- NIST finalizes cloud computing roadmap - The National Institute of
Standards and Technology (NIST) has finalized the first two volumes
of its U.S. Government Cloud Computing Technology Roadmap, laying
critical requirements for security, interoperability and
portability, addressing cloud migration challenges and defining
priority action plans (PAPs) for each requirement.
- ISA president urges state AGs to expand understanding of
cybercrime - There's more to cybercrime than breaches and personal
data theft, Larry Clinton, president of the Internet Security
Alliance (ISA) said at the National Association of State Attorneys
General's conference on consumer protection this week.
- Pentagon Needs to Build Cybersecurity into the Acquisition Process
- If you were asked to name one of the most pressing issues facing
the Pentagon in the next five years, chances are you wouldn’t
specify the intersection of cybersecurity, acquisition and the
sometimes small but always vital electronic components that make up
- South Korea mulls replacing nat'l ID cards after breach - To
counter the effects of a recent massive data breach, South Korea is
mulling issuing new national ID numbers to all 50 million of its
citizens – a project that would cost the government an estimated
- FBI warns of cyberattacks linked to China - The U.S. Federal
Bureau of Investigation issued a warning to companies and
organizations on Wednesday of cyberattacks by people linked with the
- The Number of Industries Getting Classified Cyberthreat Tips from
DHS Has Doubled Since July - Firms from half of the nation’s 16 key
industries, including wastewater and banking, have paid for special
technology to join a Department of Homeland Security program that
shares classified cyberthreat intelligence, in hopes of protecting
society from a catastrophic cyberattack.
- DHS investigates possible vulnerabilities in medical devices,
report indicates - Citing an unnamed senior official at the U.S.
Department of Homeland Security (DHS), Reuters reported on Wednesday
that the agency is investigating roughly 24 cases of suspected
vulnerabilities in medical devices and hospital equipment.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Cyberswim notifies customers that payment card data may be at risk
- Cyberswim, Inc. is notifying an undisclosed number of customers
that unauthorized individuals or entities installed malicious
software on the computer server hosting its website and may have
compromised their personal information, including payment card data.
- Sourcebooks payment card breach impacts more than 5,000 customers
- Illinois-based publisher Sourcebooks has notified roughly 9,000
customers that a security vulnerability in its shopping cart
software may have enabled criminals to obtain their personal
information, including payment card data.
- Credit Card Breach at Staples Stores - Multiple banks say they
have identified a pattern of credit and debit card fraud suggesting
that several Staples Inc. office supply locations in the
Northeastern United States are currently dealing with a data breach.
Staples says it is investigating “a potential issue” and has
contacted law enforcement.
- Staples is investigating a potential issue involving credit card
data - Office supplies retailer Staples is “in the process of
investigating a potential issue involving credit card data,”
according to a statement emailed to SCMagazine.com on Tuesday.
- Transcript website flaw exposed personal data on 98k users - A
website that helps students obtain past transcripts might have
exposed the personal information of close to 100,000 users. At least
one user was able to access the information after a flaw in
NeedMyTranscript.com's design led to a site subdirectory, according
to The Washington Post. The transcript site covers more than 18,000
high schools in all 50 states.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Principle 6: Banks should ensure that clear audit trails exist
for all e-banking transactions.
Delivery of financial services over the Internet can make it more
difficult for banks to apply and enforce internal controls and
maintain clear audit trails if these measures are not adapted to an
e-banking environment. Banks are not only challenged to ensure that
effective internal control can be provided in highly automated
environments, but also that the controls can be independently
audited, particularly for all critical e-banking events and
A bank's internal control environment may be weakened if it is
unable to maintain clear audit trails for its e-banking activities.
This is because much, if not all, of its records and evidence
supporting e-banking transactions are in an electronic format. In
making a determination as to where clear audit trails should be
maintained, the following types of e-banking transactions should be
1) The opening, modification or closing of a customer's account.
2) Any transaction with financial consequences.
3) Any authorization granted to a customer to exceed a limit.
4) Any granting, modification or revocation of systems access
rights or privileges.
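As an added illustration, not from the Basel paper or this newsletter, of what a clear audit trail for those four event classes can look like in practice: the Python below keeps an append-only, hash-chained log whose verification fails if any record is edited, dropped or reordered. The event names, actor and account identifiers are assumptions chosen for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# The four event classes the principle lists as needing a clear audit trail.
AUDITED_EVENTS = {
    "account_opened", "account_modified", "account_closed",  # 1) account lifecycle
    "financial_transaction",                                 # 2) financial consequences
    "limit_override_authorized",                             # 3) customer allowed to exceed a limit
    "access_rights_changed",                                 # 4) system access rights/privileges
}

def _entry_hash(entry):
    """SHA-256 over canonical JSON, so any later edit to a field changes the hash."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

class AuditTrail:
    """Append-only, hash-chained log: each record commits to its predecessor,
    so deleting, reordering or editing a record breaks verification."""
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    def append(self, event_type, actor, subject, details):
        if event_type not in AUDITED_EVENTS:
            raise ValueError(f"not an audited e-banking event: {event_type}")
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        body = {
            "seq": len(self.records),
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event_type, "actor": actor, "subject": subject,
            "details": details, "prev": prev,
        }
        body["hash"] = _entry_hash(body)
        self.records.append(body)
        return body["hash"]

    def verify(self):
        """Return (True, -1) if the chain is intact, else (False, index of first bad record)."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != i or rec["prev"] != prev or _entry_hash(body) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, -1
```

In production the chain head (or a periodic digest) would be exported to a system the e-banking application cannot write to, so that the independent auditor the principle refers to can verify the log against it.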
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
ELECTRONIC AND PAPER-BASED MEDIA HANDLING
Financial institutions need appropriate disposal procedures for
both electronic and paper-based media. Policies should prohibit
employees from discarding sensitive media along with regular garbage
to avoid accidental disclosure. Many institutions shred paper-based
media on site and others use collection and disposal services
to ensure the media is rendered unreadable and unreconstructable
before disposal. Institutions that contract with third parties
should use care in selecting vendors to ensure adequate employee
background checks, controls, and experience.
Computer-based media presents unique disposal problems. Residual
data frequently remains on media after erasure. Since that data can
be recovered, additional disposal techniques should be applied to
sensitive data. Physical destruction of the media, for instance by
subjecting a compact disk to microwaves, can make the data
unrecoverable. Additionally, data can sometimes be destroyed after
overwriting. Overwriting may be preferred when the media will be
re-used. Institutions should base their disposal policies on the
sensitivity of the information contained on the media and, through
policies, procedures, and training, ensure that the actions taken to
securely dispose of computer-based media adequately protect the data
from the risks of reconstruction. Where practical, management should
log the disposal of sensitive media, especially computer-based
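Added example, not from the FFIEC booklet or this newsletter: a Python disposal routine for computer-based media that overwrites a file in place, reads it back to verify, removes it and writes the disposal log entry the booklet calls for. The file name, log fields and sample content are constructed for the example, and the docstring carries the residual-data caveat that makes overwriting suitable only for media that will be re-used.

```python
import os
import secrets
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024
# Constructed sample standing in for a sensitive export (fake values).
SAMPLE = b"acct,name,ssn\n1001,Jane Doe,000-00-0000\n" * 200

def overwrite_file(path, passes=3):
    """Overwrite a file in place with random bytes, fsync'ing each pass. Caveat
    (the residual-data problem): this reaches only blocks the filesystem maps to
    the file; journals, copy-on-write, snapshots and SSD wear-levelling can keep
    stale copies, so it suits media that will be re-used, not destruction."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size

def dispose(path, disposal_log, sensitivity, actor):
    """Wipe, read back to verify, unlink, then log the disposal."""
    with open(path, "rb") as f:
        sample = f.read(256)                 # original bytes to check against
    size = overwrite_file(path)
    with open(path, "rb") as f:
        if sample and sample in f.read():    # overwrite did not take effect
            raise RuntimeError(f"overwrite verification failed: {path}")
    os.unlink(path)
    record = {"ts": datetime.now(timezone.utc).isoformat(), "path": path, "bytes": size,
              "sensitivity": sensitivity, "actor": actor, "method": "overwrite-3pass+unlink"}
    disposal_log.append(record)
    return record

def demo():
    """Run dispose() on the constructed sample in a temp dir; return a summary."""
    log = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "customer_export.csv")
        with open(path, "wb") as f:
            f.write(SAMPLE)
        rec = dispose(path, log, "confidential", "ops-admin")
        return {"removed": not os.path.exists(path), "bytes": rec["bytes"], "entries": len(log)}
```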
Financial institutions should maintain the security of media while
in transit or when shared with third parties. Policies should
- Restrictions on the carriers used and procedures to verify the
identity of couriers,
- Requirements for appropriate packaging to protect the media from
- Use of encryption for transmission of sensitive information,
- Security reviews or independent security reports of receiving
- Use of nondisclosure agreements between couriers and third
Financial institutions should address the security of their back-up
tapes at all times, including when the tapes are in transit from
the data center to off-site storage.
INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 13, 14, and/or 15 but outside of these
exceptions (Part 1 of 2)
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with nonaffiliated
third parties and obtain a sample of data shared between the
institution and the third party. The sample should include a
cross-section of relationships but should emphasize those that are
higher risk in nature as determined by the initial procedures.
Perform the following comparisons to evaluate the financial
institution's compliance with disclosure limitations.
a. Compare the data shared and with whom the data were shared to
ensure that the institution accurately categorized its information
sharing practices and is not sharing nonpublic personal information
outside the exceptions (§§13, 14, 15).
b. Compare the categories of data shared and with whom the data
were shared to those stated in the privacy notice and verify that
what the institution tells consumers in its notices about its
policies and practices in this regard and what the institution
actually does are consistent (§§10, 6).
2) Review contracts with nonaffiliated third parties that perform
services for the financial institution not covered by the exceptions
in section 14 or 15. Determine whether the contracts adequately
prohibit the third party from disclosing or using the information
other than to carry out the purposes for which the information was
disclosed. Note that the "grandfather" provisions of Section 18
apply to certain of these contracts. (§13(a)).