REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Microsoft, IT Industry Push Software Security Standard - Microsoft announced its support for an international standard on secure software development, while an industry group offered a free training program for developers. http://www.eweek.com/security/microsoft-it-industry-push-software-security-standard/

FYI - Cops Should Get Warrants to Read Your E-Mail, Attorney General Says - Attorney General Eric Holder became the White House’s highest ranking official to support sweeping privacy protections requiring the government, for the first time, to get a probable-cause warrant to obtain e-mail and other content stored in the cloud. http://www.wired.com/threatlevel/2013/05/holder-email-warrants/

FYI - FBI Briefs Bank Executives On DDoS Attack Campaign - The FBI recently granted one-day clearances to security officers and executives at numerous banks so it could share classified intelligence on the Operation Ababil campaign that's been disrupting U.S. financial websites for almost a year. http://www.informationweek.com/security/attacks/fbi-briefs-bank-executives-on-ddos-attac/240154858

FYI - First California lawsuit over mobile privacy issues crashes - Court rules that federal airline laws preempt state statutes in suit seeking to force Delta Air Lines to notify mobile app users about data collection plans.  http://www.computerworld.com/s/article/9239193/First_California_lawsuit_over_mobile_privacy_issues_crashes?taxonomyId=17

FYI - Google security: You (still) are the weakest link - At its I/O conference, two of Google's top-level security experts say the company is intensely focused on the issue, but passwords remain a thorny problem. http://news.cnet.com/8301-1009_3-57584971-83/google-security-you-still-are-the-weakest-link/?tag=nl.e757&s_cid=e757&ttag=e757

FYI - S3 announces DX10-capable Chrome 4 series - S3 has announced plans to introduce a new series of DX10-compatible video cards by the end of the year. It's not yet known whether the new Chrome 4 designs will be a continuing evolution of S3's aging DeltaChrome technology, (currently represented by the Chrome S27) or will represent an entirely new architecture, but there should be two flavors of the card available by Christmas. http://arstechnica.com/gadgets/2007/09/s3-announces-dx10-capable-chrome-4-series/

FYI - California law would require breach notice if online account information is stolen - The state Senate in California unanimously has passed a law that would require organizations that are breached to alert victims when intruders access online account information belonging to consumers. http://www.scmagazine.com/california-law-would-require-breach-notice-if-online-account-information-is-stolen/article/294296/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Lawsuit Says IRS Illegally Seized 60 Million Health Records - A lawsuit filed in California accuses the Internal Revenue Service of illegal seizure of 60 million electronic health care records belonging to 10 million Americans. http://www.nextgov.com/health/2013/05/lawsuit-says-irs-illegally-seized-60-million-health-records/63179/?oref=ng-HPtopstory

FYI - Why the AP phone records seizure and the LulzSec sentences are related - Earlier this week, The Associated Press stunningly revealed that the U.S. Department of Justice secretly obtained "records for more than 20 separate telephone lines assigned to the AP and its journalists" covering "a full two-month period in early 2012." http://www.scmagazine.com/why-the-ap-phone-records-seizure-and-the-lulzsec-sentences-are-related/article/293726/?DCMP=EMC-SCUS_Newswire

FYI - Espionage hacking campaign "Operation Hangover" originates in India - Move over China. India is fast becoming a hotbed of advanced persistent threat (APT) activity. http://www.scmagazine.com/espionage-hacking-campaign-operation-hangover-originates-in-india/article/294135/?DCMP=EMC-SCUS_Newswire

FYI - 22M accounts exposed in Yahoo Japan breach - A breach at Yahoo Japan, the most visited website in the country, may have exposed up to 22 million user login names. http://www.scmagazine.com/22m-accounts-exposed-in-yahoo-japan-breach/article/294139/?DCMP=EMC-SCUS_Newswire

FYI - Data on patients may be exposed after X-rays go missing - X-rays that also contained sensitive personal information belonging to California-based El Centro Regional Medical Center (ECRMC) patients have gone missing from a third-party vendor's warehouse. http://www.scmagazine.com/data-on-patients-may-be-exposed-after-x-rays-go-missing/article/294145/?DCMP=EMC-SCUS_Newswire

FYI - Chinese hackers who breached Google gained access to sensitive data, U.S. officials say - Chinese hackers who breached Google’s servers several years ago gained access to a sensitive database with years’ worth of information about U.S. surveillance targets, according to current and former government officials. http://www.washingtonpost.com/world/national-security/chinese-hackers-who-breached-google-gained-access-to-sensitive-data-us-officials-say/2013/05/20/51330428-be34-11e2-89c9-3be8095fe767_story.html

FYI - China's 'state-sponsored hackers renew attacks on US' - State-sponsored hackers have renewed attacks on the US after a three-month hiatus, the New York Times reports. http://www.bbc.co.uk/news/technology-22594140

