Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

February 11, 2007

CONTENT
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Compliance Examination Handbook: Revised Handbook Now Available - The FDIC has revised its Compliance Examination Handbook. The new handbook contains the FDIC's compliance examination policies and procedures in effect as of June 2006. It also includes revised Community Reinvestment Act examination procedures and performance evaluations. www.fdic.gov/news/news/financial/2007/fil07010.html

FYI - Official Charged With Embezzling To Pay Nigerian Scammers - Michigan's AG claims a former county treasurer siphoned off $1.2 million from county coffers, some of which went overseas to fraudsters. The former treasurer for Michigan's Alcona County has been arrested and charged with allegedly embezzling $1.2 million in public funds, some of which he sent to Nigerian-style "419" e-mail scammers. http://www.informationweek.com/showArticle.jhtml;jsessionid=UKVFNGXFCRYXIQSNDLPCKH0CJUNN2JVN?articleID=197000242

FYI - Russians target Net bankers - Syndicate's software used by SA hackers to hit Internet cafés - A Russian cyber-criminal syndicate, specialising in the development of software to hack into bank accounts, is selling its software to South Africans. http://www.thestar.co.za/index.php?fArticleId=3642294

FYI - UK firms naive to USB stick dangers - Half of UK companies inserted USB stick from unknown source - Half of UK companies are prepared to put their network security at risk by inserting a USB stick posing as a party invitation, according to research published this week. http://www.vnunet.com/computing/news/2173365/uk-firms-naive-usb-stick

FYI - Social Security numbers of 1.3 million Chicago voters distributed to candidates - The Social Security numbers (SSNs) of 1.3 million Chicago voters were compromised when they were distributed to city aldermen and ward committeemen this month. The whereabouts of six CDs containing the personal information, which were distributed by the Chicago Board of Elections, are unknown, according to a report this week in the Chicago Sun-Times. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070129/628319/

FYI - CAC use nearly halves DOD network intrusions - Although there are 6 million probes of Defense Department networks a day, successful intrusions have declined 46 percent in the past year because of a requirement that all DOD personnel log on to unclassified networks using Common Access Cards, Air Force Lt. Gen. Charles Croom said in a speech at the AFCEA SpaceComm 2007 conference. http://www.fcw.com/article97480-01-25-07-Web&printLayout

MISSING COMPUTERS/DATA

FYI - Bankers Detect Fraud From TJX Hack - Customer data stolen from TJX Cos. by computer hackers has been used to make fraudulent debit card and credit card purchases in the United States and overseas, the Massachusetts Bankers Association said Wednesday. http://www.forbes.com/feeds/ap/2007/01/24/ap3359602.html 

FYI - Xerox employees fear ID theft after laptop stolen - Some employees at a local Xerox plant are worried about identity theft after a laptop was stolen from a manager's car. The UniteHere Local 14Z Union said a computer containing employees' personal information was stolen from a human resources manager's car in August. http://www.kgw.com/news-local/stories/kgw_012207_news_xerox_theft.cde8339.html

FYI - Insurer's customer data was swiped - Identity-theft concern is low, Nationwide says - The personal information of tens of thousands of Nationwide customers has been stolen. The company said that a lockbox of backup tapes containing the personal data of 28,279 Nationwide Health Plans customers, most in central Ohio, was stolen from the Weymouth, Mass., office of Concentra Preferred Systems. http://www.columbusdispatch.com/business/business.php?story=241942

FYI - IRS, Kansas City officials search for lost computer tapes - The Internal Revenue Service (IRS) and Kansas City officials are searching for lost agency computer tapes that may have been missing for as long as two months. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070129/627802/

FYI - Patients' personal information threatened with computer theft - Some patients of SRHC could be at risk for identity theft - A laptop computer containing the names, social security numbers and medical history of up to 1,100 patients is missing, putting them at risk for identity theft, and Salina Regional Health Center officials are offering a $2,000 reward for the laptop's return. http://www.saljournal.com/?module=displaystory&story_id=9386&format=print

FYI - EIU computer, IDs stolen - Letters have been distributed to approximately 1,400 Eastern Illinois University students, notifying them that confidential information, including their Social Security numbers, was stored on a desktop computer recently stolen from the university's Student Life office. The stolen files include the membership rosters and other data from the university's 23 fraternities and sororities. http://www.jg-tc.com/articles/2007/01/28/news/news001.prt

FYI - Computers stolen from college financial aid office - Thousands of Vanguard University students are at risk for identity theft and fraud. Two computers stolen from Vanguard University earlier this month have put more than 5,000 financial aid applicants at risk for identity theft, authorities said today.
http://www.dailypilot.com/articles/2007/01/26/front/doc45ba618886459435458713.txt
http://identityalert.vanguard.edu/notification.htm

FYI - Hackers use trojan to access server with personal information of 70,000 Vermont residents - The hackers may have accessed a server containing the names, Social Security numbers, birth dates and financial records of 12,000 Green Mountain State residents who are at least three months behind on child support payments. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070131/629642/


WEB SITE COMPLIANCE - We continue the series on the FDIC Supervisory Insights article regarding Incident Response Programs.  (2 of 12)

The Importance of an Incident Response Program

A bank's ability to respond to security incidents in a planned and coordinated fashion is important to the success of its information security program. While IRPs are important for many reasons, three are highlighted in this article.

First, though incident prevention is important, focusing solely on prevention may not be enough to insulate a bank from the effects of a security breach. Despite the industry's efforts at identifying and correcting security vulnerabilities, every bank is susceptible to weaknesses such as improperly configured systems, software vulnerabilities, and zero-day exploits.  Compounding the problem is the difficulty an organization experiences in sustaining a "fully secured" posture. Over the long term, a large amount of resources (time, money, personnel, and expertise) is needed to maintain security commensurate with all potential vulnerabilities. Inevitably, an organization faces a point of diminishing returns whereby the extra resources applied to incident prevention bring a lesser amount of security value. Even the best information security program may not identify every vulnerability and prevent every incident, so banks are best served by incorporating formal incident response planning to complement strong prevention measures. In the event management's efforts do not prevent all security incidents (for whatever reason), IRPs are necessary to reduce the sustained damage to the bank.

Second, regulatory agencies have recognized the value of IRPs and have mandated that certain incident response requirements be included in a bank's information security program. In March 2001, the FDIC, the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), and the Board of Governors of the Federal Reserve System (FRB) (collectively, the Federal bank regulatory agencies) jointly issued guidelines establishing standards for safeguarding customer information, as required by the Gramm-Leach-Bliley Act of 1999.  These standards require banks to adopt response programs as a security measure. In April 2005, the Federal bank regulatory agencies issued interpretive guidance regarding response programs.  This additional guidance describes IRPs and prescribes standard procedures that should be included in IRPs. In addition to Federal regulation in this area, at least 32 states have passed laws requiring that individuals be notified of a breach in the security of computerized personal information.  Therefore, the increased regulatory attention devoted to incident response has made the development of IRPs a legal necessity.

Finally, IRPs are in the best interests of the bank. A well-developed IRP that is integrated into an overall information security program strengthens the institution in a variety of ways. Perhaps most important, IRPs help the bank contain the damage resulting from a security breach and lessen its downstream effect. Timely and decisive action can also limit the harm to the bank's reputation, reduce negative publicity, and help the bank identify and remedy the underlying causes of the security incident so that mistakes are not destined to be repeated.


INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  

SERVICE PROVIDER OVERSIGHT - SAS 70 REPORTS

Frequently, technology service providers (TSPs) or user groups will contract with an accounting firm to report on security using Statement on Auditing Standards 70 (SAS 70), an auditing standard developed by the American Institute of Certified Public Accountants. SAS 70 focuses on controls and control objectives. It allows for two types of reports. A SAS 70 Type I report gives the service provider's description of controls at a specific point in time, and an auditor's report. The auditor's report will provide an opinion on whether the control description fairly presents the relevant aspects of the controls, and whether the controls were suitably designed for their purpose.

A SAS 70 Type II report expands upon a Type I report by addressing whether the controls were functioning. It provides a description of the auditor's tests of the controls. It also provides an expanded auditor's report that addresses whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the specified period.

Financial institutions should carefully evaluate the scope and findings of any SAS 70 report. The report may be based on different security requirements than those established by the institution. It may not provide a thorough test of security controls unless requested by the TSP or augmented with additional coverage. Additionally, the report may not address the effectiveness of the security process in continually mitigating changing risks.  Therefore, financial institutions may require additional reports to oversee the security program of the service provider.


IT SECURITY QUESTION: 
BUSINESS CONTINUITY-SECURITY

5. Evaluate the procedure for granting temporary access to personnel during the implementation of contingency plans.

- Evaluate the extent to which back-up personnel have been assigned different tasks when contingency planning scenarios are in effect and the need for different levels of systems, operational, data and facilities access.
- Review the assignment of authentication and authorization credentials to see if they are based upon primary job responsibilities or if they also include contingency planning responsibilities. (If an employee is permanently assigned access credentials to fill in for another employee who is on vacation or out of the office, this assignment would be a primary job responsibility.)


INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

40.  Does the institution provide at least one initial, annual, and revised notice, as applicable, to joint consumers? [§9(g)]

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
© Copyright Yennik, Incorporated