Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
FYI - Woman Sues Best
Buy For $54 Million Over Lost Notebook - Raelyn Campbell says she
filed the suit and started a blog to bring attention to the
"reprehensible state of consumer property and privacy protection
practices" at Best Buy.
FYI - Data Breach
Notification Laws, State By State - Five years after California's
landmark SB 1386, our interactive map shows you which 38 states have
passed laws requiring companies to notify consumers whose personal
information has been compromised. Part of an in-depth series about
disclosing security breaches.
FYI - San Jose
councilman's former intern accused of hacking into city e-mail - An
18-year-old former intern to San Jose Councilman Sam Liccardo is
facing a felony charge that he illegally hacked into the city's
e-mail system more than 100 times looking for political dirt to
spread about his former boss's girlfriend.
FYI - GAO Information
Security: Although Progress Reported, Federal Agencies Need to
Resolve Significant Deficiencies.
FYI - Société Générale
trader hacked into computers - The rogue trader accused of the
biggest fraud in banking history stayed "invisible" for weeks by
hacking into his bank's computer system and removing all traces of
his multi-billion pound losses, it has been claimed.
FYI - Security policies?
Workers ignore them, survey says - Even IT types disregard policies
designed to protect corporate data - It's one thing to have a
companywide information security policy in place. But it's a whole
different ballgame to get employees to actually follow the policies
-- even those that are IT types.
FYI - CMS to check
hospitals for HIPAA security compliance - The Centers for Medicare
and Medicaid Services will begin on-site reviews of hospitals'
compliance with security rules mandated by the Health Insurance
Portability and Accountability Act of 1996.
FYI - The hands-free way
to steal a credit card - Adam Laurie, an RFID security expert, used
the Black Hat DC 2008 conference here, to demonstrate a new Python
script he's working on to read the contents of smart-chip-enabled
credit cards. Without taking the card out of the volunteer's wallet,
Laurie both read and displayed its contents on the presentation
screen--the person's name, account number, and expiration clearly
FYI - GAO Information
Security: Protecting Personally Identifiable Information.
FYI - Researchers Find
Way to Steal Encrypted Data - Princeton-based researchers broke the
encryption system by freezing memory chips, permitting them to read
the software. A group led by a Princeton University computer
security researcher has developed a simple method to steal encrypted
information stored on computer hard disks.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Tenet Healthcare
warns 37,000 patients of data compromise - A former employee pleaded
guilty to fraudulent use of patient information - Dallas-based Tenet
Healthcare Corp. last week sent out notices to about 37,000 patients
informing them about the potential compromise of their personal and
FYI - 320,000 IDs on
blood bank's missing laptops - Two laptop computers containing data
on 320,000 donors to Lifeblood, the Memphis region's blood bank,
have gone missing and are presumed stolen, officials said.
FYI - Harvard grad
school site hacked, files distributed on BitTorrent network - The
website of Harvard University's Graduate School of Arts and Sciences
(GSAS) apparently was hacked on Monday, with some of its database
files made available on a peer-to-peer file sharing network by
someone who said they wanted to "demonstrate" the alleged lack of
security on the university's server.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Role Of Consumer Compliance In Developing And Implementing
Electronic Services from FDIC:
When violations of the consumer protection laws regarding a
financial institution's electronic services have been cited,
generally the compliance officer has not been involved in the
development and implementation of the electronic services.
Therefore, it is suggested that management and system
designers consult with the compliance officer during the development
and implementation stages in order to minimize compliance risk.
The compliance officer should ensure that the proper controls
are incorporated into the system so that all relevant compliance
issues are fully addressed. This
level of involvement will help decrease an institution's compliance
risk and may prevent the need to delay deployment or redesign
programs that do not meet regulatory requirements.
The compliance officer should develop a compliance risk profile as a
component of the institution's online banking business and/or
technology plan. This
profile will establish a framework from which the compliance officer
and technology staff can discuss specific technical elements that
should be incorporated into the system to ensure that the online
system meets regulatory requirements.
For example, the compliance officer may communicate with the
technology staff about whether compliance disclosures/notices on a
web site should be indicated or delivered by the use of
"pointers" or "hotlinks" to ensure that required
disclosures are presented to the consumer. The compliance officer can also be an ongoing resource to
test the system for regulatory compliance.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
INFORMATION SECURITY RISK ASSESSMENT
This phase ranks the risk (outcomes and probabilities) presented
by various scenarios produced in the analysis phase to prioritize
management's response. Management may decide that since some risks
do not meet the threshold set in their security requirement, they
will accept those risks and not proceed with a mitigation strategy.
Other risks may require immediate corrective action. Still others
may require mitigation, either fully or partially, over time. Risks
that warrant action are addressed in the information security
In some borderline instances, or if planned controls cannot fully
mitigate the risk, management may need to review the risk assessment
and risk ranking with the board of directors or a delegated
committee. The board should then document its acceptance of the risk
or authorize other risk mitigation measures.
the top of the newsletter
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
5. Determine if passwords are stored on any
machine that is directly or easily accessible from outside the
institution, and if passwords are stored in programs on machines,
which query customer information databases.
Evaluate the appropriateness of such storage and the
associated protective mechanisms.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
17. Does the institution provide consumers who receive the
short-form initial notice with a reasonable means of obtaining the
longer initial notice, such as:
a. a toll-free telephone number that the consumer may call to
request the notice; [§6(d)(4)(i)] or
b. for the consumer who conducts business in person at the
institution's office, having copies available to provide immediately
by hand-delivery? [§6(d)(4)(ii)]