R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

June 30, 2013

CONTENTS
Internet Compliance Web Site Audits
IT Security
Internet Privacy
Penetration Testing
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.

FYI - U.S. and Russia sign pact to create communication link on cyber security - The United States and Russia have signed a landmark agreement to reduce the risk of conflict in cyberspace through real-time communications about incidents of national security concern. http://www.washingtonpost.com/world/national-security/us-and-russia-sign-pact-to-create-communication-link-on-cyber-security/2013/06/17/ca57ea04-d788-11e2-9df4-895344c13c30_story.html

FYI - Microsoft offers hefty bounties to thwart hackers - Microsoft Corp is looking to recruit computer geeks in its ongoing efforts to protect Windows PCs from attacks, offering rewards of as much as $150,000 to anybody who helps identify and fix major security holes in its software. http://www.reuters.com/article/2013/06/19/us-microsoft-bounties-idUSBRE95I1AZ20130619

FYI - An IT superpower, India has just 556 cyber security experts - The world may acknowledge India as an information technology superpower, but its very own official cyber security workforce comprises a mere 556 experts deployed in various government agencies. http://www.thehindu.com/todays-paper/an-it-superpower-india-has-just-556-cyber-security-experts/article4828521.ece

FYI - Expanded '2-person rule' could help plug NSA leaks - NSA, FBI, DOJ officials tell Congress secret programs are vital to U.S. security; outline ways to keep sysadmins from leaking classified data - The National Security Agency is creating new processes aimed at making it harder for systems administrators to misuse privileged access to agency systems, NSA officials told the U.S. House Intelligence Committee Tuesday. http://www.computerworld.com/s/article/9240151/Expanded_2_person_rule_could_help_plug_NSA_leaks

FYI - Risks of Default Passwords on the Internet - Any system using password authentication accessible from the internet may be affected. Critical infrastructure and other important embedded systems, appliances, and devices are of particular concern. http://www.us-cert.gov/ncas/alerts/TA13-175A

FYI - Using encryption? That means the US spooks have you on file - By my order for the good of the state, the bearer has done what has been done - Anyone who encrypts their emails or uses secure instant message services runs the risk of having their communications stored by the US National Security Agency, according to the latest leaks from former NSA sysadmin. http://www.theregister.co.uk/2013/06/21/nsa_spooks_can_pry_on_your_encrypted_emails/

FYI - What CSOs should look for in new hires - Last month, college graduations were celebrated throughout the country, springing the class of 2013 on the working world. http://www.scmagazine.com//what-csos-should-look-for-in-new-hires/article/300191/?DCMP=EMC-SCUS_Newswire

FYI - Mobile devices call for security solutions that don't apply to the PC world - Information security is an ongoing game of cat and mouse between IT organizations and hackers. The way that organizations consume and protect information changes as frequently as the methods hackers use to attack it. http://www.scmagazine.com//mobile-devices-call-for-security-solutions-that-dont-apply-to-the-pc-world/article/300386/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - LinkedIn outage prompts security concerns - The website's domain name was temporarily redirected to a different server - LinkedIn's domain name was temporarily redirected to a third-party server Thursday, which resulted in a service outage and potentially put user accounts at risk of compromise. http://www.computerworld.com/s/article/9240212/LinkedIn_outage_prompts_security_concerns?taxonomyId=17

FYI - Facebook bug exposed contact info of 6M users - The social network is embarrassed by a glitch in its "Download Your Information" tool that unintentionally shared some members' phone numbers and e-mail addresses. http://news.cnet.com/8301-1009_3-57590528-83/facebook-bug-exposed-contact-info-of-6m-users/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=

FYI - Southwest cancels 67 flights after computer glitch - Southwest Airlines' operations returned to normal Saturday afternoon after a system-wide computer failure caused it to ground 250 flights for nearly three hours late Friday night. http://www.usatoday.com/story/travel/flights/2013/06/22/southwest-flights-airline-dallas/2448291/

FYI - British intelligence tapping fiber-optic cables for massive amounts of data - The GCHQ surveillance program is even bigger than NSA's, The Guardian says - More secret National Security Agency documents leaked to The Guardian suggest that the U.S. agency's British counterpart intercepts petabytes worth of communication data daily from fiber-optic cables. http://www.computerworld.com/s/article/9240254/British_intelligence_tapping_fiber_optic_cables_for_massive_amounts_of_data?taxonomyId=17

FYI - Millions exposed by Facebook data glitch - Personal details of about six million people have been inadvertently exposed by a bug in Facebook's data archive. http://www.bbc.co.uk/news/technology-23027643

FYI - Data of 47K training to become Florida teachers exposed - The sensitive information of several thousand individuals training to become Florida teachers was inadvertently made available online by a university that was handling the data. http://www.scmagazine.com//data-of-47k-training-to-become-florida-teachers-exposed/article/300098/?DCMP=EMC-SCUS_Newswire

FYI - Info of nearly 3K University of Illinois dorm residents stolen - Thousands of University of Illinois at Urbana–Champaign (UIUC) students, who lived in campus housing called the Hendrick House between 1997 and the spring of 2011, had their information uploaded to a thumb drive. http://www.scmagazine.com//info-of-nearly-3k-university-of-illinois-dorm-residents-stolen/article/300393/?DCMP=EMC-SCUS_Newswire

FYI - Maker of Opera browser said its network was hacked to steal code-signing certificate - Opera Software, maker of the Opera browser, disclosed Wednesday that its internal network was targeted in a heist in which the attackers made off with at least one certificate that they used to sign malware. http://www.scmagazine.com/maker-of-opera-browser-said-its-network-was-hacked-to-steal-code-signing-certificate/article/300580/?DCMP=EMC-SCUS_Newswire

FYI - Hackers reportedly release data on U.S. troops in Korea - Hackers say they stole the personal details of tens of thousands of American troops and leaked the data to multiple sites. http://news.cnet.com/8301-1009_3-57591048-83/hackers-reportedly-release-data-on-u.s-troops-in-korea/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=

FYI - Iowa Human Services breach places 8,000 personal records at risk - The personal information of former patients and employees at the Mental Health Institute in Independence, Iowa, as well as workers at other state facilities, may have been exposed after a backup computer tape went missing. http://www.scmagazine.com/iowa-human-services-breach-places-8000-personal-records-at-risk/article/300787/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 2 of 10)

A. RISK DISCUSSION

Introduction

Compliance risk arises when the linked third party acts in a manner that does not conform to regulatory requirements. For example, compliance risk could arise from the inappropriate release or use of shared customer information by the linked third party. Compliance risk also arises when the link to a third party creates or affects compliance obligations of the financial institution.

Financial institutions with weblinking relationships are also exposed to other risks associated with the use of technology, as well as certain risks specific to the products and services provided by the linked third parties. The amount of risk exposure depends on several factors, including the nature of the link.

Any link to a third-party website creates some risk exposure for an institution. This guidance applies to links to affiliated, as well as non-affiliated, third parties. A link to a third-party website that provides a customer only with information usually does not create a significant risk exposure if the information being provided is relatively innocuous, for example, weather reports. Alternatively, if the linked third party is providing information or advice related to financial planning, investments, or other more substantial topics, the risks may be greater. Links to websites that enable the customer to interact with the third party, either by eliciting confidential information from the user or allowing the user to purchase a product or service, may expose the insured financial institution to more risk than those that do not have such features.


 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INFORMATION SECURITY RISK ASSESSMENT


OVERVIEW

The quality of security controls can significantly influence all categories of risk. Traditionally, examiners and bankers recognize the direct impact on operational/transaction risk from incidents related to fraud, theft, or accidental damage. Many security weaknesses, however, can directly increase exposure in other risk areas. For example, the GLBA introduced additional legal/compliance risk due to the potential for regulatory noncompliance in safeguarding customer information. The potential for legal liability related to customer privacy breaches may present additional risk in the future. Effective application access controls can reduce credit and market risk by imposing risk limits on loan officers or traders. If a trader were to exceed the intended trade authority, the institution may unknowingly assume additional market risk exposure.

A strong security program reduces levels of reputation and strategic risk by limiting the institution's vulnerability to intrusion attempts and maintaining customer confidence and trust in the institution. Security concerns can quickly erode customer confidence and potentially decrease the adoption rate and rate of return on investment for strategically important products or services. Examiners and risk managers should incorporate security issues into their risk assessment process for each risk category. Financial institutions should ensure that security risk assessments adequately consider potential risk in all business lines and risk categories.

Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. An adequate assessment identifies the value and sensitivity of information and system components and then balances that knowledge with the exposure from threats and vulnerabilities. A risk assessment is a necessary prerequisite to the formation of strategies that guide the institution as it develops, implements, tests, and maintains its information systems security posture. An initial risk assessment may involve a significant one-time effort, but the risk assessment process should be an ongoing part of the information security program.

Risk assessments for most industries focus only on the risk to the business entity. Financial institutions should also consider the risk to their customers' information. For example, section 501(b) of the GLBA requires financial institutions to "protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer."



INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Account number sharing

A. If available, review a sample of telemarketer scripts used when making sales calls to determine whether the scripts indicate that the telemarketers have the account numbers of the institution's consumers (§12).

B. Obtain and review a sample of contracts with agents or service providers to whom the financial institution discloses account numbers for use in connection with marketing the institution's own products or services. Determine whether the institution shares account numbers with nonaffiliated third parties only to perform marketing for the institution's own products and services. Ensure that the contracts do not authorize these nonaffiliated third parties to directly initiate charges to customers' accounts (§12(b)(1)).

C. Obtain a sample of materials and information provided to the consumer upon entering a private label or affinity credit card program. Determine if the participants in each program are identified to the customer when the customer enters into the program (§12(b)(2)).

 

PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved. Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated