- How to perform a SaaS inventory in five simple steps - According
to a recent survey, 71 percent of respondents admitted to using
software-as-a-service (SaaS) apps that were not blessed by IT.
- Feds developing guidelines to help businesses to better secure
their IT systems - Following through on an order earlier this year
from U.S. President Barack Obama, the National Institute of
Standards and Technology (NIST) is rapidly developing a set of
guidelines and best practices to help organizations better secure
their IT systems.
- Three Charged With Stealing Flow Traders Trading Software - Two
men who were employed by Flow Traders were charged in New York with
stealing the firm’s electronic trading software by e-mailing it to
themselves from their work accounts.
- Compliance and security vulnerabilities are top concerns for POS
systems - Without adequate controls to manage store systems, and with
the increase in the number and variety of devices, retailers can expect
security costs to continue to increase rapidly.
- India will reportedly ban use of US e-mail services - The
government is said to be planning a formal notification to employees
banning them from using e-mail providers with servers in the U.S.
such as Gmail, to increase the security of confidential government
- Banks' resilience to cyber crime to be tested by Government -
Banks’ resilience to cyber attacks is being rated by government
officials for the first time amid concerns about the increasing
risks to the financial system from electronic criminals and
- Scots council cops £100K fine for spaffing vulnerable kids' data
ONLINE - UK data privacy watchdogs have fined Aberdeen City Council
£100,000 after a council employee published vulnerable children's
- Exclusive: Army Admits To Major Computer Security Flaw - Army’s
Deputy of Cybersecurity told BuzzFeed a security failure can allow
unauthorized access to computer files. Instead of fixing it, they
are telling soldiers to be more careful.
- State-sponsored attacks worsen, but security pros unequipped to
spot threat - A majority of IT security professionals said they were
unsure whether their own corporate networks had fallen victim to
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Hacker group takes responsibility for DNS attack on major media
sites - That's what the Syrian Electronic Army (SEA) tweeted
Tuesday, as the pro-Assad hacker collective announced domains
belonging to The New York Times, Huffington Post U.K., and Twitter
- Supercomputer hacker coughs to flogging DoE logins to FBI agent -
The US hacker caught after trying to sell Department of Energy
supercomputer logins to an undercover FBI agent has pleaded guilty
in a deal that could see him go to jail for up to 18 months.
- Five arrested after HMRC finds £500,000 online tax fraud - Police
have arrested five members of a criminal cyber gang on suspicion of
tax fraud, after they allegedly attempted to steal £500,000 by
falsely claiming rebates using the identities of 700 British
- Citibank to pay CT fine for website vulnerability - Citibank N.A.
will pay $55,000 to the state and undergo a third-party security
audit for failing to act quickly enough to fix a known security
vulnerability on its website.
- Home brewing and wine making company website cracked open by
hackers - Alcohol aficionados who made purchases with home brewing
and wine making company Midwest Supplies may have had their credit
card details compromised in a website breach.
- Hacktivists take claim for defacement of Marines site - A hacker
collective that has previously taken responsibility for a series of
high-profile attacks, including those against The New York Times,
now claims it defaced a Marine Corps recruiting website.
- Military employee "dealt with" for emailing personnel data home -
An unidentified Hill Air Force Base employee was looking to work
from home, but instead had to be “dealt with” after he emailed
personal information on hundreds of colleagues to an unprotected
personal email address.
- Unencrypted medical laptop goes missing, compromising patients -
Information may have been compromised for patients of UT Physicians
– the medical practice at University of Texas Health Science Center
at Houston (UTHealth) – after an unencrypted laptop containing the
data was reported missing.
WEB SITE COMPLIANCE -
This week continues our series on the FDIC's Supervisory Policy on
Identity Theft (2 of 6)
Characteristics of Identity Theft
At this time, the majority of identity theft is committed using
hard-copy identification or other documents obtained from the victim
without his or her permission. A smaller, but significant, amount of
identity theft is committed electronically via phishing, spyware,
hacking and computer viruses. Financial institutions are among
the most frequent targets of identity thieves since they store
sensitive information about their customers and hold customer funds
in accounts that can be accessed remotely and transferred.
Identity theft may harm consumers in several ways. First, an
identity thief may gain access to existing accounts maintained by
consumers and either transfer funds out of deposit accounts or incur
charges to credit card accounts. Identity thieves may also open new
accounts in the consumer's name, incur expenses, and then fail to
pay. This is likely to prompt creditors to attempt to collect
payment from the consumer for debts the consumer did not incur. In
addition, inaccurate adverse information about the consumer's
payment history may prevent the consumer from obtaining legitimate
credit when he or she needs it. An identity theft victim can spend
months or years attempting to correct errors in his or her credit
INFORMATION TECHNOLOGY SECURITY - We continue
our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (2 of 5)
System devices, programs, and data are system resources. Each system
resource may need to be accessed by other system resources and
individuals in order for work to be performed. Access beyond the
minimum required for work to be performed exposes the institution's
systems and information to a loss of confidentiality, integrity, and
availability. Accordingly, the goal of access rights administration
is to identify and restrict access to any particular system resource
to the minimum required for work to be performed. The
financial institution's security policy should address access rights
to system resources and how those rights are to be administered.
Management and information system administrators should critically
evaluate information system access privileges and establish access
controls to prevent unwarranted access. Access rights should be
based upon the needs of the applicable user or system resource to
carry out legitimate and approved activities on the financial
institution's information systems. Policies, procedures, and
criteria need to be established for both the granting of appropriate
access rights and for the purpose of establishing those legitimate
activities. Formal access rights administration for users consists
of four processes:
- An enrollment process to add new users to the system;
- An authorization process to add, delete, or modify authorized user
access to operating systems, applications, directories, files, and
specific types of information;
- An authentication process to identify the user during subsequent
- A monitoring process to oversee and manage the access rights
granted to each user on the system.
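The following is an added example, not text or code from the FFIEC booklet or the newsletter: a small Python model of the four processes above (enrollment, authorization, authentication, monitoring), with a review step that flags rights a user holds but has not exercised in the review window, i.e. access beyond the minimum required for work. The class, the PBKDF2 work factor and the sample users are constructed for illustration.

```python
import hashlib, hmac, os
from collections import defaultdict
ITERATIONS = 100_000  # PBKDF2 work factor (constructed value for this example)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class AccessRightsAdmin:
    def __init__(self):
        self.users = {}                  # enrollment: user -> (salt, credential hash)
        self.rights = defaultdict(set)   # authorization: user -> {(resource, action)}
        self.log = []                    # monitoring: (ts, user, resource, action, allowed)

    # 1. Enrollment: create the identity and store a salted credential hash.
    def enroll(self, user, password):
        if user in self.users:
            raise ValueError(f"{user} already enrolled")
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))

    # 2. Authorization: grant one (resource, action) pair, and only to enrolled users.
    def grant(self, user, resource, action):
        if user not in self.users:
            raise PermissionError(f"{user} is not enrolled")
        self.rights[user].add((resource, action))

    # 3. Authentication: verify the credential with a constant-time comparison.
    def authenticate(self, user, password):
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, _hash(password, salt))

    # Every access attempt goes through here and is logged, allowed or not.
    def access(self, user, password, resource, action, ts):
        ok = self.authenticate(user, password) and (resource, action) in self.rights[user]
        self.log.append((ts, user, resource, action, ok))
        return ok

    # 4. Monitoring: rights not exercised inside the window exceed the minimum needed
    # and are revocation candidates; denied attempts are counted per user for follow-up.
    def review(self, now, window):
        used = {(u, r, a) for ts, u, r, a, ok in self.log if ok and now - ts <= window}
        stale = {u: sorted(rs - {(r, a) for uu, r, a in used if uu == u})
                 for u, rs in self.rights.items()}
        denied = defaultdict(int)
        for ts, u, _, _, ok in self.log:
            if not ok and now - ts <= window:
                denied[u] += 1
        return {u: s for u, s in stale.items() if s}, dict(denied)
```

In practice the review output feeds a periodic entitlement recertification rather than automatic revocation, but the logic is the same: rights are justified by recorded, approved use.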
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
9) Does the institution list the following categories of
nonpublic personal information that it collects, as applicable:
a) information from the consumer; [§6(c)(1)(i)]
b) information about the consumer's transactions with the
institution or its affiliates; [§6(c)(1)(ii)]
c) information about the consumer's transactions with
nonaffiliated third parties; [§6(c)(1)(iii)] and
d) information from a consumer reporting agency?