FYI - Idaho State University to pay HHS $400K after investigation reveals shoddy security - Idaho State University (ISU) this week settled (PDF) with the U.S. Department of Health and Human Services (HHS) for $400,000 in the wake of a data breach that exposed the personal information of 17,500 patients. http://www.scmagazine.com//idaho-state-university-to-pay-hhs-400k-after-investigation-reveals-shoddy-security/article/294679/?DCMP=EMC-SCUS_Newswire

FYI - Event ticketing company hacked, at least tens of thousands affected - After a server attack, tens of thousands of customers, who used the services of Boston-based online ticketing company Vendini, had their financial and other sensitive information exposed. http://www.scmagazine.com//event-ticketing-company-hacked-at-least-tens-of-thousands-affected/article/294677/?DCMP=EMC-SCUS_Newswire

FYI - NYPD detective charged with hiring hackers so he could spy on ex-girlfriend - A New York Police Department (NYPD) detective was charged Tuesday with accessing a restricted federal database and using an email hacking service to pry into the business of other officers. http://www.scmagazine.com//nypd-detective-charged-with-hiring-hackers-so-he-could-spy-on-ex-girlfriend/article/294567/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Contract Issues

Termination

The extent and flexibility of termination rights sought can vary depending upon the service. Contracts for technologies subject to rapid change, for example, may benefit from greater flexibility in termination rights. Termination rights may be sought for a variety of conditions including change in control (e.g., acquisitions and mergers), convenience, substantial increase in cost, repeated failure to meet service levels, failure to provide critical services, bankruptcy,
company closure, and insolvency.

Institution management should consider whether or not the contract permits the institution to terminate the contract in a timely manner and without prohibitive expense (e.g., reasonableness of cost or penalty provisions). The contract should state termination and notification requirements with time frames to allow the orderly conversion to another provider. The contract must provide for return of the institution’s data, as well as other institution resources, in a timely manner and in machine readable format. Any costs associated with transition assistance should be clearly stated.

Assignment

The institution should consider contract provisions that prohibit assignment of the contract to a third party without the institution’s consent, including changes to subcontractors.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We begin our series on the FFIEC interagency Information Security Booklet.  This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and most important your outsourced network security consultants.  Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription for at https://yennik.com/newletter_page.htm.  There is no charge for the e-newsletter. 

SECURITY OBJECTIVES

Information security enables a financial institution to meet its business objectives by implementing business systems with due consideration of information technology (IT) -  related risks to the organization, business and trading partners, technology service providers, and customers. Organizations meet this goal by striving to accomplish the following objectives.

1)  Availability - The ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information and/or systems.

2)  Integrity of Data or Systems - System and data integrity relate to the processes, policies, and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability.

3)  Confidentiality of Data or Systems - Confidentiality covers the processes, policies, and controls employed to protect information of customers and the institution against unauthorized access or use.

4)  Accountability - Clear accountability involves the processes, policies, and controls necessary to trace actions to their source. Accountability directly supports non-repudiation, deterrence, intrusion prevention, intrusion detection, recovery, and legal admissibility of records.

5)  Assurance - Assurance addresses the processes, policies, and controls used to develop confidence that technical and operational security measures work as intended. Assurance levels are part of the system design and include availability, integrity, confidentiality, and accountability. Assurance highlights the notion that secure systems provide the intended functionality while preventing undesired actions.

Appropriate security controls are necessary for financial institutions to challenge potential customer or user claims that they did not initiate a transaction. Financial institutions can accomplish this by achieving both integrity and accountability to produce what is known as non-repudiation. Non-repudiation occurs when the financial institution demonstrates that the originators who initiated the transaction are who they say they are, the recipient is the intended counter party, and no changes occurred in transit or storage. Non-repudiation can reduce fraud and promote the legal enforceability of electronic agreements and transactions. While non-repudiation is a goal and is conceptually clear, the manner in which non-repudiation can be achieved for electronic systems in a practical, legal sense may have to wait for further judicial clarification.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 13=, 14, and/or 15 but outside of these exceptions (Part 1 of 2)

A. Disclosure of Nonpublic Personal Information

1)  Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the financial institution's compliance with disclosure limitations.

a.  Compare the data shared and with whom the data were shared to ensure that the institution accurately categorized its information sharing practices and is not sharing nonpublic personal information outside the exceptions (§§13, 14, 15).

b.  Compare the categories of data shared and with whom the data were shared to those stated in the privacy notice and verify that what the institution tells consumers in its notices about its policies and practices in this regard and what the institution actually does are consistent (§§10, 6).

2)  Review contracts with nonaffiliated third parties that perform services for the financial institution not covered by the exceptions in section 14 or 15. Determine whether the contracts adequately prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed. Note that the "grandfather" provisions of Section 18 apply to certain of these contracts. (§13(a)).