incumbent upon the Boards of Directors and banks' senior management to take steps to ensure that their institutions have reviewed and modified where necessary their existing risk management policies and processes to cover their current or planned e-banking activities. The Committee also believes that the integration of e-banking applications with legacy systems implies an integrated risk management approach for all banking activities of a banking institution.



INFORMATION TECHNOLOGY SECURITY -

We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - DATA CENTER SECURITY


When selecting a site for the most important information systems components, one major objective is to limit the risk of exposure from internal and external sources. The selection process should include a review of the surrounding area to determine if it is relatively safe from exposure to fire, flood, explosion, or similar environmental hazards. Outside intruders can be deterred through the use of guards, fences, barriers, surveillance equipment, or other similar devices. Since access to key information system hardware and software should be limited, doors and windows must be secure. Additionally, the location should not be identified or advertised by signage or other indicators.

Detection devices, where applicable, should be utilized to prevent theft and safeguard the equipment. They should provide continuous coverage. Detection devices have two purposes - to alarm when a response is necessary and to support subsequent forensics. The alarm capability is only useful when a response will occur. Some intruder detection devices available include:

! Switches that activate an alarm when an electrical circuit is broken;
! Light and laser beams, ultraviolet beams and sound or vibration detectors that are invisible to the intruder, and ultrasonic and radar devices that detect movement in a room; and
! Closed-circuit television that allows visual observation and recording of actions.

Risks from environmental threats can be addressed somewhat through devices such as halon gas, smoke alarms, raised flooring, heat sensors, and the like.

Physical security devices frequently need preventive maintenance to function properly. Maintenance logs are one control the institution can use to determine whether the devices are appropriately maintained. Periodic testing of the devices provides assurance that they are operating correctly.

Security guards should be properly instructed about their duties. The employees who access secured areas should have proper identification and authorization to enter the area. All visitors should sign in and wear proper IDs so that they can be identified easily. Security guards should be trained to restrict the removal of assets from the premises and to record the identity of anyone removing assets. Consideration should be given to implementing a specific and formal authorization process for the removal of hardware and software from premises.

Access to the following security zones should be restricted to those with a business need:

! Operations center
! Uninterruptible power supply
! Telecommunications equipment
! Media library

CABINET AND VAULT SECURITY

Protective containers are designed to meet either fire-resistant or burglar-resistant standards. Labels describing expected tolerance levels are usually attached to safes and vault doors. An institution should select the tolerance level based on the sensitivity and importance of the information being protected.



INTERNET PRIVACY
We continue our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

Definitions and Key Concepts

In discussing the duties and limitations imposed by the regulations, a number of key concepts are used. These concepts include "financial institution"; "nonpublic personal information"; "nonaffiliated third party"; the "opt out" right and the exceptions to that right; and "consumer" and "customer." Each concept is briefly discussed below. A more complete explanation of each appears in the regulations.

Financial Institution:

A "financial institution" is any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities, as determined by section 4(k) of the Bank Holding Company Act of 1956. Financial institutions can include banks, securities brokers and dealers, insurance underwriters and agents, finance companies, mortgage bankers, and travel agents.

Nonaffiliated Third Party:

A "nonaffiliated third party" is any person except a financial institution's affiliate or a person employed jointly by a financial institution and a company that is not the institution's affiliate. An "affiliate" of a financial institution is any company that controls, is controlled by, or is under common control with the financial institution.


PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


© Copyright Yennik, Incorporated. All rights reserved; our logo is registered with the United States Patent and Trademark Office.