REMINDER - This newsletter is available for Android smartphones and
tablets. Go to the Market Store and search for yennik.
- S. Korea banks to segment network, establish data backup -
Financial regulator to instruct local banks to separate their
network systems into two, for internal and external usage, and is
pushing to set up a consolidated backup center, as part of measures
to beef up defenses against cyberattacks.
- India's BlackBerry monitoring system 'ready for use' - Smartphone
maker has successfully developed a lawful interception system
allowing the Indian government to track e-mail and intercept Web
browsing in real-time.
- DEF CON To Feds: We Need Some Time Apart - One of the more
time-honored traditions at DEF CON - the massive hacker convention
held each year in Las Vegas - is “Spot-the-Fed,” a playful and
mostly harmless contest to out undercover government agents who
attend the show.
- DoJ Limits Seizure Of Reporters' Data - The U.S. Department of
Justice on Friday published new guidelines intended to limit
government access to journalists' records, unless the records at
issue belong to a journalist facing a criminal investigation.
- California data breach study indicates lack of encryption - A
recent study by the California attorney general indicates that 2.5
million residents of the Golden State had their personal information
exposed in the 131 online data breaches reported to her office in
- Sony abandons appeal over PSN security-breach fine - Sony has
dropped its appeal against a £250,000 penalty imposed after its
PlayStation Network was hacked in 2011.
- Hospital fined £200,000 after hard drive full of patient data
bought on eBay - The ICO has hit NHS Surrey with a £200,000
($300,000) fine after a “shocking” lapse allowed a member of the
public to buy a hard drive containing the records of 3,000 patients
that had supposedly been sent for secure destruction.
- WellPoint settles following government investigation in wake of
breach - After being ordered to pay $100,000 to the state of Indiana
after a major breach of customer data, an Indianapolis-based health
insurer faces another costly payout - a $1.7 million settlement with
the U.S. Department of Health and Human Services (HHS).
- Health insurance credentials fetch high prices in the online black
market - Here's to your health...your health insurance credentials,
that is. An information security service provider has uncovered in a
new report that buyers are dropping big bucks for health insurance
documents that are being hawked on the internet underground with the
goal of using them to commit fraud.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Breach strikes Roy's Restaurants in Hawaii - The computer network of
Roy's Restaurants was compromised by malware, exposing the credit
card data of its customers.
- U.K. Ministry of Defence hit by cyberattack, data stolen - The
U.K. government department was victim of a cyber-espionage attack
that saw sensitive data stolen by unnamed hackers, a parliamentary
- Commerce Trashes $170,000 Worth of Tech to Disinfect Imaginary
Viruses - After detecting malicious software in system components at
Commerce Department headquarters, federal officials in 2012
disconnected the Economic Development Administration's computer
- Class-action filed against convenience store over breach - A man in
Northport, Ala. is suing a convenience store chain that experienced
a credit card breach this spring.
- Patient records turn up in Dallas park after contractor fails to
destroy them - Hundreds of thousands of patients may have had
personal information exposed after medical records from Texas Health
Harris Methodist Hospital Fort Worth turned up in a Dallas park in
- Employees fired at LA hospital for accessing patient records - Six
employees were fired after more than a dozen confidential patient
files, including those belonging to at least one celebrity, were
accessed at Cedars-Sinai Medical Center in Los Angeles.
- Group says it acquired databases of global phone directory - More
than a million Truecaller accounts were compromised in a recent
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency
statement on "Weblinking: Identifying Risks and Risk Management
Techniques." (Part 5 of 10)
B. RISK MANAGEMENT TECHNIQUES
Management must effectively plan, implement, and monitor the
financial institution's weblinking relationships. This includes
situations in which the institution has a third-party service
provider create, arrange, or manage its website. There are several
methods of managing a financial institution's risk exposure from
third-party weblinking relationships. The methods adopted to manage
the risks of a particular link should be appropriate to the level of
risk presented by that link as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of weblinks
should review the types of products or services and the overall
website content made available to its customers through the
weblinks. Management should consider whether the links support the
institution's overall strategic plan. Tools useful in planning
weblinking relationships include:
1) due diligence with respect to third parties to which the
financial institution is considering links; and
2) written agreements with significant third parties.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
ANALYZE INFORMATION (2 of 2)
Since specific scenarios can become too numerous for financial
institutions to address individually, various techniques are used to
generalize and extend the scenarios. For instance, one technique
starts with a specific scenario and looks at additional damage that
could occur if the attacker had different knowledge or motivation.
This technique allows the reviewers to see the full extent of risk
that exists from a given vulnerability. Another technique aggregates
scenarios by high-value system components.
Scenarios should consider attacks against the logical security,
physical security, and combinations of logical and physical attacks.
In addition, scenarios could consider social engineering, which
involves manipulation of human trust by an attacker to obtain access
to computer systems. It is often easier for an attacker to obtain
access through manipulation of one or more employees than to perform
a logical or physical intrusion.
The risk from any given scenario is a function of the probability of
the event occurring and the impact on the institution. The
probability and impact are directly influenced by the financial
institution's business profile, the effectiveness of the financial
institution's controls, and the relative strength of controls when
compared to other industry targets.
The probability of an event occurring is reflected in one of two
ways. If reliable and timely probability data is available,
institutions can use it. Since probability data is often limited,
institutions can assign a qualitative probability, such as frequent,
occasional, remote, and improbable.
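The two scenario techniques and the probability/impact rating described above, worked through as an added illustration (this is not code from the FFIEC booklet or the newsletter; the impact words, numeric ranks and sample scenarios are constructed assumptions):

```python
"""Qualitative risk rating of threat scenarios, in the style of the FFIEC
analysis step: rate each scenario by probability x impact, extend a base
scenario for attackers with different knowledge or motivation, and roll
results up by high-value system component. Illustration only; scales and
sample data are constructed, not taken from the booklet."""
from collections import defaultdict
from dataclasses import dataclass

# Ordered scales. The probability words are the booklet's; the impact words
# and the numeric ranks are assumptions of this example.
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "frequent": 4}
IMPACT = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}

@dataclass(frozen=True)
class Scenario:
    component: str    # high-value system component the scenario targets
    attack: str       # short description of the scenario
    probability: str  # a key of PROBABILITY
    impact: str       # a key of IMPACT

def risk_score(s: Scenario) -> int:
    """Risk as a function of probability and impact (product of ranks)."""
    return PROBABILITY[s.probability] * IMPACT[s.impact]

def extend_scenario(base: Scenario, variants: dict) -> list:
    """Technique 1: start from one scenario and re-rate it under different
    attacker knowledge or motivation. variants maps a label to the
    (probability, impact) the reviewers assign under that assumption."""
    return [Scenario(base.component, f"{base.attack} [{label}]", p, i)
            for label, (p, i) in variants.items()]

def aggregate_by_component(scenarios) -> dict:
    """Technique 2: roll scenarios up per component, keeping the worst-case
    score and the scenario count so reviewers see where risk concentrates."""
    agg = defaultdict(lambda: {"max": 0, "count": 0})
    for s in scenarios:
        agg[s.component]["max"] = max(agg[s.component]["max"], risk_score(s))
        agg[s.component]["count"] += 1
    return dict(agg)

# Constructed sample register for a hypothetical institution.
BASE = Scenario("online banking", "customer credential phishing",
                "occasional", "moderate")
SCENARIOS = [
    BASE,
    Scenario("core ledger", "insider alters balances", "remote", "severe"),
    Scenario("web server", "defacement via unpatched CMS", "occasional", "minor"),
] + extend_scenario(BASE, {
    "attacker knows transfer limits": ("remote", "major"),
    "attacker targets staff instead": ("occasional", "severe"),
})

def ranked_components() -> list:
    """Components ordered by their worst-case scenario score."""
    agg = aggregate_by_component(SCENARIOS)
    return sorted(agg, key=lambda c: agg[c]["max"], reverse=True)
```

Using the maximum rather than the sum per component keeps a single severe scenario from being diluted by many low-scoring ones, which is the "full extent of risk" view the text asks for.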
Frequently, TSPs perform some or all of the institution's
information processing and storage. Reliance on a third party for
hosting systems or processing does not remove the institution's
responsibility for securing the information. It does change how the
financial institution will fulfill its role. Accordingly, risk
assessments should evaluate the sensitivity of information
accessible to or processed by TSPs, the importance of the processing
conducted by TSPs, communications between the TSP's systems and the
institution, contractually required controls, and the testing of
those controls. Additional vendor management guidance is contained
in the FFIEC's statement on "Risk Management of Outsourced
Technology Services," dated November 28, 2000.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week, you will
help ensure compliance with the privacy regulations.
Initial Privacy Notice
3) Does the institution provide to existing customers, who obtain a
new financial product or service, an initial privacy notice that
covers the customer's new financial product or service, if the most
recent notice provided to the customer was not accurate with respect
to the new financial product or service? [§4(d)(1)]