R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

February 3, 2008

CONTENT
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - CMS to check hospitals for HIPAA security compliance - The Centers for Medicare and Medicaid Services will begin on-site reviews of hospitals' compliance with security rules mandated by the Health Insurance Portability and Accountability Act of 1996. http://www.govhealthit.com/online/news/350176-1.html?type=pf

FYI - Foreign hackers seek to steal Americans' health records - Foreign hackers, primarily from Russia and China, are increasingly seeking to steal Americans' health care records, according to a Department of Homeland Security analyst. http://www.fcw.com/online/news/151334-1.html?type=pf

FYI - FERC approves cybersecurity standards for power grid - The Federal Energy Regulatory Commission (FERC) today approved eight mandatory cybersecurity standards that extend to all entities connected to the nation's power grid.
http://www.scmagazineus.com/FERC-approves-cybersecurity-standards-for-power-grid/article/104324/
http://www.ferc.gov/news/news-releases/2008/2008-1/01-17-08-E-2.asp

FYI - Cyber Espionage: A Growing Threat to Business - Cyber espionage is getting renewed attention as fresh evidence emerges of online break-ins at U.S. research labs and targeted phishing against corporations and government agencies here and abroad. http://www.pcworld.com/businesscenter/article/141474/cyber_espionage_a_growing_threat_to_business.html

FYI - Kansas City, Mo., lost IRS data - Federal investigators blame city officials for the loss in 2006 of 26 IRS computer tapes containing taxpayer information. http://www.chron.com/disp/story.mpl/ap/nation/5469430.html

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - "Major Retailer's" Data Breach Results In Wave Of Credit Card Fraud? - Anecdotal evidence suggests that a recently reported data breach by an undisclosed "major retailer" has resulted in a jump in consumers having their debit cards forcibly reissued, or calls from their bank to verify their recent purchase history. http://consumerist.com/345016/major-retailers-data-breach-results-in-wave-of-credit-card-fraud

FYI - Carphone Warehouse in 'serious' data breach - The company may face an unlimited fine after it exposed the personal details of thousands of customers online - Carphone Warehouse has been warned it could face prosecution for exposing the personal details of thousands of customers online and, in some cases, inadvertently setting debt collectors on them. http://www.zdnet.co.uk/misc/print/0,1000000169,39292224-39001093c,00.htm

FYI - Personal info lost in Oldham - Sensitive personal information on almost 150 NHS patients in the Oldham area has been 'lost', health bosses admitted. The Oldham NHS Primary Care Trust says two data sticks containing highly personal assessment notes of 148 clients who have been in contact with the trust's continuing care service have been reported missing. http://www.manchestereveningnews.co.uk/news/s/1031694_personal_info_lost_in_oldham

FYI - Credit issuer says data lost for 650,000 customers - Backup computer tape stored by an information protection and storage company is missing; customers of 230 retailers could be affected. A computer tape containing personal data of 650,000 customers of about 230 retailers including J.C. Penney is missing, credit card issuer GE Money said.
http://www.news.com/Credit-issuer-says-data-lost-for-650%2C000-customers/2100-1029_3-6226913.html?tag=nefd.top
http://www.theregister.co.uk/2008/01/18/jc_penney_customer_data_lost/print.html

FYI - Election Commission laptop hard drive found - Metro Police confirmed late Thursday that they have recovered the hard drive from the laptop computer, containing names and complete Social Security numbers for 337,000 registered voters, that was stolen from the Election Commission in December. http://www.nashvillecitypaper.com/news.php?viewStory=58576



WEB SITE COMPLIANCE - Disclosures and Notices

Several consumer regulations provide for disclosures and/or notices to consumers.  The compliance officer should check the specific regulations to determine whether the disclosures/notices can be delivered via electronic means.  The delivery of disclosures via electronic means has raised many issues with respect to the format of the disclosures, the manner of delivery, and the ability to ensure receipt by the appropriate person(s).  The following highlights some of those issues and offers guidance and examples that may be of use to institutions in developing their electronic services.

Disclosures are generally required to be "clear and conspicuous."  Therefore, compliance officers should review the web site to determine whether the disclosures have been designed to meet this standard. Institutions may find that the format(s) previously used for providing paper disclosures need to be redesigned for an electronic medium. Institutions may find it helpful to use "pointers" and "hotlinks" that automatically present the disclosures to customers when selected.  A financial institution's use solely of asterisks or other symbols as pointers or hotlinks would not be as clear as descriptive references that specifically indicate the content of the linked material.



INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INFORMATION SECURITY RISK ASSESSMENT


OVERVIEW

The quality of security controls can significantly influence all categories of risk. Traditionally, examiners and bankers recognize the direct impact on operational/transaction risk from incidents related to fraud, theft, or accidental damage. Many security weaknesses, however, can directly increase exposure in other risk areas. For example, the GLBA introduced additional legal/compliance risk due to the potential for regulatory noncompliance in safeguarding customer information. The potential for legal liability related to customer privacy breaches may present additional risk in the future. Effective application access controls can reduce credit and market risk by imposing risk limits on loan officers or traders. If a trader were to exceed the intended trade authority, the institution may unknowingly assume additional market risk exposure.

A strong security program reduces levels of reputation and strategic risk by limiting the institution's vulnerability to intrusion attempts and maintaining customer confidence and trust in the institution. Security concerns can quickly erode customer confidence and potentially decrease the adoption rate and rate of return on investment for strategically important products or services. Examiners and risk managers should incorporate security issues into their risk assessment process for each risk category. Financial institutions should ensure that security risk assessments adequately consider potential risk in all business lines and risk categories.

Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. An adequate assessment identifies the value and sensitivity of information and system components and then balances that knowledge with the exposure from threats and vulnerabilities. A risk assessment is a necessary prerequisite to the formation of strategies that guide the institution as it develops, implements, tests, and maintains its information systems security posture. An initial risk assessment may involve a significant one-time effort, but the risk assessment process should be an ongoing part of the information security program.

Risk assessments for most industries focus only on the risk to the business entity. Financial institutions should also consider the risk to their customers' information. For example, section 501(b) of the GLBA requires financial institutions to "protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer."



IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Access Rights Administration

8. Determine if users are aware of the authorized uses of the system.

Do internal users receive a copy of the authorized-use policy, appropriate training, and signify understanding and agreement before usage rights are granted?

Is contractor usage appropriately detailed and controlled through the contract?

Do customers and Web site visitors either explicitly agree to usage terms or receive a disclosure, as appropriate?


INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

13. If the institution does not disclose nonpublic personal information, and does not reserve the right to do so, other than under exceptions in 14 and 15, does the institution provide a simplified privacy notice that contains at a minimum: 

a. a statement to this effect;

b. the categories of nonpublic personal information it collects;

c. the policies and practices the institution uses to protect the confidentiality and security of nonpublic personal information; and

d. a general statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law? [6(c)(5)]

(Note: use of this type of simplified notice is optional; an institution may always use a full notice.)


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
