REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
Examiner HOT topic - Must Read -
Vendor Risk Management - Financial institutions are increasingly
relying on third-party vendors to perform vital functions. While
beneficial in many ways, outsourcing presents various risks. This
FRB article discusses these risks and best practices to mitigate
- For small businesses, average cost of cyber attacks close to
$9,000, survey finds - A recent study revealed that small business
owners are stuck with major costs as a result of cyber attacks.
- Brazil data plan aims to keep US spies at bay - Brazil is
considering ways to make local use of the internet less dependent on
US-based services, following leaks about Washington's cyberspy
- Barclays Bank computer theft: Eight held over £1.3m haul - Eight
men have been arrested in connection with a £1.3m theft by a gang
who took control of a Barclays Bank computer. The money was
transferred from the branch in Swiss Cottage in north London in
April, a Met Police spokesman said.
- Cybersecurity Field Not Ready to Be Professionalized, Study Finds
- The time is not yet ripe to begin introducing professionalization
standards into the rapidly changing and diverse field of
cybersecurity, particularly given the staffing shortages that
already exist in the field.
- Record number of students to fight off hackers, try to keep
computer systems safe - More than 200 Iowa State University students
will spend a Saturday beating back eight hours of computer attacks.
- Compliance deadline on HIPAA rules brings expanded
responsibilities for third parties handling data - Updated rules to
the Health Insurance Portability and Accountability Act (HIPAA)
expand the legal responsibilities of third-party organizations
handling protected health information.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- FBI arrests hacker who may have ties to Anonymous - A nearly
two-year FBI investigation into a cyber attack against the Hidalgo
County website in Texas has resulted in the arrest of a 27-year-old
- KVM device used in widening plot to steal from London banks -
Police may have thwarted one cyber heist on a London bank, but
criminals using a similar scheme found success, allegedly stealing
more than a million pounds from another financial institution in the
- Web server intrusion puts advisory clients at risk - An
undisclosed number of accounts with Boston-based Windhaven
Investment Management may have been compromised after an intruder
accessed a web server maintained by a third-party.
- Energy Industry Website Hacks Resemble Compromises to a Labor Site
for Nuclear Workers - Computer breaches that are infecting visitors
on energy sector websites might be linked to a May compromise of a
Labor Department webpage that attracts former Energy Department
- University employee fired for inadvertently emailing student data
- An employee at San Francisco-based Atlius University was fired
after an email containing personal data on nearly 200 enrollees was
inadvertently sent to a student.
- State Farm employee uses customer credit cards, gets fired - An
employee of automobile insurer State Farm was fired after making
purchases with customer credit cards, ultimately compromising their
- Hackers crack major data firms, sell info to ID thieves, says
report - An illegal, hacker-helmed identity-theft service called
SSNDOB -- as in Social Security Number and date of birth --
compromises servers at several major US data brokers, according to a
- Hacker video shows how to thwart Apple's Touch ID - The video
details how the hacker scans and manipulates someone's fingerprint
to fool the Touch ID on the iPhone 5S.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
This week continues our series on
the FDIC's Supervisory Policy on Identity Theft.
5 of 6)
The FDIC believes that consumers have an important role to play in
protecting themselves from identity theft. As identity thieves
become more sophisticated, consumers can benefit from accurate,
up-to-date information designed to educate them concerning steps
they should take to reduce their vulnerability to this type of
fraud. The financial services industry, the FDIC and other federal
regulators have made significant efforts to raise consumers'
awareness of this type of fraud and what they can do to protect
In 2005, the FDIC sponsored four identity theft symposia entitled
Fighting Back Against Phishing and Account-Hijacking. At each
symposium (held in Washington, D.C., Atlanta, Los Angeles and
Chicago), panels of experts from government, the banking industry,
consumer organizations and law enforcement discussed efforts to
combat phishing and account hijacking, and to educate consumers on
avoiding scams that can lead to account hijacking and other forms of
identity theft. Also in 2006, the FDIC sponsored a symposia series
entitled Building Confidence in an E-Commerce World. Sessions were
held in San Francisco, Phoenix and Miami. Further consumer education
efforts are planned for 2007.
In 2006, the FDIC released a multi-media educational tool, Don't Be
an On-line Victim, to help online banking customers avoid common
scams. It discusses how consumers can secure their computer, how
they can protect themselves from electronic scams that can lead to
identity theft, and what they can do if they become the victim of
identity theft. The tool is being distributed through the FDIC's web
site and via CD-ROM. Many financial institutions also now display
anti-fraud tips for consumers in a prominent place on their public
web site and send customers informational brochures discussing ways
to avoid identity theft along with their account statements.
Financial institutions are also redistributing excellent educational
materials from the Federal Trade Commission, the federal
government's lead agency for combating identity theft.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (5 of 5)
The access rights process also constrains user activities through an
acceptable - use policy (AUP). Users who can access internal systems
typically are required to agree to an AUP before using a system. An
AUP details the permitted system uses and user activities and the
consequences of noncompliance. AUPs can be created for all
categories of system users, from internal programmers to customers.
An AUP is a key control for user awareness and administrative
policing of system activities. Examples of AUP elements for internal
network and stand - alone users include:
! The specific access devices that can be used to access the
! Hardware and software changes the user can make to their access
! The purpose and scope of network activity;
! Network services that can be used, and those that cannot be used;
! Information that is allowable and not allowable for transmission
using each allowable service;
! Bans on attempting to break into accounts, crack passwords, or
! Responsibilities for secure operation; and
! Consequences of noncompliance.
Depending on the risk associated with the access, authorized
internal users should generally receive a copy of the policy and
appropriate training, and signify their understanding and agreement
with the policy before management grants access to the system.
Customers may be provided with a Web site disclosure as their AUP.
Based on the nature of the Web site, the financial institution may
require customers to demonstrate knowledge of and agreement to abide
by the terms of the AUP. That evidence can be paper based or
Authorized users may seek to extend their activities beyond what is
allowed in the AUP, and unauthorized users may seek to gain access
to the system and move within the system. Network security controls
provide the protection necessary to guard against those threats.
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Content of Privacy Notice
12. Does the institution make the following disclosures regarding
service providers and joint marketers to whom it discloses nonpublic
personal information under §13:
a. as applicable, the same categories and examples of nonpublic
personal information disclosed as described in paragraphs (a)(2) and
(c)(2) of section six (6) (see questions 8b and 10); and [§6(c)(4)(i)]
b. that the third party is a service provider that performs
marketing on the institution's behalf or on behalf of the
institution and another financial institution; [§6(c)(4)(ii)(A)] or
c. that the third party is a financial institution with which the
institution has a joint marketing agreement? [§6(c)(4)(ii)(B)]