Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
REMINDER - This newsletter is available for Android smartphones and tablets. Go to the Market Store and search for yennik.
FYI
- America is losing the cybersecurity war; China hacked every major
US company - Gloom and doom is the predicted forecast, but that is
in regard to U.S. cybersecurity instead of the weather. Four top
government cybersecurity officials have basically come out to say
America is getting her hiney kicked in cyberattacks by nation state
hackers.
http://blogs.computerworld.com/19951/cybersecurity_america_is_losing_the_war_china_hacked_every_major_us_company?source=CTWNLE_nlt_security_2012-03-29
FYI
- Counterterrorism Czar: China's Hacked Every Major U.S. Firm -
Legendary spook Richard A. Clarke's gone on the record claiming
Chinese hackers have infiltrated every major American corporation.
He warns that the effects for American innovation--and especially
corporate R&D--will be brutal.
http://www.fastcompany.com/1826665/counterterrorism-czar-chinas-hacked-every-major-us-firm?partner=rss&utm_medium=referral&utm_source=pulsenews
FYI
- Shutting access to passwords - Mobile devices free us from being
tied to an office computer when accessing personal information: web
logins, passwords, PINs, account numbers, etc. Imagine a mobile
device falling into the wrong hands, resulting in the draining of
bank accounts and the co-opting of identities.
http://www.scmagazine.com/shutting-access-to-passwords/article/232591/?DCMP=EMC-SCUS_Newswire
FYI
- Most police departments track cellphones without warrants - A
"disturbing" number of law enforcement agencies track cell phones
without a warrant, the American Civil Liberties Union said on Monday,
citing documents gathered from across the United States.
http://www.nextgov.com/nextgov/ng_20120402_7520.php?oref=topnews
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Laptop with patient data stolen from Howard University Hospital
contractor - Letters have gone out to patients of Howard University
Hospital in Washington, D.C., after their personal information was
exposed when a laptop was stolen from the car of a contractor.
http://www.scmagazine.com/laptop-with-patient-data-stolen-from-howard-university-hospital-contractor/article/234291/?DCMP=EMC-SCUS_Newswire
FYI
- Military dating website says LulzSec hack didn't happen - A
military dating website, which a band of hackers claimed this week
to successfully infiltrate to pillage members' personal information,
was not actually hacked, according to its administrator.
http://www.scmagazine.com/military-dating-website-says-lulzsec-hack-didnt-happen/article/234201/?DCMP=EMC-SCUS_Newswire
FYI
- NSA's top spook blames China for RSA hack - Says People's Republic
trousers loads of US military IP - The director of the US National
Security Agency has named China as the country behind last year's
high profile hack against RSA that resulted in the extraction of
data related to SecurID tokens.
http://www.theregister.co.uk/2012/03/29/nsa_blames_china_rsa_hack/
FYI
- Devices lost containing data on 800K users of child support
services - A number of unencrypted storage devices belonging to the
California Department of Child Support Services went missing.
http://www.scmagazine.com/devices-lost-containing-data-on-800k-users-of-child-support-services/article/234498/?DCMP=EMC-SCUS_Newswire
FYI
- Visa confirms processor credit card breach - Visa and MasterCard
are investigating a major breach of credit card numbers at a payment
processor, the size of which may exceed anything seen in at least
three years.
http://www.scmagazine.com/visa-confirms-processor-credit-card-breach/article/234478/?DCMP=EMC-SCUS_Newswire
FYI
- Global Payments Says 1.5 Million Cards Stolen; Won’t Discuss
Details of Breach - About 1.5 million cards were potentially stolen
by hackers in the recent breach of Atlanta-based card processor
Global Payments Inc, according to a statement released by the
company on Sunday.
http://www.wired.com/threatlevel/2012/04/global-payments-breach/
WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
Risk Management Principles for Electronic Banking
The e-banking risk management principles identified in this
Report fall into three broad, and often overlapping, categories of
issues. However, these principles are not weighted by order of
preference or importance. If only because such weighting might
change over time, it is preferable to remain neutral and avoid such
prioritization.
A. Board and Management Oversight (Principles 1 to 3):
1. Effective management oversight of e-banking activities.
2. Establishment of a comprehensive security control process.
3. Comprehensive due diligence and management oversight process for
outsourcing relationships and other third-party dependencies.
B. Security Controls (Principles 4 to 10):
4. Authentication of e-banking customers.
5. Non-repudiation and accountability for e-banking transactions.
6. Appropriate measures to ensure segregation of duties.
7. Proper authorization controls within e-banking systems, databases
and applications.
8. Data integrity of e-banking transactions, records, and
information.
9. Establishment of clear audit trails for e-banking transactions.
10. Confidentiality of key bank information.
C. Legal and Reputational Risk Management (Principles 11 to 14):
11. Appropriate disclosures for e-banking services.
12. Privacy of customer information.
13. Capacity, business continuity and contingency planning to ensure
availability of e-banking systems and services.
14. Incident response planning.
Each of the above principles will be covered over the next few weeks, as they relate to e-banking and the underlying risk management principles that banks should consider to address these issues.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
LOGGING AND DATA COLLECTION (Part 1 of 2)
Financial institutions should take reasonable steps to ensure that
sufficient data is collected from secure log files to identify and
respond to security incidents and to monitor and enforce policy
compliance. Appropriate logging controls ensure that security
personnel can review and analyze log data to identify unauthorized
access attempts and security violations, provide support for
personnel actions, and aid in reconstructing compromised systems.
An institution's ongoing security risk assessment process should
evaluate the adequacy of the system logging and the type of
information collected. Security policies should address the proper
handling and analysis of log files. Institutions have to make
risk-based decisions on where and when to log activity. The
following data are typically logged to some extent, including:
- Inbound and outbound Internet traffic,
- Internal network traffic,
- Firewall events,
- Intrusion detection system events,
- Network and host performance,
- Operating system access (especially high-level administrative or root access),
- Application access (especially users and objects with write and execute privileges), and
- Remote access.
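The booklet's point about operating system access logs is that someone must actually review them for unauthorized access attempts, especially against administrative or root accounts. The following is an added example, not from the FFIEC booklet or this newsletter, of a small log review that does that: it reads constructed sshd and sudo syslog lines (formats approximate OpenSSH and sudo output; the hostnames, addresses, user names and the three-failure threshold are assumptions) and reports failed privileged logins, sources exceeding a failure threshold, denied sudo commands, and commands run as root, which is the kind of data needed both to spot a violation and to reconstruct what happened on a compromised host.

```python
"""Review OS access logs for unauthorized privileged access attempts.

Added example (not from the FFIEC booklet or the newsletter).  The log lines
below are constructed, in OpenSSH/sudo syslog style; hosts, addresses, user
names and the threshold are assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log lines; not from any real system.
SAMPLE_LOG = """\
Apr  2 08:01:12 core01 sshd[4021]: Accepted publickey for alice from 10.1.5.20 port 50122 ssh2
Apr  2 08:02:30 core01 sshd[4030]: Failed password for root from 203.0.113.7 port 41022 ssh2
Apr  2 08:02:33 core01 sshd[4031]: Failed password for root from 203.0.113.7 port 41023 ssh2
Apr  2 08:02:36 core01 sshd[4032]: Failed password for root from 203.0.113.7 port 41024 ssh2
Apr  2 08:02:40 core01 sshd[4033]: Failed password for invalid user admin from 203.0.113.7 port 41025 ssh2
Apr  2 08:10:05 core01 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/less /var/log/secure
Apr  2 08:11:40 core01 sudo:    bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Apr  2 08:15:00 core01 sshd[4050]: Failed password for alice from 10.1.5.20 port 50130 ssh2
"""

# Accounts the booklet singles out: high-level administrative or root access.
PRIVILEGED_ACCOUNTS = {"root", "admin", "administrator"}

# sshd failure; "invalid user" appears when the account does not exist.
SSHD_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
# sudo refused the command (user is not permitted to run it).
SUDO_DENIED = re.compile(
    r"sudo:\s+(?P<user>\S+) : command not allowed ; .*COMMAND=(?P<cmd>.+)$")
# sudo ran the command as the USER= target account.
SUDO_RUN = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def review_os_access(log_text, threshold=3):
    """Summarise privileged-access events in syslog-style text.

    Returns a dict with per-source failure counts, sources at or above the
    failure threshold, failed logins against privileged accounts, denied sudo
    commands, commands run as a privileged account, and human-readable findings.
    """
    failed_by_source = defaultdict(int)
    failed_privileged = []   # (source, account)
    sudo_denied = []         # (user, command)
    sudo_privileged = []     # (user, target account, command)

    for line in log_text.splitlines():
        m = SSHD_FAILED.search(line)
        if m:
            failed_by_source[m["src"]] += 1
            if m["user"].lower() in PRIVILEGED_ACCOUNTS:
                failed_privileged.append((m["src"], m["user"]))
            continue
        m = SUDO_DENIED.search(line)
        if m:
            sudo_denied.append((m["user"], m["cmd"]))
            continue
        m = SUDO_RUN.search(line)
        if m and m["target"].lower() in PRIVILEGED_ACCOUNTS:
            sudo_privileged.append((m["user"], m["target"], m["cmd"]))

    # Sources with repeated failures are the first thing a reviewer should see.
    brute_force_sources = sorted(
        src for src, n in failed_by_source.items() if n >= threshold)

    findings = []
    for src in brute_force_sources:
        findings.append(f"{src}: {failed_by_source[src]} failed logins (threshold {threshold})")
    for src, user in failed_privileged:
        findings.append(f"{src}: failed login as privileged account '{user}'")
    for user, cmd in sudo_denied:
        findings.append(f"{user}: sudo denied for '{cmd}'")

    return {
        "failed_by_source": dict(failed_by_source),
        "brute_force_sources": brute_force_sources,
        "failed_privileged": failed_privileged,
        "sudo_denied": sudo_denied,
        "sudo_privileged": sudo_privileged,
        "findings": findings,
    }


if __name__ == "__main__":
    result = review_os_access(SAMPLE_LOG)
    for finding in result["findings"]:
        print("FINDING:", finding)
    # The successful root-level sudo commands support reconstruction, not alerting.
    for user, target, cmd in result["sudo_privileged"]:
        print(f"AUDIT: {user} ran as {target}: {cmd}")
```

On the constructed input, the review flags 203.0.113.7 for four failures (three against root and one against the non-existent "admin" account), bob's denied attempt to obtain a root shell, and records bob's permitted root-level read of /var/log/secure for the audit trail; alice's single failed password is counted but stays below the threshold.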
INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
9) Does the institution list the following categories of nonpublic
personal information that it collects, as applicable:
a) information from the consumer; [§6(c)(1)(i)]
b) information about the consumer's transactions with the
institution or its affiliates; [§6(c)(1)(ii)]
c) information about the consumer's transactions with nonaffiliated
third parties; [§6(c)(1)(iii)] and
d) information from a consumer reporting agency? [§6(c)(1)(iv)]