REMINDER - This newsletter is available for Android smartphones and
tablets. Go to the Market Store and search for yennik.
FYI - The argument continues on the effects and costs of social
engineering testing - Some IT departments in businesses are leveraging
innovative ways to prove a point to their employees about information
security, but debate still rages over the value of some of these
efforts. A noted technologist and cryptographer finds training and
awareness programs to be a waste of time for employees and a waste of
money for companies.
http://www.scmagazine.com/cto-of-media-company-faked-out-employees-with-phishing-emails/article/301603/
FYI - Children's Online Privacy Protection Act of 1998 expands to
regulate behavioral tracking, plus geolocation data, photos, videos and
audio recordings made by kids under 13. The Federal Trade Commission
said this week that revised rules for the Children's Online Privacy
Protection Act of 1998 (COPPA) have taken effect.
http://www.informationweek.com/security/privacy/child-privacy-online-ftc-updates-coppa-r/240157734
FYI - Federal Standards Body Proposes Cyber Protocols for Private
Sector - The U.S. government has released preliminary guidelines for
key industries on how to shield company systems from destructive
attacks that could, for example, knock out electricity or halt
transportation.
http://www.nextgov.com/cybersecurity/2013/07/federal-standards-body-proposes-cyber-regulations-private-sector/66005/?oref=ng-channeltopstory
FYI - S. Korea defense bans internal smartphone usage - Government
agency unveils a mobile device management plan where staff will be
required to install a smartphone app deactivating functions such as
Internet connectivity and the camera, to prevent data leaks.
http://www.zdnet.com/s-korea-defense-bans-internal-smartphone-usage-7000017613/
FYI - Web monitoring devices made by U.S. firm detected in Iran,
Sudan - American-made devices used for Internet monitoring have been
detected on government and commercial computer networks in Iran and
Sudan, in apparent violation of U.S. sanctions that ban the sale of
goods, services or technology to the autocratic states, according to
new research.
http://www.washingtonpost.com/world/national-security/report-web-monitoring-devices-made-by-us-firm-blue-coat-detected-in-iran-sudan/2013/07/08/09877ad6-e7cf-11e2-a301-ea5a8116d211_story.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Ubisoft warns of account database breach after website attack -
User names, email addresses and encrypted passwords were accessed, the
company said - Game maker Ubisoft said on Tuesday an account database
was breached due to unauthorized access of one of its websites,
revealing users' personal information.
http://www.computerworld.com/s/article/9240542/Ubisoft_warns_of_account_database_breach_after_website_attack?taxonomyId=17
FYI - More details emerge on extent of ticketing company breach -
After filing a Freedom of Information Act (FOIA) request, a researcher
has uncovered more details on the extent of a breach impacting a
third-party ticketing service provider.
http://www.scmagazine.com/more-details-emerge-on-extent-of-ticketing-company-breach/article/301777/?DCMP=EMC-SCUS_Newswire
FYI - Malware hunts for South Korean military secrets - Hackers who
wiped tens of thousands of PC hard drives in South Korea earlier this
year also appear to be targeting the country's military secrets,
according to a report.
http://www.bbc.co.uk/news/technology-23227543
FYI
- Data of 50K Michigan residents compromised after website hack - A
website hack led to the exposure of sensitive files of tens of
thousands of people in Michigan.
http://www.scmagazine.com//data-of-50k-michigan-residents-compromised-after-website-hack/article/302298/?DCMP=EMC-SCUS_Newswire
FYI
- IRS leaks tens of thousands of Social Security numbers - Social
Security numbers for thousands of U.S. citizens were made publicly
available online after the Internal Revenue Service (IRS) posted
them to a government website.
http://www.scmagazine.com//irs-leaks-tens-of-thousands-of-social-security-numbers/article/302212/?DCMP=EMC-SCUS_Newswire
FYI
- Hack exposes Morningstar data on 182k investors, including some
credit card numbers - Chicago-based investment research firm
Morningstar announced that the personal data for tens of thousands
of clients was compromised in an "intrusion" dating back to April
2012.
http://www.scmagazine.com//hack-exposes-morningstar-data-on-182k-investors-including-some-credit-card-numbers/article/302318/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency
statement on "Weblinking: Identifying Risks and Risk Management
Techniques." (Part 4 of 10)
A. RISK DISCUSSION
Reputation Risk
Trade Names
If the third party has a name similar to that of the financial
institution, there is an increased likelihood of confusion for the
customer and increased exposure to reputation risk for the financial
institution. For example, if customers access a similarly named
broker from the financial institution's website, they may believe
that the financial institution is providing the brokerage service or
that the broker's products are federally insured.
Website Appearance
The use of frame technology and other similar technologies may
confuse customers about which products and services the financial
institution provides and which products and services third parties,
including affiliates, provide. If frames are used, when customers
link to a third-party website through the institution-provided link,
the third-party webpages open within the institution's master
webpage frame. For example, if a financial institution provides
links to a discount broker and the discount broker's webpage opens
within the institution's frame, the appearance of the financial
institution's logo on the frame may give the impression that the
financial institution is providing the brokerage service or that the
two entities are affiliated. Customers may believe that their funds
are federally insured, creating potential reputation risk to the
financial institution in the event the brokerage service should fail
or the product loses value.
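The framing problem described above can be checked for mechanically. The following Python script is an added example (not part of the FFIEC statement or this newsletter): it parses an institution's page, separates third-party pages that would render inside the institution's own frame from third-party destinations reached by an ordinary link, and reports each group. The sample page, the hostnames and the institution domain list are constructed for illustration.

```python
"""Flag third-party content that an institution's page loads inside frames.

Constructed scenario: a financial institution's page embeds a discount
broker's site in an <iframe> and also links to it with a plain anchor.
Only the Python standard library is used.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects frame/iframe sources and anchor hrefs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.frames = []   # (tag, src) for <frame> and <iframe>
        self.links = []    # href for <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("frame", "iframe") and attrs.get("src"):
            self.frames.append((tag, attrs["src"]))
        elif tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])


def _is_third_party(url, institution_hosts):
    """True when the URL points at a host outside the institution's own domains."""
    host = urlparse(url).hostname
    if host is None:          # relative URL: served from the institution itself
        return False
    host = host.lower()
    return not any(host == h or host.endswith("." + h) for h in institution_hosts)


def assess_weblinks(html, institution_hosts):
    """Group third-party references by the weblinking risk they represent.

    'framed' lists third-party pages that would render under the
    institution's own branding (the higher reputation-risk case);
    'linked' lists third-party destinations reached by an ordinary link,
    which still warrant an exit notice or disclosure.
    """
    parser = _LinkCollector()
    parser.feed(html)
    hosts = [h.lower() for h in institution_hosts]
    framed = [src for _tag, src in parser.frames if _is_third_party(src, hosts)]
    linked = [href for href in parser.links if _is_third_party(href, hosts)]
    return {"framed": framed, "linked": linked}


# Constructed sample page; the domains are placeholders, not real institutions.
SAMPLE_PAGE = """
<html><body>
<img src="/static/logo.png" alt="Example Bank">
<iframe src="https://brokerage.example.net/trade"></iframe>
<a href="/accounts/login">Online banking</a>
<a href="https://brokerage.example.net/open-account">Open a brokerage account</a>
<a href="https://www.example-bank.com/about">About us</a>
</body></html>
"""

if __name__ == "__main__":
    result = assess_weblinks(SAMPLE_PAGE, ["example-bank.com"])
    for src in result["framed"]:
        print("HIGH: third-party page framed under institution branding:", src)
    for href in result["linked"]:
        print("NOTE: third-party link should carry an exit disclosure:", href)
```

On the sample page the broker's trading page is reported as framed (it would appear inside the bank's branded page), while the account-opening link is reported as a plain third-party link that needs a disclosure; the institution's own pages and relative links are ignored.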
Compliance Risk
The compliance risk to an institution linking to a third-party's
website depends on several factors. These factors include the nature
of the products and services provided on the third-party's website,
and the nature of the institution's business relationship with the
third party. This is particularly true with respect to compensation
arrangements for links. For example, a financial institution that
receives payment for offering advertisement-related weblinks to a
settlement service provider's website should carefully consider the
prohibition against kickbacks, unearned fees, and compensated
referrals under the Real Estate Settlement Procedures Act (RESPA).
The financial institution has compliance risk as well as reputation
risk if linked third parties offer less security and privacy
protection than the financial institution. Third-party sites may
have less secure encryption policies, or less stringent policies
regarding the use and security of their customer's information. The
customer may be comfortable with the financial institution's
policies for privacy and security, but not with those of the linked
third party. If the third-party's policies and procedures create
security weaknesses or apply privacy standards that permit the third
party to release confidential customer information, customers may
blame the financial institution.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
ANALYZE INFORMATION (1 of 2)
The information gathered is used to characterize the system, to
identify and measure threats to the system and the data it contains
and transmits, and to estimate the likelihood that a threat will
take action against the system or data.
System characterization articulates the understanding of the system,
including the boundaries of the system being assessed, the system's
hardware and software, and the information that is stored,
processed, and transmitted. Since operational systems may have
changed since they were last documented, a current review of the
system should be performed. Developmental systems, on the other
hand, should be analyzed to determine their key security rules and
attributes. Those rules and attributes should be documented as part
of the systems development lifecycle process. System
characterization also requires the cross-referencing of
vulnerabilities to current controls to identify those that mitigate
specific threats, and to assist in highlighting the control areas
that should be improved.
A key part of system characterization is the ranking of data and
system components according to their sensitivity and importance to
the institution's operations. Additionally, consistent with the
GLBA, the ranking should consider the potential harm to customers of
unauthorized access and disclosure of customer non-public personal
information. Ranking allows for a reasoned and measured analysis of
the relative outcome of various attacks, and the limiting of the
analysis to sensitive information or information and systems that
may materially affect the institution's condition and operations.
Threats are identified and measured through the creation and
analysis of threat scenarios. Threat scenarios should be
comprehensive in their scope (e.g., they should consider reasonably
foreseeable threats and possible attacks against information and
systems that may affect the institution's condition and operations
or may cause data disclosures that could result in substantial harm
or inconvenience to customers). They should consider the potential
effect and likelihood for failure within the control environment due
to non-malicious or malicious events. They should also be
coordinated with business continuity planning to include attacks
performed when those plans are implemented. Non-malicious scenarios
typically involve accidents related to inadequate access controls
and natural disasters. Malicious scenarios, either general or
specific, typically involve a motivated attacker (i.e., threat)
exploiting a vulnerability to gain access to an asset to create an
outcome that has an impact.
An example of a general malicious threat scenario is an unskilled
attacker using a program script to exploit a vulnerable
Internet-accessible Web server to extract customer information from
the institution's database. Assuming the attacker's motivation is to
seek recognition from others, the attacker publishes the
information, causing the financial institution to suffer damage to
its reputation. Ultimately, customers are likely to be victims of
identity theft.
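The steps above (characterize the system, rank assets by sensitivity and importance, cross-reference vulnerabilities to controls, then analyze threat scenarios) can be carried through in a small model. The following Python code is an added example, not part of the FFIEC booklet or this newsletter: the assets, vulnerabilities, controls and scenarios are constructed, and the scoring rule (likelihood times impact, with likelihood reduced where an existing control mitigates the exploited vulnerability) is an assumption chosen for illustration. The first scenario mirrors the general malicious scenario described in the text.

```python
"""Worked risk-assessment model for the analyze-information step.

Everything below is constructed for illustration; the 1..5 scales and
the scoring rule are assumptions, not a prescribed method.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    sensitivity: int   # 1 (public) .. 5 (customer non-public personal info)
    importance: int    # 1 .. 5 importance to the institution's operations


@dataclass
class Vulnerability:
    vid: str
    asset: str         # asset the weakness lives on
    description: str


@dataclass
class Control:
    name: str
    mitigates: set     # vulnerability ids this control addresses


@dataclass
class ThreatScenario:
    name: str
    threat: str        # motivated attacker or non-malicious event
    vulnerability: str # vid exploited
    asset: str         # asset whose outcome matters
    outcome: str
    likelihood: int    # 1 .. 5 before considering controls
    malicious: bool = True


def unmitigated(vulns, controls):
    """Cross-reference vulnerabilities to controls; return those with none."""
    covered = set().union(*(c.mitigates for c in controls))
    return [v for v in vulns if v.vid not in covered]


def score_scenarios(assets, vulns, controls, scenarios):
    """Rank scenarios by likelihood x impact, highest first."""
    by_asset = {a.name: a for a in assets}
    open_ids = {v.vid for v in unmitigated(vulns, controls)}
    rows = []
    for s in scenarios:
        a = by_asset[s.asset]
        impact = max(a.sensitivity, a.importance)
        # Assumption: a mitigating control lowers likelihood by two steps.
        is_open = s.vulnerability in open_ids
        likelihood = s.likelihood if is_open else max(1, s.likelihood - 2)
        rows.append({"scenario": s.name, "score": likelihood * impact,
                     "likelihood": likelihood, "impact": impact,
                     "unmitigated": is_open, "malicious": s.malicious})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample data (no real institution).
SAMPLE_ASSETS = [Asset("customer-db", 5, 5), Asset("web-server", 3, 4),
                 Asset("branch-pcs", 3, 2)]
SAMPLE_VULNS = [
    Vulnerability("V1", "web-server", "injection flaw in account lookup form"),
    Vulnerability("V2", "branch-pcs", "shared local administrator password"),
    Vulnerability("V3", "customer-db", "backup media stored off-site"),
]
SAMPLE_CONTROLS = [Control("encrypted backup media", {"V3"}),
                   Control("quarterly access review", set())]
SAMPLE_SCENARIOS = [
    ThreatScenario("script-driven web exploit", "unskilled attacker with a script",
                   "V1", "customer-db",
                   "customer data published; reputation damage; identity theft", 4),
    ThreatScenario("lost backup tape", "courier loses media", "V3", "customer-db",
                   "customer data disclosed", 2, malicious=False),
    ThreatScenario("malware on branch PC", "commodity malware", "V2", "branch-pcs",
                   "branch workstation compromise", 3),
]


def run_sample():
    return score_scenarios(SAMPLE_ASSETS, SAMPLE_VULNS, SAMPLE_CONTROLS,
                           SAMPLE_SCENARIOS)


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

The output ranks the web-server scenario first (open vulnerability against the most sensitive asset), the branch PC scenario second, and the lost-tape scenario last because an existing control already mitigates the vulnerability it depends on. The list returned by unmitigated() is the control-improvement list the text refers to.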
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions. When you answer the question
each week, you will help ensure compliance with the privacy
regulations.
Initial Privacy Notice
2) Does the institution provide a clear and conspicuous notice that
accurately reflects its privacy policies and practices to all
consumers, who are not customers, before any nonpublic
personal information about the consumer is disclosed to a
nonaffiliated third party, other than under an exception in §§14 or
15? [§4(a)(2)]