REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
FYI
- Cybersecurity order 'close to completion' - A White House
executive order on cybersecurity is “close to completion,” but
Congress will still need to act to ensure security for American
networks, Homeland Security Secretary Janet Napolitano said on
Wednesday.
http://www.nextgov.com/cybersecurity/2012/09/cybersecurity-order-close-completion/58255/
FYI
- New FERC Office to Focus on Cyber Security - Federal Energy
Regulatory Commission Chairman Jon Wellinghoff today announced the
creation of a new FERC office that will help the Commission focus on
potential cyber and physical security risks to energy facilities
under its jurisdiction.
http://www.ferc.gov/media/news-releases/2012/2012-3/09-20-12.asp
FYI
- Agencies likely to miss network upgrade deadline - Agencies
probably will not meet a Sept. 30 deadline to upgrade their
publicly facing external servers to Internet protocol version 6,
according to Federal News Radio.
http://www.nextgov.com/emerging-tech/2012/09/agencies-likely-miss-network-upgrade-deadline/58314/
FYI
- AvMed data breach case opens door for ID theft claims - A recent
federal appeals court ruling may narrow the burden for plaintiffs to
prove that they are victims of identity theft as result of a data
breach.
http://www.scmagazine.com/avmed-data-breach-case-opens-door-for-id-theft-claims/article/260545/?DCMP=EMC-SCUS_Newswire
FYI
- GAO - Medical Devices: FDA Should Expand Its Consideration of
Information Security for Certain Types of Devices.
http://www.gao.gov/products/GAO-12-816
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- U.S. banks on high alert against cyberattacks - Hackers engaging
in wire fraud by gaining access to bank networks, FS-ISAC says - The
Financial Services Information Sharing and Analysis Center (FS-ISAC)
has put U.S. banks on high alert against cyberattackers seeking to
steal employee network login credentials to conduct extensive wire
transfer fraud.
http://www.computerworld.com/s/article/9231515/U.S._banks_on_high_alert_against_cyberattacks?taxonomyId=17
FYI
- "High" threat alert issued in midst of bank site incidents - In
the wake of issues affecting Bank of America and JPMorgan Chase's
websites, the Financial Services Information Sharing and Analysis
Center (FS-ISAC) raised the financial industry's cyber threat level
to “high.”
http://www.scmagazine.com/high-threat-alert-issued-in-midst-of-bank-site-incidents/article/260204/?DCMP=EMC-SCUS_Newswire
FYI
- Massachusetts hospital to pay HIPAA fine - Following the theft of
a doctor's unencrypted personal laptop storing data on patients and
research subjects, Massachusetts Eye and Ear Infirmary and
Massachusetts Eye and Ear Associates (collectively MEEI) have agreed
to pay the U.S. Department of Health and Human Services (HHS) $1.5
million to settle potential violations of the Security Rule within
the Health Insurance Portability and Accountability Act of 1996
(HIPAA).
http://www.scmagazine.com/massachusetts-hospital-to-pay-hipaa-fine/article/260192/?DCMP=EMC-SCUS_Newswire
FYI
- Chinese hacktivists launch cyber attack on Japan - Chinese hackers
have taken up cyber arms and followed up widespread anti-Japan
protests in the People’s Republic over a set of disputed islands by
attacking at least 19 Japanese government and other web sites.
http://www.theregister.co.uk/2012/09/21/japan_china_attack_sites_senkaku/
FYI
- Iran's top brass deny nuking US bank websites - Iran has denied
computers on its soil were behind denial-of-service attacks against
American banks. US national security officials allege the websites
of JPMorgan Chase, Citigroup and Bank of America were slowed by
assaults launched from Iran. The G-men didn't say whether the
attackers were backed by the Middle Eastern nation's government or
patriotic Iranian citizens.
http://www.theregister.co.uk/2012/09/24/iran_denies_us_bank_ddos_attacks/
FYI
- Kentucky health agency breached after worker falls for phish ploy
- Thousands of individuals may have had their personal information
exposed after hackers used a successful phishing attack to
springboard to an email server belonging to the Kentucky Department
for Community Based Services.
http://www.scmagazine.com/kentucky-health-agency-breached-after-worker-falls-for-phish-ploy/article/260618/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic Banking"
published by the Basel Committee on Bank Supervision.
