Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
February 18, 2007
Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 41 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
Infrastructure security on GAO's high-risk list - Programs designed
to safeguard the nation's critical infrastructures including federal
computer systems, remain a "continuing concern," the Government
Accountability Office reported today.
TJX Stored Customer Data, Violated Visa Payment Rules - The company,
whose assets include 826 T.J. Maxx, 751 Marshalls, and 271 HomeGoods
locations, was storing customer cardholder information in violation
of Visa and MasterCard's Payment Card Industry Data Security
Standard, according to a number of documents sent during the past
few weeks by Visa to financial institutions that issue cards and
manage credit and debit card transactions.
Former Ark. governor hit with ethics complaint over destroyed hard
drives - Huckabee ordered that drives from 87 state computers be
destroyed - Former Gov. Mike Huckabee, who ordered the destruction
of a number of computer hard drives before leaving office last
month, is now the subject of an ethics complaint because of his
Bank Sends Stephanie 75,000 Other Accounts - A Bank has launched an
investigation after a customer was sent confidential details for
75,000 other accounts. Stephanie McLaughlan received five packages
by post containing the names, sort codes, account numbers and
details of transactions of Halifax Bank of Scotland customers after
requesting her own statement.
I Am a Victim - How Notre Dame put my SSN on the Internet. Last week
I got a letter in the mail from the Mendoza College of Business at
the University of Notre Dame. Apparently, the school had put
information about me, including my social-security number (SSN) and
demographic information, on the Internet. "We have no evidence to
date that this information was used inappropriately," the school
wrote, but I might want to take "prudent ... precautions" by
periodically checking my credit report with the three major bureaus.
Customers upset by online breach - Stacy Cardinal says it's
unsettling that computer hackers might have had access to her bank
account and Social Security numbers. But she's confident her credit
union will protect her from any resulting threat.
More VA data lost... Laptop encryption anyone? - A Portable hard
drive with potentially 48,000 veterans information is missing from a
VA medical facility in Birmingham Alabama. In an interesting
development, Rep Spencer Bachus, R-Ala. said that over half of the
information was not encrypted. This implies that just under half
were... I wonder what solution they are using.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series regarding FDIC Supervisory Insights regarding
Programs. (3of 12)
Elements of an Incident Response Program
Although the specific content of an IRP will differ among financial
institutions, each IRP should revolve around the minimum procedural
requirements prescribed by the Federal bank regulatory agencies.
Beyond this fundamental content, however, strong financial
institution management teams also incorporate industry best
practices to further refine and enhance their IRP. In general, the
overall comprehensiveness of an IRP should be commensurate with an
institution's administrative, technical, and organizational
The minimum required procedures addressed in the April 2005
interpretive guidance can be categorized into two broad areas:
"reaction" and "notification." In general, reaction procedures are
the initial actions taken once a compromise has been identified.
Notification procedures are relatively straightforward and involve
communicating the details or events of the incident to interested
parties; however, they may also involve some reporting requirements.
Below lists the minimum required procedures of an IRP as discussed
in the April 2005 interpretive guidance.
Develop reaction procedures for:
1) assessing security incidents that have occurred;
2) identifying the customer information and information systems that
have been accessed or misused; and
3)containing and controlling the security incident.
Establish notification procedures for:
1) the institution's primary Federal regulator;
2) appropriate law enforcement agencies (and filing Suspicious
Activity Reports [SARs], if necessary); and
3) affected customers.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
INTRUSION DETECTION AND RESPONSE
A maxim of security is "prevention is ideal, but detection is a
must." Security systems must both restrict access and protect
against the failure of those access restrictions. When those systems
fail, however, an intrusion occurs and the only remaining protection
is a detection - and - response capability. The earlier an intrusion
is detected, the greater the institution's ability to mitigate the
risk posed by the intrusion. Financial institutions should have a
capability to detect and react to an intrusion into their
Preparation for intrusion detection generally involves identifying
data flows to monitor for clues to an intrusion, deciding on the
scope and nature of monitoring, implementing that monitoring, and
establishing a process to analyze and maintain custody over the
resulting information. Additionally, legal requirements may include
notifications of users regarding the monitoring and the extent to
which monitoring must be performed as an ordinary part of ongoing
Adequate preparation is a key prerequisite to detection. The best
intrusion detection systems will not identify an intrusion if they
are not located to collect the relevant data, do not analyze correct
data, or are not configured properly. Even if they detect an
intrusion, the information gathered may not be usable by law
enforcement if proper notification of monitoring and preservation of
data integrity has not taken place.
Return to the top of the
INTRUSION DETECTION AND RESPONSE
1. Identify controls used to detect and respond to unauthorized
! Review the schematic of the information technology systems
for common intrusion detection systems.
! Review security procedures for daily and periodic report
monitoring to identify unauthorized or unusual activities.
! Identify IT architectural design and intrusion detection
systems that increase management's confidence that security is
maintained (e.g., through the use of routers, host-based security,
data segregation and information flows).
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
41. Does the institution refrain from disclosing any nonpublic
personal information about a consumer to a nonaffiliated third
party, other than as permitted under §§13-15, unless:
a. it has provided the consumer with an initial notice; [§10(a)(1)(i)]
b. it has provided the consumer with an opt out notice; [§10(a)(1)(ii)]
c. it has given the consumer a reasonable opportunity to opt
out before the disclosure; [§10(a)(1)(iii)] and
d. the consumer has not opted out? [§10(a)(1)(iv)]
(Note: this disclosure limitation applies to consumers as
well as to customers [§10(b)(1)], and to all nonpublic personal
information regardless of whether collected before or after
receiving an opt out direction. [§10(b)(2)])
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.