REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - National Security-Related Agencies Need to Better Address Risks - Reliance on a global supply chain introduces multiple risks to federal information systems. These risks include threats posed by actors - such as foreign intelligence services or counterfeiters. http://www.gao.gov/products/GAO-12-361

FYI - Hacktivists 'steal more than criminals' - Hacktivists stole more data from large corporations than cybercriminals in 2011, according to a study of significant security incidents. http://www.bbc.co.uk/news/technology-17428618

FYI - New counterterrorism guidelines permit data on U.S. citizens to be held longer - The Obama administration has approved guidelines that allow counterterrorism officials to lengthen the period of time they retain information about U.S. residents, even if they have no known connection to terrorism. http://www.washingtonpost.com/world/national-security/new-counterterrorism-guidelines-would-permit-data-on-us-citizens-to-be-held-longer/2012/03/21/gIQAFLm7TS_story.html

FYI - Microsoft zaps Zeus command centers used in bank fraud - Microsoft has cast a big blow to one of the most pernicious trojans in existence, responsible for stealing tens of millions of dollars through the keystroke logging of online banking credentials, usually belonging to small and midsize businesses.
http://www.scmagazine.com/microsoft-zaps-zeus-command-centers-used-in-bank-fraud/article/233736/?DCMP=EMC-SCUS_Newswire
http://www.theregister.co.uk/2012/03/26/zeus_botnet_takedown/

FYI - Additional Efforts Needed by National Security-Related Agencies to Address Risks - on a global supply chain introduces multiple risks to federal information systems and underscores the importance of threat assessments and mitigation. http://www.gao.gov/products/GAO-12-579T

FYI - Rejected telco drew US worry for spying - The Chinese telco banned from bidding on the National Broadband Network on the advice of ASIO is being investigated by the US house intelligence committee amid concerns it is an arm of Beijing's cyber-espionage effort. http://www.theaustralian.com.au/national-affairs/rejected-telco-drew-us-worry-for-spying/story-fn59niix-1226310748639

FYI - Senators want ruling on whether Facebook password requests are illegal - Two US Senators asked the Department of Justice and Equal Employment Opportunity Commission to start an investigation into whether employers asking job applicants for usernames and passwords violates federal law. http://arstechnica.com/tech-policy/news/2012/03/senators-want-ruling-on-whether-facebook-password-requests-are-illegal.ars

FYI - Why won’t wireless companies help stop cell phone thefts? - Police say there’s a simple way they could halt epidemic of often violent crime - Violent robberies of iPhones and other smartphones: Authorities say there’s a solution, but the wireless companies won’t do their part to help. http://today.msnbc.msn.com/id/46794322/ns/today-today_rossen_reports/t/rossen-reports-why-wont-wireless-companies-help-stop-cell-phone-thefts/#.T2_bnZh9020

FYI - More Work Remains to Implement Necessary Management Controls - has made progress in implementing prior GAO recommendations on modernizing its IT environment; however more actions are needed. In 2009, GAO reported that HUD lacked key IT management controls; which are essential to achieving successful outcomes. http://www.gao.gov/products/GAO-12-580T

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Univ. of Tampa says student info was exposed for 8 months - Accidental online leak involved more than 6,800 students; another 22K may also be affected - An in-class project on advanced search techniques led to the discovery of a major data breach at the University of Tampa (UT) in Florida earlier this month. http://www.computerworld.com/s/article/9225391/Univ._of_Tampa_says_student_info_was_exposed_for_8_months?taxonomyId=203

FYI - Barclaycard pay-by-bonk fraud risk exposes Amazon's security - NFC cards savaged in privates' slurp probe - Channel 4 News has found out that pay-by-wave phones are compatible with pay-by-wave cards, and wants something done about it, but it's web bazaar Amazon that's lacking basic security. http://www.theregister.co.uk/2012/03/26/nfc_security_amazon/

FYI - Chinese hacker arrested for leaking 6 million logins - Forget the attacks that have compromised thousands of accounts. This Chinese hacker managed to steal and leak the data belonging to 6 million users, before he was arrested of course. http://www.zdnet.com/blog/security/chinese-hacker-arrested-for-leaking-6-million-logins/11064

FYI - Foreign spies 'penetrate' US military networks - Foreign spies should be assumed to have penetrated the computer networks of the US military, American politicians have been told. http://www.bbc.co.uk/news/technology-17486847

FYI - LulzSec redux dumps data after raiding military dating site - Hackers calling themselves "LulzSec Reborn" have claimed responsibility for two breaches that resulted in the dumping of personal information.
http://www.scmagazine.com/lulzsec-redux-dumps-data-after-raiding-military-dating-site/article/233929/?DCMP=EMC-SCUS_Newswire

