R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

June 9, 2013

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Is the Information Technology Revolution Over? - David M. Byrne, Stephen D. Oliner, and Daniel E. Sichel - Given the slowdown in labor productivity growth in the mid-2000s, some have argued that the boost to labor productivity from IT may have run its course. This paper contributes three types of evidence to this debate. First, we show that since 2004, IT has continued to make a significant contribution to labor productivity growth in the United States, though it is no longer providing the boost it did during the productivity resurgence from 1995 to 2004. www.federalreserve.gov/pubs/feds/2013/201336/201336pap.pdf 

FYI - Analyzing The Cost of a HIPAA-related Breach Through the Lens of the Critical Security Controls - Idaho State University (ISU) recently agreed to pay $400,000 to the U.S. Department of Health and Human Services (HHS) to settle violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule discovered after ISU notified HHS of the breach of unsecured electronic protected health information (ePHI) of approximately 17,500 patients at ISU's Pocatello Family Medicine Clinic. http://www.sans.org/security-trends/2013/05/30/analyzing-the-cost-of-a-hipaa-related-breach-through-the-lens-of-the-critical-security-controls

FYI - Unprecedented e-mail privacy bill sent to Texas governor’s desk - While reform languishes in Congress, Austin moves to protect Texans' inboxes. Assuming that Texas Governor Rick Perry does not veto it, the Lone Star State appears set to enact the nation’s strongest e-mail privacy bill. The proposed legislation requires state law enforcement agencies to get a warrant for all e-mails regardless of the age of the e-mail. http://arstechnica.com/tech-policy/2013/05/unprecedented-e-mail-privacy-bill-sent-to-texas-governors-desk/

FYI - Decryption disclosure doesn't violate Fifth Amendment, judge rules - Subject of investigation had claimed forced disclosure of encrypted content violated self-incrimination protections - A federal judge in Wisconsin has ordered a suspect in an investigation to either provide prosecutors with the passwords to several encrypted storage devices of his that are thought to contain incriminating evidence or to provide them with a decrypted copy of the contents of the drives. http://www.computerworld.com/s/article/9239612/Decryption_disclosure_doesn_t_violate_Fifth_Amendment_judge_rules_in_child_porn_case?taxonomyId=17

FYI - China's military to train on digital warfare - Amid rising concern in the U.S. over China's role in cyberattacks, the latter is expanding its focus on virtual combat. China, often linked to alleged cyberattacks, is apparently training military forces on digital combat and "informationalized" war. http://news.cnet.com/8301-1009_3-57586569-83/chinas-military-to-train-on-digital-warfare/

FYI - Judge orders Google to comply with FBI's secret NSL demands - A federal judge tells the company to comply with the FBI's warrantless National Security Letter requests for user details, despite ongoing concerns about their constitutionality. http://news.cnet.com/8301-13578_3-57587003-38/judge-orders-google-to-comply-with-fbis-secret-nsl-demands/

FYI - France removes Internet cut-off threat from its anti-piracy law - French digital minister says "it’s like cutting off someone’s water.” France finally put an end to the most extreme measure of its famous “three strikes” anti-piracy regime: no one will face being cut off from the Internet. http://arstechnica.com/tech-policy/2013/06/france-removes-internet-cut-off-threat-from-its-anti-piracy-law/

FYI - Maine may be first state to require a warrant for cell-phone tracking - Bill sought by privacy groups passes legislature, headed for state Senate, governor's signature - Maine is one step closer to becoming the first state in the nation with a law that would require police to obtain a court-issued search warrant in order to obtain a person's cell-phone location data. http://www.computerworld.com/s/article/9239749/Maine_may_be_first_state_to_require_a_warrant_for_cell_phone_tracking?taxonomyId=17

FYI - Megaupload wins access to data seized in police raid - Megaupload founder Kim Dotcom has won access to evidence seized during raids on the file storage service. The decision to grant access was made by the New Zealand high court which said warrants used to grab the material were illegal. http://www.bbc.co.uk/news/technology-22716718

FYI - Drupal issues password reset after servers compromised - A vulnerability in a third-party application used on Drupal's servers allowed attackers to access customer data, prompting the CMS developer to reset user passwords. Content management system software developer Drupal is recommending that its customers reset their Drupal.org passwords after it was discovered that account information on its servers had been compromised. http://www.zdnet.com/drupal-issues-password-reset-after-servers-compromised-7000016067/