Sound Capacity, Business Continuity and Contingency Planning
Practices for E-Banking
1. All e-banking services and applications, including those provided
by third-party service providers, should be identified and assessed
for criticality.
2. A risk assessment for each critical e-banking service and
application, including the potential implications of any business
disruption on the bank's credit, market, liquidity, legal,
operational and reputation risk should be conducted.
3. Performance criteria for each critical e-banking service and
application should be established, and service levels should be
monitored against such criteria. Appropriate measures should be
taken to ensure that e-banking systems can handle both high and low
transaction volumes and that system performance and capacity are
consistent with the bank's expectations for future growth in
e-banking.
4. Consideration should be given to developing processing
alternatives for managing demand when e-banking systems appear to be
reaching defined capacity checkpoints.
5. E-banking business continuity plans should be formulated to
address any reliance on third-party service providers and any other
external dependencies required to achieve recovery.
6. E-banking contingency plans should set out a process for
restoring or replacing e-banking processing capabilities,
reconstructing supporting transaction information, and include
measures to be taken to resume availability of critical e-banking
systems and applications in the event of a business disruption.
INFORMATION TECHNOLOGY SECURITY - Over the next few weeks, we will
cover the FDIC's "Guidance on Managing Risks Associated With
Wireless Networks and Wireless Customer Access."
Financial institutions are actively evaluating and implementing
wireless technology as a means to reach customers and reduce the
costs of implementing new networks. In light of this fast-developing
trend, the Federal Deposit Insurance Corporation (FDIC) is providing
financial institutions with the following information about the
risks associated with wireless technology and suggestions on
managing those risks. Please share this information with your Chief
Information Officer.
Wireless Technology and the Risks of Implementation
Wireless networks are rapidly becoming a cost-effective
alternative for providing network connectivity to financial
institution information systems. Institutions that are installing
new networks are finding the installation costs of wireless networks
competitive compared with traditional network wiring. Performance
enhancements in wireless technology have also made the adoption of
wireless networks attractive to institutions. Wireless networks
operate at speeds that are sufficient to meet the needs of many
institutions and can be seamlessly integrated into existing
networks. Wireless networks can also be used to provide connectivity
between geographically close locations without having to install
dedicated lines.
Wireless Internet access to banking applications is also becoming
attractive to financial institutions. It offers customers the
ability to perform routine banking tasks while away from the bank
branch, automated teller machines or their own personal computers.
Wireless Internet access is a standard feature on many new cellular
phones and hand-held computers.
Many of the risks that financial institutions face when implementing
wireless technology are risks that exist in any networked
environment (see FIL-67-2000, "Security Monitoring of Computer
Networks," dated October 3, 2000, and the 1996 FFIEC Information
Systems Examination Handbook, Volume 1, Chapter 15). However,
wireless technology carries additional risks that financial
institutions should consider when designing, implementing and
operating a wireless network. Common risks include the potential:
1) Compromise of customer information and transactions over the
wireless network;
2) Disruption of wireless service from radio transmissions of other
wireless devices;
3) Intrusion into the institution's network through wireless
network connections; and
4) Obsolescence of current systems due to rapidly changing
standards.
These risks could ultimately compromise the bank's computer system,
potentially causing:
1) Financial loss due to the execution of unauthorized
transactions;
2) Disclosure of confidential customer information, resulting in -
among other things - identity theft (see FIL-39-2001, "Guidance on
Identity Theft and Pretext Calling," dated May 9, 2001, and
FIL-22-2001, "Guidelines Establishing Standards for Safeguarding
Customer Information," dated March 14, 2001);
3) Negative media attention, resulting in harm to the institution's
reputation; and
4) Loss of customer confidence.
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions. When you answer the
question each week, you will help ensure compliance with the privacy
regulations.
38. For customers only, does the institution ensure that the
initial, annual, and revised notices may be retained or obtained
later by the customer in writing, or if the customer agrees,
electronically? [§9(e)(1)]