Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc. has clients in 42 states
that rely on our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable-sophisticated process than goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
- Bank lobby warns Cambridge over IT security thesis - Seeks
censorship of student's work on chip and pin vulnerabilities. Bank
lobby group The UK Cards Association has written to Cambridge
University requesting the censorship of a student thesis concerned
with vulnerabilities in the "chip and pin" transaction card systems
used by the majority of the world's banks.
- Feds raid server farms in bid to root out PayPal DDoS perps - On
the trail of Anonymous - Federal investigators have seized servers
allegedly abused to launch a denial of service attack against PayPal
earlier this month.
- Web attack takes Anonymous activists offline - The notorious
message board 4Chan has been taken offline by an overwhelming web
- Nationwide employee sentenced to 2 1/2 years for counterfeit video
games - New monitoring software at Nationwide Insurance spelled the
beginning of the end for an employee who had been counterfeiting and
selling computer games for five years.
- ‘White House’ eCard Dupes Dot-Gov Geeks - A malware-laced e-mail
that spoofed seasons greetings from The White House siphoned
gigabytes of sensitive documents from dozens of victims over the
holidays, including a number of government employees and contractors
who work on cybersecurity matters.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Russian e-Payment Giant ChronoPay Hacked - Criminals this week
hijacked ChronoPay.com, the domain name for Russia’s largest online
payment processor, redirecting hundreds of unsuspecting visitors to
a fake ChronoPay page that stole customer financial data.
- Charges filed in high-tech insider trading case - Federal
authorities have charged a California woman with securities fraud
for allegedly passing detailed financial information on Nvidia and
Marvell Technologies to portfolio managers at two hedge funds.
- Honda warns customers of email database breach - Hackers have
compromised the email addresses of millions of Honda Motor Co.
customers in an incident likely linked to a recently announced
breach at an email marketing solutions provider.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Non-Deposit Investment Products
Financial institutions advertising or selling non-deposit investment
products on-line should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with
this Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (1 of 2)
A risk assessment is the key driver of the information security
process. Its effectiveness is directly related to the following key
1) Multidisciplinary and Knowledge - based Approach - A consensus
evaluation of the risks and risk mitigation practices followed by
the institution requires the involvement of a broad range of users,
with a range of expertise and business knowledge. Not all users may
have the same opinion of the severity of various attacks, the
importance of various controls, and the importance of various data
elements and information system components. Management should apply
a sufficient level of expertise to the assessment.
2) Systematic and Central Control - Defined procedures and central
control and coordination help to ensure standardization,
consistency, and completeness of risk assessment policies and
procedures, as well as coordination in planning and performance.
Central control and coordination will also facilitate an
organizational view of risks and lessons learned from the risk
3) Integrated Process - A risk assessment provides a foundation for
the remainder of the security process by guiding the selection and
implementation of security controls and the timing and nature of
testing those controls. Testing results, in turn, provide evidence
to the risk assessment process that the controls selected and
implemented are achieving their intended purpose. Testing can also
validate the basis for accepting risks.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
18. If the institution, in its privacy policies, reserves the
right to disclose nonpublic personal information to nonaffiliated
third parties in the future, does the privacy notice include, as
a. categories of nonpublic personal information that the financial
institution reserves the right to disclose in the future, but does
not currently disclose; [§6(e)(1)] and
b. categories of affiliates or nonaffiliated third parties to whom
the financial institution reserves the right in the future to
disclose, but to whom it does not currently disclose, nonpublic
personal information? [§6(e)(2)]