Yennik, Inc.

Internet Banking News
brought to you by Yennik, Inc.
The acknowledged leader in independent Internet audits for financial institutions.

January 14, 2007

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit

FYI - FDIC's Supervisory Insights Reports How Banks can Effectively Handle Security Breaches Through Incident Response Programs - Other supervisory "hot topics" covered - best practices for identifying and controlling risk in commercial real estate lending, how examiners identify and address unfair or deceptive acts or practices, and understanding Bank Secrecy Act violations.

- Breach of county bank account likely identity theft - The theft of an undisclosed amount of money from Oceana County accounts with Fifth Third Bank was likely the result of someone responding to a fraudulent e-mail called "phishing."

FYI - From SANS - What is an IT Security Manager's Responsibility with Phishing?

FYI - China's Internet expected to be back to normal by Jan. 15 - Internet services in China will not be back to normal until mid-January after being disrupted by a powerful earthquake off Taiwan, a news report Sunday quoted the country's biggest telephone company as saying.

FYI - Seven steps for a more secure network - IT security professionals should rely on personal vigilance and implemented methodologies - not just the slew of new products hitting the marketplace - to protect their networks in 2007.


FYI - Patients warned of possible identity theft - A Deaconess Hospital laptop that contained private information on up to 128 patients has been missing for at least a month, a hospital spokesman.

FYI - A major health insurer has delivered a gloomy holiday message to 42,000 city employees, warning that their personal data may have been compromised during a burglary in Massachusetts, The Post has learned. Group Health Insurance Inc. reported that thieves made off with computer tapes containing the names, Social Security numbers "as well as other data" in a break-in at the office of one of its vendors, Concentra Preferred Systems, on Oct. 26.

FYI - Personal data of 15,000 TWU students made vulnerable - In the wake of this recent potential personal data nightmare at UT Dallas, comes one at Texas Woman's University. Texas Woman's University is notifying approximately 15,000 students that their personal data has been exposed to potential identity theft.


Electronic Fund Transfer Act, Regulation E (Part 1 of 2)

Generally, when online banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply.  A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).

Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep.  An Interim rule was issued on March 20, 1998 that allows depository institutions to satisfy the requirement to deliver by electronic communication any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such method of delivery.

Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures.  Although not specifically mentioned in the commentary, this applies to all new banking services including electronic financial services.

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated online. Specifically, the OSC provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as by a personal computer or a facsimile machine.


- We continue our series on the FFIEC interagency Information Security Booklet.  



Financial institutions need appropriate disposal procedures for both electronic and paper-based media. Policies should prohibit employees from discarding sensitive media along with regular garbage to avoid accidental disclosure. Many institutions shred paper-based media on site and others use collection and disposal services to ensure the media is rendered unreadable and unreconstructable before disposal. Institutions that contract with third parties should use care in selecting vendors to ensure adequate employee background checks, controls, and experience.

Computer-based media presents unique disposal problems. Residual data frequently remains on media after erasure. Since that data can be recovered, additional disposal techniques should be applied to sensitive data. Physical destruction of the media, for instance by subjecting a compact disk to microwaves, can make the data unrecoverable. Additionally, data can sometimes be destroyed after overwriting. Overwriting may be preferred when the media will be re-used. Institutions should base their disposal policies on the sensitivity of the information contained on the media and, through policies, procedures, and training, ensure that the actions taken to securely dispose of computer-based media adequately protect the data from the risks of reconstruction. Where practical, management should log the disposal of sensitive media, especially computer-based media.


Financial institutions should maintain the security of media while in transit or when shared with third parties. Policies should include:

- Restrictions on the carriers used and procedures to verify the identity of couriers,
- Requirements for appropriate packaging to protect the media from damage,
- Use of encryption for transmission of sensitive information,
- Security reviews or independent security reports of receiving companies, and
- Use of nondisclosure agreements between couriers and third parties.

Financial institutions should address the security of their back-up tapes at all times, including when the tapes are in transit from the data center to off-site storage.



5. Evaluate whether the software contains appropriate authentication and encryption.

6. Evaluate the adequacy of the change control process.

7. Evaluate the appropriateness of software libraries and their access controls.


- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

36. Does the institution use a reasonable means for delivering the notices, such as:

a. hand-delivery of a printed copy; [9(b)(1)(i)]

b. mailing a printed copy to the last known address of the consumer; [9(b)(1)(ii)]

c. for the consumer who conducts transactions electronically, clearly and conspicuously posting the notice on the institution's electronic site and requiring the consumer to acknowledge receipt as a necessary step to obtaining a financial product or service; [9(b)(1)(iii)] or 

d. for isolated transactions, such as ATM transactions, posting the notice on the screen and requiring the consumer to acknowledge receipt as a necessary step to obtaining the financial product or service? [9(b)(1)(iv)]

(Note: insufficient or unreasonable means of delivery include: exclusively oral notice, in person or by telephone; branch or office signs or generally published advertisements; and electronic mail to a customer who does not obtain products or services electronically. [9 (b)(2)(i) and (ii), and (d)])


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated