REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

Community Bank Technology Conference - If you have nothing on your plate, plan to attend the Independent Community Bankers of America’s Community Bank Technology Conference, September 12-14, 2012 in Las Vegas. I will be speaking Thursday on auditing community banks.  For more information please visit http://www.icba.org/events/eventdetail.cfm?EventID=199421. 

FYI - US boardrooms wake up to data security - But work still needs to be done by businesses to be fully protected - corporate America says data security is now the main concern in the boardroom when it comes to legal considerations. http://www.computerworlduk.com/news/it-business/3376626/us-boardrooms-wake-up-data-security/

FYI - California approves Location Privacy Act: 'Get a warrant' - Summary: A new privacy bill, forcing police and law enforcement to obtain a warrant before gathering cellphone GPS or location data, has been passed by California state legislators. http://www.zdnet.com/california-approves-location-privacy-act-get-a-warrant-7000003050/

FYI - GAO Questions EPA's Ability to Secure Data - Audit: Security Control Weaknesses Pervade IT Systems - Environmental Protection Agency, jeopardizing the agency's ability to sufficiently protect the confidentiality, integrity and availability of its information and systems, the Government Accountability Office said in an audit made public Aug. 21. http://www.govinfosecurity.com/gao-questions-epas-ability-to-secure-data-a-5051

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Siemens 'flaw' claim sparks US power plant security probe -The US government is investigating claims that a flaw in Siemens' networking equipment could enable hackers to attack power plants and other critical systems. http://www.bbc.com/news/technology-19343131

FYI - Researchers consider threat of car hacking -McAfee's year-old team of elite hackers has been researching a place many people wouldn't think is vulnerable to attack - the automobile. http://www.scmagazine.com/researchers-consider-threat-of-car-hacking/article/255698/?DCMP=EMC-SCUS_Newswire

FYI - Students improperly view file that contained personal data - A file containing the personal information of current and former Colorado State University-Pueblo students was accessed last spring by unauthorized users. http://www.scmagazine.com/students-improperly-view-file-that-contained-personal-data/article/256047/?DCMP=EMC-SCUS_Newswire

FYI - Riding low and slow, Hikit targets U.S. defense contractors - Researchers at security firm Mandiant have identified a backdoor trojan, called Hikit, which has targeted a small number of defense contractors in the United States. http://www.scmagazine.com/riding-low-and-slow-hikit-targets-us-defense-contractors/article/256332/?DCMP=EMC-SCUS_Newswire

FYI - Saudi oil company back online after cyber sabotage attempt - Saudi Arabia-based oil company Saudi Aramco said it has restored internal network services after about 30,000 workstations were infected earlier this month with an unknown piece of sabotage malware.
http://www.scmagazine.com/saudi-oil-company-back-online-after-cyber-sabotage-attempt/article/256313/?DCMP=EMC-SCUS_Newswire
http://www.bbc.com/news/technology-19389401

FYI - University of Rhode Island server breach exposes staff and student data - University of Rhode Island (URI) officials disabled the school's College of Business Administration computer server, after the personal information of more than 1,000 faculty and students, as well as students from another school, was publicly available. http://www.scmagazine.com/university-of-rhode-island-server-breach-exposes-staff-and-student-data/article/256398/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Sound Practices for Managing Outsourced E-Banking Systems and Services (Part 3 of 3)

4. Banks should ensure that periodic independent internal and/or external audits are conducted of outsourced operations to at least the same scope required if such operations were conducted in-house.

a)   For outsourced relationships involving critical or technologically complex e-banking services/applications, banks may need to arrange for other periodic reviews to be performed by independent third parties with sufficient technical expertise.

5. Banks should develop appropriate contingency plans for outsourced e-banking activities.

a)  Banks need to develop and periodically test their contingency plans for all critical e-banking systems and services that have been outsourced to third parties.

b)  Contingency plans should address credible worst-case scenarios for providing continuity of e-banking services in the event of a disruption affecting outsourced operations.

c)   Banks should have an identified team that is responsible for managing recovery and assessing the financial impact of a disruption in outsourced e-banking services.

6. Banks that provide e-banking services to third parties should ensure that their operations, responsibilities, and liabilities are sufficiently clear so that serviced institutions can adequately carry out their own effective due diligence reviews and ongoing oversight of the relationship.

a)   Banks have a responsibility to provide serviced institutions with information necessary to identify, control and monitor any risks associated with the e-banking service arrangement.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY TESTING - OUTSOURCED SYSTEMS

Management is responsible for ensuring institution and customer data is protected, even when that data is transmitted, processed, or stored by a service provider. Service providers should have appropriate security testing based on the risk to their organization, their customer institutions, and the institution's customers. Accordingly, management and auditors evaluating TSPs providers should use the above testing guidance in performing initial due diligence, constructing contracts, and exercising ongoing oversight or audit responsibilities. Where indicated by the institution's risk assessment, management is responsible for monitoring the testing performed at the service provider through review of timely audits and test results or other equivalent evaluations.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

34. Does the institution deliver a revised privacy notice when it: 

a. discloses a new category of nonpublic personal information to a nonaffiliated third party; [§8(b)(1)(i)]

b. discloses nonpublic personal information to a new category of nonaffiliated third party; [§8(b)(1)(ii)] or

c. discloses nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure? [§8(b)(1)(iii)]

(Note: a revised notice is not required if the institution adequately described the nonaffiliated third party or information to be disclosed in the prior privacy notice. [§8(b)(2)])