FYI - Is your web site compliant with the Americans with Disabilities Act?  For the past 20 years, our bank web site audits have covered the ADA guidelines.  Help reduce any liability, please contact me for more information at examiner@yennik.com. 

FYI - The FDIC, NCUA, and the OCC do not have a requirement that financial institutions change third-party vendors on a periodic basis.  Any such decision would be up to bank management.  Refer to http://www.yennik.com/fdic_10-18-16_rotation_letter.pdf, http://www.yennik.com/ncua_12-21-16_rotation_letter.pdf, and at http://www.yennik.com/occ_10-12-16_rotation_letter.pdf.

EU's privacy statutes preclude U.K.'s data retention legislation, court rules - The European Court of Justice ruled on Wednesday that the U.K.'s Data Retention and Investigatory Powers Act (DRIPA) of 2014 is effectively invalidated by European Union statutes that protect citizens from the indiscriminate collection and retention of electronic data. https://www.scmagazine.com/eus-privacy-statutes-preclude-uks-data-retention-legislation-court-rules/article/627639/

The year of ransomware, data breaches and Brad Pitt - It would appear SC Media's readers are a rather eclectic bunch. Not in their personal habits, of which I have no knowledge, but in what everyone in webland found interesting on the site during 2016. https://www.scmagazine.com/2016-the-year-of-ransomware-data-breaches-and-brad-pitt/article/580454/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - FBI probing hack of FDIC credited to China - The FBI is investigating a hack into the network of the Federal Deposit Insurance Corporation (FDIC), which is said to have lasted years. https://www.scmagazine.com/fbi-probing-hack-of-fdic-credited-to-china/article/628131/

Fraudsters target Groupon users in the UK: losses add up in the £100s - In recent weeks, fraudsters have managed to hack into a number of Groupon accounts in the UK. Users have seen hundreds of pounds siphoned from their banks. https://www.scmagazine.com/fraudsters-target-groupon-users-in-the-uk-losses-add-up-in-the-100s/article/627723/

Data exposed of 15K clients of New Hampshire DHHS - A former patient of the New Hampshire Department of Health and Human Services (DHHS) posted data of patients, including Social Security numbers, to social media. https://www.scmagazine.com/data-exposed-of-15k-clients-of-new-hampshire-dhhs/article/628367/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
  
  Board and Management Oversight - Principle 3: The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the bank's outsourcing relationships and other third-party dependencies supporting e-banking.
  
  Increased reliance upon partners and third party service providers to perform critical e-banking functions lessens bank management's direct control. Accordingly, a comprehensive process for managing the risks associated with outsourcing and other third-party dependencies is necessary. This process should encompass the third-party activities of partners and service providers, including the sub-contracting of outsourced activities that may have a material impact on the bank.
  
  Historically, outsourcing was often limited to a single service provider for a given functionality. However, in recent years, banks' outsourcing relationships have increased in scale and complexity as a direct result of advances in information technology and the emergence of e-banking. Adding to the complexity is the fact that outsourced e-banking services can be sub-contracted to additional service providers and/or conducted in a foreign country. Further, as e-banking applications and services have become more technologically advanced and have grown in strategic importance, certain e-banking functional areas are dependent upon a small number of specialized third-party vendors and service providers. These developments may lead to increased risk concentrations that warrant attention both from an individual bank as well as a systemic industry standpoint.
  
  Together, these factors underscore the need for a comprehensive and ongoing evaluation of outsourcing relationships and other external dependencies, including the associated implications for the bank's risk profile and risk management oversight abilities. Board and senior management oversight of outsourcing relationships and third-party dependencies should specifically focus on ensuring that:
  
  1) The bank fully understands the risks associated with entering into an outsourcing or partnership arrangement for its e-banking systems or applications.
  
  2) An appropriate due diligence review of the competency and financial viability of any third-party service provider or partner is conducted prior to entering into any contract for e-banking services.
  
  3) The contractual accountability of all parties to the outsourcing or partnership relationship is clearly defined. For instance, responsibilities for providing information to and receiving information from the service provider should be clearly defined.
  
  4) All outsourced e-banking systems and operations are subject to risk management, security and privacy policies that meet the bank's own standards.
  
