R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

September 8, 2013

CONTENTS: Web Site Compliance, IT Security, Internet Privacy, Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - How to perform a SaaS inventory in five simple steps - According to a recent survey, 71 percent of respondents admitted to using software-as-a-service (SaaS) apps that were not blessed by IT. http://www.scmagazine.com/how-to-perform-a-saas-inventory-in-five-simple-steps/article/309446/?DCMP=EMC-SCUS_Newswire

FYI - Feds developing guidelines to help businesses to better secure their IT systems - Following through on an order earlier this year from U.S. President Barack Obama, the National Institute of Standards and Technology (NIST) is rapidly developing a set of guidelines and best practices to help organizations better secure their IT systems. http://www.pcworld.com/article/2047778/nist-subjects-draft-cybersecurity-framework-to-more-public-scrutiny.html

FYI - Three Charged With Stealing Flow Traders Trading Software - Two men who were employed by Flow Traders were charged in New York with stealing the firm’s electronic trading software by e-mailing it to themselves from their work accounts. http://www.bloomberg.com/news/2013-08-26/three-charged-with-stealing-flow-traders-trading-software.html

FYI - Compliance and security vulnerabilities are top concerns for POS systems - Without adequate controls to manage store systems and the increase in number and variety of devices - retailers can expect security costs to continue to increase rapidly. http://www.net-security.org/secworld.php?id=15475

FYI - India will reportedly ban use of US e-mail services - The government is said to be planning a formal notification to employees banning them from using e-mail providers with servers in the U.S. such as Gmail, to increase the security of confidential government information. http://www.zdnet.com/in/india-will-reportedly-ban-use-of-us-e-mail-services-7000020059/

FYI - Banks' resilience to cyber crime to be tested by Government - Banks’ resilience to cyber attacks are being rated by government officials for the first time amid concerns about the increasing risks to the financial system from electronic criminals and terrorists. http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/10278187/Banks-resilience-to-cyber-crime-to-be-tested-by-Government.html

FYI - Scots council cops £100K fine for spaffing vulnerable kids' data ONLINE - UK data privacy watchdogs have fined Aberdeen City Council £100,000 after a council employee published vulnerable children's details online. http://www.theregister.co.uk/2013/09/02/aberdeen_ico_fine/

FYI - Exclusive: Army Admits To Major Computer Security Flaw - Army’s Deputy of Cybersecurity told BuzzFeed a security failure can allow unauthorized access to computer files. Instead of fixing it, they are telling soldiers to be more careful. http://www.buzzfeed.com/justinesharrock/exclusive-army-admits-to-major-computer-security-flaw

FYI - State-sponsored attacks worsen, but security pros unequipped to spot threat - A majority of IT security professionals said they were unsure whether their own corporate networks had fallen victim to state-sponsored attackers. http://www.scmagazine.com/study-state-sponsored-attacks-worsen-but-security-pros-unequipped-to-spot-threat/article/310267/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hacker group takes responsibility for DNS attack on major media sites - That's what the Syrian Electronic Army (SEA) tweeted Tuesday, as the pro-Assad hacker collective announced domains belonging to The New York Times, Huffington Post U.K., and Twitter were compromised. http://www.scmagazine.com/hacker-group-takes-responsiblity-for-dns-attack-on-major-media-sites/article/309132/

FYI - Supercomputer hacker coughs to flogging DoE logins to FBI agent - The US hacker caught after trying to sell Department of Energy supercomputer logins to an undercover FBI agent has pleaded guilty in a deal that could see him go to jail for up to 18 months. http://www.theregister.co.uk/2013/08/28/hacker_plea_deal/

FYI - Five arrested after HMRC finds £500,000 online tax fraud - Police have arrested five members of a criminal cyber gang on suspicion of tax fraud, after they allegedly attempted to steal £500,000 by falsely claiming rebates using the identities of 700 British citizens. http://www.computerworlduk.com/news/security/3465705/five-arrested-after-hmrc-finds-500000-online-tax-fraud/

FYI - Citibank to pay CT fine for website vulnerability - Citibank N.A. will pay $55,000 to the state and undergo a third-party security audit for failing to act quickly enough to fix a known security vulnerability on its website. http://www.hartfordbusiness.com/article/20130829/NEWS01/130829864

FYI - Home brewing and wine making company website cracked open by hackers - Alcohol aficionados who made purchases with home brewing and wine making company Midwest Supplies may have had their credit card details compromised in a website breach. http://www.scmagazine.com/home-brewing-and-wine-making-company-website-cracked-open-by-hackers/article/309556/?DCMP=EMC-SCUS_Newswire

FYI - Hacktivists take claim for defacement of Marines site - A hacker collective that has previously taken responsibility for a series of high-profile attacks, including those against The New York Times, now claims it defaced a Marine Corps recruiting website. http://www.scmagazine.com/hacktivists-take-claim-for-defacement-of-marines-site/article/310016/?DCMP=EMC-SCUS_Newswire#

FYI - Military employee "dealt with" for emailing personnel data home - An unidentified Hill Air Force Base employee was looking to work from home, but instead had to be “dealt with” after he emailed personal information on hundreds of colleagues to an unprotected personal email address. http://www.scmagazine.com/military-employee-dealt-with-for-emailing-personnel-data-home/article/309443/?DCMP=EMC-SCUS_Newswire

FYI - Unencrypted medical laptop goes missing, compromising patients - Information may have been compromised for patients of UT Physicians – the medical practice at University of Texas Health Science Center at Houston (UTHealth) – after an unencrypted laptop containing the data was reported missing. http://www.scmagazine.com/unencrypted-medical-laptop-goes-missing-compromising-patients/article/309913/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE
This week continues our series on the FDIC's Supervisory Policy on Identity Theft (Part 2 of 6)

Characteristics of Identity Theft

At this time, the majority of identity theft is committed using hard-copy identification or other documents obtained from the victim without his or her permission. A smaller, but significant, amount of identity theft is committed electronically via phishing, spyware, hacking and computer viruses.  Financial institutions are among the most frequent targets of identity thieves since they store sensitive information about their customers and hold customer funds in accounts that can be accessed remotely and transferred electronically.

Identity theft may harm consumers in several ways. First, an identity thief may gain access to existing accounts maintained by consumers and either transfer funds out of deposit accounts or incur charges to credit card accounts. Identity thieves may also open new accounts in the consumer's name, incur expenses, and then fail to pay. This is likely to prompt creditors to attempt to collect payment from the consumer for debts the consumer did not incur. In addition, inaccurate adverse information about the consumer's payment history may prevent the consumer from obtaining legitimate credit when he or she needs it. An identity theft victim can spend months or years attempting to correct errors in his or her credit record.

INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

Access Rights Administration (2 of 5)

System devices, programs, and data are system resources. Each system resource may need to be accessed by other system resources and individuals in order for work to be performed. Access beyond the minimum required for work to be performed exposes the institution's systems and information to a loss of confidentiality, integrity, and availability. Accordingly, the goal of access rights administration is to identify and restrict access to any particular system resource to the minimum required for work to be performed.  The financial institution's security policy should address access rights to system resources and how those rights are to be administered.

Management and information system administrators should critically evaluate information system access privileges and establish access controls to prevent unwarranted access.  Access rights should be based upon the needs of the applicable user or system resource to carry out legitimate and approved activities on the financial institution's information systems.  Policies, procedures, and criteria need to be established for both the granting of appropriate access rights and for the purpose of establishing those legitimate activities.  Formal access rights administration for users consists of four processes:

- An enrollment process to add new users to the system;

- An authorization process to add, delete, or modify authorized user access to operating systems, applications, directories, files, and specific types of information;

- An authentication process to identify the user during subsequent activities; and

- A monitoring process to oversee and manage the access rights granted to each user on the system.
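As an added illustration of the four processes listed above (this is example code written for this newsletter, not text or code from the FFIEC booklet), the following Python sketch models enrollment, authorization, authentication and a monitoring review that compares the rights each user actually holds against a least-privilege baseline for the user's role.  The role names, rights, user names, passwords and dates are constructed for the example; in a real institution the baseline would come from the access policy and the held rights from the directory or application.

```python
# Added illustration; roles, rights, users and dates are constructed, not the booklet's.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed least-privilege baseline: what each role needs and nothing more.
ROLE_BASELINE = {
    "teller": {"core:read", "core:post_txn"},
    "sysadmin": {"core:read", "os:admin"},
}


@dataclass
class User:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes
    enrolled_at: datetime
    rights: set = field(default_factory=set)
    last_login: Optional[datetime] = None


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccessRegistry:
    def __init__(self):
        self.users = {}
        self.audit = []  # every enrollment, grant, revoke and login decision

    def _log(self, event, **detail):
        self.audit.append({"event": event, **detail})

    # 1. Enrollment: a new user starts with exactly the baseline rights of the role.
    def enroll(self, name, role, password, now):
        salt = os.urandom(16)
        self.users[name] = User(name, role, salt, _hash(password, salt), now,
                                rights=set(ROLE_BASELINE[role]))
        self._log("enroll", user=name, role=role)

    # 2. Authorization: rights change only through a recorded, approved action.
    def grant(self, name, right, approver):
        self.users[name].rights.add(right)
        self._log("grant", user=name, right=right, approver=approver)

    def revoke(self, name, right, approver):
        self.users[name].rights.discard(right)
        self._log("revoke", user=name, right=right, approver=approver)

    def is_authorized(self, name, right):
        user = self.users.get(name)
        return user is not None and right in user.rights

    # 3. Authentication: identify the user on each subsequent activity.
    def authenticate(self, name, password, now):
        user = self.users.get(name)
        ok = user is not None and hmac.compare_digest(
            _hash(password, user.salt), user.pw_hash)
        if ok:
            user.last_login = now
        self._log("auth_ok" if ok else "auth_fail", user=name)
        return ok

    # 4. Monitoring: compare held rights with the baseline and flag dormant users.
    def review(self, now, dormant_after=timedelta(days=90)):
        findings = []
        for u in self.users.values():
            excess = u.rights - ROLE_BASELINE[u.role]
            if excess:
                findings.append((u.name, "excess_rights", sorted(excess)))
            idle = now - (u.last_login or u.enrolled_at)
            if idle > dormant_after:
                findings.append((u.name, "dormant", idle.days))
        return findings


def demo():
    # Constructed walk-through of all four processes; returns what was observed.
    t0 = datetime(2013, 6, 1)
    reg = AccessRegistry()
    reg.enroll("alice", "teller", "correct horse", t0)
    reg.enroll("bob", "sysadmin", "battery staple", t0)
    out = {
        "login_ok": reg.authenticate("alice", "correct horse", t0 + timedelta(days=100)),
        "login_bad": reg.authenticate("alice", "wrong", t0 + timedelta(days=100)),
    }
    reg.grant("alice", "os:admin", approver="cio")  # exceeds the teller baseline
    out["admin_after_grant"] = reg.is_authorized("alice", "os:admin")
    out["findings"] = reg.review(t0 + timedelta(days=120))  # bob idle 120 days
    reg.revoke("alice", "os:admin", approver="cio")
    out["findings_after_revoke"] = reg.review(t0 + timedelta(days=120))
    out["audit_events"] = [e["event"] for e in reg.audit]
    return out
```

Calling demo() runs the walk-through: the review reports alice's one-off "os:admin" grant as excess over the teller baseline and bob, who never logged in, as dormant after 120 days; once the grant is revoked only the dormant finding remains.  The audit list is what the monitoring process would actually be reviewing in practice, and the review itself is the periodic re-certification that examiners expect to see evidence of.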



INTERNET PRIVACY
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

9)  Does the institution list the following categories of nonpublic personal information that it collects, as applicable:

a)  information from the consumer; [§6(c)(1)(i)]

b)  information about the consumer's transactions with the institution or its affiliates; [§6(c)(1)(ii)]

c)  information about the consumer's transactions with nonaffiliated third parties; [§6(c)(1)(iii)] and

d)  information from a consumer reporting agency? [§6(c)(1)(iv)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated