- U.S. appeals court upholds warrantless collection of phone
location data - Court rules that cell site information is business
data collected by the service provider - Warrants are not required
by the U.S. government to access historical cell site information,
an appeals court ruled in an order.
- The Untested Mobile Security System Defense Just Bought Isn't
Functioning at USDA - Technology the Pentagon acquired, without
testing, to protect email and Web browsing on military-issued
consumer smartphones is not working at the Agriculture Department,
according to USDA officials.
- Wi-Fi routers: More security risks than ever - The research team
that discovered significant security holes in more than a dozen home
Wi-Fi routers adds more devices to that list at Defcon 21.
- Chrome-saved passwords in plain text not a flaw, according to
Google - Go into the password section in Google Chrome's settings
panel and you can see that the popular web browser displays saved
passwords in plain text. Many consider this a flaw – but not Google.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- BGP multiple banking addresses hijacked - On 24 July 2013 a
significant number of Internet Protocol (IP) addresses that belong
to banks suddenly were routed to somewhere else.
- Syrian Electronic Army Hacks White House Media Team - Hackers fail
to take over White House website, and then got their Twitter
accounts suspended for boasting about subsequent Thomson Reuters
takeover. Three White House social media staffers had their personal
Gmail accounts compromised by members of the Syrian Electronic Army.
- Third-party software hole exposes personal info of University of
Delaware workers - Tens of thousands of employees of the University
of Delaware in Newark had their personal information compromised in
an attack last month.
- High-tech toilet gets hacker warning; nothing is safe - A
vulnerability in a toilet-control app leads to an unusual warning
about potential bathroom hacking hijinks.
- Stolen laptop compromises patients of California medical group -
The California-based Retinal Consultants Medical Group website says
it offers patients “uncompromising care,” but a compromise of data
is exactly what patients got after a laptop containing sensitive
client information was stolen.
- $1.5M cyber heist causes escrow firm to close its doors - A
defunct escrow firm, which failed to recover lost funds after a $1.5
million cyber heist, serves as a grave reminder to businesses to
spot telltale signs left by fraudsters.
- Citizens Bank alerts customers of "DDoS disruption" - Citizens
Bank is alerting its customers that it is experiencing “intermittent
interruption” caused by distributed denial-of-service (DDoS)
- Employee fired for emailing health data to herself - Emailing
protected health information (PHI) to a personal email address cost
one Rocky Mountain Spine Clinic employee her job last week.
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 8 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
The strategy that financial institutions choose when
implementing weblinking relationships should address ways to avoid
customer confusion regarding linked third-party products and
services. This includes disclaimers and disclosures to limit
customer confusion and a customer service plan to address confusion
when it occurs.
Disclaimers and Disclosures
Financial institutions should use clear and conspicuous webpage
disclosures to explain their limited role and responsibility with
respect to products and services offered through linked third-party
websites. The level of detail of the disclosure and its prominence
should be appropriate to the harm that may ensue from customer
confusion inherent in a particular link. The institution might post
a disclosure stating it does not provide, and is not responsible
for, the product, service, or overall website content available at a
third-party site. It might also advise the customer that its privacy
policies do not apply to linked websites and that a viewer should
consult the privacy disclosures on that site for further
information. The conspicuous display of the disclosure, including
its placement on the appropriate webpage, by effective use of size,
color, and graphic treatment, will help ensure that the information
is noticeable to customers. For example, if a financial institution
places an otherwise conspicuous disclosure at the bottom of its
webpage (requiring a customer to scroll down to read it), prominent
visual cues that emphasize the information's importance should point
the viewer to the disclosure.
In addition, the technology used to provide disclosures is
important. While many institutions may simply place a disclaimer
notice on applicable webpages, some institutions use "pop-ups," or
intermediate webpages called "speedbumps," to notify customers they
are leaving the institution's website. For the reasons described
below, financial institutions should use speedbumps rather than
pop-ups if they choose to use this type of technology to deliver
their online disclaimers.
A "pop-up" is a screen generated by mobile code, for example Java or
ActiveX, when the customer clicks on a particular hyperlink. Mobile
code is used to send small programs to the user's browser.
Frequently, those programs cause unsolicited messages to appear
automatically on a user's screen. At times, the programs may be
malicious, enabling harmful viruses or allowing unauthorized access
to a user's personal information. Consequently, customers may
reconfigure their browsers or install software to block disclosures
delivered via mobile code.
In contrast, an intermediate webpage, or "speedbump," alerts the
customer to the transition to the third-party website. Like a
pop-up, a speedbump is activated when the customer clicks on a
particular weblink. However, use of a speedbump avoids the problems
of pop-up technology, because the speedbump is not generated
externally using mobile code, but is created within the
institution's operating system, and cannot be disabled by the
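The statement above contrasts a pop-up produced by mobile code in the customer's browser with a speedbump page produced by the institution's own server. The following is an added example (not from the FFIEC interagency statement or this newsletter) of such a speedbump endpoint in Python, using only the standard library. The institution host bank.example, the /leaving path and the allowlisted third-party hosts are constructed assumptions. It goes slightly beyond the text in one respect: the outbound target is checked against the list of third parties the institution has actually agreed to link to, because an intermediate page that forwards to whatever URL appears in its query string would send customers anywhere under the institution's own domain name.

```python
"""Speedbump (intermediate page) for outbound weblinks.

Added example, not the FFIEC statement's or the newsletter's own code.
Assumes a hypothetical institution site at bank.example and a constructed
allowlist of linked third-party hosts.
"""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed allowlist: the third-party sites the institution has reviewed
# and agreed to link to. Restricting the target to this set keeps the
# /leaving endpoint from forwarding customers to arbitrary sites.
LINKED_THIRD_PARTY_HOSTS = {"partner-insurance.example", "rewards.example"}

INSTITUTION_HOST = "bank.example"  # hypothetical institution site


def is_permitted_target(url: str) -> bool:
    """True only for an absolute https URL whose host is on the allowlist.

    urlsplit().hostname is used rather than string matching so that forms
    such as "https://rewards.example@other.test/" resolve to the real host.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return (parts.hostname or "") in LINKED_THIRD_PARTY_HOSTS


def speedbump_href(target: str) -> str:
    """Rewrite an outbound link so it passes through the speedbump page.

    Raises ValueError for a target the institution has not agreed to link
    to, so an unreviewed link fails when the page is built, not when the
    customer clicks it.
    """
    if not is_permitted_target(target):
        raise ValueError(f"not a permitted weblink target: {target!r}")
    return "/leaving?" + urlencode({"to": target})


def render_speedbump(query_string: str) -> tuple[int, str]:
    """Build the intermediate page served at /leaving?to=<url>.

    Returns (HTTP status, HTML body). The disclosure is generated on the
    server, so a browser that blocks scripts or pop-ups still displays it.
    """
    params = parse_qs(query_string)
    target = params.get("to", [""])[0]
    if not is_permitted_target(target):
        # Neither echo nor follow a target that is not on the allowlist.
        return 400, "<h1>Link not recognised</h1>"
    safe_target = html.escape(target, quote=True)
    host = html.escape(urlsplit(target).hostname or "")
    body = f"""<!doctype html>
<h1>You are leaving {INSTITUTION_HOST}</h1>
<p>{INSTITUTION_HOST} does not provide, and is not responsible for, the
products, services or content available at {host}.</p>
<p>Our privacy policy does not apply to that site; review its own privacy
disclosures for further information.</p>
<p><a rel="noopener noreferrer" href="{safe_target}">Continue to {host}</a> |
<a href="/">Return to {INSTITUTION_HOST}</a></p>
"""
    return 200, body
```

The templating layer calls speedbump_href whenever it emits a link to a third-party site, and the /leaving route of whatever web framework the site uses hands its query string to render_speedbump. Because both functions apply the same allowlist, a target that was never reviewed cannot appear in a link and cannot be served even if someone constructs the /leaving URL by hand.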
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (2 of 2)
4) Accountable Activities - The responsibility for performing risk
assessments should reside primarily with members of management in
the best position to determine the scope of the assessment, and the
effectiveness of risk reduction techniques. For a mid-sized or
large institution, that organization will likely be the business
unit. The information security officer(s) are responsible for
overseeing the performance of each risk assessment and the
integration of the risk assessments into a cohesive whole. Senior
management is accountable for abiding by the board of directors'
guidance for risk acceptance and mitigation decisions.
5) Documentation - Documentation of the risk assessment process and
procedures assists in ensuring consistency and completeness, as well
as accountability. Documentation of the analysis and results
provides a useful starting point for subsequent assessments,
potentially reducing the effort required in those assessments.
Documentation of risks accepted and risk mitigation decisions is
fundamental to achieving accountability for risk decisions.
6) Enhanced Knowledge - Risk assessment increases management's
knowledge of the institution's mechanisms for storing, processing,
and communicating information, as well as the importance of those
mechanisms to the achievement of the institution's objectives.
Increased knowledge allows management to respond more rapidly to
changes in the environment. Those changes can range from new
technologies and threats to regulatory requirements.
7) Regular Updates - Risk assessments should be updated as new
information affecting information security risks is identified
(e.g., a new threat, vulnerability, adverse test result, hardware
change, software change or configuration change). At least once a
year, senior management should review the entire risk assessment to
ensure relevant information is appropriately considered.
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Initial Privacy Notice
6) Does the institution provide a clear and conspicuous notice that
accurately reflects its privacy policies and practices at least
annually (that is, at least once in any period of 12 consecutive
months) to all customers, throughout the customer relationship?
(Note: annual notices are not required for former customers.