FYI - Harvard dean who okayed secret faculty email search steps down - Evelynn Hammonds admitted she authorized the search, but said it was limited - A Harvard College dean, who last month acknowledged authorizing a secret search of email belonging to several residential deans at the university, will step down from her position July 1. http://www.computerworld.com/s/article/9239574/Harvard_dean_who_okayed_secret_faculty_email_search_steps_down?taxonomyId=17

FYI - Unattended hard drive may have led to exposure of 14k Social Security numbers - The personal information of students applying to attend Champlain College in Burlington, Vt., may have been accessed after a portable hard drive containing their data was found in a campus computer lab. http://www.scmagazine.com//unattended-hard-drive-may-have-led-to-exposure-of-14k-social-security-numbers/article/296323/?DCMP=EMC-SCUS_Newswire


Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Oversight of Service Provider

Assess Quality of Service and Support

• Regularly review reports documenting the service provider’s performance. Determine if the reports are accurate and allow for a meaningful assessment of the service provider’s performance.
• Document and follow up on any problem in service in a timely manner. Assess service provider plans to enhance service levels.
• Review system update procedures to ensure appropriate change controls are in effect, and ensure authorization is established for significant system changes.
• Evaluate the provider’s ability to support and enhance the institution’s strategic direction including anticipated business development goals and objectives, service delivery requirements, and technology initiatives.
• Determine adequacy of training provided to financial institution employees.
• Review customer complaints on the products and services provided by the service provider.
• Periodically meet with contract parties to discuss performance and operational issues.
• Participate in user groups and other forums.

We continue our series on the FFIEC interagency Information Security Booklet.  This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and, most importantly, your outsourced network security consultants.  Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription form at https://yennik.com/newletter_page.htm.  There is no charge for the e-newsletter. 

Information security is the responsibility of everyone at the institution, as well as the institution's service providers and contractors. The board, management, and employees all have different roles in developing and implementing an effective security process. The board of directors is responsible for overseeing the development, implementation, and maintenance of the institution's information security program. Oversight requires the board to provide management with guidance and receive reports on the effectiveness of management's response. The board should approve written information security policies and the information security program at least annually. The board should provide management with its expectations and requirements for:

1)  Central oversight and coordination,
2)  Areas of responsibility,
3)  Risk measurement,
4)  Monitoring and testing,
5)  Reporting, and
6)  Acceptable residual risk.

Senior management's attitude towards security affects the entire organization's commitment to security. For example, the failure of a financial institution president to comply with security policies could undermine the entire organization's commitment to security.

Senior management should designate one or more individuals as information security officers. Security officers should be responsible and accountable for security administration. At a minimum, they should directly manage or oversee risk assessment, development of policies, standards, and procedures, testing, and security reporting processes. Security officers should have the authority to respond to a security event by ordering emergency actions to protect the financial institution and its customers from an imminent loss of information or value. They should have sufficient knowledge, background, and training, as well as an organizational position, to enable them to perform their assigned tasks.


We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties only under Sections 14 and/or 15.

Note: This module applies only to customers.

A. Disclosure of Nonpublic Personal Information

1)  Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party.

a.  Compare the data shared and with whom the data were shared to ensure that the institution accurately states its information sharing practices and is not sharing nonpublic personal information outside the exceptions. 

B. Presentation, Content, and Delivery of Privacy Notices

1)  Obtain and review the financial institution's initial and annual notices, as well as any simplified notice that the institution may use. Note that the institution may only use the simplified notice when it does not also share nonpublic personal information with affiliates outside of Section 14 and 15 exceptions. Determine whether or not these notices: 

a.  Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));

b.  Accurately reflect the policies and practices used by the institution (§§4(a), 5(a)(1)). Note, this includes practices disclosed in the notices that exceed regulatory requirements; and

c.  Include, and adequately describe, all required items of information (§6).

2)  Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written customer records where available, determine if the institution has adequate procedures in place to provide notices to customers, as appropriate. Assess the following:

a.  Timeliness of delivery (§§4(a), 4(d), 4(e), 5(a)); and

b.  Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the customer agrees; or as a necessary step of a transaction) (§9) and accessibility of or ability to retain the notice (§9(e)).

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated