Yennik, Inc.®
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

February 11, 2007

CONTENT Internet Compliance Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit

Compliance Examination Handbook Revised Handbook Now Available - The FDIC has revised its Compliance Examination Handbook. The new handbook contains the FDIC's compliance examination policies and procedures in effect as of June 2006. It also includes revised Community Reinvestment Act examination procedures and performance evaluations.

Official Charged With Embezzling To Pay Nigerian Scammers - Michigan's AG claims a former county treasurer siphoned off $1.2 million from county coffers, some of which went overseas to fraudsters. The former treasurer for Michigan's Alcona County has been arrested and charged with allegedly embezzling $1.2 million in public funds, some of which he sent to Nigerian-style "419" e-mail scammers.;jsessionid=UKVFNGXFCRYXIQSNDLPCKH0CJUNN2JVN?articleID=197000242

FYI - Russians target Net bankers - Syndicate's software used by SA hackers to hit Internet cafés - A Russian cyber-criminal syndicate, specialising in the development of software to hack into bank accounts, is selling its software to South Africans.

FYI - UK firms naive to USB stick dangers - Half of UK companies inserted USB stick from unknown source - Half of UK companies are prepared to put their network security at risk by inserting a USB stick posing as a party invitation, according to research published this week.

FYI - Social Security numbers of 1.3 million Chicago voters distributed to candidates - The Social Security numbers (SSNs) of 1.3 million Chicago voters were compromised when they were distributed to city aldermen and ward committeemen this month. The whereabouts of six CDs containing the personal information, which were distributed by the Chicago Board of Elections, are unknown, according to a report this week in the Chicago Sun-Times.

FYI - CAC use nearly halves DOD network intrusions - Although there are 6 million probes of Defense Department networks a day, successful intrusions have declined 46 percent in the past year because of a requirement that all DOD personnel log on to unclassified networks using Common Access Cards, Air Force Lt. Gen. Charles Croom, said in a speech at the AFCEA SpaceComm 2007 conference.


FYI - Bankers Detect Fraud From TJX Hack - Customer data stolen from TJX Cos. by computer hackers has been used to make fraudulent debit card and credit card purchases in the United States and overseas, the Massachusetts Bankers Association said Wednesday. 

FYI - Xerox employees fear ID theft after laptop stolen - Some employees at a local Xerox plant are worried about identity theft at a laptop was stolen from a manager's car. The UniteHere Local 14Z Union said a computer containing employee's personal information was stolen from a human resources manager's car in August.

FYI - Insurer's customer data was swiped - Identity-theft concern is low, Nationwide says - The personal information of tens of thousands of Nationwide customers has been stolen. The company said that a lockbox of backup tapes containing the personal data of 28,279 Nationwide Health Plans customers, most in central Ohio, was stolen from the Waymouth, Mass., office of Concentra Preferred Systems.

FYI - IRS, Kansas City officials search for lost computer tapes - The Internal Revenue Service (IRS) and Kansas City officials are searching for lost agency computer tapes that may have been missing for as long as two months.

FYI - Patients' personal information threatened with computer theft - Some patients of SRHC could be at risk for identity theft - A laptop computer containing the names, social security numbers and medical history of up to 1,100 patients is missing, putting them at risk for identity theft, and Salina Regional Health Center officials are offering a $2,000 reward for the laptop's return.

FYI - EIU computer, IDs stolen - Letters have been distributed to approximately 1,400 Eastern Illinois University students, notifying them that confidential information, including their Social Security numbers, were stored on a desktop computer recently stolen from the university's Student Life office. The stolen files include the membership rosters and other data from the university's 23 fraternities and sororities.

FYI - Computers stolen from college financial aid office - Thousands of Vanguard University students are at risk for identity theft and fraud. Two computers stolen from Vanguard University earlier this month have put more than 5,000 financial aid applicants at risk for identity theft, authorities said today.

FYI - Hackers use trojan to access server with personal information of 70,000 Vermont residents - The hackers may have accessed a server containing the names, Social Security numbers, birth dates and financial records of 12,000 Green Mountain State residents who are at least three months behind on child support payments.

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue the series regarding
FDIC Supervisory Insights regarding
Incident Response Programs.  (2of 12)

The Importance of an Incident Response Program

A bank's ability to respond to security incidents in a planned and coordinated fashion is important to the success of its information security program. While IRPs are important for many reasons, three are highlighted in this article.

First, though incident prevention is important, focusing solely on prevention may not be enough to insulate a bank from the effects of a security breach. Despite the industry's efforts at identifying and correcting security vulnerabilities, every bank is susceptible to weaknesses such as improperly configured systems, software vulnerabilities, and zero-day exploits.  Compounding the problem is the difficulty an organization experiences in sustaining a "fully secured" posture. Over the long term, a large amount of resources (time, money, personnel, and expertise) is needed to maintain security commensurate with all potential vulnerabilities. Inevitably, an organization faces a point of diminishing returns whereby the extra resources applied to incident prevention bring a lesser amount of security value. Even the best information security program may not identify every vulnerability and prevent every incident, so banks are best served by incorporating formal incident response planning to complement strong prevention measures. In the event management's efforts do not prevent all security incidents (for whatever reason), IRPs are necessary to reduce the sustained damage to the bank.

Second, regulatory agencies have recognized the value of IRPs and have mandated that certain incident response requirements be included in a bank's information security program. In March 2001, the FDIC, the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), and the Board of Governors of the Federal Reserve System (FRB) (collectively, the Federal bank regulatory agencies) jointly issued guidelines establishing standards for safeguarding customer information, as required by the Gramm-Leach-Bliley Act of 1999.  These standards require banks to adopt response programs as a security measure. In April 2005, the Federal bank regulatory agencies issued interpretive guidance regarding response programs.  This additional guidance describes IRPs and prescribes standard procedures that should be included in IRPs. In addition to Federal regulation in this area, at least 32 states have passed laws requiring that individuals be notified of a breach in the security of computerized personal information.  Therefore, the increased regulatory attention devoted to incident response has made the development of IRPs a legal necessity.

Finally, IRPs are in the best interests of the bank. A well-developed IRP that is integrated into an overall information security program strengthens the institution in a variety of ways. Perhaps most important, IRPs help the bank contain the damage resulting from a security breach and lessen its downstream effect. Timely and decisive action can also limit the harm to the bank's reputation, reduce negative publicity, and help the bank identify and remedy the underlying causes of the security incident so that mistakes are not destined to be repeated.

Return to the top of the newsletter

We continue our series on the FFIEC interagency Information Security Booklet.  


Frequently TSPs or user groups will contract with an accounting firm to report on security using Statement on Auditing Standards 70 (SAS 70), an auditing standard developed by the American Institute of Certified Public Accountants. SAS 70 focuses on controls and control objectives. It allows for two types of reports. A SAS 70 Type I report gives the service provider's description of controls at a specific point in time, and an auditor's report. The auditor's report will provide an opinion on whether the control description fairly presents the relevant aspects of the controls, and whether the controls were suitably designed for their purpose.

A SAS 70 Type II report expands upon a Type I report by addressing whether the controls were functioning. It provides a description of the auditor's tests of the controls. It also provides an expanded auditor's report that addresses whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the specified period.

Financial institutions should carefully evaluate the scope and findings of any SAS 70 report. The report may be based on different security requirements than those established by the institution. It may not provide a thorough test of security controls unless requested by the TSP or augmented with additional coverage. Additionally, the report may not address the effectiveness of the security process in continually mitigating changing risks.  Therefore, financial institutions may require additional reports to oversee the security program of the service provider.

Return to the top of the newsletter


5. Evaluate the procedure for granting temporary access to personnel during the implementation of contingency plans.

!  Evaluate the extent to which back-up personnel have been assigned different tasks when contingency planning scenarios are in effect and the need for different levels of systems, operational, data and facilities access.
!  Review the assignment of authentication and authorization credentials to see if they are based upon primary job responsibilities or if they also include contingency planning responsibilities. (If an employee is permanently assigned access credential to fill in for another employee who is on vacation or out the office, this assignment would be a primary job responsibility.)

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

40.  Does the institution provide at least one initial, annual, and revised notice, as applicable, to joint consumers? [§9(g)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated