Does your financial institution need an
affordable Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our penetration testing audits
to ensure proper Internet security settings and to
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b).
The penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond the
simple scanning of ports. The audit focuses on
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
http://www.internetbankingaudits.com/.
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- FDA calls on medical device makers to focus on cybersecurity - The
agency's recommendations follow reports of vulnerabilities in some
medical devices.
http://www.computerworld.com/s/article/9240040/FDA_calls_on_medical_device_makers_to_focus_on_cybersecurity?taxonomyId=17
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm
FYI
- DHS warns of vulns in hospital medical equipment - Has your
doctor's anesthesia machine been hacked? The US Department of
Homeland Security has warned hospitals and health clinics that many
of the electronic medical devices in use at their facilities may be
vulnerable to cybersecurity attacks.
http://www.theregister.co.uk/2013/06/14/medical_device_security_warning/
FYI
- IT decision makers are more optimistic about breach detection than
they should be - A new McAfee study released Monday said
organizations are overwhelmed by Big Data, yet appear to be
overvaluing their ability to detect data breaches.
http://www.scmagazine.com/it-decision-makers-are-more-optimistic-about-breach-detection-than-they-should-be/article/299103/?DCMP=EMC-SCUS_Newswire
FYI
- DHS Does Not Track Security Training of System Administrator
Contractors - The Homeland Security Department does not keep tabs on
whether contractors that monitor vulnerabilities on federal networks
have undergone training, according to a new inspector general audit.
http://www.nextgov.com/cybersecurity/2013/06/ig-dhs-does-not-track-security-training-system-administrator-contractors/64976/?oref=ng-HPriver
FYI
- Texas becomes first state to require warrant for e-mail snooping -
Gov. Rick Perry signed HB 2268 on June 14, and it takes effect
immediately. Texas Gov. Rick Perry has signed a bill giving Texans
more privacy over their inboxes than anywhere else in the United
States.
http://arstechnica.com/tech-policy/2013/06/texas-becomes-first-state-to-require-warrant-for-e-mail-snooping/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Prosecutors team up to combat smartphone thefts - Police and other
law enforcement officials would be part of a new group dedicated to
clamping down on the rise in smartphone thefts, says the Associated
Press.
http://news.cnet.com/8301-1009_3-57589115-83/prosecutors-team-up-to-combat-smartphone-thefts/
FYI
- Laptop stolen from Calif. health care provider exposing data of
1,500 - An unencrypted laptop was stolen from SynerMed, a Monterey
Park, Calif.-based practice serving patients using a public health
service called the Inland Empire Health Plan (IEHP).
http://www.scmagazine.com/laptop-stolen-from-calif-health-care-provider-exposing-data-of-1500/article/298999/?DCMP=EMC-SCUS_Newswire
FYI
- Snowden Smuggled Documents From NSA on a Thumb Drive - The dreaded
thumb drive has struck the Defense Department again as word comes
that NSA whistleblower Edward Snowden smuggled out thousands of
classified documents on one of the portable devices, despite the
military’s efforts to ban them.
http://www.wired.com/threatlevel/2013/06/snowden-thumb-drive/
FYI
- Hacker defaces Facebook fan page of children's theme park - The
Facebook fan page of a children's theme park located in Hampshire,
England was hacked and littered with controversial comments.
http://www.scmagazine.com//hacker-defaces-facebook-fan-page-of-childrens-theme-park/article/299430/?DCMP=EMC-SCUS_Newswire
FYI
- City of Waukee website pulled offline after hacker defaces site -
Hackers defaced an Iowa city's website on Sunday and Monday, causing
officials to temporarily take the site offline.
http://www.scmagazine.com//city-of-waukee-website-pulled-offline-after-hacker-defaces-site/article/299410/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
We begin this week reviewing the FFIEC interagency statement on
"Weblinking: Identifying Risks and Risk Management Techniques." (Part 1 of 10)
A. RISK DISCUSSION
Introduction
A significant number of financial institutions regulated by the
financial institution regulatory agencies (Agencies) maintain sites
on the World Wide Web. Many of these websites contain weblinks to
other sites not under direct control of the financial institution.
The use of weblinks can create certain risks to the financial
institution. Management should be aware of these risks and take
appropriate steps to address them. The purpose of this guidance is
to discuss the most significant risks of weblinking and how
financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party
websites, the resulting association is called a "weblinking
relationship." Financial institutions with weblinking relationships
are exposed to several risks associated with the use of this
technology. The most significant risks are reputation risk and
compliance risk.
Generally, reputation risk arises when a linked third party
adversely affects the financial institution's customer and, in turn,
the financial institution, because the customer blames the financial
institution for problems experienced. The customer may be under a
misimpression that the institution is providing the product or
service, or that the institution recommends or endorses the
third-party provider. More specifically, reputation risk could arise
in any of the following ways:
- customer confusion in distinguishing whether the financial
institution or the linked third party is offering products and
services;
- customer dissatisfaction with the quality of products or services
obtained from a third party; and
- customer confusion as to whether certain regulatory protections
apply to third-party products or services.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
Action Summary - Financial institutions must maintain an ongoing
information security risk assessment program that effectively
1) Gathers data regarding the information and technology assets of
the organization, threats to those assets, vulnerabilities, existing
security controls and processes, and the current security standards
and requirements;
2) Analyzes the probability and impact associated with the known
threats and vulnerabilities to its assets; and
3) Prioritizes the risks present due to threats and vulnerabilities
to determine the appropriate level of training, controls, and
testing necessary for effective mitigation.
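The three steps above, modelled in a small Python script. This is an added example, not code from the FFIEC booklet or this newsletter; the 1-5 likelihood and impact scale, the control-effectiveness figures, the treatment thresholds and the sample inventory are all constructed assumptions.

```python
"""Model of the FFIEC three-step risk assessment: gather, analyze, prioritize.
Added example with an assumed 1-5 scale and a constructed sample inventory."""
from dataclasses import dataclass, field


@dataclass
class RiskItem:
    # Step 1: the gathered data for one asset/threat/vulnerability triple
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # assumed scale: 1 (rare) .. 5 (expected), before controls
    impact: int      # assumed scale: 1 (negligible) .. 5 (severe)
    controls: dict = field(default_factory=dict)  # control name -> effectiveness 0.0..1.0

    def residual_likelihood(self) -> float:
        # Step 2: each existing control removes a fraction of the remaining likelihood
        remaining = 1.0
        for effectiveness in self.controls.values():
            remaining *= (1.0 - effectiveness)
        return self.likelihood * remaining

    def score(self) -> float:
        # Step 2: residual risk = residual likelihood x impact
        return round(self.residual_likelihood() * self.impact, 2)


def treatment(score: float) -> str:
    # Step 3: map residual risk to the level of controls, training and testing (assumed thresholds)
    if score >= 12:
        return "new controls + independent testing"
    if score >= 6:
        return "targeted training + periodic testing"
    return "accept; monitor in next assessment cycle"


def assess(items):
    """Rank items by residual risk (highest first) and attach a treatment to each."""
    ranked = sorted(items, key=lambda item: item.score(), reverse=True)
    return [(item.asset, item.score(), treatment(item.score())) for item in ranked]


# Constructed sample inventory; none of these describe a real institution
SAMPLE_INVENTORY = [
    RiskItem("Internet banking web server", "credential stuffing", "no login rate limiting",
             likelihood=4, impact=5, controls={"password complexity policy": 0.2}),
    RiskItem("Employee laptops", "theft", "unencrypted disks", likelihood=3, impact=4),
    RiskItem("Core banking database", "SQL injection via web app", "legacy unparameterized queries",
             likelihood=3, impact=5, controls={"web application firewall": 0.5}),
    RiskItem("Teller workstations", "phishing", "users open attachments",
             likelihood=5, impact=2, controls={"email filtering": 0.6, "awareness training": 0.3}),
]

if __name__ == "__main__":
    for asset, score, action in assess(SAMPLE_INVENTORY):
        print(f"{score:5.1f}  {asset:<30} {action}")
```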
INTERNET PRIVACY - We continue our series listing the regulatory
privacy examination questions. When you answer the question each
week, you will help ensure compliance with the privacy regulations.
Redisclosure of nonpublic personal information received
from a nonaffiliated financial institution outside of Sections 14
and 15.
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure of the
information where the institution is the recipient of nonpublic
personal information (§11(b)).
B. Select a sample of data received from nonaffiliated financial
institutions and shared with others to evaluate the financial
institution's compliance with redisclosure limitations.
1. Verify that the institution's redisclosure of the information
was only to affiliates of the financial institution from which the
information was obtained or to the institution's own affiliates,
except as otherwise allowed in step 2 below (§11(b)(1)(i) and
(ii)).
2. If the institution shares information with entities other than
those under step 1 above, verify that the institution's information
sharing practices conform to those in the nonaffiliated financial
institution's privacy notice (§11(b)(1)(iii)).
3. Also, review the procedures used by the institution to ensure
that the information sharing reflects the opt out status of the
consumers of the nonaffiliated financial institution (§§10,
11(b)(1)(iii)).