Does your financial institution need an affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration testing
audits to ensure proper Internet security settings and to meet the
independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA,
which provides compliance with Gramm-Leach-Bliley Act 501(b).
The penetration audit and Internet security testing is an affordable,
sophisticated process that goes far beyond simple port scanning. The audit
is conducted from a hacker's perspective, which helps you identify
real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
http://www.internetbankingaudits.com/.
REMINDER - This newsletter is available for Android smart phones and
tablets. Go to the Market Store and search for yennik.
FYI
- White House Brainstorms With Businesses On Disaster Recovery - The
White House has turned to more than 80 innovators in the private
sector to come up with ways that could help the U.S. government
improve disaster response and recovery efforts.
http://www.informationweek.com/government/policy/white-house-brainstorms-with-businesses/240160813
FYI
- FTC slaps TRENDnet with 20 years' probation over webcam spying
flaw - The Federal Trade Commission has reached a settlement with US
wireless webcam manufacturer TRENDnet that will commit the firm to
third-party security audits for the next 20 years, plus two years of
free technical support for its customers.
http://www.theregister.co.uk/2013/09/05/ftc_slaps_trendnet_with_20_years_probation_over_webcam_spying_flaw/
FYI
- Banking trojan now circulating overseas could soon reach U.S. -
Researchers at IT security company ESET have discovered a banking
trojan that is targeting users who bank online in the Czech
Republic, Turkey, Portugal and, most recently, the United Kingdom.
http://www.scmagazine.com/banking-trojan-now-circulating-overseas-could-soon-reach-us/article/310632/?DCMP=EMC-SCUS_Newswire
FYI
- Indian spooks snooping without ISP knowledge - 'Lawful Intercept
and Monitoring' systems don't sound very lawful - India's
authorities are carrying out wide-ranging and indiscriminate
internet surveillance of their citizens thanks to secret intercept
systems located at the international gateways of several large ISPs,
according to The Hindu.
http://www.theregister.co.uk/2013/09/09/india_surveillance_intercept_isp_covert/
FYI
- Medical ID theft victims increasingly report spoofed sites and
phishing as cause of fraud - As the number of individuals impacted
by medical identity theft continues to climb, so does the number of
victims fooled by spurious emails and websites designed to purloin
their sensitive information, a study finds.
http://www.scmagazine.com/study-medical-id-theft-victims-increasingly-report-spoofed-sites-and-phishing-as-cause-of-fraud/article/311352/?DCMP=EMC-SCUS_Newswire#
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Computer hard drive compromised in hotel burglary - An undisclosed
number of guests of the InterContinental Mark Hopkins San Francisco
luxury hotel were alerted that personal information may have been
accessed by two criminals who burglarized a sales office and
compromised a computer hard drive.
http://www.scmagazine.com/computer-hard-drive-compromised-in-hotel-burglary/article/310240/?DCMP=EMC-SCUS_Newswire
FYI
- Energy Department Updates Breach Count, Says 53,000 Affected - The
Department of Energy (DOE) has confirmed reports that it suffered a
data breach in July that led to the theft of employees' personally
identifying information (PII).
http://www.informationweek.com/security/attacks/energy-department-updates-breach-count-s/240160706
FYI
- FTC files complaint against LabMD after investigating its security
practices - After a legal back-and-forth to investigate a major
breach, the Federal Trade Commission (FTC) has filed a complaint
against an Atlanta-based medical testing lab accused of exposing the
data of more than 9,000 consumers.
http://www.scmagazine.com/ftc-files-complaint-against-labmd-after-investigating-its-security-practices/article/309647/
FYI
- Laptop and flash drive stolen from doctor's car - Thousands of
patients of St. Anthony's Medical Center long-term care in St. Louis
may have had health information compromised after a laptop and flash
drive were stolen from the vehicle of a staff doctor.
http://www.scmagazine.com/laptop-and-flash-drive-stolen-from-doctors-car/article/310247/?DCMP=EMC-SCUS_Newswire
FYI
- State employee error puts thousands at risk - Nearly 5,000 people
who filed for unemployment with the Georgia Department of Labor may
have had their personal information compromised after an employee
inadvertently sent out an email containing the data.
http://www.scmagazine.com/state-employee-error-puts-thousands-at-risk/article/310822/?DCMP=EMC-SCUS_Newswire
FYI
- Card information stolen in attack on hospital payment vendor -
Credit and debit card information for thousands of patients of the
Medical University of South Carolina (MUSC) may be at risk following
a malicious attack on MUSC's third-party card payment vendor,
Blackhawk Consulting Group.
http://www.scmagazine.com/card-information-stolen-in-attack-on-hospital-payment-vendor/article/311176/?DCMP=EMC-SCUS_Newswire
FYI
- Millions in Germany have data compromised in Vodafone hack -
Authorities have identified an attacker suspected of carrying out a
sophisticated hack against Vodafone Germany.
http://www.scmagazine.com/millions-in-germany-have-data-compromised-in-vodafone-hack/article/311347/?DCMP=EMC-SCUS_Newswire
FYI
- Unauthorized third party compromises payroll card company data -
Florida-based payroll card company Paymast'r Services is sending out
letters to an undisclosed number of customers who had personal
information compromised in a data breach.
http://www.scmagazine.com/unauthorized-third-party-compromises-payroll-card-company-data/article/311431/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
This week continues our series on the FDIC's Supervisory Policy on
Identity Theft. (Part 3 of 6)
FDIC Response to Identity Theft
The FDIC's supervisory programs include many steps to address
identity theft. The FDIC acts directly, often in conjunction with
other Federal regulators, by promulgating standards that financial
institutions are expected to meet to protect customers' sensitive
information and accounts. The FDIC enforces these standards against
the institutions under its supervision and encourages all financial
institutions to educate their customers about steps they can take to
reduce the chances of becoming an identity theft victim. The FDIC
also sponsors and conducts a variety of consumer education efforts
to make consumers more aware of the ways they can protect themselves
from identity thieves.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (3 of 5)
The enrollment process establishes the user's identity and the
anticipated business need for access to information and systems. New
employees, IT outsourcing relationships, and contractors may also be
identified, and the business need for access determined, during the
hiring or contracting process.
During enrollment and thereafter, an authorization process
determines user access rights. In certain circumstances the
assignment of access rights may be performed only after the manager
responsible for each accessed resource approves the assignment and
documents the approval. In other circumstances, the assignment of
rights may be established by the employee's role or group
membership, and managed by pre-established authorizations for that
group. Customers, on the other hand, may be granted access based on
their relationship with the institution.
Authorization for privileged access should be tightly controlled.
Privileged access refers to the ability to override system or
application controls. Good practices for controlling privileged
access include:
- Identifying each privilege associated with each system component,
- Implementing a process to allocate privileges and allocating those
privileges either on a need-to-use or an event-by-event basis,
- Documenting the granting and administrative limits on privileges,
- Finding alternate ways of achieving the business objectives,
- Assigning privileges to a unique user ID apart from the one used
for normal business use,
- Logging and auditing the use of privileged access,
- Reviewing privileged access rights at appropriate intervals and
regularly reviewing privilege access allocations, and
- Prohibiting shared privileged access by multiple users.
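The practices above can be enforced mechanically rather than only on paper. The following is an added example, not code from the newsletter or the FFIEC booklet: a minimal event-by-event privilege broker that refuses grants violating the listed practices (uncatalogued privilege, privileged ID equal to the normal ID, undocumented approval, a privileged ID shared by two people), expires grants, logs every grant and use, and flags allocations overdue for review. The privilege catalog, user names, approver and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed catalog: each privilege is identified per system component.
PRIVILEGE_CATALOG = {"core-banking": {"db-admin", "batch-override"},
                     "web-portal": {"waf-bypass"}}

class PrivilegeBroker:
    def __init__(self, review_interval=timedelta(days=90)):
        self.review_interval = review_interval
        self.admin_owner = {}  # privileged ID -> the single person it belongs to
        self.grants = {}       # (admin_id, component, privilege) -> grant record
        self.audit_log = []    # every grant and every use attempt is recorded

    def grant(self, normal_id, admin_id, component, privilege, approver, ttl, now):
        # Allocate one catalogued privilege to one privileged ID for a limited time.
        if privilege not in PRIVILEGE_CATALOG.get(component, set()):
            raise ValueError(f"unidentified privilege {privilege!r} on {component!r}")
        if admin_id == normal_id:
            raise ValueError("privileged ID must differ from the normal business ID")
        if not approver:
            raise ValueError("grant must document who approved it")
        if self.admin_owner.setdefault(admin_id, normal_id) != normal_id:
            raise ValueError(f"{admin_id!r} is already bound to another person")
        record = {"approver": approver, "granted": now, "expires": now + ttl}
        self.grants[(admin_id, component, privilege)] = record
        self.audit_log.append(("grant", now, admin_id, component, privilege, approver))
        return record

    def is_active(self, admin_id, component, privilege, now):
        # Use is allowed only while the grant exists and has not expired; always logged.
        g = self.grants.get((admin_id, component, privilege))
        ok = g is not None and g["expires"] > now
        self.audit_log.append(("use", now, admin_id, component, privilege, ok))
        return ok

    def review_due(self, now):
        # Allocations older than the review interval need a periodic review.
        return [k for k, g in self.grants.items()
                if now - g["granted"] > self.review_interval]

def demo():
    # Constructed walk-through returning the outcome of each check.
    b = PrivilegeBroker()
    t0 = datetime(2013, 9, 16, 9, 0)
    b.grant("jdoe", "adm-jdoe", "core-banking", "db-admin", "ops-mgr", timedelta(hours=2), t0)
    out = {"before_expiry": b.is_active("adm-jdoe", "core-banking", "db-admin", t0 + timedelta(hours=1)),
           "after_expiry": b.is_active("adm-jdoe", "core-banking", "db-admin", t0 + timedelta(hours=3)),
           "rejected": []}
    for bad in (("jdoe", "jdoe", "core-banking", "db-admin"),       # same ID for both uses
                ("asmith", "adm-jdoe", "core-banking", "db-admin"),  # privileged ID shared
                ("jdoe", "adm-jdoe", "web-portal", "db-admin")):     # privilege not catalogued
        try:
            b.grant(*bad, "ops-mgr", timedelta(hours=1), t0)
            out["rejected"].append(False)
        except ValueError:
            out["rejected"].append(True)
    out["review_due"] = len(b.review_due(t0 + timedelta(days=91)))
    out["log_entries"] = len(b.audit_log)
    return out
```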
INTERNET PRIVACY - We continue our series listing the regulatory
privacy examination questions. Answering the question each week will
help ensure compliance with the privacy regulations.
Content of Privacy Notice
10) Does the institution list the following categories of
nonpublic personal information that it discloses, as applicable, and
a few examples of each, or alternatively state that it reserves the
right to disclose all the nonpublic personal information that it
collects:
a) information from the consumer;
b) information about the consumer's transactions with the
institution or its affiliates;
c) information about the consumer's transactions with
nonaffiliated third parties; and
d) information from a consumer reporting agency? [§6(c)(2)]