Does your financial institution need an affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration testing
audits to verify proper Internet security settings and to meet the independent
diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which
supports compliance with Gramm-Leach-Bliley Act Section 501(b). The penetration
audit and Internet security testing is an affordable, sophisticated process
that goes far beyond the simple scanning of ports. The audit is conducted from
a hacker's perspective, which will help you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at 806-798-7119 or
visit http://www.internetbankingaudits.com/.
NEW - What if you could continuously review your IT operations throughout the
year, for less than five dollars a week? You can, by relying on The Weekly IT
Security Review by Yennik, Inc. Readers have been asking us for a method that
would allow them to continuously review their IT operations throughout the
year. We have responded by using our expertise to develop The Weekly IT
Security Review, and we're offering it to you for a limited time at the
inaugural price of $245, which is 50% off the regular annual price of $490.
Designed especially for IT professionals, this new offering from Yennik, Inc.
provides a weekly review of information systems security issues. For more
information and to subscribe visit
http://www.yennik.com/it-review/index.html.
FYI -
Heartland pays Amex $3.6M over 2008 data breach - Heartland Payment
Systems will pay American Express $3.6 million to settle charges
relating to the 2008 hacking of its payment system network.
http://www.computerworld.com/s/article/9142448/Heartland_pays_Amex_3.6M_over_2008_data_breach?source=rss_security
FYI -
U.S. House to toughen internal cybersecurity policy - Congressional
leaders on Tuesday accepted five new cybersecurity policy
recommendations aimed at protecting sensitive information belonging
to the U.S. House and securing its IT systems from attack.
http://www.scmagazineus.com/us-house-to-toughen-internal-cybersecurity-policy/article/159785/
FYI -
The 2009 data breach hall of shame - A review of the companies that
made headlines for all the wrong reasons - If there was anything
even vaguely comforting about the data breaches that were announced
this year, it was that many of them stemmed from familiar and
downright mundane security failures.
http://www.computerworld.com/s/article/9142407/The_2009_data_breach_hall_of_shame?source=CTWNLE_nlt_security_2009-12-17
FYI -
How one lost laptop can have a giant impact - As the CTO of a data
protection and encryption company, I hear many a tale of woe as
other CTOs and CEOs confess to me the stories of how various laptops
within their companies have gone astray and the destruction these
lost laptops have caused in their wake. With this in mind, here is
one such tale of woe, albeit fictional, that I have heard time and
time again.
http://www.scmagazineus.com/how-one-lost-laptop-can-have-a-giant-impact/article/160070/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Computer virus cripples Waikato DHB - Waikato District Health Board
has been crippled by a computer worm which has seen every PC in the
organisation shut down.
http://www.nzherald.co.nz/compute/news/article.cfm?c_id=1501832&objectid=10616074
FYI -
FBI investigating Citibank cyberattack - Citigroup denies
it, but its Citibank unit was reportedly robbed of tens of millions
of dollars, the victim of a cyberattack by members of a Russian
criminal gang, says Tuesday's Wall Street Journal.
http://news.cnet.com/8301-1009_3-10420308-83.html
FYI -
Thief steals U.S. Army laptop from employee's home - A laptop
containing the personal information of tens of thousands of U.S.
Army soldiers, family members and U.S. Department of Defense
employees was recently stolen.
http://www.scmagazineus.com/thief-steals-us-army-laptop-from-employees-home/article/159875/
FYI -
Data collector threatens scribe who reported breach - Shoot the
messenger, Texas-style - A Texas company is threatening to press
criminal and civil charges against a Minnesota Public Radio reporter
after she uncovered a security lapse that exposed sensitive data for
at least 500 people.
http://www.theregister.co.uk/2009/12/15/lookout_services_security_breach/
FYI -
North Carolina community college library users' data exposed -
Sensitive data belonging to the library users at a number of North
Carolina state-run community colleges may have been compromised when
a server was hacked.
http://www.scmagazineus.com/north-carolina-community-college-library-users-data-exposed/article/160027/
FYI -
N.Korea 'Hacks into S.Korea-U.S. Defense Plans' - Suspected North
Korean hackers may have gained access to a war plan devised by South
Korea and the U.S. in preparation for an emergency, including
details of specific operational scenarios, intelligence agencies
believe.
http://english.chosun.com/site/data/html_dir/2009/12/18/2009121800317.html
WEB SITE COMPLIANCE -
Sound Capacity, Business Continuity and Contingency Planning
Practices for E-Banking
1. All e-banking services and applications, including those provided
by third-party service providers, should be identified and assessed
for criticality.
2. A risk assessment should be conducted for each critical e-banking service
and application, including the potential implications of any business
disruption for the bank's credit, market, liquidity, legal, operational and
reputation risk.
3. Performance criteria for each critical e-banking service and
application should be established, and service levels should be
monitored against such criteria. Appropriate measures should be
taken to ensure that e-banking systems can handle both high and low
transaction volumes and that system performance and capacity are
consistent with the bank's expectations for future growth in
e-banking.
4. Consideration should be given to developing processing
alternatives for managing demand when e-banking systems appear to be
reaching defined capacity checkpoints.
5. E-banking business continuity plans should be formulated to
address any reliance on third-party service providers and any other
external dependencies required to achieve recovery.
6. E-banking contingency plans should set out a process for
restoring or replacing e-banking processing capabilities,
reconstructing supporting transaction information, and include
measures to be taken to resume availability of critical e-banking
systems and applications in the event of a business disruption.
INFORMATION TECHNOLOGY SECURITY -
We continue our coverage of
the FDIC's "Guidance on Managing Risks Associated With Wireless
Networks and Wireless Customer Access."
Risk Mitigation Components - Wireless Internet Devices
For wireless customer access, the financial institution should
institute policies and standards requiring that information and
transactions be encrypted throughout the link between the customer
and the institution. Financial institutions should carefully
consider the impact of implementing technologies requiring that a
third party have control over unencrypted customer information and
transactions.
As wireless application technologies evolve, new security and
control weaknesses will likely be identified in the wireless
software and security protocols. Financial institutions should
actively monitor security alert organizations for notices related to
their wireless application services. They should also consider
informing customers when wireless Internet devices that require the
use of communications protocols deemed insecure will no longer be
supported by the institution.
The financial institution should consider having regular independent
security testing performed on its wireless customer access
application. Specific testing goals would include the verification
of appropriate security settings, the effectiveness of the wireless
application security implementation and conformity to the
institution's stated standards. The security testing should be
performed by an organization that is technically qualified to
perform wireless testing and demonstrates appropriate ethical
behavior.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
43. Does the institution allow the consumer to select certain
nonpublic personal information or certain nonaffiliated third
parties with respect to which the consumer wishes to opt out?
[§10(c)]
(Note: an institution may allow partial opt outs in addition to, but may
not allow them instead of, a comprehensive opt out.)