R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 29, 2013

CONTENT
Internet Compliance Web Site Audits
IT Security
Internet Privacy
Penetration Testing
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.

Examiner HOT topic - Must Read - Vendor Risk Management - Financial institutions are increasingly relying on third-party vendors to perform vital functions. While beneficial in many ways, outsourcing presents various risks. This FRB article discusses these risks and best practices to mitigate them. http://www.philadelphiafed.org/bank-resources/publications/consumer-compliance-outlook/2011/first-quarter/vendor-risk-management.cfm

FYI - For small businesses, average cost of cyber attacks close to $9,000, survey finds - A recent study revealed that small business owners are stuck with major costs as a result of cyber attacks. http://www.scmagazine.com/for-small-businesses-average-cost-of-cyber-attacks-close-to-9000-survey-finds/article/312706/?DCMP=EMC-SCUS_Newswire

FYI - Brazil data plan aims to keep US spies at bay - Brazil is considering ways to make local use of the internet less dependent on US-based services, following leaks about Washington's cyberspy operations. http://www.bbc.co.uk/news/technology-24145662

FYI - Barclays Bank computer theft: Eight held over £1.3m haul - Eight men have been arrested in connection with a £1.3m theft by a gang who took control of a Barclays Bank computer. The money was transferred from the branch in Swiss Cottage in north London in April, a Met Police spokesman said. http://www.bbc.co.uk/news/uk-england-24172305

FYI - Cybersecurity Field Not Ready to Be Professionalized, Study Finds - The time is not yet ripe to begin introducing professionalization standards into the rapidly changing and diverse field of cybersecurity, particularly given the staffing shortages that already exist in the field. http://www.nextgov.com/cybersecurity/2013/09/cybersecurity-field-not-ready-be-professionalized-study-finds/70488/?oref=ng-channeltopstory

FYI - Record number of students to fight off hackers, try to keep computer systems safe - More than 200 Iowa State University students will spend a Saturday beating back eight hours of computer attacks. http://www.news.iastate.edu/news/2013/09/17/cyberdefense13

FYI - Compliance deadline on HIPAA rules brings expanded responsibilities for third parties handling data - Updated rules to the Health Insurance Portability and Accountability Act (HIPAA) expand the legal responsibilities of third-party organizations handling protected health information. http://www.scmagazine.com/compliance-deadline-on-hipaa-rules-brings-expanded-responsibilities-for-third-parties-handling-data/article/313079/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - FBI arrests hacker who may have ties to Anonymous - A nearly two-year FBI investigation into a cyber attack against the Hidalgo County website in Texas has resulted in the arrest of a 27-year-old man. http://www.scmagazine.com/fbi-arrests-hacker-who-may-have-ties-to-anonymous/article/312259/#

FYI - KVM device used in widening plot to steal from London banks - Police may have thwarted one cyber heist on a London bank, but criminals using a similar scheme found success, allegedly stealing more than a million pounds from another financial institution in the city. http://www.scmagazine.com/kvm-device-used-in-widening-plot-to-steal-from-london-banks/article/312768/?DCMP=EMC-SCUS_Newswire

FYI - Web server intrusion puts advisory clients at risk - An undisclosed number of accounts with Boston-based Windhaven Investment Management may have been compromised after an intruder accessed a web server maintained by a third-party. http://www.scmagazine.com/web-server-intrusion-puts-advisory-clients-at-risk/article/312705/?DCMP=EMC-SCUS_Newswire

FYI - Energy Industry Website Hacks Resemble Compromises to a Labor Site for Nuclear Workers - Computer breaches that are infecting visitors on energy sector websites might be linked to a May compromise of a Labor Department webpage that attracts former Energy Department nuclear personnel. http://www.nextgov.com/cybersecurity/2013/09/energy-industry-website-hacks-resemble-compromises-labor-site-nuclear-workers/70630/?oref=ng-HPtopstory

FYI - University employee fired for inadvertently emailing student data - An employee at San Francisco-based Atlius University was fired after an email containing personal data on nearly 200 enrollees was inadvertently sent to a student. http://www.scmagazine.com/university-employee-fired-for-inadvertently-emailing-student-data/article/313152/?DCMP=EMC-SCUS_Newswire

FYI - State Farm employee uses customer credit cards, gets fired - An employee of automobile insurer State Farm was fired after making purchases with customer credit cards, ultimately compromising their personal data. http://www.scmagazine.com/state-farm-employee-uses-customer-credit-cards-gets-fired/article/313412/?DCMP=EMC-SCUS_Newswire

