R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

February 6, 2011

CONTENT Internet Compliance Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

- Banks may soon require new online authentication steps - The Federal Financial Institutions Examination Council (FFIEC) could soon release new guidelines for banks to use when authenticating users to online banking transactions. http://www.computerworld.com/s/article/9206158/Banks_may_soon_require_new_online_authentication_steps?taxonomyId=82

FYI - Court orders seizure of PS3 hacker's computers - A federal judge ordered prolific hacker Geohot to turn over his computers and hard drives and to stop publishing the tools used to root Sony's PlayStation 3 after finding his hack was likely a violation of US copyright law. http://www.theregister.co.uk/2011/01/27/sony_ps3_tro_awarded/

FYI - Showing how security is a value-add to the organization - The past two years have transformed the way the world does business. The global economic crisis has led to many transformations in the way businesses operate both here and abroad. http://www.scmagazineus.com/showing-how-security-is-a-value-add-to-the-organization/article/195202/?DCMP=EMC-SCUS_Newswire

FYI - Out of the woods - Resources running low is not something one usually associates with the state of Alaska, but that is exactly what happened at the third largest credit union in the state. It wasn't a shortage of fish, game, oil or natural beauty that the full-service financial institution was faced with. Rather, it had outgrown the capabilities of its existing log management and security information event management (SIEM) system. http://www.scmagazineus.com/financial-services-out-of-the-woods/article/195201/?DCMP=EMC-SCUS_Newswire

FYI - FBI serves 40 search warrants in Anonymous crackdown - Worldwide DDoS dragnet - FBI agents executed more than 40 search warrants on Thursday as part of an investigation into coordinated web attacks carried out by the hacking collective known as Anonymous. http://www.theregister.co.uk/2011/01/28/fbi_crackdown_on_anonymous/


FYI - Newspaper site pulls plug after 'sustained' hack attack - South African newspaper The Mail & Guardian pulled down its website to protect readers against “sustained attacks” that attempted to infect them with malware. http://www.theregister.co.uk/2011/01/26/mail_and_guardian_hack_attack/

FYI - U.S. Can’t Link Bradley Manning to Julian Assange - After months of investigation, U.S. authorities have apparently been unable to find any independent evidence that a jailed Army private accused of leaking classified documents gave them to the secret-spilling site WikiLeaks, according to a news report. http://www.wired.com/threatlevel/2011/01/manning-and-assange/

FYI - Drive-by exploit slurps sensitive data from Android phones - A computer scientist has found a vulnerability in the latest version of Google's Android operating system that can be exploited to disclose sensitive user information. http://www.theregister.co.uk/2011/01/29/android_data_disclosure_bug/

FYI - London Stock Exchange under cyber attack - Report suggests hackers are trying to disrupt UK's critical infrastructure - The London Stock Exchange (LSE) has reportedly been investigating a suspected cyber attack on its systems designed to disrupt and spread panic across the markets. http://www.v3.co.uk/v3/news/2274505/london-stock-exchange-cyber

FYI - SourceForge applies global password reset after hack attack - Just a precaution, you understand - Open-source code repository SourceForge has advised users to change their passwords following a concerted hacking attack. http://www.theregister.co.uk/2011/01/31/sorceforge_hack_response/

FYI - Online Dating Site Breached - PlentyOfFish.com has been compromised and the company is blaming the messenger. Online dating Web site PlentyOfFish.com has been hacked, exposing the personal information and passwords associated with almost 30 million accounts. However, the site's founder Markus Frind claims that only 345 accounts were successfully stolen.

Return to the top of the newsletter

WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services ( Part 1 of 4)

Purpose and Background

This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the risks associated with outsourcing technology services.1 Financial institutions should consider the guidance outlined in this statement and the attached appendix in managing arrangements with their technology service providers.  While this guidance covers a broad range of issues that financial institutions should address, each financial institution should apply those elements based on the scope and importance of the outsourced services as well as the risk to the institution from the services.

Financial institutions increasingly rely on services provided by other entities to support an array of technology-related functions. While outsourcing to affiliated or nonaffiliated entities can help financial institutions manage costs, obtain necessary expertise, expand customer product offerings, and improve services, it also introduces risks that financial institutions should address.  This guidance covers four elements of a risk management process: risk assessment, selection of
service providers, contract review, and monitoring of service providers.

Return to the top of the newsletter
We continue our series on the FFIEC interagency Information Security Booklet.  



The goal of logical and administrative access control is to restrict access to system resources. Access should be provided only to authorized individuals whose identity is established, and their activities should be limited to the minimum required for business purposes. Authorized individuals (users) may be employees, TSP employees, vendors, contractors, customers, or visitors.

An effective control mechanism includes numerous controls to safeguard and limit access to key information system assets. This section addresses logical and administrative controls, including access rights administration and authentication through network, operating system, application, and remote access. A subsequent section addresses physical security controls.


Action Summary - Financial institutions should have an effective process to administer access rights. The process should include the following controls:

1)  Assign users and system resources only the access required to perform their required functions,

2)  Update access rights based on personnel or system changes,

3)  Periodically review users' access rights at an appropriate frequency based on the risk to the application or system, and

4)  Design appropriate acceptable-use policies and require users to sign them.

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

22. Does the institution provide the consumer with at least one of the following reasonable means of opting out, or with another reasonable means:

a. check-off boxes prominently displayed on the relevant forms with the opt out notice; [§7(a)(2)(ii)(A)]

b. a reply form included with the opt out notice; [§7(a)(2)(ii)(B)]

c. an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the institution's web site, if the consumer agrees to the electronic delivery of information; [§7(a)(2)(ii)(C)] or

d. a toll-free telephone number? [§7(a)(2)(ii)(D)]

Note: the institution may require the consumer to use one specific means, as long as that means is reasonable for that consumer. [§7(a)(iv)])


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated