U.S., British intelligence mining data from nine U.S. Internet
companies in broad secret program - The National Security Agency and
the FBI are tapping directly into the central servers of nine
leading U.S. Internet companies, extracting audio and video chats,
photographs, e-mails, documents, and connection logs that enable
analysts to track foreign targets, according to a top-secret
document obtained by The Washington Post.
NSA Was Granted Order to Snag Millions of Verizon Call Records for 3
Months - The National Security Agency obtained a court order to
collect the call records of millions of Verizon customers, according
to a secret document obtained by the Guardian.
DHS Watchdog: ‘Intuition and Hunch’ Are Enough to Search Your
Gadgets at Border - The Department of Homeland Security’s civil
rights watchdog has concluded that “intuition and hunch” are among
the primary reasons why it is “inadvisable” to establish
constitutional safeguards protecting travelers’ electronics from
being searched for any reason along the U.S. border.
Judge Blocks Order Demanding Suspect Decrypt Computer Drives or Face
Jail - A federal judge today halted an order that a Wisconsin man
decrypt 16 computer drives.
Is your IT department "donating" your attorney-client privilege
without your knowledge? - What if an executive of your company came
to you and said, “Look, we've got this data about an incident that
GAO - Information Technology: OMB and Agencies Need to Focus
Continued Attention on Eliminating Duplicative Investments.
Obama Asked Intel Agencies to Draw Up List of Possible Cyber Targets
Overseas - Four years after the U.S. and Israel allegedly launched
the first known cyberweapon against Iran, President Barack Obama
ordered U.S. intelligence agencies to draw up a list of overseas
targets for possible offensive U.S. cyberattacks, according to a
top-secret presidential directive obtained by the Guardian.
First Lawsuit Over NSA Phone Scandal Targets Obama, Verizon - The
first of what likely will be many lawsuits challenging the
constitutionality of the NSA’s dragnet phone surveillance program
was lodged Sunday, declaring the newly disclosed spy operation an
“outrageous breach of privacy.”
Administration Declassifies Information to Defend Citizen Spying
Programs - The director of national intelligence late Thursday night
issued statements asserting that recent media reports about federal
surveillance of U.S. residents contained inaccuracies and he
released previously classified information to demonstrate that the
monitoring is legal.
Israel accelerates cybersecurity know-how as early as 10th grade -
Israel is strengthening cybersecurity recruitment and cooperation
between hi-tech, academia, and the military as threats rise.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Investigators bust hackers that stole and sold credit card data -
The conspirators based in Vietnam allegedly had data on over 1.1
million cards - Law enforcement agencies in the U.S., Vietnam and
the U.K. have disbanded a ring that allegedly sold online credit
card details since 2007.
Police 'stumped' by car thefts using electronic skeleton key -
Appeal for the public's help - Police in California have admitted
they are baffled by a series of car thefts where robbers use a small
hand-held electronic device to unlock supposedly secure car-locking
Hackers invade Raley's grocery chain - Raley's Family of Fine
Stores, a supermarket chain with more than 120 stores in California
and Nevada, has been stung by a hack that compromised the credit and
debit card information of its customers.
Bank employee accidentally transfers millions after he falls asleep -
A German bank employee got a rude awakening after he "fell asleep
for an instant" on his keyboard and accidentally transferred $293
million into a bank account.
Pirate Bay founder accused of Denmark hack - Danish police accused
him of helping an unnamed Danish hacker gain illegal access to a
number of databases holding sensitive information.
Revealed: U.S. compiled secret cybertargets list - Top-secret list
of potential international cybertargets written by the Obama
administration is the latest in a series of high-profile leaks.
WEB SITE COMPLIANCE -
Risk Management of Outsourced
Due Diligence in Selecting a Service Provider - Oversight of
Monitor Contract Compliance and Revision Needs
• Review invoices to assure
proper charges for services rendered, the appropriateness of
rate changes and new service charges.
• Periodically, review the service provider’s performance
relative to service level agreements, determine whether other
contractual terms and conditions are being met, and whether any
revisions to service level expectations or other terms are
needed given changes in the institution’s needs and
• Maintain documents and records regarding contract compliance,
revision and dispute resolution.
Resumption Contingency Plans
• Review the service provider’s
business resumption contingency plans to ensure that any
services considered mission critical for the institution can be
restored within an acceptable timeframe.
• Review the service provider’s program for contingency plan
testing. For many critical services, annual or more frequent
tests of the contingency plan are typical.
• Ensure service provider interdependencies are considered for
mission critical services and applications.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet. This booklet is
required reading for anyone involved in information systems
security, such as the Network Administrator, Information Security
Officer, members of the IS Steering Committee, and most important
your outsourced network security consultants. Your outsourced
network security consultants can receive the "Internet Banking News"
by completing the subscription form at
https://yennik.com/newletter_page.htm. There is no charge for
ROLES AND RESPONSIBILITIES (2 of 2)
Senior management should enforce its security program by clearly
communicating responsibilities and holding appropriate individuals
accountable for complying with these requirements. A central
authority should be responsible for establishing and monitoring the
security program. Security management responsibilities, however, may
be distributed throughout the institution from the IT department to
various lines of business depending on the institution's size,
complexity, culture, nature of operations, and other factors. The
distribution of duties should ensure an appropriate segregation of
duties between individuals or organizational groups.
Senior management also has the responsibility to ensure integration
of security controls throughout the organization. To support
integration, senior management should
1) Ensure the security process is governed by organizational
policies and practices that are consistently applied,
2) Require that data with similar criticality and sensitivity
characteristics be protected consistently regardless of where in the
organization it resides,
3) Enforce compliance with the security program in a balanced and
consistent manner across the organization, and
4) Coordinate information security with physical security.
Senior management should make decisions regarding the acceptance of
security risks and the performance of risk mitigation activities
using guidance approved by the board of directors.
Employees should know, understand, and be held accountable for
fulfilling their security responsibilities. Institutions should
define these responsibilities in their security policy. Job
descriptions or contracts should specify any additional security
responsibilities beyond the general policies. Financial institutions
can achieve effective employee awareness and understanding through
security training, employee certifications of compliance,
self-assessments, audits, and monitoring.
Management also should consider the roles and responsibilities of
external parties. Technology service providers (TSPs), contractors,
customers, and others who have access to the institution's systems
and data should have their security responsibilities clearly
delineated and documented in contracts.
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Reuse & Redisclosure of nonpublic
personal information received from a nonaffiliated financial
institution under Sections 14 and/or 15.
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure and reuse of
the information where the institution is the recipient of nonpublic
personal information (§11(a)).
B. Select a sample of data received from nonaffiliated financial
institutions, to evaluate the financial institution's compliance
with reuse and redisclosure limitations.
1. Verify that the institution's redisclosure of the information
was only to affiliates of the financial institution from which the
information was obtained or to the institution's own affiliates,
except as otherwise allowed in the step b below (§11(a)(1)(i) and
2. Verify that the institution only uses and shares the data
pursuant to an exception in Sections 14 and 15 (§11(a)(1)(iii)).