Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
FYI - FDIC Bracing for
Bank Failures - From the WSJ - The Federal Deposit Insurance Corp.
is taking steps to brace for an increase in failed financial
institutions as the nation's housing and credit markets continue to
FYI - Banks: Losses From
Computer Intrusions Up in 2007 - U.S. financial institutions
reported a sizable increase last year in the number of computer
intrusions that led to online bank account takeovers and stolen
funds, according to data obtained by Security Fix. The data also
suggest such incidents are becoming far more costly for banks,
businesses and consumers alike.
FYI - Lawsuit targets
Lifeblood - A lawsuit has been filed against Lifeblood, Mid-South
Regional Blood Center, after laptop computers with personal
information of roughly 321,000 blood donors came up missing and are
FYI - Poor IT Security
Blamed for Bank Fraud - Société Générale could have prevented fraud
that cost billions by imposing tighter controls on traders, a report
concluded. Inadequate IT security allowed a trader at French bank
Société Générale to make a series of unauthorized transactions that
ultimately cost the bank €4.9 billion (US$7.2 billion), an internal
investigation has found.
FYI - Missouri AG sues
Texas data broker over ID theft claims - The Missouri Attorney
General's Office has filed a lawsuit against a Texas-based data
broker that contends the company sold the Social Security numbers of
some Missouri residents.
FYI - OKC woman charged
with violating health privacy law - Federal prosecutors have accused
an Oklahoma City woman of violating a federal health privacy law as
part of an identity theft scheme.
FYI - Patients' medical
histories stored on stolen laptop - The computer held "extensive"
data on the psychiatric and personal histories of participants in a
medical study, as well as information on whether they had suffered
physical or sexual abuse.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Laptop theft
breaks data protection law But financial firm faced no punishment -
Skipton Financial Services (SFS) has been found to have been in
breach of the Data Protection Act by the Information Commissioner's
Office (ICO) - but has escaped without any punishment.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some extent an
advertisement. Accordingly, bank web site home pages should contain
the official advertising statement unless the advertisement is
subject to exceptions such as advertisements for loans, securities,
trust services and/or radio or television advertisements that do not
exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement.
Conversely, subsidiary web pages that relate to loans do not
require the official advertising statement.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (1 of 2)
A risk assessment is the key driver of the information security
process. Its effectiveness is directly related to the following key
and Knowledge - based Approach - A consensus evaluation of the risks
and risk mitigation practices followed by the institution requires
the involvement of a broad range of users, with a range of expertise
and business knowledge. Not all users may have the same opinion of
the severity of various attacks, the importance of various controls,
and the importance of various data elements and information system
components. Management should apply a sufficient level of expertise
to the assessment.
2) Systematic and
Central Control - Defined procedures and central control and
coordination help to ensure standardization, consistency, and
completeness of risk assessment policies and procedures, as well as
coordination in planning and performance. Central control and
coordination will also facilitate an organizational view of risks
and lessons learned from the risk assessment process.
3) Integrated Process -
A risk assessment provides a foundation for the remainder of the
security process by guiding the selection and implementation of
security controls and the timing and nature of testing those
controls. Testing results, in turn, provide evidence to the risk
assessment process that the controls selected and implemented are
achieving their intended purpose. Testing can also validate the
basis for accepting risks.
the top of the newsletter
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
6. Determine if unauthorized attempts to access
authentication mechanisms (e.g., password storage location) are
appropriately monitored, reported and followed up.
Attacks on shared secret mechanisms, for instance, could
involve multiple log-in attempts using the same username and
multiple passwords or multiple usernames and the same password.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
18. If the institution, in its privacy policies, reserves the
right to disclose nonpublic personal information to nonaffiliated
third parties in the future, does the privacy notice include, as
a. categories of nonpublic personal information that the financial
institution reserves the right to disclose in the future, but does
not currently disclose; [§6(e)(1)] and
b. categories of affiliates or nonaffiliated third parties to whom
the financial institution reserves the right in the future to
disclose, but to whom it does not currently disclose, nonpublic
personal information? [§6(e)(2)]