- Court Grants Feds Warrantless Access to Utility Records -
Utilities must hand over customer records - which include credit
card numbers, phone numbers and power consumption data - to the
authorities without court warrants if drug agents believe they are
“relevant” to an investigation, a federal appeals court says.
- Appeals court dismisses warrantless wiretapping suit - Lawsuit
derailed by government claims of sovereign immunity. - On Tuesday,
the United States Court of Appeals for the Ninth Circuit, in San
Francisco, tossed one of the few remaining lawsuits fighting the
Bush Administration's warrantless wiretapping program.
- Google to pay $22.5M fine over privacy practices - The fine is the
largest ever related to an FTC complaint - Google will pay a
historic fine to settle U.S. government charges that it violated
privacy laws when it tracked via cookies users of Apple's Safari
- Pentagon proposes more robust role for its cyber-specialists - The
Pentagon has proposed that military cyber-specialists be given
permission to take action outside its computer networks to defend
critical U.S. computer systems - a move that officials say would set
a significant precedent.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Amazon fixes security flaw hackers used against a Wired journalist
- Hack exposed shortcomings in Apple, Amazon security. Amazon acted,
but Apple... - Days after a devastating cyber attack on the Wired
journalist that exposed security flaws in Amazon's and Apple's
online services, Amazon has fixed a problem that helped hackers gain
control over the journalist's online accounts.
- Shylock malware injects rogue phone numbers in online banking
websites - Fraudsters attempt to trick victims into contacting them
instead of their banks - New configurations of the Shylock financial
malware inject attacker-controlled phone numbers into the contact
pages of online banking websites, according to security researchers
from antivirus vendor Symantec.
- WikiLeaks undergoing massive denial-of-service attack - The
website for news organization WikiLeaks remains down, the victim of
a week-long and massive distributed denial-of-service attack.
- Personal data on thousands of University of Arizona students
publicly viewable - Students, vendors and others who received
payments from the University of Arizona last year had their personal
data posted to the school's public server.
- Hackers Encrypt Health Records and Hold Data for Ransom - As more
patient records go digital, a recent hacker attack on a small
medical practice shows the big risks involved with electronic files.
- Pro-Hezbollah hacker leaks Israeli credit card info - A
pro-Hezbollah hacker published personal information and credit card
details of dozens of Israelis Wednesday night, all of it apparently
stolen from the online storage company Webgate.
- Airport VPN hacked using Citadel malware - The pervasive Citadel
trojan, typically reserved for financial theft, was used to beat
two-factor authentication and hack into the virtual private network
(VPN) of a major international airport, researchers revealed
- Stolen laptop at Apria Healthcare exposes patient data - The theft
of a laptop of an Apria Healthcare employee could expose health and
personal information of several thousand patients of the
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank

Sound Practices for Managing Outsourced E-Banking Systems (Part 1 of 3)
1. Banks should adopt appropriate processes for evaluating decisions
to outsource e-banking systems or services.
a) Bank management should clearly identify the strategic purposes,
benefits and costs associated with entering into outsourcing
arrangements for e-banking with third parties.
b) The decision to outsource a key e-banking function or service
should be consistent with the bank's business strategies, be based
on a clearly defined business need, and recognize the specific risks
that outsourcing entails.
c) All affected areas of the bank need to understand how the
service provider(s) will support the bank's e-banking strategy and
fit into its operating structure.
2. Banks should conduct appropriate risk analysis and due diligence
prior to selecting an e-banking service provider and at appropriate
a) Banks should consider developing processes for soliciting
proposals from several e-banking service providers and criteria for
choosing among the various proposals.
b) Once a potential service provider has been identified, the bank
should conduct an appropriate due diligence review, including a risk
analysis of the service provider's financial strength, reputation,
risk management policies and controls, and ability to fulfill its
c) Thereafter, banks should regularly monitor and, as appropriate,
conduct due diligence reviews of the ability of the service provider
to fulfill its service and associated risk management obligations
throughout the duration of the contract.
d) Banks need to ensure that adequate resources are committed to
overseeing outsourcing arrangements supporting e-banking.
e) Responsibilities for overseeing e-banking outsourcing
arrangements should be clearly assigned.
f) An appropriate exit strategy for the bank to manage risks should
it need to terminate the outsourcing relationship.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY TESTING - INDEPENDENT DIAGNOSTIC TESTS
(This is the type of independent diagnostic testing that we
perform. Please refer to
http://www.internetbankingaudits.com/ for information.)
Independent diagnostic tests include penetration tests, audits, and
assessments. Independence provides credibility to the test results.
To be considered independent, testing personnel should not be
responsible for the design, installation, maintenance, and operation
of the tested system, as well as the policies and procedures that
guide its operation. The reports generated from the tests should be
prepared by individuals who also are independent of the design,
installation, maintenance, and operation of the tested system.
Penetration tests, audits, and assessments can
use the same set of tools in their methodologies. The nature of the
tests, however, is decidedly different. Additionally, the
definitions of penetration test and assessment, in particular, are
not universally held and have changed over time.
Penetration Tests. A penetration test subjects a system to
real-world attacks selected and conducted by the testing
personnel. The benefit of a penetration test is to identify the
extent to which a system can be compromised before the attack is
identified and assess the response mechanism's effectiveness.
Penetration tests generally are not a comprehensive test of the
system's security and should be combined with other independent
diagnostic tests to validate the effectiveness of the security
Audits. Auditing compares current practices against a set of
standards. Industry groups or institution management may create
those standards. Institution management is responsible for
demonstrating that the standards they adopt are appropriate for
Assessments. An assessment is a study to locate security
vulnerabilities and identify corrective actions. An assessment
differs from an audit by not having a set of standards to test
against. It differs from a penetration test by providing the tester
with full access to the systems being tested. Assessments may be
focused on the security process or the information system. They may
also focus on different aspects of the information system, such as
one or more hosts or networks.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
32. When a customer relationship ends, does the institution continue
to apply the customer's opt out direction to the nonpublic personal
information collected during, or related to, that specific customer
relationship (but not to new relationships, if any, subsequently
established by that customer)? [§7(g)(2)]