R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 9, 2012

CONTENT
Internet Compliance Web Site Audits
IT Security
Internet Privacy
Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

Out of the office - I will be at the ICBA's Community Bank Technology Conference being held this week in Las Vegas. I will be speaking on auditing community banks and look forward to seeing you there.

FYI - Data breaches 10 times worse, say ICO figures - Data breaches in the UK have increased tenfold in the past five years, figures from the Information Commissioner's Office (ICO) reveal. In local government the increase was 1,609% and within the NHS 935%. http://www.bbc.com/news/technology-19424197

FYI - Cybercrooks fool financial advisers to steal from clients - In a new twist, cyber-robbers are using ginned-up e-mail messages in attempts to con financial advisers into wiring cash out of their clients' online investment accounts. http://www.usatoday.com/tech/news/story/2012-08-26/wire-transfer-fraud/57335540/1

FYI - Judge dismisses BancorpSouth defense in online theft suit - Bank contended that Choice Escrow's failure to secure online credentials caused $440,000 online heist - A federal judge has rejected BancorpSouth's plan to use contractual agreements with customers as a shield against liability claims stemming from an online heist of some $440,000 that was illegally wire-transferred from the account of one of the bank's commercial customers in March 2010. http://www.computerworld.com/s/article/9230730/Judge_dismisses_BancorpSouth_defense_in_online_theft_suit?taxonomyId=17

FYI - Interior seeks to safeguard mobile devices - Interior Department officials are seeking ideas to protect the agency's mobile devices while they’re being used on trips outside of the country. http://fcw.com/articles/2012/08/28/interior-mobile-device-international-travel.aspx

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Toyota Contractor Accused of Sabotaging Company Network, Stealing Data - A former programmer for Toyota has been accused of sabotaging applications on the car company’s network and stealing data after he was fired from his job last week, according to a civil complaint filed by the company. http://www.wired.com/threatlevel/2012/08/toyota-alleges-sabotage/

FYI - Julius Baer Says Employee Stole German Offshore Client Data - Julius Baer Group Ltd., the Swiss wealth manager established in 1890, is contacting German customers after an employee stole information on their offshore bank accounts in Switzerland. http://www.bloomberg.com/news/2012-08-27/julius-baer-says-employee-stole-data-on-german-offshore-clients.html

FYI - Natural gas giant RasGas targeted in cyber attack - Reports have surfaced that liquified natural gas (LNG) producer RasGas, based in the Persian Gulf nation of Qatar, has been struck by an unidentified virus, this time shutting down its website and email servers. http://www.scmagazine.com/natural-gas-giant-rasgas-targeted-in-cyber-attack/article/257050/?DCMP=EMC-SCUS_Newswire

FYI - Hackers leak '1 MILLION records' on Apple fanbois from FEDS - FBI laptop with data on 12m iThings 'pwned via Java hole' - Hackers have dumped online the unique identification codes for one million Apple iPhones and iPads allegedly lifted from an FBI agent's laptop. The leak, if genuine, proves Feds are walking around with data on at least 12 million iOS devices. http://www.theregister.co.uk/2012/09/04/antisec_hackers_fbi_laptop_hack/

FYI - 6.46 million LinkedIn passwords leaked online - More than 6.4 million LinkedIn passwords have leaked to the Web after an apparent hack. Though some login details are encrypted, all users are advised to change their passwords. http://www.zdnet.com/blog/btl/6-46-million-linkedin-passwords-leaked-online/79290


WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Sound Authorization Practices for E-Banking Applications

1. Specific authorization and access privileges should be assigned to all individuals, agents or systems, which conduct e-banking activities.

2. All e-banking systems should be constructed to ensure that they interact with a valid authorization database.

3. No individual agent or system should have the authority to change his or her own authority or access privileges in an e-banking authorization database.

4. Any addition of an individual, agent or system or changes to access privileges in an e-banking authorization database should be duly authorized by an authenticated source empowered with the adequate authority and subject to suitable and timely oversight and audit trails.

5. Appropriate measures should be in place in order to make e-banking authorization databases reasonably resistant to tampering. Any such tampering should be detectable through ongoing monitoring processes. Sufficient audit trails should exist to document any such tampering.

6. Any e-banking authorization database that has been tampered with should not be used until replaced with a validated database.

7. Controls should be in place to prevent changes to authorization levels during e-banking transaction sessions and any attempts to alter authorization should be logged and brought to the attention of management.
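Practices 3, 4, 5 and 7 above describe concrete controls on the authorization database, and the following toy implementation shows how they fit together. It is an added example, not code from the Basel paper or from Yennik; the HMAC-per-record integrity scheme, the `security_admin` role name and the bootstrap admin are assumptions made for the illustration.

```python
import hashlib, hmac

class AuthorizationDB:
    """Toy e-banking authorization database (added example, not from the Basel paper).
    Each record carries an HMAC so out-of-band edits are detectable (practice 5);
    changes need a security_admin other than the target (practices 3 and 4) and are
    refused while the target has a session open, with the attempt logged (practice 7)."""

    def __init__(self, integrity_key: bytes, bootstrap_admin: str):
        self._key = integrity_key           # in a real system, held outside the DB
        self._records = {}                  # user -> {"role": ..., "mac": ...}
        self.audit_log = []                 # append-only trail of every attempt
        self.active_sessions = set()        # users with an e-banking session open
        self._records[bootstrap_admin] = self._record(bootstrap_admin, "security_admin")

    def _record(self, user, role):
        mac = hmac.new(self._key, f"{user}:{role}".encode(), hashlib.sha256).hexdigest()
        return {"role": role, "mac": mac}

    def _log(self, outcome, actor, target, role):
        self.audit_log.append({"outcome": outcome, "actor": actor, "target": target, "role": role})

    def get_role(self, user):
        # Refuse to trust a record whose MAC no longer matches (practices 5 and 6).
        rec = self._records.get(user)
        if rec is None:
            return None
        if not hmac.compare_digest(rec["mac"], self._record(user, rec["role"])["mac"]):
            raise ValueError(f"tampered record for {user}; do not use until replaced")
        return rec["role"]

    def set_role(self, actor, target, role):
        # Add a user or change privileges, enforcing practices 3, 4 and 7.
        if actor == target:
            self._log("denied_self_change", actor, target, role)
            raise PermissionError("users may not change their own privileges")
        if self.get_role(actor) != "security_admin":
            self._log("denied_unauthorized", actor, target, role)
            raise PermissionError(f"{actor} lacks authority to change access")
        if target in self.active_sessions:
            self._log("denied_active_session", actor, target, role)
            raise RuntimeError(f"{target} has an open session; retry after logout")
        self._records[target] = self._record(target, role)
        self._log("changed", actor, target, role)

    def tampered_users(self):
        # Integrity sweep for ongoing monitoring: users whose record MAC fails.
        return [u for u, r in self._records.items()
                if not hmac.compare_digest(r["mac"], self._record(u, r["role"])["mac"])]
```

Every denied attempt lands in `audit_log` with its outcome, so the log doubles as the evidence trail practices 4 and 7 call for.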


INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

MONITORING AND UPDATING

A static security program provides a false sense of security and will become increasingly ineffective over time. Monitoring and updating the security program is an important part of the ongoing cyclical security process. Financial institutions should treat security as dynamic with active monitoring; prompt, ongoing risk assessment; and appropriate updates to controls. Institutions should continuously gather and analyze information regarding new threats and vulnerabilities, actual attacks on the institution or others, and the effectiveness of the existing security controls. They should use that information to update the risk assessment, strategy, and implemented controls. Monitoring and updating the security program begins with the identification of the potential need to alter aspects of the security program and then recycles through the security process steps of risk assessment, strategy, implementation, and testing.



INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

35. Does the institution deliver the privacy and opt out notices, including the short-form notice, so that the consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically? [§9(a)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated