Internet Banking News

June 16, 2013

CONTENT	Internet Compliance	Web Site Audits
IT Security	Internet Privacy	Penetration Testing

Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for the Android smart phones and tablets. Go to the Market Store and search for yennik.

FYI - U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program - The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets, according to a top-secret document obtained by The Washington Post. http://www.washingtonpost.com/www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html

FYI - NSA Was Granted Order to Snag Millions of Verizon Call Records for 3 Months - The National Security Agency obtained a court order to collect the call records of millions of Verizon customers, according to a secret document obtained by the Guardian. http://www.wired.com/threatlevel/2013/06/nsa-verizon-call-records/

FYI - DHS Watchdog: ‘Intuition and Hunch’ Are Enough to Search Your Gadgets at Border - The Department of Homeland Security’s civil rights watchdog has concluded that “intuition and hunch” are among the primary reasons why it is “inadvisable” to establish constitutional safeguards protecting travelers’ electronics from being searched for any reason along the U.S. border. http://www.wired.com/threatlevel/2013/06/border-gadget-searches/

FYI - Judge Blocks Order Demanding Suspect Decrypt Computer Drives or Face Jail - A federal judge today halted an order that a Wisconsin man decrypt 16 computer drives. http://www.wired.com/threatlevel/2013/06/decryption-order-stayed/

FYI - Is your IT department "donating" your attorney-client privilege without your knowledge? - What if an executive of your company came to you and said, “Look, we've got this data about an incident that happened. http://www.scmagazine.com//is-your-it-department-donating-your-attorney-client-privilege-without-your-knowledge/article/296699/?DCMP=EMC-SCUS_Newswire

FYI - GAO - Information Technology: OMB and Agencies Need to Focus Continued Attention on Eliminating Duplicative Investments. http://www.gao.gov/products/GAO-13-685T

FYI - Obama Asked Intel Agencies to Draw Up List of Possible Cyber Targets Overseas - Four years after the U.S. and Israel allegedly launched the first known cyberweapon against Iran, President Barack Obama ordered U.S. intelligence agencies to draw up a list of overseas targets for possible offensive U.S. cyberattacks, according to a top-secret presidential directive obtained by the Guardian. http://www.wired.com/threatlevel/2013/06/presidential-cyber-targets/

FYI - First Lawsuit Over NSA Phone Scandal Targets Obama, Verizon - The first of what likely will be many lawsuits challenging the constitutionality of the NSA’s dragnet phone surveillance program was lodged Sunday, declaring the newly disclosed spy operation an “outrageous breach of privacy.” http://www.wired.com/threatlevel/2013/06/nsa-phone-lawsuit/

FYI - Administration Declassifies Information to Defend Citizen Spying Programs - The director of national intelligence late Thursday night issued statements asserting that recent media reports about federal surveillance of U.S. residents contained inaccuracies and he released previously classified information to demonstrate that the monitoring is legal. http://www.nextgov.com/defense/2013/06/administration-declassifies-information-defend-citizen-spying-programs/64448/?oref=ng-HPtopstory

FYI - Israel accelerates cybersecurity know-how as early as 10th grade - Israel is strengthening cybersecurity recruitment and cooperation between hi-tech, academia, and the military as threats rise. http://www.csmonitor.com/World/Middle-East/2013/0609/Israel-accelerates-cybersecurity-know-how-as-early-as-10th-grade

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Investigators bust hackers that stole and sold credit card data - The conspirators based in Vietnam allegedly had data on over 1.1 million cards - Law enforcement agencies in the U.S., Vietnam and the U.K. have disbanded a ring that allegedly sold online credit card details since 2007. http://www.computerworld.com/s/article/9239860/Investigators_bust_hackers_that_stole_and_sold_credit_card_data?taxonomyId=17

FYI - Police 'stumped' by car thefts using electronic skeleton key - Appeal for the public's help - Police in California have admitted they are baffled by a series of car thefts where robbers use a small hand-held electronic device to unlock supposedly secure car-locking systems. http://www.theregister.co.uk/2013/06/06/electronics_skeleton_key_has_police_stumped/

FYI - Hackers invade Raley's grocery chain - Raley's Family of Fine Stores, a supermarket chain with more than 120 stores in California and Nevada, has been stung by a hack that compromised the credit and debit card information of its customers. http://www.scmagazine.com//hackers-invade-raleys-grocery-chain/article/296778/?DCMP=EMC-SCUS_Newswire

FYI - Bank employee accidently transfers millions after he falls asleep - A German bank employee got a rude awakening after he "fell asleep for an instant" on his keyboard and accidently transferred $293 million into a bank account. http://now.msn.com/banker-falls-asleep-on-keyboard-and-accidently-transfers-millions?GT1=50501

FYI - Pirate Bay founder accused of Denmark hack - Danish police accused him of helping an unnamed Danish hacker gain illegal access to a number of databases holding sensitive information. http://www.bbc.co.uk/news/technology-22812394

FYI - Revealed: U.S. compiled secret cybertargets list - Top-secret list of potential international cybertargets written by the Obama administration is the latest in a series of high-profile leaks. http://news.cnet.com/8301-1009_3-57588291-83/revealed-u.s-compiled-secret-cybertargets-list/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=

Return to the top of the newsletter

WEB SITE COMPLIANCE -

Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Oversight of Service Provider

Monitor Contract Compliance and Revision Needs

• Review invoices to assure proper charges for services rendered, the appropriateness of rate changes and new service charges.
• Periodically, review the service provider’s performance relative to service level agreements, determine whether other contractual terms and conditions are being met, and whether any revisions to service level expectations or other terms are needed given changes in the institution’s needs and technological developments.
• Maintain documents and records regarding contract compliance, revision and dispute resolution.

Maintain Business Resumption Contingency Plans

• Review the service provider’s business resumption contingency plans to ensure that any services considered mission critical for the institution can be restored within an acceptable timeframe.
• Review the service provider’s program for contingency plan testing. For many critical services, annual or more frequent tests of the contingency plan are typical.
• Ensure service provider interdependencies are considered for mission critical services and applications.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet. This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and most important your outsourced network security consultants. Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription for at https://yennik.com/newletter_page.htm. There is no charge for the e-newsletter.

ROLES AND RESPONSIBILITIES (2 of 2)

Senior management should enforce its security program by clearly communicating responsibilities and holding appropriate individuals accountable for complying with these requirements. A central authority should be responsible for establishing and monitoring the security program. Security management responsibilities, however, may be distributed throughout the institution from the IT department to various lines of business depending on the institution's size, complexity, culture, nature of operations, and other factors. The distribution of duties should ensure an appropriate segregation of duties between individuals or organizational groups.

Senior management also has the responsibility to ensure integration of security controls throughout the organization. To support integration, senior management should

1) Ensure the security process is governed by organizational policies and practices that are consistently applied,
2) Require that data with similar criticality and sensitivity characteristics be protected consistently regardless of where in the organization it resides,
3) Enforce compliance with the security program in a balanced and consistent manner across the organization, and
4) Coordinate information security with physical security.

Senior management should make decisions regarding the acceptance of security risks and the performance of risk mitigation activities using guidance approved by the board of directors.

Employees should know, understand, and be held accountable for fulfilling their security responsibilities. Institutions should define these responsibilities in their security policy. Job descriptions or contracts should specify any additional security responsibilities beyond the general policies. Financial institutions can achieve effective employee awareness and understanding through security training, employee certifications of compliance, self - assessments, audits, and monitoring.

Management also should consider the roles and responsibilities of external parties. Technology service providers (TSPs), contractors, customers, and others who have access to the institution's systems and data should have their security responsibilities clearly delineated and documented in contracts.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Reuse & Redisclosure of nonpublic personal information received from a nonaffiliated financial institution under Sections 14 and/or 15.

A. Through discussions with management and review of the institution's procedures, determine whether the institution has adequate practices to prevent the unlawful redisclosure and reuse of the information where the institution is the recipient of nonpublic personal information (§11(a)).

B. Select a sample of data received from nonaffiliated financial institutions, to evaluate the financial institution's compliance with reuse and redisclosure limitations.

1. Verify that the institution's redisclosure of the information was only to affiliates of the financial institution from which the information was obtained or to the institution's own affiliates, except as otherwise allowed in the step b below (§11(a)(1)(i) and (ii)).

2. Verify that the institution only uses and shares the data pursuant to an exception in Sections 14 and 15 (§11(a)(1)(iii)).