FYI - Hackers crack major data firms, sell info to ID thieves, says report - An illegal, hacker-helmed identity-theft service called SSNDOB -- as in Social Security Number and date of birth -- compromises servers at several major US data brokers, according to a report. http://news.cnet.com/8301-1009_3-57604633-83/hackers-crack-major-data-firms-sell-info-to-id-thieves-says-report/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9

FYI - Hacker video shows how to thwart Apple's Touch ID - The video details how the hacker scans and manipulates someone's fingerprint to fool the Touch ID on the iPhone 5S. http://news.cnet.com/8301-1009_3-57604554-83/hacker-video-shows-how-to-thwart-apples-touch-id/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9


WEB SITE COMPLIANCE - This week continues our series on the FDIC's Supervisory Policy on Identity Theft (Part 5 of 6)

Consumer Education

The FDIC believes that consumers have an important role to play in protecting themselves from identity theft. As identity thieves become more sophisticated, consumers can benefit from accurate, up-to-date information designed to educate them concerning steps they should take to reduce their vulnerability to this type of fraud. The financial services industry, the FDIC and other federal regulators have made significant efforts to raise consumers' awareness of this type of fraud and what they can do to protect themselves.

In 2005, the FDIC sponsored four identity theft symposia entitled Fighting Back Against Phishing and Account-Hijacking. At each symposium (held in Washington, D.C., Atlanta, Los Angeles and Chicago), panels of experts from government, the banking industry, consumer organizations and law enforcement discussed efforts to combat phishing and account hijacking, and to educate consumers on avoiding scams that can lead to account hijacking and other forms of identity theft. Also in 2006, the FDIC sponsored a symposium series entitled Building Confidence in an E-Commerce World. Sessions were held in San Francisco, Phoenix and Miami. Further consumer education efforts are planned for 2007.

In 2006, the FDIC released a multi-media educational tool, Don't Be an On-line Victim, to help online banking customers avoid common scams. It discusses how consumers can secure their computer, how they can protect themselves from electronic scams that can lead to identity theft, and what they can do if they become the victim of identity theft. The tool is being distributed through the FDIC's web site and via CD-ROM. Many financial institutions also now display anti-fraud tips for consumers in a prominent place on their public web site and send customers informational brochures discussing ways to avoid identity theft along with their account statements. Financial institutions are also redistributing excellent educational materials from the Federal Trade Commission, the federal government's lead agency for combating identity theft.

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

Access Rights Administration (5 of 5)

The access rights process also constrains user activities through an acceptable-use policy (AUP). Users who can access internal systems typically are required to agree to an AUP before using a system. An AUP details the permitted system uses and user activities and the consequences of noncompliance. AUPs can be created for all categories of system users, from internal programmers to customers. An AUP is a key control for user awareness and administrative policing of system activities. Examples of AUP elements for internal network and stand-alone users include:

- The specific access devices that can be used to access the network;

- Hardware and software changes the user can make to their access device;

- The purpose and scope of network activity;

- Network services that can be used, and those that cannot be used;

- Information that is allowable and not allowable for transmission using each allowable service;

- Bans on attempting to break into accounts, crack passwords, or disrupt service;

- Responsibilities for secure operation; and

- Consequences of noncompliance.

Depending on the risk associated with the access, authorized internal users should generally receive a copy of the policy and appropriate training, and signify their understanding and agreement with the policy before management grants access to the system.

Customers may be provided with a Web site disclosure as their AUP. Based on the nature of the Web site, the financial institution may require customers to demonstrate knowledge of and agreement to abide by the terms of the AUP. That evidence can be paper based or electronic.

Authorized users may seek to extend their activities beyond what is allowed in the AUP, and unauthorized users may seek to gain access to the system and move within the system. Network security controls provide the protection necessary to guard against those threats.



INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

12. Does the institution make the following disclosures regarding service providers and joint marketers to whom it discloses nonpublic personal information under §13:

a. as applicable, the same categories and examples of nonpublic personal information disclosed as described in paragraphs (a)(2) and (c)(2) of section six (6) (see questions 8b and 10); and [§6(c)(4)(i)]

b. that the third party is a service provider that performs marketing on the institution's behalf or on behalf of the institution and another financial institution; [§6(c)(4)(ii)(A)] or

c. that the third party is a financial institution with which the institution has a joint marketing agreement? [§6(c)(4)(ii)(B)]


PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

© Copyright Yennik, Incorporated. All rights reserved; our logo is registered with the United States Patent and Trademark Office.