FYI
- Financial institutions plan to spend billions more on security in
coming years - Financial service companies plan to increase their
cybersecurity budgets by about $2 billion over the next two years,
according to a PricewaterhouseCoopers survey.
http://www.scmagazine.com/survey-shows-financial-institutions-willing-to-spend-money-for-security/article/384246/
FYI
- DHS Drafts Blueprints for Self-Repairing Networks as Hacks Mount -
The Department of Homeland Security is working with industry to
automate cyber defenses inside the government, which will ensure
operations continue during and after hack attacks, DHS officials
said Wednesday.
http://www.nextgov.com/cybersecurity/2014/11/dhs-drafts-blueprints-self-repairing-networks-hacks-mount/98906/?oref=ng-channeltopstory
FYI
- FBI defends “ruse” of undercover agents posing as hotel cable guys
- FBI cut Internet access, sent agents into hotel rooms to fix it
without warrants. The Justice Department says it's perfectly legal
for the Federal Bureau of Investigation to cut Internet access of
hotel rooms, pose as repairmen, and gather evidence of illegal
activity—without a court warrant.
http://arstechnica.com/tech-policy/2014/11/fbi-defends-ruse-of-undercover-agents-posing-as-hotels-cable-guys/
FYI
- Homeland Security alerts on end of Windows Server 2003 support -
An alert from US-CERT (the Computer Emergency Readiness Team) warns
of dangerous consequences for organizations that continue to run
Windows Server 2003 R2. Microsoft has scheduled the end of support
for this operating system on July 14, 2015. This applies to both the
initial and R2 editions of Windows Server 2003.
http://www.zdnet.com/homeland-security-alerts-on-end-of-windows-server-2003-support-7000035778/
FYI
- University of Maryland hosts girls' cybersecurity career workshop
- At about 10 a.m. Tuesday, a group of middle school girls wearing
matching white T-shirts formed a line leading into the Samuel Riggs
IV Alumni Center. The 350 girls from local schools were headed to
the Cool Careers in Cybersecurity for Girls Workshop.
http://www.diamondbackonline.com/news/article_04d5a9a0-6aea-11e4-b9f3-1bbb47a920b7.html
FYI
- GAO - Information Security: VA Needs to Address Identified
Vulnerabilities.
http://www.gao.gov/products/GAO-15-117
FYI
- More than half of UK orgs would hire hackers, ex-convicts, as
cyber experts - Professional services firm KPMG surveyed 300 senior
IT and HR professionals in UK companies employing more than 500
individuals and learned that more than half would consider hiring a
hacker, 53 percent, or person with a criminal record, 52 percent, in
order to keep ahead of cyber crooks, according to a news release
issued on Sunday.
http://www.scmagazine.com/survey-more-than-half-of-uk-orgs-would-hire-hackers-ex-convicts-as-cyber-experts/article/383758/
FYI
- Make FBI an ally after breach - While companies may be tempted to
remain mum in the aftermath of a breach, “one reason to talk to the
FBI is to invoke delayed notification,” Steven Grimes, a partner at
the law firm Winston & Strawn LLP, told attendees at SC Congress
Chicago Tuesday.
http://www.scmagazine.com/sc-congress-chicago-2014-make-fbi-an-ally-after-breach/article/384538/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- NOAA confirms cyberattack on four weather sites - Four websites
run by the U.S. National Oceanic and Atmospheric Administration have
been compromised in recent weeks, the agency said on Wednesday.
http://www.computerworld.com/article/2846978/noaa-confirms-cyberattack-on-four-weather-sites.html
FYI
- Data on reported 2.7M HSBC Turkey customers compromised in attack
- The card and linked account numbers, card expiry dates and
cardholder names of HSBC Turkey customers were compromised in an
attack identified in the past week, according to a FAQ issued by
HSBC.
http://www.scmagazine.com/data-on-reported-27m-hsbc-turkey-customers-compromised-in-attack/article/383222/
FYI
- U.S. spy program targeting Americans' mobile phones, report says -
To locate criminal suspects, the U.S. Department of Justice is using
small devices attached to airplanes that gather data on thousands of
mobile phones, including those used by innocent Americans.
http://www.scmagazine.com/doj-devices-on-airplanes-gather-mobile-phone-data/article/383474/
FYI
- Seattle Public Schools data improperly released, at least 8,000
students affected - Seattle Public Schools is notifying parents that
a law firm retained by the district to handle a complaint against
the district inadvertently sent personal information on as few as
8,000 special education students to an individual involved in the
case.
http://www.scmagazine.com/seattle-public-schools-data-improperly-released-at-least-8000-students-affected/article/383418/
FYI
- State Department hack may be tied to White House network breach -
The Associated Press reported on Sunday that the State Department
detected “activity of concern” lurking in its systems since October,
around the same time as the White House computer network breach.
