R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 1, 2013

CONTENT
Internet Compliance Web Site Audits
IT Security
Internet Privacy

Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - FDA issues encryption, authentication rules for medical devices - The Food and Drug Administration (FDA) has issued new guidance on the radio frequencies of wireless medical devices, including recommendations for authentication and encryption measures to ensure the security of the device and the safety of the patient.
http://healthitsecurity.com/2013/08/16/fda-issues-encryption-authentication-rules-for-medical-devices/
Wireless Guidance - http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077210.htm

FYI - Trustworthiness can't guarantee security, but it's indispensable - The unfortunate reality today is that some of the most brilliant minds in computing have dedicated themselves to creating innovative ways of attacking IT infrastructures. http://www.scmagazine.com/trustworthiness-cant-guarantee-security-but-its-indispensable/article/309089/?DCMP=EMC-SCUS_Newswire

FYI - Stern new data breach reporting requirement takes hold in EU - Data breaches are reported nearly every day and one noticeable trend is the occasional delay between when the breach is discovered and when authorities and affected people are notified. http://www.scmagazine.com/stern-new-data-breach-reporting-requirement-takes-hold-in-eu/article/308530/?DCMP=EMC-SCUS_Newswire

FYI - For network managers, security the top "pain" - Concerns about security have become the greatest source of worry among network managers, a recent study has found. http://www.scmagazine.com/for-network-managers-security-the-top-pain/article/308962/?DCMP=EMC-SCUS_Newswire

FYI - Fraudsters target "wire payment switch" at banks to steal millions - Instead of targeting the bank accounts of individuals or organizations, criminals recently took over the wire payment switch at several U.S. banks to steal millions from their choice of accounts, according to a security analyst. http://www.scmagazine.com/fraudsters-target-wire-payment-switch-at-banks-to-steal-millions/article/307755/#

FYI - Insurer to Schnucks: We won't pay for lawsuits related to your breach - The insurer for Midwestern supermarket chain Schnucks, whose systems were hacked last winter to steal 2.4 million credit card numbers, is claiming in court that the grocer's policy doesn't cover the cost of lawsuits arising from the breach. http://www.scmagazine.com/insurer-to-schnucks-we-wont-pay-for-lawsuits-related-to-your-breach/article/307960/

FYI - Defense Hires Cyber Chief for Industry Information-sharing Program - The U.S. military has tapped an IBM executive to encourage Pentagon contractors to come clean about network breaches that might compromise government data, Defense Department officials said on Wednesday. http://www.nextgov.com/cybersecurity/2013/08/defense-hires-cyber-chief-industry-information-sharing-program/69122/?oref=ng-HPtopstory

FYI - Groklaw news website abandoned over US surveillance - By Pia Gadkari - An award-winning legal news website has stopped work, saying it cannot operate under current US surveillance policies. http://www.bbc.co.uk/news/technology-23768810

FYI - EU 24-hour breach disclosure laws to come into force - European Union regulations designed to force telecom operators and internet service providers (ISPs) to notify national authorities within 24 hours of detecting a data breach are set to take effect on 25 August, despite widespread criticism from numerous UK government bodies. http://www.v3.co.uk/v3-uk/news/2290763/eu-24hour-breach-disclosure-laws-to-come-into-force

FYI - Sept. 23 deadline looms for business compliance with HITECH Act on patient privacy - Organizations handling healthcare data have a month to comply with new security and privacy requirements under the Health Information Technology for Economic and Clinical Health (HITECH) Act. http://www.computerworld.com/s/article/9241913/Sept._23_deadline_looms_for_business_compliance_with_HITECH_Act_on_patient_privacy?taxonomyId=17

FYI - Snowden suspected of bypassing electronic logs - The U.S. government's efforts to determine which highly classified materials leaker Edward Snowden took from the National Security Agency have been frustrated by Snowden's sophisticated efforts to cover his digital trail by deleting or bypassing electronic logs, government officials told The Associated Press. Such logs would have showed what information Snowden viewed or downloaded. http://www.nbcnews.com/technology/snowden-suspected-bypassing-electronic-logs-8C10995684

FYI - School district hires company to follow kids' Facebook, Twitter - The Glendale Unified School District in Southern California outsources keeping tabs on troublemakers as well as identifying kids in trouble. At least these are its justifications. http://news.cnet.com/8301-1009_3-57600251-83/school-district-hires-company-to-follow-kids-facebook-twitter/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Nasdaq Stock Exchange Goes Dark After Tech Glitch - A technical glitch has been cited as the cause of an unprecedented halt of trading on the Nasdaq stock exchange today. http://www.wired.com/threatlevel/2013/08/nasdaq-outage/

FYI - 'Hacked' estate agency Foxtons breaks glass, pulls password reset cord - 10,000 account logins feared leaked all over the web - Trendy UK estate agency Foxtons pushed the big red password reset button, as a precaution, after it appeared hackers lifted thousands of clients' usernames and passwords from its systems. http://www.theregister.co.uk/2013/08/21/foxtons_password_reset/

FYI - University attaches spreadsheet containing personal data to emails - Thousands of students are at risk after a spreadsheet containing their personal information was inadvertently attached to a campus-wide email sent out by the University of Mississippi Medical Center (UMC) Accounting Department. http://www.scmagazine.com/university-attaches-spreadsheet-containing-personal-data-to-emails/article/308606/?DCMP=EMC-SCUS_Newswire

FYI - Data of millions at risk after Illinois medical group burglary - Millions of patients of the largest physician group in Chicago had their personal data stolen in an apparent burglary. http://www.scmagazine.com/data-of-millions-at-risk-after-illinois-medical-group-burglary/article/308853/?DCMP=EMC-SCUS_Newswire

FYI - Major DDoS attacks .cn domain; disrupts Internet in China - It's still unclear where the DDoS attack originated from - China's Internet was hit with a major distributed denial of service (DDoS) attack Sunday morning that briefly disrupted and slowed access to sites in the .cn domain. http://www.computerworld.com/s/article/9241899/Major_DDoS_attacks_.cn_domain_disrupts_Internet_in_China?taxonomyId=17

FYI - Instagram, Vine and Netflix hit by Amazon glitch - Software problems at one of Amazon's data centres have knocked out several high profile web services. http://www.bbc.co.uk/news/technology-23839901

FYI - Hacker group takes responsibility for DNS attack on major media sites - That's what the Syrian Electronic Army (SEA) tweeted Tuesday, as the pro-Assad hacker collective announced that domains belonging to The New York Times, Huffington Post U.K., and Twitter were compromised. http://www.scmagazine.com/hacker-group-takes-responsiblity-for-dns-attack-on-major-media-sites/article/309132/?DCMP=EMC-SCUS_Newswire

FYI - Email asking how health care nonprofit handles personal data contained personal data - A document inadvertently attached to a Hope Community Resources (HCR) email survey contained the personal information for thousands of people. http://www.scmagazine.com/email-asking-how-health-care-nonprofit-handles-personal-data-contained-personal-data/article/309022/?DCMP=EMC-SCUS_Newswire

FYI - Internet in China shaken by biggest-ever DDoS attacks - The Chinese government is reporting that it experienced its largest-ever distributed denial-of-service (DDoS) attacks over the weekend. http://www.scmagazine.com/internet-in-china-shaken-by-biggest-ever-ddos-attacks/article/309124/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE - This week begins our series on the FDIC's Supervisory Policy on Identity Theft (Part 1 of 6)

Supervisory Policy on Identity Theft

Identity theft is fraud committed or attempted by using the identifying information of another person without his or her authority. Identifying information may include such things as a Social Security number, account number, date of birth, driver's license number, passport number, biometric data and other unique electronic identification numbers or codes. As more financial transactions are done electronically and remotely, and as more sensitive information is stored in electronic form, the opportunities for identity theft have increased significantly.  This policy statement describes the characteristics of identity theft and emphasizes the FDIC's well-defined expectations that institutions under its supervision detect, prevent and mitigate the effects of identity theft in order to protect consumers and help ensure safe and sound operations.

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.


SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

The goal of logical and administrative access control is to restrict access to system resources. Access should be provided only to authorized individuals whose identity is established, and their activities should be limited to the minimum required for business purposes. Authorized individuals (users) may be employees, TSP employees, vendors, contractors, customers, or visitors.

An effective control mechanism includes numerous controls to safeguard and limit access to key information system assets. This section addresses logical and administrative controls, including access rights administration and authentication through network, operating system, application, and remote access. A subsequent section addresses physical security controls.

ACCESS RIGHTS ADMINISTRATION (1 of 5)

Action Summary - Financial institutions should have an effective process to administer access rights. The process should include the following controls:

1)  Assign users and system resources only the access required to perform their required functions,

2)  Update access rights based on personnel or system changes,

3)  Periodically review users' access rights at an appropriate frequency based on the risk to the application or system, and

4)  Design appropriate acceptable-use policies and require users to sign them.
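The first three controls above can be checked mechanically by reconciling an entitlement export against the HR roster. The following is an added example, not code from the FFIEC booklet or from Yennik; the role-to-entitlement map is a hypothetical policy and every record is constructed.

```python
# Access-rights review: reconcile an entitlement export against the HR roster.
# Added example, not from the FFIEC booklet; all records below are constructed
# and the role-to-entitlement map is a hypothetical policy.
from datetime import date

# Hypothetical policy: the entitlements each job role is permitted to hold.
ROLE_ENTITLEMENTS = {
    "teller": {"core_banking:read", "teller_app:post"},
    "loan_officer": {"core_banking:read", "loan_system:write"},
    "sysadmin": {"core_banking:read", "server:admin"},
}

# Constructed HR roster: who is still employed, and in which role.
HR_ROSTER = {
    "alice": {"role": "teller", "active": True},
    "bob": {"role": "loan_officer", "active": False},  # departed last month
    "carol": {"role": "sysadmin", "active": True},
}

# Constructed entitlement export: what the systems actually grant today.
ENTITLEMENTS = [
    {"user": "alice", "right": "core_banking:read", "last_review": date(2013, 2, 1)},
    {"user": "alice", "right": "server:admin", "last_review": date(2013, 2, 1)},
    {"user": "bob", "right": "loan_system:write", "last_review": date(2013, 6, 1)},
    {"user": "carol", "right": "server:admin", "last_review": date(2013, 8, 1)},
    {"user": "dave", "right": "core_banking:read", "last_review": date(2013, 8, 1)},
]

def review_access(entitlements, roster, today, review_days=180):
    """Return findings keyed by control: excess rights, stale accounts, overdue reviews."""
    findings = {"excess": [], "stale": [], "overdue": []}
    for e in entitlements:
        person = roster.get(e["user"])
        # Control 2: rights must follow personnel changes. A user missing from
        # the roster or marked inactive should hold no entitlements at all.
        if person is None or not person["active"]:
            findings["stale"].append((e["user"], e["right"]))
            continue
        # Control 1: only the access the user's function requires.
        if e["right"] not in ROLE_ENTITLEMENTS[person["role"]]:
            findings["excess"].append((e["user"], e["right"]))
        # Control 3: periodic review; review_days is the risk-based frequency.
        if (today - e["last_review"]).days > review_days:
            findings["overdue"].append((e["user"], e["right"]))
    return findings

def run_review():
    """Run the review over the constructed data as of the newsletter date."""
    return review_access(ENTITLEMENTS, HR_ROSTER, date(2013, 9, 1))
```

In practice the roster comes from the HR system and the export from each platform's own admin tooling; the review frequency should be set per system according to its risk.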



INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice (Part 2 of 2)

8)  Do the initial, annual, and revised privacy notices include each of the following, as applicable: (Part 2 of 2)

e)  if the institution discloses nonpublic personal information to a nonaffiliated third party under §13, and no exception under §14 or §15 applies, a separate statement of the categories of information the institution discloses and the categories of third parties with whom the institution has contracted; [§6(a)(5)]

f)  an explanation of the opt out right, including the method(s) of opt out that the consumer can use at the time of the notice; [§6(a)(6)]

g)  any disclosures that the institution makes under §603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA); [§6(a)(7)]

h)  the institution's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; [§6(a)(8)] and

i)  a general statement--with no specific reference to the exceptions or to the third parties--that the institution makes disclosures to other nonaffiliated third parties as permitted by law? [§6(a)(9), (b)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated