REMINDER - This newsletter is available for Android smartphones and
tablets. Go to the Market Store and search for yennik.
- FDA issues encryption, authentication rules for medical devices -
The Food and Drug Administration (FDA) has issued new guidance on
the radio frequencies of wireless medical devices, including
recommendations for authentication and encryption measures to ensure
the security of the device and the safety of the patient.
- Trustworthiness can't guarantee security, but it's indispensable -
The unfortunate reality today is that some of the most brilliant
minds in computing have dedicated themselves to creating innovative
ways of attacking IT infrastructures.
- Stern new data breach reporting requirement takes hold in EU -
Data breaches are reported nearly every day and one noticeable trend
is the occasional delay between when the breach is discovered and
when authorities and affected people are notified.
- For network managers, security the top "pain" - Concerns about
security have become the greatest source of worry among network
managers, a recent study has found.
- Fraudsters target "wire payment switch" at banks to steal millions
- Instead of targeting the bank accounts of individuals or
organizations, criminals recently took over the wire payment switch
at several U.S. banks to steal millions from their choice of
accounts, according to a security analyst.
- Insurer to Schnucks: We won't pay for lawsuits related to your
breach - The insurer for Midwestern supermarket chain Schnucks,
whose systems were hacked last winter to steal 2.4 million credit
card numbers, is claiming in court that the grocer's policy doesn't
cover the cost of lawsuits arising from the breach.
- Defense Hires Cyber Chief for Industry Information-sharing Program
- The U.S. military has tapped an IBM executive to encourage
Pentagon contractors to come clean about network breaches that might
compromise government data, Defense Department officials said on
- Groklaw news website abandoned over US surveillance, by Pia Gadkari
- An award-winning legal news website has stopped work, saying it
cannot operate under current US surveillance policies.
- EU 24-hour breach disclosure laws to come into force - European
Union regulations designed to force telecom operators and internet
service providers (ISPs) to notify national authorities within 24
hours of detecting a data breach are set to take effect on 25
August, despite widespread criticism from numerous UK government
- Sept. 23 deadline looms for business compliance with HITECH Act on
patient privacy - Organizations handling healthcare data have a
month to comply with new security and privacy requirements under the
Health Information Technology for Economic and Clinical Health (HITECH)
- Snowden suspected of bypassing electronic logs - The U.S.
government's efforts to determine which highly classified materials
leaker Edward Snowden took from the National Security Agency have
been frustrated by Snowden's sophisticated efforts to cover his
digital trail by deleting or bypassing electronic logs, government
officials told The Associated Press. Such logs would have showed
what information Snowden viewed or downloaded.
- School district hires company to follow kids' Facebook, Twitter -
The Glendale Unified School District in Southern California
outsources keeping tabs on troublemakers as well as identifying kids
in trouble. At least these are its justifications.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Nasdaq Stock Exchange Goes Dark After Tech Glitch - A technical
glitch has been cited as the cause of an unprecedented halt of
trading on the Nasdaq stock exchange today.
- 'Hacked' estate agency Foxtons breaks glass, pulls password reset
cord - 10,000 account logins feared leaked all over the web - Trendy
UK estate agency Foxtons pushed the big red password reset button,
as a precaution, after it appeared hackers lifted thousands of
clients' usernames and passwords from its systems.
- University attaches spreadsheet containing personal data to emails
- Thousands of students are at risk after a spreadsheet containing
their personal information was inadvertently attached to a
campus-wide email sent out by the University of Mississippi Medical
Center (UMC) Accounting Department.
- Data of millions at risk after Illinois medical group burglary -
Millions of patients of the largest physician group in Chicago had
their personal data stolen in an apparent burglary.
- Major DDoS attacks .cn domain; disrupts Internet in China - It's
still unclear where the DDoS attack originated from - China's
Internet was hit with a major distributed denial of service (DDoS)
attack Sunday morning that briefly disrupted and slowed access to
sites in the .cn domain.
- Instagram, Vine and Netflix hit by Amazon glitch - Software
problems at one of Amazon's data centres have knocked out several
high profile web services.
- Hacker group takes responsibility for DNS attack on major media
sites - That's what the Syrian Electronic Army (SEA) tweeted
Tuesday, as the pro-Assad hacker collective announced domains
belonging to The New York Times, Huffington Post U.K., Twitter were
- Email asking how health care nonprofit handles personal data
contained personal data - A document inadvertently attached to a
Hope Community Resources (HCR) email survey contained the personal
information for thousands of people.
- Internet in China shaken by biggest-ever DDoS attacks - The
Chinese government is reporting that it experienced its largest-ever
distributed denial-of-service (DDoS) attacks over the weekend.
WEB SITE COMPLIANCE -
This week begins our series on the FDIC's Supervisory Policy on
Identity Theft (Part 1 of 6)
Supervisory Policy on Identity Theft
Identity theft is fraud committed or attempted by using the
identifying information of another person without his or her
authority. Identifying information may include such things as a
Social Security number, account number, date of birth, driver's
license number, passport number, biometric data and other unique
electronic identification numbers or codes. As more financial
transactions are done electronically and remotely, and as more
sensitive information is stored in electronic form, the
opportunities for identity theft have increased significantly. This
policy statement describes the characteristics of identity theft and
emphasizes the FDIC's well-defined expectations that institutions
under its supervision detect, prevent and mitigate the effects of
identity theft in order to protect consumers and help ensure safe
and sound operations.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
The goal of logical and administrative access control is to restrict
access to system resources. Access should be provided only to
authorized individuals whose identity is established, and their
activities should be limited to the minimum required for business
purposes. Authorized individuals (users) may be employees, TSP
employees, vendors, contractors, customers, or visitors.
An effective control mechanism includes numerous controls to
safeguard and limit access to key information system assets. This
section addresses logical and administrative controls, including
access rights administration and authentication through network,
operating system, application, and remote access. A subsequent
section addresses physical security controls.
ACCESS RIGHTS ADMINISTRATION (1 of 5)
Action Summary - Financial institutions should have an effective
process to administer access rights. The process should include the
1) Assign users and system resources only the access required to
perform their required functions,
2) Update access rights based on personnel or system changes,
3) Periodically review users' access rights at an appropriate
frequency based on the risk to the application or system, and
4) Design appropriate acceptable-use policies and require users to
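The first three items of the action summary above (least-privilege assignment, updating rights on personnel changes, and risk-based periodic review) are mechanical enough to script. The following is an added example, not part of the FFIEC booklet or this newsletter; the role-to-entitlement map, the risk ratings, the review intervals and the user and grant records are all constructed sample data, and the entitlement naming scheme (system:privilege) is an assumption made for the example.

```python
"""Access-rights review: excess entitlements, stale grants, overdue reviews."""
from dataclasses import dataclass
from datetime import date, timedelta

# Least-privilege baseline: what each job role legitimately needs (constructed).
ROLE_ENTITLEMENTS = {
    "teller": {"core:view_account", "core:post_deposit"},
    "loan_officer": {"core:view_account", "loans:originate"},
    "sysadmin": {"os:root", "core:view_account"},
}

# Risk rating per system and the review cadence (days) each rating demands (constructed).
SYSTEM_RISK = {"core": "high", "loans": "medium", "os": "high"}
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}

# Fixed "today" so the example is deterministic.
TODAY = date(2013, 8, 30)


@dataclass
class User:
    name: str
    role: str
    active: bool  # False once HR records a termination or transfer


@dataclass
class Grant:
    user: str
    entitlement: str  # assumed format "system:privilege"
    last_reviewed: date


# Constructed sample roster and entitlement grants.
USERS = [
    User("alice", "teller", active=True),
    User("bob", "loan_officer", active=True),
    User("carol", "sysadmin", active=False),  # left the institution
]
GRANTS = [
    Grant("alice", "core:view_account", TODAY - timedelta(days=10)),
    Grant("alice", "loans:originate", TODAY - timedelta(days=10)),   # beyond teller role
    Grant("bob", "core:view_account", TODAY - timedelta(days=200)),  # high-risk system, 90-day cadence
    Grant("bob", "loans:originate", TODAY - timedelta(days=100)),    # medium-risk, 180-day cadence
    Grant("carol", "os:root", TODAY - timedelta(days=30)),           # holder no longer active
]


def excess_entitlements(user, grants):
    """Item 1: entitlements the user holds beyond what the role requires."""
    allowed = ROLE_ENTITLEMENTS.get(user.role, set())  # unknown role => nothing allowed
    return sorted(g.entitlement for g in grants
                  if g.user == user.name and g.entitlement not in allowed)


def stale_grants(users, grants):
    """Item 2: grants still held by people HR no longer lists as active."""
    active = {u.name for u in users if u.active}
    return sorted((g.user, g.entitlement) for g in grants if g.user not in active)


def overdue_reviews(grants, today):
    """Item 3: grants whose last review is older than the system's risk-based interval."""
    overdue = []
    for g in grants:
        system = g.entitlement.split(":", 1)[0]
        interval = REVIEW_INTERVAL_DAYS[SYSTEM_RISK.get(system, "high")]  # unrated => treat as high
        if today - g.last_reviewed > timedelta(days=interval):
            overdue.append((g.user, g.entitlement))
    return sorted(overdue)


def run_review(users, grants, today):
    """Combine the three checks into one findings report for the access-rights owner."""
    excess = {u.name: excess_entitlements(u, grants) for u in users}
    return {
        "excess": {name: ents for name, ents in excess.items() if ents},
        "stale": stale_grants(users, grants),
        "overdue": overdue_reviews(grants, today),
    }


if __name__ == "__main__":
    for category, items in run_review(USERS, GRANTS, TODAY).items():
        print(f"{category}: {items}")
```

Each finding maps back to one of the numbered items: an excess entitlement is a least-privilege violation to revoke, a stale grant is a personnel change the access process missed, and an overdue review shows where the cadence is not keeping up with the system's risk rating. Treating unrated systems as high risk keeps a gap in the inventory from silently relaxing the review schedule.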
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Content of Privacy Notice (Part 2 of 2)
8) Do the initial, annual, and revised privacy notices include each
of the following, as applicable: (Part 2 of 2)
e) if the institution discloses nonpublic personal information to a
nonaffiliated third party under §13, and no exception under §14 or
§15 applies, a separate statement of the categories of information
the institution discloses and the categories of third parties with
whom the institution has contracted; [§6(a)(5)]
f) an explanation of the opt out right, including the method(s) of
opt out that the consumer can use at the time of the notice;
g) any disclosures that the institution makes under §603(d)(2)(A)(iii)
of the Fair Credit Reporting Act (FCRA); [§6(a)(7)]
h) the institution's policies and practices with respect to
protecting the confidentiality and security of nonpublic personal
information; [§6(a)(8)] and
i) a general statement--with no specific reference to the
exceptions or to the third parties--that the institution makes
disclosures to other nonaffiliated third parties as permitted by
law? [§6(a)(9), (b)]