Internet Banking News

October 26, 2014

CONTENT	Internet Compliance	Web Site Audits
IT Security	Internet Privacy	Penetration Testing

Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for the Android smart phones and tablets. Go to the Market Store and search for yennik.

FYI - NIST finalizes cloud computing roadmap - The National Institute of Standards and Technology (NIST) has finalized the first two volumes of its U.S. Government Cloud Computing Technology Roadmap, laying critical requirements for security, interoperability and portability, addressing cloud migration challenges and defining priority action plans (PAPs) for each requirement. http://www.scmagazine.com/nist-finalized-requirements-and-action-plans/article/379043/

FYI - ISA president urges state AGs to expand understanding of cybercrime - There's more to cybercrime than breaches and personal data theft, Larry Clinton, president of the Internet Security Alliance (ISA) said at the National Association of State Attorneys General's conference on consumer protection this week. http://www.scmagazine.com/internet-security-alliances-larry-clinton-told-state-attorneys-general-to-improve-understanding-of-cybercrime/article/378871/

FYI - Pentagon Needs to Build Cybersecurity into the Acquisition Process - If you were asked to name one of the most pressing issues facing the Pentagon in the next five years, chances are you wouldn’t specify the intersection of cybersecurity, acquisition and the sometimes small but always vital electronic components that make up battlefield systems. http://www.nextgov.com/cybersecurity/2014/10/pentagon-needs-build-cybersecurity-acquisition-process/96461/?oref=ng-channelriver

FYI - South Korea mulls replacing nat'l ID cards after breach - To counter the effects of a recent massive data breach, South Korea is mulling issuing new national ID numbers to all 50 million of it citizens – a project that would cost the government an estimated $650 million. http://www.scmagazine.com/replacing-cards-after-breach-could-cost-govt-650m/article/377721/

FYI - FBI warns of cyberattacks linked to China - The U.S. Federal Bureau of Investigation issued a warning to companies and organizations on Wednesday of cyberattacks by people linked with the Chinese government. http://www.computerworld.com/article/2834496/fbi-warns-of-cyberattacks-linked-to-china.html

FYI - The Number of Industries Getting Classified Cyberthreat Tips from DHS Has Doubled Since July - Firms from half of the nation’s 16 key industries, including wastewater and banking, have paid for special technology to join a Department of Homeland Security program that shares classified cyberthreat intelligence, in hopes of protecting society from a catastrophic cyberattack. http://www.nextgov.com/cybersecurity/2014/10/number-industries-getting-classified-cyberthreat-tips-dhs-has-doubled-july/96923/?oref=ng-HPtopstory

FYI - DHS investigates possible vulnerabilities in medical devices, report indicates - Citing an unnamed senior official at the U.S. Department of Homeland Security (DHS), Reuters reported on Wednesday that the agency is investigating roughly 24 cases of suspected vulnerabilities in medical devices and hospital equipment. http://www.scmagazine.com/dhs-investigates-possible-vulnerabilities-in-medical-devices-report-indicates/article/378735/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Cyberswim notifies customers that payment card data may be at risk - Cyberswim, Inc. is notifying an undisclosed number of customers that unauthorized individuals or entities installed malicious software on the computer server hosting its website and may have compromised their personal information, including payment card data. http://www.scmagazine.com/cyberswim-notifies-customers-that-payment-card-data-may-be-at-risk/article/377958/

FYI - Sourcebooks payment card breach impacts more than 5,000 customers - Illinois-based publisher Sourcebooks has notified roughly 9,000 customers that a security vulnerability in its shopping cart software may have enabled criminals to obtain their personal information, including payment card data. http://www.scmagazine.com/sourcebooks-payment-card-breach-impacts-more-than-5000-customers/article/378253/

FYI - Credit Card Breach at Staples Stores - Multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach. Staples says it is investigating “a potential issue” and has contacted law enforcement. http://krebsonsecurity.com/2014/10/banks-credit-card-breach-at-staples-stores/