  5)  Periodic independent internal and/or external audits are conducted of outsourced operations to at least the same scope required if such operations were conducted in-house.
  
  This is the last of three principles regarding Board and Management Oversight.  Next week we will begin the series on the principles of security controls, which include Authentication, Non-repudiation, Data and transaction integrity, Segregation of duties, Authorization controls, Maintenance of audit trails, and Confidentiality of key bank information.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  
 
 SECURITY CONTROLS - IMPLEMENTATION - DATA CENTER SECURITY
 
 When selecting a site for the most important information systems components, one major objective is to limit the risk of exposure from internal and external sources. The selection process should include a review of the surrounding area to determine if it is relatively safe from exposure to fire, flood, explosion, or similar environmental hazards. Outside intruders can be deterred through the use of guards, fences, barriers, surveillance equipment, or other similar devices. Since access to key information system hardware and software should be limited, doors and windows must be secure. Additionally, the location should not be identified or advertised by signage or other indicators.
 
 Detection devices, where applicable, should be utilized to prevent theft and safeguard the equipment. They should provide continuous coverage. Detection devices have two purposes - to alarm when a response is necessary and to support subsequent forensics. The alarm capability is only useful when a response will occur. Some intruder detection devices available include:
 
 ! Switches that activate an alarm when an electrical circuit is broken;
 ! Light and laser beams, ultraviolet beams and sound or vibration detectors that are invisible to the intruder, and ultrasonic and radar devices that detect movement in a room; and
 ! Closed-circuit television that allows visual observation and recording of actions.
 
 Risks from environmental threats can be addressed somewhat through devices such as halon gas, smoke alarms, raised flooring, heat sensors, and the like.
 
 Physical security devices frequently need preventive maintenance to function properly. Maintenance logs are one control the institution can use to determine whether the devices are appropriately maintained. Periodic testing of the devices provides assurance that they are operating correctly.
 
 Security guards should be properly instructed about their duties. The employees who access secured areas should have proper identification and authorization to enter the area. All visitors should sign in and wear proper IDs so that they can be identified easily. Security guards should be trained to restrict the removal of assets from the premises and to record the identity of anyone removing assets. Consideration should be given to implementing a specific and formal authorization process for the removal of hardware and software from premises.
 
 The following security zones should have access restricted to a need basis:
 
 ! Operations center
 ! Uninterrupted power supply
 ! Telecommunications equipment
 ! Media library
 
 CABINET AND VAULT SECURITY
 
 Protective containers are designed to meet either fire-resistant or burglar-resistant standards. Labels describing expected tolerance levels are usually attached to safes and vault doors. An institution should select the tolerance level based on the sensitivity and importance of the information being protected.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 9 - Assurance
 
 9.3.6 Evaluations
 
 A product evaluation normally includes testing. Evaluations can be performed by many types of organizations, including government agencies, both domestic and foreign; independent organizations, such as trade and professional organizations; other vendors or commercial groups; or individual users or user consortia. Product reviews in trade literature are a form of evaluation, as are more formal reviews made against specific criteria. Important factors for using evaluations are the degree of independence of the evaluating group, whether the evaluation criteria reflect needed security features, the rigor of the testing, the testing environment, the age of the evaluation, the competence of the evaluating organization, and the limitations placed on the evaluations by the evaluating group (e.g., assumptions about the threat or operating environment).
 
 9.3.7 Assurance Documentation
 
 The ability to describe security requirements and how they were met can reflect the degree to which a system or product designer understands applicable security issues. Without a good understanding of the requirements, it is not likely that the designer will be able to meet them.
 
 Assurance documentation can address the security either for a system or for specific components. System-level documentation should describe the system's security requirements and how they have been implemented, including interrelationships among applications, the operating system, or networks. System-level documentation addresses more than just the operating system, the security system, and applications; it describes the system as integrated and implemented in a particular environment. Component documentation will generally be an off-the-shelf product, whereas the system designer or implementer will generally develop system documentation.
 
 9.3.8 Accreditation of Product to Operate in Similar Situation
 
 The accreditation of a product or system to operate in a similar situation can be used to provide some assurance. However, it is important to realize that an accreditation is environment- and system-specific. Since accreditation balances risk against advantages, the same product may be appropriately accredited for one environment but not for another, even by the same accrediting official.