REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
Is the Information Technology Revolution Over? - David M. Byrne,
Stephen D. Oliner, and Daniel E. Sichel - Given the slowdown in
labor productivity growth in the mid-2000s, some have argued that
the boost to labor productivity from IT may have run its course.
This paper contributes three types of evidence to this debate.
First, we show that since 2004, IT has continued to make a
significant contribution to labor productivity growth in the United
States, though it is no longer providing the boost it did during the
productivity resurgence from 1995 to 2004.
- Analyzing The Cost of a HIPAA-related Breach Through the Lens of
the Critical Security Controls - Idaho State University (ISU)
recently agreed to pay $400,000 to the U.S. Department of Health
Human Services (HHS) to settle violations of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) Security Rule
discovered after ISU notificed HHS of the breach of unsecured
electronic protected health information (ePHI) of approximately
17,500 patients at ISU's Pocatello Family Medicine Clinic.
- Unprecedented e-mail privacy bill sent to Texas governor’s desk -
While reform languishes in Congress, Austin moves to protect Texans'
inboxes. Assuming that Texas Governor Rick Perry does not veto it,
the Lone Star State appears set to enact the nation’s strongest
e-mail privacy bill. The proposed legislation requires state law
enforcement agencies to get a warrant for all e-mails regardless of
the age of the e-mail.
- Decryption disclosure doesn't violate Fifth Amendment, judge rules
- Subject of investigation had claimed forced disclosure of
encrypted content violated self-incrimination protections - A
federal judge in Wisconsin has ordered a suspect in an investigation
to either provide prosecutors with the passwords to several
encrypted storage devices of his that are thought to contain
incriminating evidence or to provide them with a decrypted copy of
the contents of the drives.
- China's military to train on digital warfare - Amid rising concern
in the U.S. over China's role in cyberattacks, the latter is
expanding its focus on virtual combat. China, often linked to
alleged cyberattacks, is apparently training military forces on
digital combat and "informationalized" war.
- Judge orders Google to comply with FBI's secret NSL demands - A
federal judge tells the company to comply with the FBI's warrantless
National Security Letter requests for user details, despite ongoing
concerns about their constitutionality.
- France removes Internet cut-off threat from its anti-piracy law -
French digital minister says "it’s like cutting off someone’s
water.” France finally put an end to the most extreme measure of its
famous “three strikes” anti-piracy regime: no one will face being
cut off from the Internet.
- Maine may be first state to require a warrant for cell-phone
tracking - Bill sought by privacy groups passes legislature, headed
for state Senate, governor's signature - Maine is one step closer to
becoming the first state in the nation with a law that would require
police to obtain a court-issued search warrant in order to obtain a
person's cell-phone location data.
- Megaupload wins access to data seized in police raid - Megaupload
founder Kim Dotcom has won access to evidence seized during raids on
the file storage service. The decision to grant access was made by
the New Zealand high court which said warrants used to grab the
material were illegal.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Drupal issues password reset after servers compromised - A
vulnerability in a third-party application used on Drupal's servers
have allowed attackers to access customer data, prompting the CMS
developer to reset user passwords. Content management system
software developer Drupal is recommending that its customers reset
their Drupal.org passwords after it was discovered that account
information on its servers had been compromised.
- Harvard dean who okayed secret faculty email search steps down -
Evelynn Hammonds admitted she authorized search, but said it was
limited - a Harvard College Dean, who last month acknowledged
authorizing a secret search of email belonging to several
residential deans at the university, will step down from her
position July 1.
- Unattended hard drive may have led to exposure of 14k Social
Security numbers - The personal information of students applying to
attend Champlain College in Burlington, Vt., may have been accessed
after a portable hard drive containing their data was found in a
campus computer lab.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Oversight of
Assess Quality of Service and Support
• Regularly review reports
documenting the service provider’s performance. Determine if the
reports are accurate and allow for a meaningful assessment of
the service provider’s performance.
• Document and follow up on any problem in service in a timely
manner. Assess service provider plans to enhance service levels.
• Review system update procedures to ensure appropriate change
controls are in effect, and ensure authorization is established
for significant system changes.
• Evaluate the provider’s ability to support and enhance the
institution’s strategic direction including anticipated business
development goals and objectives, service delivery requirements,
and technology initiatives.
• Determine adequacy of training provided to financial
• Review customer complaints on the products and services
provided by the service provider.
• Periodically meet with contract parties to discuss performance
and operational issues.
• Participate in user groups and other forums.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet. This booklet is
required reading for anyone involved in information systems
security, such as the Network Administrator, Information Security
Officer, members of the IS Steering Committee, and most important
your outsourced network security consultants. Your outsourced
network security consultants can receive the "Internet Banking News"
by completing the subscription for at
https://yennik.com/newletter_page.htm. There is no charge for
ROLES AND RESPONSIBILITIES (1 of 2)
Information security is the responsibility of everyone at the
institution, as well as the institution's service providers and
contractors. The board, management, and employees all have different
roles in developing and implementing an effective security process.
The board of directors is responsible for overseeing the
development, implementation, and maintenance of the institution's
information security program. Oversight requires the board to
provide management with guidance and receive reports on the
effectiveness of management's response. The board should approve
written information security policies and the information security
program at least annually. The board should provide management with
its expectations and requirements for:
1) Central oversight and coordination,
2) Areas of responsibility,
3) Risk measurement,
4) Monitoring and testing,
5) Reporting, and
6) Acceptable residual risk.
Senior management's attitude towards security affects the entire
organization's commitment to security. For example, the failure of a
financial institution president to comply with security policies
could undermine the entire organization's commitment to security.
Senior management should designate one or more individuals as
information security officers. Security officers should be
responsible and accountable for security administration. At a
minimum, they should directly manage or oversee risk assessment,
development of policies, standards, and procedures, testing, and
security reporting processes. Security officers should have the
authority to respond to a security event by ordering emergency
actions to protect the financial institution and its customers from
an imminent loss of information or value. They should have
sufficient knowledge, background, and training, as well as an
organizational position, to enable them to perform their assigned
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated
third parties only under Sections 14 and/or 15.
Note: This module applies only to customers.
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with nonaffiliated
third parties and obtain a sample of data shared between the
institution and the third party.
a. Compare the data shared and with whom the data were shared to
ensure that the institution accurately states its information
sharing practices and is not sharing nonpublic personal information
outside the exceptions.
B. Presentation, Content, and Delivery of Privacy Notices
1) Obtain and review the financial institution's initial and annual
notices, as well as any simplified notice that the institution may
use. Note that the institution may only use the simplified notice
when it does not also share nonpublic personal information with
affiliates outside of Section 14 and 15 exceptions. Determine
whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
2) Through discussions with management, review of the institution's
policies and procedures, and a sample of electronic or written
customer records where available, determine if the institution has
adequate procedures in place to provide notices to customers, as
appropriate. Assess the following:
a) Timeliness of delivery (§§4(a), 4(d), 4(e), 5(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the customer agrees; or as a necessary step
of a transaction) (§9) and accessibility of or ability to retain the