Security report finds Chinese cyberspying threat growing - A new
report prepared for the U.S.-China Economic and Security Review
Commission has concluded that the Asian nation is likely using his
sophisticated IT systems to spy on America.
New ID theft rules may not pertain to small businesses - The U.S.
House of Representatives this week unanimously passed legislation
that would exempt certain small organizations from complying with
the Red Flags Rules.
Pizza-making ATM hacker avoids jail - An Australian pizza store
worker turned hacker has avoided prison after he was convicted of
stealing A$30,000 ($28,000) from ATMs using computer hacking.
Identity theft is too easy and can even be automated says IT
security expert - The realities of identity theft and the modus
operandi of cybercriminals were explained to delegates at this
week's RSA Security conference in London.
New data shows website hacks continue to grow unabated - More than
two million more web pages were infected with malware during the
third quarter of 2009 compared to the same quarter last year,
according to data gathered by a web anti-malware vendor.
Internet phone systems become the fraudster's tool - Cybercriminals
have found a new launching pad for their scams: the phone systems of
small and medium-sized businesses across the U.S.
GAO - Information Security - Concerted Effort Needed to Improve
Federal Performance Measures.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Cyber crooks stole $40M from U.S. small, mid-sized firms - Cyber
criminals have stolen at least $40 million from small to mid-sized
companies across America in a sophisticated but increasingly common
form of online banking fraud, the FBI said.
CalOptima says data on 68,000 members may be compromised - Plans
notification after loss of disks containing the info - Personally
identifiable information on about 68,000 members of CalOptima, a
Medicaid managed care plan serving Orange County, Calif., may have
been compromised after several CDs containing the information went
missing earlier this month.
Guardian loses half a million CVs - Police probe massive hack - The
Guardian newspaper's jobs website has warned 500,000 users that
hackers may have got hold of private information held on the site
after a "sophisticated and deliberate" attack.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Principle 11: Banks should develop appropriate incident response
plans to manage, contain and minimize problems arising from
unexpected events, including internal and external attacks, that may
hamper the provision of e-banking systems and services.
Effective incident response mechanisms are critical to minimize
operational, legal and reputational risks arising from unexpected
events such as internal and external attacks that The current and
future capacity of critical e-banking delivery systems should be
assessed on an ongoing basis may affect the provision of e-banking
systems and services. Banks should develop appropriate incident
response plans, including communication strategies, that ensure
business continuity, control reputation risk and limit liability
associated with disruptions in their e-banking services, including
those originating from outsourced systems and operations.
To ensure effective response to unforeseen incidents, banks should
1) Incident response plans to address recovery of e-banking systems
and services under various scenarios, businesses and geographic
locations. Scenario analysis should include consideration of the
likelihood of the risk occurring and its impact on the bank.
E-banking systems that are outsourced to third-party service
providers should be an integral part of these plans.
2) Mechanisms to identify an incident or crisis as soon as it
occurs, assess its materiality, and control the reputation risk
associated with any disruption in service.
3) A communication strategy to adequately address external market
and media concerns that may arise in the event of security breaches,
online attacks and/or failures of e-banking systems.
4) A clear process for alerting the appropriate regulatory
authorities in the event of material security breaches or disruptive
5) Incident response teams with the authority to act in an
emergency and sufficiently trained in analyzing incident
detection/response systems and interpreting the significance of
6) A clear chain of command, encompassing both internal as well as
outsourced operations, to ensure that prompt action is taken
appropriate for the significance of the incident. In addition,
escalation and internal communication procedures should be developed
and include notification of the Board where appropriate.
7) A process to ensure all relevant external parties, including
bank customers, counterparties and the media, are informed in a
timely and appropriate manner of material e-banking disruptions and
business resumption developments.
8) A process for collecting and preserving forensic evidence to
facilitate appropriate post-mortem reviews of any e-banking
incidents as well as to assist in the prosecution of attackers.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security Booklet.
MONITORING AND UPDATING
A static security program provides a false sense of security and
will become increasingly ineffective over time. Monitoring and
updating the security program is an important part of the ongoing
cyclical security process. Financial institutions should treat
security as dynamic with active monitoring; prompt, ongoing risk
assessment; and appropriate updates to controls. Institutions should
continuously gather and analyze information regarding new threats
and vulnerabilities, actual attacks on the institution or others,
and the effectiveness of the existing security controls. They should
use that information to update the risk assessment, strategy, and
implemented controls. Monitoring and updating the security program
begins with the identification of the potential need to alter
aspects of the security program and then recycles through the
security process steps of risk assessment, strategy, implementation,
the top of the newsletter
IT SECURITY QUESTION:
2. Verify that data is protected consistent with the
financial institution's risk assessment.
• Identify controls used to protect data and determine if the data
is protected throughout its life cycle (i.e., creation, storage,
maintenance, transmission, and disposal) in a manner consistent with
the risk assessment.
• Consider data security controls in effect at key stages such as
data creation/acquisition, storage, transmission, maintenance, and
• Review audit and security review reports that summarize if data is
protected consistent with the risk assessment.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
35. Does the institution deliver
the privacy and opt out notices, including the short-form notice, so
that the consumer can reasonably be expected to receive actual
notice in writing or, if the consumer agrees, electronically? [§9(a)]