http://www.scmagazine.com/state-department-reports-breach-of-unclassified-systems/article/383767/
FYI
- State Dept shuts off unclassified email after hack. Classified
mail? That's CLASSIFIED - Classified systems 'not affected' - but,
is this reconnaissance? The State Department has suspended its
unclassified email system in response to a suspected hacking attack.
http://www.theregister.co.uk/2014/11/17/email_system_suspended_after_us_state_dept_hack_attacks/
FYI
- Devices stolen from Boston hospital physician during armed robbery
contained patient data - Boston-based Brigham and Women's Hospital (BWH)
is notifying roughly 1,000 patients that their personal information
may have been on a laptop computer and cell phone stolen from a
physician during an armed robbery.
http://www.scmagazine.com/devices-stolen-from-boston-hospital-physician-during-armed-robbery-contained-patient-data/article/383893/
FYI
- USPS draws ire of Congress over data breach response - The United
States Postal Service (USPS) was scolded by members of a
congressional subcommittee in a hearing over its response to the
recent data breach that impacted its network and employees.
http://www.scmagazine.com/congress-criticizes-usps-data-breach-response/article/384520/
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Principle 10: Banks should have effective capacity,
business continuity and contingency planning processes to help
ensure the availability of e-banking systems and services.
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with customer expectations. To achieve this, the
bank must have the ability to deliver e-banking services to
end-users from either primary (e.g. internal bank systems and
applications) or secondary sources (e.g. systems and applications of
service providers). The maintenance of adequate availability is also
dependent upon the ability of contingency back-up systems to
mitigate denial of service attacks or other events that may
potentially cause business disruption.
The challenge to maintain continued availability of e-banking
systems and applications can be considerable given the potential for
high transaction demand, especially during peak time periods. In
addition, high customer expectations regarding short transaction
processing cycle times and constant availability (24 x 7) have also
increased the importance of sound capacity, business continuity and
contingency planning. To provide customers with the continuity of
e-banking services that they expect, banks need to ensure that:
1) Current e-banking system capacity and future scalability are
analyzed in light of the overall market dynamics for e-commerce and
the projected rate of customer acceptance of e-banking products and
services.
2) E-banking transaction processing capacity estimates are
established, stress tested and periodically reviewed.
3) Appropriate business continuity and contingency plans for
critical e-banking processing and delivery systems are in place and
regularly tested.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SERVICE PROVIDER OVERSIGHT - SAS 70 REPORTS
Frequently technology service providers (TSPs) or user groups will
contract with an accounting firm to report on security using
Statement on Auditing Standards 70 (SAS 70), an auditing standard
developed by the American Institute of Certified Public Accountants.
SAS 70 focuses on controls and control objectives. It allows for two
types of reports. A SAS 70
Type I report gives the service provider's description of controls
at a specific point in time, and an auditor's report. The auditor's
report will provide an opinion on whether the control description
fairly presents the relevant aspects of the controls, and whether
the controls were suitably designed for their purpose.
A SAS 70 Type II report expands upon a Type I report by addressing
whether the controls were functioning. It provides a description of
the auditor's tests of the controls. It also provides an expanded
auditor's report that addresses whether the controls that were
tested were operating with sufficient effectiveness to provide
reasonable, but not absolute, assurance that the control objectives
were achieved during the specified period.
Financial institutions should carefully evaluate the scope and
findings of any SAS 70 report. The report may be based on different
security requirements than those established by the institution. It
may not provide a thorough test of security controls unless
requested by the TSP or augmented with additional coverage.
Additionally, the report may not address the effectiveness of the
security process in continually mitigating changing risks.
Therefore, financial institutions may require additional reports to
oversee the security program of the service provider.
INTERNET PRIVACY - At the end of November 2014, we will discontinue this section
on Internet Privacy. You will find the entire regulation PART
332—PRIVACY OF CONSUMER FINANCIAL INFORMATION at
http://www.fdic.gov/regulations/laws/rules/2000-5550.html.
We continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Redisclosure of nonpublic personal information received
from a nonaffiliated financial institution outside of Sections 14
and 15.
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure of the
information where the institution is the recipient of nonpublic
personal information (§11(b)).
B. Select a sample of data received from nonaffiliated financial
institutions and shared with others to evaluate the financial
institution's compliance with redisclosure limitations.
1. Verify that the institution's redisclosure of the information
was only to affiliates of the financial institution from which the
information was obtained or to the institution's own affiliates,
except as otherwise allowed in step 2 below (§11(b)(1)(i) and
(ii)).
2. If the institution shares information with entities other than
those under step 1 above, verify that the institution's information
sharing practices conform to those in the nonaffiliated financial
institution's privacy notice (§11(b)(1)(iii)).
3. Also, review the procedures used by the institution to ensure
that the information sharing reflects the opt out status of the
consumers of the nonaffiliated financial institution (§§10,
11(b)(1)(iii)).