FYI - Staples is investigating a potential issue involving credit card data - Office supplies retailer Staples is “in the process of investigating a potential issue involving credit card data,” according to a statement emailed to SCMagazine.com on Tuesday. http://www.scmagazine.com/staples-is-investigating-a-potential-issue-involving-credit-card-data/article/378482/

FYI - Transcript website flaw exposed personal data on 98k users - A website that helps students obtain past transcripts might have exposed the personal information of close to 100,000 users. At least one user was able to access the information after a flaw in NeedMyTranscript.com's design led to a site subdirectory, according to The Washington Post. The transcript site covers more than 18,000 high schools in all 50 states. http://www.scmagazine.com/transcript-website-flaw-exposed-personal-data-on-98k-users/article/378787/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Principle 6: Banks should ensure that clear audit trails exist for all e-banking transactions.

Delivery of financial services over the Internet can make it more difficult for banks to apply and enforce internal controls and maintain clear audit trails if these measures are not adapted to an e-banking environment. Banks are not only challenged to ensure that effective internal control can be provided in highly automated environments, but also that the controls can be independently audited, particularly for all critical e-banking events and applications.

A bank's internal control environment may be weakened if it is unable to maintain clear audit trails for its e-banking activities. This is because much, if not all, of its records and evidence supporting e-banking transactions are in an electronic format. In making a determination as to where clear audit trails should be maintained, the following types of e-banking transactions should be considered:

1) The opening, modification or closing of a customer's account.

2) Any transaction with financial consequences.

3) Any authorization granted to a customer to exceed a limit.

4) Any granting, modification or revocation of systems access rights or privileges.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

ELECTRONIC AND PAPER - BASED MEDIA HANDLING

DISPOSAL

Financial institutions need appropriate disposal procedures for both electronic and paper based media. Policies should prohibit employees from discarding sensitive media along with regular garbage to avoid accidental disclosure. Many institutions shred paper - based media on site and others use collection and disposal services to ensure the media is rendered unreadable and unreconstructable before disposal. Institutions that contract with third parties should use care in selecting vendors to ensure adequate employee background checks, controls, and experience.

Computer - based media presents unique disposal problems. Residual data frequently remains on media after erasure. Since that data can be recovered, additional disposal techniques should be applied to sensitive data. Physical destruction of the media, for instance by subjecting a compact disk to microwaves, can make the data unrecoverable. Additionally, data can sometimes be destroyed after overwriting. Overwriting may be preferred when the media will be re - used. Institutions should base their disposal policies on the sensitivity of the information contained on the media and, through policies, procedures, and training, ensure that the actions taken to securely dispose of computer-based media adequately protect the data from the risks of reconstruction. Where practical, management should log the disposal of sensitive media, especially computer - based media.

TRANSIT

Financial institutions should maintain the security of media while in transit or when shared with third parties. Policies should include:

! Restrictions on the carriers used and procedures to verify the identity of couriers,
! Requirements for appropriate packaging to protect the media from damage,
! Use of encryption for transmission of sensitive information,
! Security reviews or independent security reports of receiving companies, and
! Use of nondisclosure agreements between couriers and third parties.

Financial institutions should address the security of their back - up tapes at all times, including when the tapes are in transit from the data center to off - site storage.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 13=, 14, and/or 15 but outside of these exceptions (Part 1 of 2)

A. Disclosure of Nonpublic Personal Information

1) Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the financial institution's compliance with disclosure limitations.

a. Compare the data shared and with whom the data were shared to ensure that the institution accurately categorized its information sharing practices and is not sharing nonpublic personal information outside the exceptions (§§13, 14, 15).

b. Compare the categories of data shared and with whom the data were shared to those stated in the privacy notice and verify that what the institution tells consumers in its notices about its policies and practices in this regard and what the institution actually does are consistent (§§10, 6).

2) Review contracts with nonaffiliated third parties that perform services for the financial institution not covered by the exceptions in section 14 or 15. Determine whether the contracts adequately prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed. Note that the "grandfather" provisions of Section 18 apply to certain of these contracts. (§13(a)).