FYI -
Corporate bank accounts targeted in online fraud - Criminals have
tried to steal an estimated $100 million from corporate bank
accounts using targeted malware and money mules, the FBI said.
http://news.cnet.com/8301-27080_3-10390118-245.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.ic3.gov/media/2009/091103-1.aspx
FYI -
Judge spanks lawyer for leaking personal details in brief -
'Negligent, inattentive electronic filing' - A judge has chastised a
lawyer for including the social security numbers and birthdays of
179 individuals in an electronic court brief, ordering him to pay a
$5,000 sanction and provide credit monitoring.
http://www.theregister.co.uk/2009/11/05/judge_sanctions_attorney/
FYI -
Browser cookie handling could widen web attack space - Attacker
could gain free rein over a principal production domain. A web
security researcher has revealed a major new threat to most websites
due to the contradictory way that cookies and the domain name system
(DNS) treat domain boundaries.
http://www.securecomputing.net.au/News/159809,browser-cookie-handling-could-widen-web-attack-space.aspx
FYI -
Corporate Breaches Increase Chances Of Consumer ID Theft, Study Says
- When their data is leaked by a business, individuals are four
times more likely to suffer identity theft - Consumers who have
received data breach notifications within the past year are at a
much greater risk for fraud than typical consumers, according to a
new study.
http://www.darkreading.com/security/privacy/showArticle.jhtml?articleID=221600348
FYI -
Apple iPhones hit by major worm attack after a Rick Astley 'joke'
spirals out of control - Users of the Apple iPhone have been warned
of the first major worm to hit the handset.
http://www.scmagazineuk.com/Apple-iPhones-hit-by-major-worm-attack-after-a-Rick-Astley-joke-spirals-out-of-control/article/157359/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Men allegedly broke into computers of former employer - Poor
password hygiene indictment - Federal authorities on Wednesday filed
intrusion charges against two men accused of accessing the computer
systems of their former employer.
http://www.theregister.co.uk/2009/11/05/computer_intrusion_charges_filed/
FYI -
Computer theft suit bites feds for $751K - The federal government
paid out $751,750 to avoid a class action lawsuit after personal
information was stolen from a Canada Revenue Agency office.
http://www.edmontonsun.com/news/canada/2009/11/07/11668041-sun.html
FYI -
Bord Gáis implements new security regime after major data breach -
Encryption is to be deployed on all Bord Gáis laptops and workers
are to receive classroom training and awareness on data protection
following an investigation on the loss of laptops containing details
of 75,000 customers.
http://www.siliconrepublic.com/news/article/14343/cio/bord-gais-implements-new-security-regime-after-major-data-breach
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic Banking"
published by the Basel Committee on Bank Supervision.
Sound Practices for Managing Outsourced E-Banking Systems and
Services (Part 1 of 3)
1. Banks should adopt appropriate processes for evaluating decisions
to outsource e-banking systems or services.
a) Bank management should clearly identify the strategic purposes,
benefits and costs associated with entering into outsourcing
arrangements for e-banking with third parties.
b) The decision to outsource a key e-banking function or service
should be consistent with the bank's business strategies, be based
on a clearly defined business need, and recognize the specific risks
that outsourcing entails.
c) All affected areas of the bank need to understand how the
service provider(s) will support the bank's e-banking strategy and
fit into its operating structure.
2. Banks should conduct appropriate risk analysis and due diligence
prior to selecting an e-banking service provider and at appropriate
intervals thereafter.
a) Banks should consider developing processes for soliciting
proposals from several e-banking service providers and criteria for
choosing among the various proposals.
b) Once a potential service provider has been identified, the bank
should conduct an appropriate due diligence review, including a risk
analysis of the service provider's financial strength, reputation,
risk management policies and controls, and ability to fulfill its
obligations.
c) Thereafter, banks should regularly monitor and, as appropriate,
conduct due diligence reviews of the ability of the service provider
to fulfill its service and associated risk management obligations
throughout the duration of the contract.
d) Banks need to ensure that adequate resources are committed to
overseeing outsourcing arrangements supporting e-banking.
e) Responsibilities for overseeing e-banking outsourcing
arrangements should be clearly assigned.
f) An appropriate exit strategy for the bank to manage risks should
it need to terminate the outsourcing relationship.
INFORMATION TECHNOLOGY SECURITY - We conclude our series on the
FFIEC interagency Information Security Booklet.
MONITORING AND UPDATING - UPDATING
Financial institutions should evaluate the information gathered to
determine the extent of any required adjustments to the various
components of their security program. The institution will need to
consider the scope, impact, and urgency of any new threat. Depending
on the new threat or vulnerability, the institution will need to
reassess the risk and make changes to its security process (e.g.,
the security strategy, the controls implementation, or the security
testing requirements).
Institution management confronts routine security issues and events
on a regular basis. In many cases, the issues are relatively
isolated and may be addressed through an informal or targeted risk
assessment embedded within an existing security control process. For
example, the institution might assess the risk of a new operating
system vulnerability before testing and installing the patch. More
systemic events like mergers, acquisitions, new systems, or system
conversions, however, would warrant a more extensive security risk
assessment. Regardless of the scope, the potential impact and the
urgency of the risk exposure will dictate when and how controls are
changed.
IT SECURITY QUESTION: DATA SECURITY
4. Determine whether, where appropriate, the system securely links
the receipt of information with the originator of the information
and other identifying information, such as date, time, address, and
other relevant factors.
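One way a system can bind a received message to its originator, source address and time of receipt, as this question asks, is an authenticated receipt record: a keyed MAC over the payload digest and the identifying fields, so that later alteration of any one of them is detectable. This is an added illustration, not code from the newsletter or the FFIEC booklet; the key, field names, function names and the sample message are all constructed.

```python
import hashlib
import hmac
import json

# Hypothetical receipt-signing key (constructed for this example); a real
# deployment keeps it in a key store, not in source.
RECEIPT_KEY = b"example-receipt-key-do-not-use"


def canonical(fields: dict) -> bytes:
    """Serialize the receipt fields deterministically so the MAC is reproducible."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_receipt(payload: bytes, originator_id: str, source_addr: str,
                 received_at: str, key: bytes = RECEIPT_KEY) -> dict:
    """Bind a received payload to who sent it, from where, and when.

    The record stores a digest of the payload together with the identifying
    factors; the HMAC over the canonical record lets a reviewer confirm that
    none of the fields were changed after receipt. received_at is an ISO 8601
    UTC timestamp supplied by the receiving system.
    """
    fields = {
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
        "originator_id": originator_id,
        "source_addr": source_addr,
        "received_at": received_at,
    }
    fields["mac"] = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return fields


def verify_receipt(receipt: dict, payload: bytes, key: bytes = RECEIPT_KEY) -> bool:
    """Check the MAC, then check that the stored digest still matches the payload."""
    record = {k: v for k, v in receipt.items() if k != "mac"}
    expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, receipt.get("mac", "")):
        return False  # a field or the MAC itself was altered
    return hmac.compare_digest(record["payload_sha256"],
                               hashlib.sha256(payload).hexdigest())


if __name__ == "__main__":
    # Constructed sample: a transfer instruction received over the web channel.
    msg = b'{"transfer":{"to":"ACCT-0001","amount":"250.00"}}'
    rec = make_receipt(msg, "cust-4711", "203.0.113.7", "2009-11-09T14:30:00Z")
    print(json.dumps(rec, indent=2))
    print("verified:", verify_receipt(rec, msg))
```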
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
37. For annual notices only, if the institution does not
employ one of the methods described in question 36, does the
institution employ one of the following reasonable means of
delivering the notice:
a. for the customer who uses the institution's web site to access
products and services electronically and who agrees to receive
notices at the web site, continuously posting the current privacy
notice on the web site in a clear and conspicuous manner; [§9(c)(1)]
or
b. for the customer who has requested the institution refrain from
sending any information about the customer relationship, making
copies of the current privacy notice available upon customer
request? [§9(c)(2)]