Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

February 18, 2007

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit

- Infrastructure security on GAO's high-risk list - Programs designed to safeguard the nation's critical infrastructures, including federal computer systems, remain a "continuing concern," the Government Accountability Office reported today.

FYI - TJX Stored Customer Data, Violated Visa Payment Rules - The company, whose assets include 826 T.J. Maxx, 751 Marshalls, and 271 HomeGoods locations, was storing customer cardholder information in violation of Visa and MasterCard's Payment Card Industry Data Security Standard, according to a number of documents sent during the past few weeks by Visa to financial institutions that issue cards and manage credit and debit card transactions.

FYI - Former Ark. governor hit with ethics complaint over destroyed hard drives - Huckabee ordered that drives from 87 state computers be destroyed - Former Gov. Mike Huckabee, who ordered the destruction of a number of computer hard drives before leaving office last month, is now the subject of an ethics complaint because of his actions.


FYI - Bank Sends Stephanie 75,000 Other Accounts - A bank has launched an investigation after a customer was sent confidential details for 75,000 other accounts. Stephanie McLaughlan received five packages by post containing the names, sort codes, account numbers and details of transactions of Halifax Bank of Scotland customers after requesting her own statement.

FYI - I Am a Victim - How Notre Dame put my SSN on the Internet. Last week I got a letter in the mail from the Mendoza College of Business at the University of Notre Dame. Apparently, the school had put information about me, including my social-security number (SSN) and demographic information, on the Internet. "We have no evidence to date that this information was used inappropriately," the school wrote, but I might want to take "prudent ... precautions" by periodically checking my credit report with the three major bureaus.

FYI - Customers upset by online breach - Stacy Cardinal says it's unsettling that computer hackers might have had access to her bank account and Social Security numbers. But she's confident her credit union will protect her from any resulting threat.

FYI - More VA data lost... Laptop encryption anyone? - A portable hard drive with potentially 48,000 veterans' information is missing from a VA medical facility in Birmingham, Alabama. In an interesting development, Rep. Spencer Bachus, R-Ala., said that over half of the information was not encrypted. This implies that just under half were... I wonder what solution they are using.


WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs.  (3 of 12)

Elements of an Incident Response Program

Although the specific content of an IRP will differ among financial institutions, each IRP should revolve around the minimum procedural requirements prescribed by the Federal bank regulatory agencies. Beyond this fundamental content, however, strong financial institution management teams also incorporate industry best practices to further refine and enhance their IRP. In general, the overall comprehensiveness of an IRP should be commensurate with an institution's administrative, technical, and organizational complexity.

Minimum Requirements

The minimum required procedures addressed in the April 2005 interpretive guidance can be categorized into two broad areas: "reaction" and "notification." In general, reaction procedures are the initial actions taken once a compromise has been identified. Notification procedures are relatively straightforward and involve communicating the details or events of the incident to interested parties; however, they may also involve some reporting requirements.  The minimum required procedures of an IRP, as discussed in the April 2005 interpretive guidance, are listed below.

Develop reaction procedures for:

1) assessing security incidents that have occurred;
2) identifying the customer information and information systems that have been accessed or misused; and
3) containing and controlling the security incident.

Establish notification procedures for:

1) the institution's primary Federal regulator;
2) appropriate law enforcement agencies (and filing Suspicious Activity Reports [SARs], if necessary); and
3) affected customers.


We continue our series on the FFIEC interagency Information Security Booklet.  


A maxim of security is "prevention is ideal, but detection is a must."  Security systems must both restrict access and protect against the failure of those access restrictions. When those systems fail, however, an intrusion occurs and the only remaining protection is a detection-and-response capability. The earlier an intrusion is detected, the greater the institution's ability to mitigate the risk posed by the intrusion. Financial institutions should have a capability to detect and react to an intrusion into their information systems.


Preparation for intrusion detection generally involves identifying data flows to monitor for clues to an intrusion, deciding on the scope and nature of monitoring, implementing that monitoring, and establishing a process to analyze and maintain custody over the resulting information. Additionally, legal requirements may include notifications of users regarding the monitoring and the extent to which monitoring must be performed as an ordinary part of ongoing operations.

Adequate preparation is a key prerequisite to detection. The best intrusion detection systems will not identify an intrusion if they are not located to collect the relevant data, do not analyze correct data, or are not configured properly. Even if they detect an intrusion, the information gathered may not be usable by law enforcement if proper notification of monitoring and preservation of data integrity have not taken place.



1. Identify controls used to detect and respond to unauthorized activities.

- Review the schematic of the information technology systems for common intrusion detection systems.
- Review security procedures for daily and periodic report monitoring to identify unauthorized or unusual activities.
- Identify IT architectural design and intrusion detection systems that increase management's confidence that security is maintained (e.g., through the use of routers, host-based security, data segregation and information flows).


- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

41. Does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as permitted under 13-15, unless:

a.  it has provided the consumer with an initial notice; [10(a)(1)(i)]

b.  it has provided the consumer with an opt out notice; [10(a)(1)(ii)]

c.  it has given the consumer a reasonable opportunity to opt out before the disclosure; [10(a)(1)(iii)] and

d.  the consumer has not opted out? [10(a)(1)(iv)]

(Note: this disclosure limitation applies to consumers as well as to customers [10(b)(1)], and to all nonpublic personal information regardless of whether collected before or after receiving an opt out direction. [10(b)(2)])



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated