REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
Community Bank Technology Conference -
If you have nothing on your plate, plan to attend the Independent
Community Bankers of America’s Community Bank Technology Conference,
September 12-14, 2012 in Las Vegas. I will be speaking Thursday on
auditing community banks. For more information please visit
- Hackers Linked to China’s Army Seen From EU to D.C. - And the
spies were themselves being watched. Working together in secret,
some 30 North American private security researchers were tracking
one of the biggest and busiest hacking groups in China.
- Air Traffic Controllers Pick the Wrong Week to Quit Using Radar -
It’s a Twilight Zone episode waiting to happen. A commercial pilot
at 30,000 feet gets sudden instructions from air traffic control on
the ground that another plane is headed his way.
- UK.gov warned: Halt exports of spyware to brutal regimes - The
grubby practice of allowing UK-stamped surveillance tech to be
shipped to brutal regimes could land the British government in court
to answer allegations of aiding human rights breaches.
- GAO - Privacy: Federal Law Should Be Updated to Address Changing
- Two men sentenced in Michaels breach after looting ATMs - Two men
each have been sentenced to 36 months in prison for withdrawing tens
of thousands of dollars from ATMs with credit card information that
was stolen from craft-store retail chain Michaels Stores.
- NIST Updates Computer Security Guides - Guidelines focus on
wireless security and protecting mobile devices from intrusion. The
National Institute of Standards and Technology has released updated
guidance on how federal agencies and businesses can deal with
network attacks and malware.
- Singapore selected as CSA’s corporate headquarters - The Cloud
Security Alliance (CSA) is establishing its corporate headquarters
in Singapore, under an effort led by the Infocomm Development
Authority of Singapore (IDA), Singapore Economic Development Board (EDB),
and Trend Micro.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Global Payments says breach will cost $85 million - The
Atlanta-based company revealed in March that its systems were raided
of no more than 1.5 million credit and debit card numbers.
- Netflix punters told of privacy change, get 3 months to object -
Accept, and you opt in to class-action settlement - Netflix is
legal settlement that would put an end to a class action suit
launched against the company last year.
- Data breach to cost $84M for Global Payments - After a security
breach that took place months ago, Global Payments is now left with
a hefty surcharge. Hoping to reassure customers and analysts as soon
as possible, Global Payments has released a detailed statement about
the data breach that it incurred months ago.
- Computer with patient data stolen from NYC hospital - A desktop
computer storing personal health information was stolen from NYU
Langone Medical Center.
- Unencrypted EMC laptop stolen containing patient data - An
unencrypted laptop containing the personal data of roughly 10,000
medical patients in Connecticut was stolen from a hospital vendor
- EPA security breach exposes 8,000 people’s personal information -
The Environmental Protection Agency has experienced a computer
security breach exposing personal information - such as Social
Security numbers and banking info - of nearly 8,000 people, mostly
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Principle 11: Banks should develop appropriate incident response
plans to manage, contain and minimize problems arising from
unexpected events, including internal and external attacks, that may
hamper the provision of e-banking systems and services.
Effective incident response mechanisms are critical to minimize
operational, legal and reputational risks arising from unexpected
events, such as internal and external attacks, that may affect the
provision of e-banking systems and services. Banks should develop
appropriate incident response plans, including communication
strategies, that ensure business continuity, control reputation risk
and limit liability associated with disruptions in their e-banking
services, including those originating from outsourced systems and
operations. The current and future capacity of critical e-banking
delivery systems should be assessed on an ongoing basis.
To ensure effective response to unforeseen incidents, banks should
1) Incident response plans to address recovery of e-banking systems
and services under various scenarios, businesses and geographic
locations. Scenario analysis should include consideration of the
likelihood of the risk occurring and its impact on the bank.
E-banking systems that are outsourced to third-party service
providers should be an integral part of these plans.
2) Mechanisms to identify an incident or crisis as soon as it
occurs, assess its materiality, and control the reputation risk
associated with any disruption in service.
3) A communication strategy to adequately address external market
and media concerns that may arise in the event of security breaches,
online attacks and/or failures of e-banking systems.
4) A clear process for alerting the appropriate regulatory
authorities in the event of material security breaches or disruptive
5) Incident response teams with the authority to act in an
emergency and sufficiently trained in analyzing incident
detection/response systems and interpreting the significance of
6) A clear chain of command, encompassing both internal as well as
outsourced operations, to ensure that prompt action is taken
appropriate for the significance of the incident. In addition,
escalation and internal communication procedures should be developed
and include notification of the Board where appropriate.
7) A process to ensure all relevant external parties, including
bank customers, counterparties and the media, are informed in a
timely and appropriate manner of material e-banking disruptions and
business resumption developments.
8) A process for collecting and preserving forensic evidence to
facilitate appropriate post-mortem reviews of any e-banking
incidents as well as to assist in the prosecution of attackers.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY TESTING - TESTING CONCEPTS AND APPLICATION
Testing Risks to Data Integrity, Confidentiality, and Availability.
Management is responsible for carefully controlling information
security tests to limit the risks to data integrity,
confidentiality, and system availability. Because testing may
uncover nonpublic customer information, appropriate safeguards to
protect the information must be in place. Contracts with third
parties to provide testing services should require that the third
parties implement appropriate measures to meet the objectives of
section 501(b) of the GLBA. Management also is responsible for
ensuring that employee and contract personnel who perform the tests
or have access to the test results have passed appropriate
background checks, and that contract personnel are appropriately
bonded. Because certain tests may pose more risk to system
availability than other tests, management is responsible for
considering whether to require the personnel performing those tests
to maintain logs of their testing actions. Those logs can be helpful
should the systems react in an unexpected manner.
Confidentiality of Test Plans and Data. Since knowledge of test
planning and results may facilitate a security breach, institutions
should carefully limit the distribution of their testing
information. Management is responsible for clearly identifying the
individuals responsible for protecting the data and for providing
guidance for that protection, while making the results available in a
usable form to those who are responsible for following up on the tests.
Management also should consider requiring contractors to sign
nondisclosure agreements and to return to the institution
information they obtained in their testing.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
28. Does the institution refrain from
requiring all joint consumers to opt out before implementing any opt
out direction with respect to the joint account? [§7(d)(4)]
29. Does the institution comply with a consumer's direction to opt
out as soon as is reasonably practicable after receiving it? [§7(e)]