- U.S. and Russia sign pact to create communication link on cyber
security - The United States and Russia have signed a landmark
agreement to reduce the risk of conflict in cyberspace through
real-time communications about incidents of national security
- Microsoft offers hefty bounties to thwart hackers - Microsoft Corp
is looking to recruit computer geeks in its ongoing efforts to
protect Windows PCs from attacks, offering rewards of as much as
$150,000 to anybody who helps identify and fix major security holes
in its software.
- An IT superpower, India has just 556 cyber security experts - The
world may acknowledge India as an information technology superpower,
but its very own official cyber security workforce comprises a mere
556 experts deployed in various government agencies.
- Expanded '2-person rule' could help plug NSA leaks - NSA, FBI, DOJ
officials tell Congress secret programs are vital to U.S. security;
outline ways to keep sysadmins from leaking classified data - The
National Security Agency is creating new processes aimed at making
it harder for systems administrators to misuse privileged access to
agency systems, NSA officials told the U.S. House Intelligence
- Risks of Default Passwords on the Internet - Any system using
password authentication accessible from the internet may be
affected. Critical infrastructure and other important embedded
systems, appliances, and devices are of particular concern.
- Using encryption? That means the US spooks have you on file - By
my order for the good of the state, the bearer has done what has
been done - Anyone who encrypts their emails or uses secure instant
message services runs the risk of having their communications stored
by the US National Security Agency, according to the latest leaks
from a former NSA sysadmin.
- What CSOs should look for in new hires - Last month, college
graduations were celebrated throughout the country, springing the
class of 2013 on the working world.
- Mobile devices call for security solutions that don't apply to the
PC world - Information security is an ongoing game of cat and mouse
between IT organizations and hackers. The way that organizations
consume and protect information changes as frequently as the methods
hackers use to attack it.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- LinkedIn outage prompts security concerns - The website's domain
name was temporarily redirected to a different server - LinkedIn's
domain name was temporarily redirected to a third-party server
Thursday, which resulted in a service outage and potentially put
user accounts at risk of compromise.
- Facebook bug exposed contact info of 6M users - The social network
is embarrassed by a glitch in its "Download Your Information" tool
that unintentionally shared some members' phone numbers and e-mail
- Southwest cancels 67 flights after computer glitch - Southwest
Airlines' operations returned to normal Saturday afternoon after a
system-wide computer failure caused it to ground 250 flights for
nearly three hours late Friday night.
intelligence tapping fiber-optic cables for massive amounts of data
- The GCHQ surveillance program is even bigger than NSA's, The
Guardian says - More secret National Security Agency documents
leaked to The Guardian suggest that the U.S. agency's British
counterpart intercepts petabytes worth of communication data daily
from fiber-optic cables.
exposed by Facebook data glitch - Personal details of about six
million people have been inadvertently exposed by a bug in
Facebook's data archive.
Data of 47K
training to become Florida teachers exposed - The sensitive
information of several thousand individuals training to become
Florida teachers was inadvertently made available online by a
university that was handling the data.
nearly 3K University of Illinois dorm residents stolen - Thousands
of University of Illinois at Urbana–Champaign (UIUC) students, who
lived in campus housing called the Hendrick House between 1997 and
the spring of 2011, had their information uploaded to a thumb drive.
- Opera browser said its network was hacked to steal code-signing
certificate - Opera Software, maker of the Opera browser, disclosed
Wednesday that its internal network was targeted in a heist in which
the attackers made off with at least one certificate that they used
to sign malware.
reportedly release data on U.S. troops in Korea - Hackers say they
stole the personal details of tens of thousands of American troops
and leaked the data to multiple sites.
Services breach places 8,000 personal records at risk - The personal
information of former patients and employees at the Mental Health
Institute in Independence, Iowa, as well as workers at other state
facilities, may have been exposed after a backup computer tape went
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on
"Weblinking: Identifying Risks and Risk Management Techniques."
(2 of 10)
A. RISK DISCUSSION
Compliance risk arises when the linked third party acts in a manner
that does not conform to regulatory requirements. For example,
compliance risk could arise from the inappropriate release or use of
shared customer information by the linked third party. Compliance
risk also arises when the link to a third party creates or affects
compliance obligations of the financial institution.
Financial institutions with weblinking relationships are also
exposed to other risks associated with the use of technology, as
well as certain risks specific to the products and services provided
by the linked third parties. The amount of risk exposure depends on
several factors, including the nature of the link.
Any link to a third-party website creates some risk exposure for an
institution. This guidance applies to links to affiliated, as well
as non-affiliated, third parties. A link to a third-party website
that provides a customer only with information usually does not
create a significant risk exposure if the information being provided
is relatively innocuous, for example, weather reports.
Alternatively, if the linked third party is providing information or
advice related to financial planning, investments, or other more
substantial topics, the risks may be greater. Links to websites that
enable the customer to interact with the third party, either by
eliciting confidential information from the user or allowing the
user to purchase a product or service, may expose the insured
financial institution to more risk than those that do not have such
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
The quality of security controls can significantly influence all
categories of risk. Traditionally, examiners and bankers recognize
the direct impact on operational/transaction risk from incidents
related to fraud, theft, or accidental damage. Many security
weaknesses, however, can directly increase exposure in other risk
areas. For example, the GLBA introduced additional legal/compliance
risk due to the potential for regulatory noncompliance in
safeguarding customer information. The potential for legal liability
related to customer privacy breaches may present additional risk in
the future. Effective application access controls can reduce credit
and market risk by imposing risk limits on loan officers or traders.
If a trader were to exceed the intended trade authority, the
institution may unknowingly assume additional market risk exposure.
A strong security program reduces levels of reputation and strategic
risk by limiting the institution's vulnerability to intrusion
attempts and maintaining customer confidence and trust in the
institution. Security concerns can quickly erode customer confidence
and potentially decrease the adoption rate and rate of return on
investment for strategically important products or services.
Examiners and risk managers should incorporate security issues into
their risk assessment process for each risk category. Financial
institutions should ensure that security risk assessments adequately
consider potential risk in all business lines and risk categories.
Information security risk assessment is the process used to identify
and understand risks to the confidentiality, integrity, and
availability of information and information systems. An adequate
assessment identifies the value and sensitivity of information and
system components and then balances that knowledge with the exposure
from threats and vulnerabilities. A risk assessment is a necessary
pre-requisite to the formation of strategies that guide the
institution as it develops, implements, tests, and maintains its
information systems security posture. An initial risk assessment may
involve a significant one-time effort, but the risk assessment
process should be an ongoing part of the information security
Risk assessments for most industries focus only on the risk to the
business entity. Financial institutions should also consider the
risk to their customers' information. For example, section 501(b) of
the GLBA requires financial institutions to "protect against
unauthorized access to or use of customer information that could
result in substantial harm or inconvenience to any customer."
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Account number sharing
A. If available, review a sample of telemarketer scripts used
when making sales calls to determine whether the scripts indicate
that the telemarketers have the account numbers of the institution's
B. Obtain and review a sample of contracts with agents or service
providers to whom the financial institution discloses account
numbers for use in connection with marketing the institution's own
products or services. Determine whether the institution shares
account numbers with nonaffiliated third parties only to perform
marketing for the institution's own products and services. Ensure
that the contracts do not authorize these nonaffiliated third
parties to directly initiate charges to customer's accounts
C. Obtain a sample of materials and information provided to the
consumer upon entering a private label or affinity credit card
program. Determine if the participants in each program are
identified to the customer when the customer enters into the program