FYI - RockYou to pay FTC $250K after breach of 32M passwords - RockYou, a company that makes games and other applications for use on social networking sites, must pay $250,000 following a settlement with the Federal Trade Commission over a massive 2009 breach. http://www.scmagazine.com/rockyou-to-pay-ftc-250k-after-breach-of-32m-passwords/article/233992/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Risk management principles (Part 2 of 2)

The Committee recognizes that banks will need to develop risk management processes appropriate for their individual risk profile, operational structure and corporate governance culture, as well as in conformance with the specific risk management requirements and policies set forth by the bank supervisors in their particular jurisdiction(s). Further, the numerous e-banking risk management practices identified in this Report, while representative of current industry sound practice, should not be considered to be all-inclusive or definitive, since many security controls and other risk management techniques continue to evolve rapidly to keep pace with new technologies and business applications.

This Report does not attempt to dictate specific technical solutions to address particular risks or set technical standards relating to e-banking. Technical issues will need to be addressed on an on-going basis by both banking institutions and various standards-setting bodies as technology evolves. Further, as the industry continues to address e-banking technical issues, including security challenges, a variety of innovative and cost efficient risk management solutions are likely to emerge. These solutions are also likely to address issues related to the fact that banks differ in size, complexity and risk management culture and that jurisdictions differ in their legal and regulatory frameworks.

For these reasons, the Committee does not believe that a "one size fits all" approach to e-banking risk management is appropriate, and it encourages the exchange of good practices and standards to address the additional risk dimensions posed by the e-banking delivery channel. In keeping with this supervisory philosophy, the risk management principles and sound practices identified in this Report are expected to be used as tools by national supervisors and implemented with adaptations to reflect specific national requirements where necessary, to help promote safe and secure e-banking activities and operations.

The Committee recognizes that each bank's risk profile is different and requires a risk mitigation approach appropriate for the scale of the e-banking operations, the materiality of the risks present, and the willingness and ability of the institution to manage these risks. These differences imply that the risk management principles presented in this Report are intended to be flexible enough to be implemented by all relevant institutions across jurisdictions. National supervisors will assess the materiality of the risks related to e-banking activities present at a given bank and whether, and to what extent, the risk management principles for e-banking have been adequately met by the bank's risk management framework.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY -  We continue our series on the FFIEC interagency Information Security Booklet.  

ELECTRONIC AND PAPER - BASED MEDIA HANDLING

DISPOSAL

Financial institutions need appropriate disposal procedures for both electronic and paper based media. Policies should prohibit employees from discarding sensitive media along with regular garbage to avoid accidental disclosure. Many institutions shred paper - based media on site and others use collection and disposal services to ensure the media is rendered unreadable and unreconstructable before disposal. Institutions that contract with third parties should use care in selecting vendors to ensure adequate employee background checks, controls, and experience.

Computer - based media presents unique disposal problems. Residual data frequently remains on media after erasure. Since that data can be recovered, additional disposal techniques should be applied to sensitive data. Physical destruction of the media, for instance by subjecting a compact disk to microwaves, can make the data unrecoverable. Additionally, data can sometimes be destroyed after overwriting. Overwriting may be preferred when the media will be re - used. Institutions should base their disposal policies on the sensitivity of the information contained on the media and, through policies, procedures, and training, ensure that the actions taken to securely dispose of computer-based media adequately protect the data from the risks of reconstruction. Where practical, management should log the disposal of sensitive media, especially computer - based media.

TRANSIT

Financial institutions should maintain the security of media while in transit or when shared with third parties. Policies should include:

! Restrictions on the carriers used and procedures to verify the identity of couriers,
! Requirements for appropriate packaging to protect the media from damage,
! Use of encryption for transmission of sensitive information,
! Security reviews or independent security reports of receiving companies, and
! Use of nondisclosure agreements between couriers and third parties.

Financial institutions should address the security of their back - up tapes at all times, including when the tapes are in transit from the data center to off - site storage.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice (Part 2 of 2)

8)  Do the initial, annual, and revised privacy notices include each of the following, as applicable: (Part 2 of 2)

e)  if the institution discloses nonpublic personal information to a nonaffiliated third party under §13, and no exception under §14 or §15 applies, a separate statement of the categories of information the institution discloses and the categories of third parties with whom the institution has contracted; [§6(a)(5)]

f)  an explanation of the opt out right, including the method(s) of opt out that the consumer can use at the time of the notice; [§6(a)(6)]

g)  any disclosures that the institution makes under §603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA); [§6(a)(7)]

h)  the institution's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; [§6(a)(8)] and

i)  a general statement--with no specific reference to the exceptions or to the third parties--that the institution makes disclosures to other nonaffiliated third parties as permitted by law? [§6(a)(9), (b)]