Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).
The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI -
Microsoft recovers most Sidekick data - Only a small number of
Sidekick users will suffer permanent data loss - Microsoft has good
news for most Sidekick users: The company says it has recovered most
of the data for T-Mobile Sidekick users who saw personal information
accidentally wiped from their devices.
http://www.computerworld.com/s/article/9139407/Microsoft_recovers_most_Sidekick_data?taxonomyId=17
FYI -
Fugitive hacker headed back to U.S. for arraignment - Edwin Pena
faces 20 federal charges related to hacking and wire fraud in VoIP
theft scam - A Miami man who for three years had evaded prosecution
in connection with the theft and reselling of VoIP services is being
extradited to Newark from Mexico today and is set to be arraigned in
a New Jersey federal courthouse.
http://www.computerworld.com/s/article/9139434/Fugitive_hacker_headed_back_to_U.S._for_arraignment?source=rss_security
FYI -
Michigan airport grounds website over malware risk - An airport in
Michigan reportedly took down its website late on Monday in response
to a computer virus risk.
http://www.theregister.co.uk/2009/10/13/airport_malware_infection/
FYI -
FTC increases security obligations of ChoicePoint - The Federal
Trade Commission has punished ChoicePoint for another data breach
after the agency concluded the data broker failed to properly
implement security measures as prescribed in the wake of its
watershed 2005 incident.
http://www.scmagazineus.com/FTC-increases-security-obligations-of-ChoicePoint/article/155800/?DCMP=EMC-SCUS_Newswire
http://www.pcworld.com/article/173902/choicepoint_to_pay_fine_for_second_data_breach.html
FYI -
Survey finds lax health care privacy in United States - More than
half of American hospitals fail to take appropriate steps to protect
the privacy of patients, according to a new survey of health care IT
security professionals.
http://www.scmagazineus.com/Survey-finds-lax-health-care-privacy-in-United-States/article/155795/?DCMP=EMC-SCUS_Newswire
FYI -
ID theft tops list of Americans' security concerns - More than the
H1N1 flu or their ability to meet financial obligations, Americans
are most concerned about identity theft, according to the latest
Unisys Security Index released Tuesday.
http://www.scmagazineus.com/Survey-ID-theft-tops-list-of-Americans-security-concerns/article/155766/?DCMP=EMC-SCUS_Newswire
FYI -
NASA must fix cyber vulnerabilities - A new report from the
Government Accountability Office (GAO) found that NASA has multiple
cybersecurity problems.
http://www.scmagazineus.com/GAO-NASA-must-fix-cyber-vulnerabilities/article/155738/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Trojan plunders $480k from online bank account - A Pennsylvania
organization that helps develop affordable housing learned a painful
lesson about the hazards of online banking using the Windows
operating system when a notorious trojan siphoned almost $480,000
from its account.
http://www.theregister.co.uk/2009/10/14/microsoft_windows_bank_thefts/
FYI -
Data on 103,000 Students Misplaced - A flash drive containing the
personal information of more than 103,000 former adult education
students in Virginia was misplaced last month, state education
officials reported.
http://www.washingtonpost.com/wp-dyn/content/article/2009/10/14/AR2009101402118.html
FYI -
Ex-Ford engineer charged with trade secret theft - Suspect allegedly
stole trade secrets after accepting job with a competing Chinese
company - A former product engineer at Ford Motor Co. has been
charged with stealing sensitive design documents from the auto maker
worth millions of dollars.
http://www.computerworld.com/s/article/9139472/Ex_Ford_engineer_charged_with_trade_secret_theft?source=rss_security
FYI -
Time Warner Cable Exposes 65,000 Customer Routers to Remote Hacks -
A vulnerability in a Time Warner cable modem and Wi-Fi router
deployed to 65,000 customers would allow a hacker to remotely access
the device's administrative menu over the internet, and potentially
change the settings to intercept traffic, according to a blogger who
discovered the issue.
http://www.wired.com/threatlevel/2009/10/time-warner-cable/
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Principle 10: Banks should have effective capacity,
business continuity and contingency planning processes to help
ensure the availability of e-banking systems and services.
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with customer expectations. To achieve this, the
bank must have the ability to deliver e-banking services to
end-users from either primary (e.g. internal bank systems and
applications) or secondary sources (e.g. systems and applications of
service providers). The maintenance of adequate availability is also
dependent upon the ability of contingency back-up systems to
mitigate denial of service attacks or other events that may
potentially cause business disruption.
The challenge to maintain continued availability of e-banking
systems and applications can be considerable given the potential for
high transaction demand, especially during peak time periods. In
addition, high customer expectations regarding short transaction
processing cycle times and constant availability (24 X 7) have also
increased the importance of sound capacity, business continuity and
contingency planning. To provide customers with the continuity of
e-banking services that they expect, banks need to ensure that:
1) Current e-banking system capacity and future scalability are
analyzed in light of the overall market dynamics for e-commerce and
the projected rate of customer acceptance of e-banking products and
services.
2) E-banking transaction processing capacity estimates are
established, stress tested and periodically reviewed.
3) Appropriate business continuity and contingency plans for
critical e-banking processing and delivery systems are in place and
regularly tested.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY TESTING - OUTSOURCED SYSTEMS
Management is responsible for ensuring institution and customer data
is protected, even when that data is transmitted, processed, or
stored by a service provider. Service providers should have
appropriate security testing based on the risk to their
organization, their customer institutions, and the institution's
customers. Accordingly, management and auditors evaluating TSPs
should use the above testing guidance in performing
initial due diligence, constructing contracts, and exercising
ongoing oversight or audit responsibilities. Where indicated by the
institution's risk assessment, management is responsible for
monitoring the testing performed at the service provider through
review of timely audits and test results or other equivalent
evaluations.
IT SECURITY QUESTION: DATA SECURITY
1. Obtain an understanding of the data security strategy.
• Identify the financial institution's approach to protecting data
(e.g., protect all data similarly, protect data based upon risk of
loss).
• Obtain and review the risk assessment covering financial
institution data. Determine if the risk assessment classifies data
sensitivity in a reasonable manner and consistent with the financial
institution's strategic and business objectives.
• Consider whether policies and procedures address the protections
for data that is sent outside the institution.
• Identify processes to periodically review data sensitivity and
update corresponding risk assessments.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
34. Does the institution deliver a revised privacy notice when it:
a. discloses a new category of nonpublic personal information to a
nonaffiliated third party; [§8(b)(1)(i)]
b. discloses nonpublic personal information to a new category of
nonaffiliated third party; [§8(b)(1)(ii)] or
c. discloses nonpublic personal information about a former customer
to a nonaffiliated third party, if that former customer has not had
the opportunity to exercise an opt out right regarding that
disclosure? [§8(b)(1)(iii)]
(Note: a revised notice is not required if the institution adequately described the nonaffiliated third party or information to be disclosed in the prior privacy notice. [§8(b)(2)])