R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

January 9, 2011

CONTENT Internet Compliance Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

FYI - Bank lobby warns Cambridge over IT security thesis - Seeks censorship of student's work on chip and pin vulnerabilities. Bank lobby group The UK Cards Association has written to Cambridge University requesting the censorship of a student thesis concerned with vulnerabilities in the "chip and pin" transaction card systems used by the majority of the world's banks. http://www.securecomputing.net.au/News/242795,bank-lobby-warns-cambridge-over-it-security-thesis.aspx

FYI - Feds raid server farms in bid to root out PayPal DDoS perps - On the trail of Anonymous - Federal investigators have seized servers allegedly abused to launch a denial of service attack against PayPal earlier this month. http://www.theregister.co.uk/2010/12/30/avenge_assange_server_raids/

FYI - Web attack takes Anonymous activists offline - The notorious message board 4Chan has been taken offline by an overwhelming web attack. http://www.bbc.co.uk/news/technology-12090245

FYI - Nationwide employee sentenced to 2 1/2 years for counterfeit video games - New monitoring software at Nationwide Insurance spelled the beginning of the end for an employee who had been counterfeiting and selling computer games for five years. http://www.dispatch.com/live/content/local_news/stories/2010/12/30/nationwide-employee-sentenced-to-212-years.html?sid=101

FYI - ‘White House’ eCard Dupes Dot-Gov Geeks - A malware-laced e-mail that spoofed seasons greetings from The White House siphoned gigabytes of sensitive documents from dozens of victims over the holidays, including a number of government employees and contractors who work on cybersecurity matters. http://krebsonsecurity.com/2011/01/white-house-ecard-dupes-dot-gov-geeks/


FYI - Russian e-Payment Giant ChronoPay Hacked - Criminals this week hijacked ChronoPay.com, the domain name for Russia’s largest online payment processor, redirecting hundreds of unsuspecting visitors to a fake ChronoPay page that stole customer financial data. http://krebsonsecurity.com/2010/12/russian-e-payment-giant-chronopay-hacked/

FYI - Charges filed in high-tech insider trading case - Federal authorities have charged a California woman with securities fraud for allegedly passing detailed financial information on Nvidia and Marvell Technologies to portfolio managers at two hedge funds. http://www.computerworld.com/s/article/9202730/Charges_filed_in_high_tech_insider_trading_case?taxonomyId=82

FYI - Honda warns customers of email database breach - Hackers have compromised the email addresses of millions of Honda Motor Co. customers in an incident likely linked to a recently announced breach at an email marketing solutions provider.

Return to the top of the newsletter

WEB SITE COMPLIANCE - Non-Deposit Investment Products

Financial institutions advertising or selling non-deposit investment products on-line should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products."  On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.

Return to the top of the newsletter
We continue our series on the FFIEC interagency Information Security Booklet.  



A risk assessment is the key driver of the information security process. Its effectiveness is directly related to the following key practices:

1)  Multidisciplinary and Knowledge - based Approach - A consensus evaluation of the risks and risk mitigation practices followed by the institution requires the involvement of a broad range of users, with a range of expertise and business knowledge. Not all users may have the same opinion of the severity of various attacks, the importance of various controls, and the importance of various data elements and information system components. Management should apply a sufficient level of expertise to the assessment.

2)  Systematic and Central Control - Defined procedures and central control and coordination help to ensure standardization, consistency, and completeness of risk assessment policies and procedures, as well as coordination in planning and performance. Central control and coordination will also facilitate an organizational view of risks and lessons learned from the risk assessment process.

3)  Integrated Process - A risk assessment provides a foundation for the remainder of the security process by guiding the selection and implementation of security controls and the timing and nature of testing those controls. Testing results, in turn, provide evidence to the risk assessment process that the controls selected and implemented are achieving their intended purpose. Testing can also validate the basis for accepting risks.

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

18. If the institution, in its privacy policies, reserves the right to disclose nonpublic personal information to nonaffiliated third parties in the future, does the privacy notice include, as applicable, the:

a. categories of nonpublic personal information that the financial institution reserves the right to disclose in the future, but does not currently disclose;  [§6(e)(1)] and

b. categories of affiliates or nonaffiliated third parties to whom the financial institution reserves the right in the future to disclose, but to whom it does not currently disclose, nonpublic personal information? [§6(e)(2)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated