REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- What's wrong with cybersecurity training? - Are we training our
cybersecurity professionals in all the wrong ways? Agencies have
been ramping up efforts in training, education, recruiting and
hiring, and still the government faces a shortage of skilled cyber
- Why business is losing the war against cybercrime - New State of
Cybercrime survey finds lack of risk awareness means poor defenses
in the enterprise - The good guys are losing the cybercrime war. One
major reason is that they don't understand their enemies, and
therefore are not fighting back effectively.
- Defense Department building its own secure 4G network - The
department hopes new network will improve collaboration among
separate branches of the military, the chairman of the Joint Chiefs
of Staff says.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Chinese malware attack affected dozens of South Korean
organizations, researchers say - Over 1,000 computers were recently
infected with a piece of malware used by Chinese-speaking hackers,
researchers from Seculert said.
- South Korea govt site hacking sees massive data breach - Summary:
Presidential office says personal information of approximately
100,000 people was leaked in last week's attack on its Web site, but
user passwords and identification numbers were not stolen.
- Opera code-signing certificate abused in failed breach - Summary:
Opera has managed to detect and stop an attack on its internal
systems, but not before potentially a few thousand Windows users
were put in harm's way.
- Detective's stolen laptop risks data of 2,300 in Washington state
- An unencrypted laptop was stolen from a Washington state
detective's vehicle, exposing the data of thousands of people,
including crime victims, witnesses, suspects and police.
- More than 6K personal records compromised in university breach -
The personal information of thousands of students at the University
of South Carolina (USC) in Columbus is at risk after a laptop was
stolen from the school.
- Document management error exposes data on 187,500 Indiana
residents - A contractor serving the Indiana Family and Social
Services Administration (FSSA) committed a programming error, which
led to private documents being sent to the wrong people.
- Lost thumb drive leads to compromised patient data - A lost thumb
drive containing thousands of patient records went missing from a
Nebraska doctor's office.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 3 of 10)
Customers may be confused about whether the financial institution or
a third party is supplying the product, service, or other website
content available through the link. The risk of customer confusion
can be affected by a number of factors:
- nature of the
third-party product or service;
- trade name of the
third party; and
- website appearance.
Nature of Product or
When a financial institution provides links to third parties that
sell financial products or services, or provide information relevant
to these financial products and services, the risk is generally
greater than if third parties sell non-financial products and
services due to the greater potential for customer confusion. For
example, a link from a financial institution's website to a mortgage
bank may expose the financial institution to greater reputation risk
than a link from the financial institution to an online clothing
The risk of customer confusion with respect to links to firms
selling financial products is greater for two reasons. First,
customers are more likely to assume that the linking financial
institution is providing or endorsing financial products rather than
non-financial products. Second, products and services from certain
financial institutions often have special regulatory features and
protections, such as federal deposit insurance for qualifying
deposits. Customers may assume that these features and protections
also apply to products that are acquired through links to
third-party providers, particularly when the products are financial
When a financial institution links to a third party that is
providing financial products or services, management should consider
taking extra precautions to prevent customer confusion. For example,
a financial institution linked to a third party that offers
nondeposit investment products should take steps to prevent customer
confusion specifically with respect to whether the institution or
the third party is offering the products and services and whether
the products and services are federally insured or guaranteed by the
Financial institutions should recognize, even in the case of
non-financial products and services, that customers may have
expectations about an institution's due diligence and its selection
of third parties to which the financial institution links its
website. Should customers experience dissatisfaction as a result of
poor quality products or services, or loss as a result of their
transactions with those companies, they may consider the financial
institution responsible for the perceived deficiencies of the
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
Common elements of risk assessment approaches involve three phases:
information gathering, analysis, and prioritizing responses. Vendor
concerns add additional elements to the process.
Identifying and understanding risk requires the analysis of a
wide range of information relevant to the particular institution's
risk environment. Once gathered, the information can be catalogued
to facilitate later analysis. Information gathering generally
includes the following actions:
1) Obtaining listings of information system assets (e.g., data,
software, and hardware). Inventories on a device - by - device basis
can be helpful in risk assessment as well as risk mitigation.
Inventories should consider whether data resides in house or at a
2) Determining threats to those assets, resulting from people with
malicious intent, employees and others who accidentally cause
damage, and environmental problems that are outside the control of
the organization (e.g., natural disasters, failures of
interdependent infrastructures such as power, telecommunications,
3) Identifying organizational vulnerabilities (e.g., weak senior
management support, ineffective training, inadequate expertise or
resource allocation, and inadequate policies, standards, or
4) Identifying technical vulnerabilities (e.g., vulnerabilities in
hardware and software, configurations of hosts, networks,
workstations, and remote access).
5) Documenting current controls and security processes, including
both information technology and physical security.
6) Identifying security requirements and considerations (e.g.,
7) Maintaining the risk assessment process requires institutions to
review and update their risk assessment at least once a year, or
more frequently in response to material changes in any of the six
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Initial Privacy Notice
1) Does the institution provide a clear and conspicuous notice
that accurately reflects its privacy policies and practices to all
customers not later than when the customer relationship is
established, other than as allowed in paragraph (e) of section four
(4) of the regulation? [§4(a)(1))]?
(Note: no notice is required if nonpublic personal information is
disclosed to nonaffiliated third parties only under an exception in
Sections 14 and 15, and there is no customer relationship. [§4(b)]
With respect to credit relationships, an institution establishes a
customer relationship when it originates a consumer loan. If the
institution subsequently sells the servicing rights to the loan to
another financial institution, the customer relationship transfers
with the servicing rights. [§4(c)])