Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, visit http://www.internetbankingaudits.com/.
FYI - Gov't executives cite unstructured data as top concern - More than cloud computing, mobile devices and Web 2.0 applications, unstructured data is the cyberthreat federal government IT executives are most worried about, according to a survey released Wednesday.
http://www.scmagazineus.com/govt-executives-cite-unstructured-data-as-top-concern/article/158049/?DCMP=EMC-SCUS_Newswire

FYI - Cyberattacks on U.S. military jump sharply in 2009 - Cyberattacks on the U.S. Department of Defense -- many of them coming from China -- have jumped sharply in 2009, a U.S. congressional committee reported.
http://www.computerworld.com/s/article/9141200/Cyberattacks_on_U.S._military_jump_sharply_in_2009?taxonomyId=17

FYI - Virus attacks 'jail broken' iPhones - Hackers targeting devices with disabled pre-installed security for ID theft - Hackers have built a virus that attacks Apple Inc's iPhone by secretly taking control of the devices via their Internet connections, security experts said.
http://www.msnbc.msn.com/id/34115776/ns/technology_and_science-security/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Connecticut A.G. calls six-month delay in reporting loss 'incomprehensible' - A hard drive with seven years' worth of personal financial and medical information on about 1.5 million customers of Health Net of the Northeast Inc. was reported missing to state officials yesterday -- six months after the drive went missing.
http://www.computerworld.com/s/article/9141172/Health_Net_says_1.5M_medical_records_lost_in_data_breach?source=rss_security

FYI - Spanish payment breach prompts huge German card recall - German authorities have recalled more than 100,000 credit cards over fears that crooks may have obtained details of the cards via an unnamed Spanish payment processing firm.
http://www.theregister.co.uk/2009/11/19/spanish_card_payment_breach/

FYI - Second-hand ATM trade opens up fraud risk - Craigslist cash machine contains 1,000 card numbers - Second-hand ATM machines containing sensitive transaction data are easily available for purchase on eBay or even Craigslist, according to an investigation by a US-based security consultant.
http://www.theregister.co.uk/2009/11/18/second_hand_atm_fraud_risk/

FYI - T-Mobile criticised by Information Commissioner after rogue employee passes on customer details to third parties - Reports have been made that staff from T-Mobile passed customer details to third-party brokers.
http://www.scmagazineuk.com/t-mobile-criticised-by-information-commissioner-after-it-is-discovered-for-passing-on-customer-details-to-third-parties/article/157940/

FYI - Hancock Fabrics Linked to Fraud in 3 States - CA, WI and MO Investigators Say Recent Thefts Tied to Retailer's Transactions - Bank customers in California, Wisconsin and Missouri are reporting fraudulent ATM withdrawals that police say are tied to transactions conducted with the Hancock Fabrics retail chain.
http://www.bankinfosecurity.com/articles.php?art_id=1961

FYI - FBI looking at UMC records leak - Agent says 'multiple federal laws' might have been violated - The FBI said Friday it may investigate a breach of patient privacy laws at University Medical Center, where hospital officials are reeling with the realization that at least one of their employees has leaked confidential names, birth dates and Social Security numbers.
http://www.lasvegassun.com/news/2009/nov/21/fbi-looking-umc-records-leak/
WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Sound Practices for Managing Outsourced E-Banking Systems and Services (Part 3 of 3)

4. Banks should ensure that periodic independent internal and/or external audits are conducted of outsourced operations to at least the same scope required if such operations were conducted in-house.

a) For outsourced relationships involving critical or technologically complex e-banking services/applications, banks may need to arrange for other periodic reviews to be performed by independent third parties with sufficient technical expertise.

5. Banks should develop appropriate contingency plans for outsourced e-banking activities.

a) Banks need to develop and periodically test their contingency plans for all critical e-banking systems and services that have been outsourced to third parties.

b) Contingency plans should address credible worst-case scenarios for providing continuity of e-banking services in the event of a disruption affecting outsourced operations.

c) Banks should have an identified team that is responsible for managing recovery and assessing the financial impact of a disruption in outsourced e-banking services.

6. Banks that provide e-banking services to third parties should ensure that their operations, responsibilities, and liabilities are sufficiently clear so that serviced institutions can adequately carry out their own effective due diligence reviews and ongoing oversight of the relationship.

a) Banks have a responsibility to provide serviced institutions with information necessary to identify, control and monitor any risks associated with the e-banking service arrangement.
INFORMATION TECHNOLOGY SECURITY - We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."

Risk Mitigation

Security should not be compromised when offering wireless financial services to customers or deploying wireless internal networks. Financial institutions should carefully consider the risks of wireless technology and take appropriate steps to mitigate those risks before deploying either wireless networks or applications. As wireless technologies evolve, the security and control features available to financial institutions will make the process of risk mitigation easier. Steps that can be taken immediately in wireless implementation include:

1) Establishing a minimum set of security requirements for wireless networks and applications;
2) Adopting proven security policies and procedures to address the security weaknesses of the wireless environment;
3) Adopting strong encryption methods that encompass end-to-end encryption of information as it passes throughout the wireless network;
4) Adopting authentication protocols for customers using wireless applications that are separate and distinct from those provided by the wireless network operator;
5) Ensuring that the wireless software includes appropriate audit capabilities (for such things as recording dropped transactions);
6) Providing appropriate training to IT personnel on network, application and security controls so that they understand and can respond to potential risks; and
7) Performing independent security testing of wireless network and application implementations.
IT SECURITY QUESTION:

Computer operations:
a. Is the core application in-house or outsourced to a data center?
b. What type of network configuration is used?
c. What are the servers' operating systems?
d. What are the workstations' operating systems?
e. Is there a telephone-banking server?
f. Is there a server hosting Internet banking?
g. Are system logs maintained and reviewed regularly?
h. Are there modem connections to the network?
i. Is a modem log maintained?
j. Are there IT job descriptions?
k. Is there an anti-virus program on all workstations, and is the program current?
l. Are there software license agreements for all software?
m. Does the IT department program applications?
n. Are programming requirements outsourced? Vendor?
o. Are unauthorized programs such as screen savers prohibited?
p. Does the Board of Directors annually approve the IT policies?
q. If individual computers are not backed up, is important data saved to a network server?
r. Are stand-alone computers with critical data backed up?
s. Are there written IT procedures?
t. Are there network activity reports?
u. Does the personnel manual inform personnel of the Bank's policies and acceptable computer use?
v. Is a network problem log maintained?
INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

39. Does the institution use an appropriate means to ensure that notices may be retained or obtained later, such as:
a. hand-delivery of a printed copy of the notice; [§9(e)(2)(i)]
b. mailing a printed copy to the last known address of the customer; [§9(e)(2)(ii)] or
c. making the current privacy notice available on the institution's web site (or via a link to the notice at another site) for the customer who agrees to receive the notice at the web site? [§9(e)(2)(iii)]