REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
Community Bank Technology Conference -
If you have nothing on your plate, plan to attend the Independent
Community Bankers of America’s Community Bank Technology Conference,
September 12-14, 2012 in Las Vegas. I will be speaking Thursday on
auditing community banks. For more information please visit
- California Starts Up a Privacy Enforcement Unit - Watch out,
Silicon Valley, there’s a new startup in town and its gunning for
you. California Attorney General Kamala Harris announced Thursday
she’s created a unit intended to actually enforce federal and state
Justice Department Sues Telecom for Challenging National Security
Letter - Last year, when a telecommunications company received an
ultra-secret demand letter from the FBI seeking information about a
customer or customers, the telecom took an extraordinary step — it
challenged the underlying authority of the FBI’s National Security
Letter, as well as the legitimacy of the gag order that came with
Government reach for secure electric grid exceeds its grasp -
Government efforts to ensure the cybersecurity of the nation’s
increasingly networked electric grid are hampered by a cumbersome
regulatory process and a lack of enforcement, government and
industry witnesses told a Senate panel.
Russian Parliament's upper house approves Internet 'censorship' bill
- Russia's government will gain the power to blacklist websites
without a court's consent - The upper house of the Russian
Parliament passed a bill on Wednesday that the nation's IT industry
believes has high potential to lead to Internet censorship.
- GCHQ ‘3 times more likely’ to lose cyber security skills than
private sector - The UK's communications spying centre can't compete
with high salaries offered by industry - GCHQ's difficulty in
retaining the IT skills needed to respond to the cyber security
threat is a real and growing concern, according to a report from the
UK's Intelligence and Security Committee (ISC), a group of senior
parliamentarians appointed by the Prime Minister.
- GAO - Information Technology: DHS Needs to Further Define and
Implement Its New Governance Process.
- Security pros must evolve their defensive strategy - Security
professionals must update and address their defensive strategies to
be proactive against cyber threats, a researcher said Wednesday.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Fear of drone GPS hacking raised by Congress as FAA deadline looms
- After pushing FAA to allow UAVs, Congress now has second thoughts
on safety. In a House Homeland Security oversight subcommittee
hearing late this week, members of Congress raised concerns over the
potential security risks posed by jamming and electronic hijacking
of unmanned aerial systems, and the potential use of drones by
- Hackers loot German gaming site Gamigo of 8m passwords - More than
eight million passwords have been stolen from German gaming website
Gamigo and published online more than four months after hackers
broke into the network.
- Laptop containing health data stolen from Boston hospital - Beth
Israel Deaconess Medical Center (BIDMC) in Boston is warning
thousands of patients that their personal health information was
contained on a laptop that was stolen.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Principle 10: Banks should have effective capacity,
business continuity and contingency planning processes to help
ensure the availability of e-banking systems and services.
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with customer expectations. To achieve this, the
bank must have the ability to deliver e-banking services to
end-users from either primary (e.g. internal bank systems and
applications) or secondary sources (e.g. systems and applications of
service providers). The maintenance of adequate availability is also
dependent upon the ability of contingency back-up systems to
mitigate denial of service attacks or other events that may
potentially cause business disruption.
The challenge to maintain continued availability of e-banking
systems and applications can be considerable given the potential for
high transaction demand, especially during peak time periods. In
addition, high customer expectations regarding short transaction
processing cycle times and constant availability (24 X 7) has also
increased the importance of sound capacity, business continuity and
contingency planning. To provide customers with the continuity of
e-banking services that they expect, banks need to ensure that:
1) Current e-banking system capacity and future scalability are
analyzed in light of the overall market dynamics for e-commerce and
the projected rate of customer acceptance of e-banking products and
2) E-banking transaction processing capacity estimates are
established, stress tested and periodically reviewed.
3) Appropriate business continuity and contingency plans for
critical e-banking processing and delivery systems are in place and
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
Information security is an integrated process that reduces
information security risks to acceptable levels. The entire process,
including testing, is driven by an assessment of risks. The greater
the risk, the greater the need for the assurance and validation
provided by effective information security testing.
In general, risk increases with system accessibility and the
sensitivity of data and processes. For example, a high-risk system
is one that is remotely accessible and allows direct access to
funds, fund transfer mechanisms, or sensitive customer data.
Information only Web sites that are not connected to any internal
institution system or transaction capable service are lower-risk
systems. Information systems that exhibit high risks should be
subject to more frequent and rigorous testing than low-risk systems.
Because tests only measure the security posture at a point in time,
frequent testing provides increased assurance that the processes
that are in place to maintain security over time are functioning.
A wide range of tests exists. Some address only discrete controls,
such as password strength. Others address only technical
configuration, or may consist of audits against standards. Some
tests are overt studies to locate vulnerabilities. Other tests can
be designed to mimic the actions of attackers. In many situations,
management may decide to perform a range of tests to give a complete
picture of the effectiveness of the institution's security
processes. Management is responsible for selecting and designing
tests so that the test results, in total, support conclusions about
whether the security control objectives are being met.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
27. If each joint consumer may
opt out separately, does the institution permit:
a. one joint consumer to opt out on behalf of all of the joint
b. the joint consumers to notify the institution in a single
response; [§7(d)(5)] and
c. each joint consumer to opt out either for himself or herself,
and/or for another joint consumer? [§7(d)(5)]