R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

March 9, 2008

CONTENTS: Internet Compliance, Information Systems Security, IT Security Question, Internet Privacy, Website for Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with the Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - FDIC Bracing for Bank Failures - From the WSJ - The Federal Deposit Insurance Corp. is taking steps to brace for an increase in failed financial institutions as the nation's housing and credit markets continue to worsen. http://calculatedrisk.blogspot.com/2008/02/fdic-bracing-for-bank-failures.html

FYI - Banks: Losses From Computer Intrusions Up in 2007 - U.S. financial institutions reported a sizable increase last year in the number of computer intrusions that led to online bank account takeovers and stolen funds, according to data obtained by Security Fix. The data also suggest such incidents are becoming far more costly for banks, businesses and consumers alike.  http://blog.washingtonpost.com/securityfix/2008/02/banks_losses_from_computer_int.html

FYI - Lawsuit targets Lifeblood - A lawsuit has been filed against Lifeblood, Mid-South Regional Blood Center, after laptop computers with personal information of roughly 321,000 blood donors came up missing and are presumed stolen. http://www.commercialappeal.com/news/2008/feb/19/lawsuit-targets-lifeblood/

FYI - Poor IT Security Blamed for Bank Fraud - Société Générale could have prevented fraud that cost billions by imposing tighter controls on traders, a report concluded. Inadequate IT security allowed a trader at French bank Société Générale to make a series of unauthorized transactions that ultimately cost the bank €4.9 billion (US$7.2 billion), an internal investigation has found. http://www.pcworld.com/article/id,142756/article.html?tk=nl_dnxnws

FYI - Missouri AG sues Texas data broker over ID theft claims - The Missouri Attorney General's Office has filed a lawsuit against a Texas-based data broker that contends the company sold the Social Security numbers of some Missouri residents. http://www.scmagazineus.com/Missouri-AG-sues-Texas-data-broker-over-ID-theft-claims/article/107152/

FYI - OKC woman charged with violating health privacy law - Federal prosecutors have accused an Oklahoma City woman of violating a federal health privacy law as part of an identity theft scheme. http://www.kten.com/global/story.asp?s=7914206

FYI - Patients' medical histories stored on stolen laptop - The computer held "extensive" data on the psychiatric and personal histories of participants in a medical study, as well as information on whether they had suffered physical or sexual abuse. http://news.scotsman.com/scotland/Patients39-medical--histories-stored.3811245.jp
FYI - Laptop theft breaks data protection law, but financial firm faced no punishment - Skipton Financial Services (SFS) has been found to have been in breach of the Data Protection Act by the Information Commissioner's Office (ICO), but has escaped without any punishment.


"Member FDIC" Logo - When is it required?

The FDIC believes that every bank's home page is to some extent an advertisement. Accordingly, bank web site home pages should contain the official advertising statement unless the advertisement is subject to exceptions such as advertisements for loans, securities, trust services and/or radio or television advertisements that do not exceed thirty seconds. 

Whether subsidiary web pages require the official advertising statement will depend upon the content of the particular page.  Subsidiary web pages that advertise deposits must contain the official advertising statement.  Conversely, subsidiary web pages that relate to loans do not require the official advertising statement. 


We continue our series on the FFIEC interagency Information Security Booklet.

A risk assessment is the key driver of the information security process. Its effectiveness is directly related to the following key practices:

1) Multidisciplinary and Knowledge-based Approach - A consensus evaluation of the risks and risk mitigation practices followed by the institution requires the involvement of a broad range of users, with a range of expertise and business knowledge. Not all users may have the same opinion of the severity of various attacks, the importance of various controls, and the importance of various data elements and information system components. Management should apply a sufficient level of expertise to the assessment.

2) Systematic and Central Control - Defined procedures and central control and coordination help to ensure standardization, consistency, and completeness of risk assessment policies and procedures, as well as coordination in planning and performance. Central control and coordination will also facilitate an organizational view of risks and lessons learned from the risk assessment process.

3) Integrated Process - A risk assessment provides a foundation for the remainder of the security process by guiding the selection and implementation of security controls and the timing and nature of testing those controls. Testing results, in turn, provide evidence to the risk assessment process that the controls selected and implemented are achieving their intended purpose. Testing can also validate the basis for accepting risks.



6. Determine if unauthorized attempts to access authentication mechanisms (e.g., password storage location) are appropriately monitored, reported and followed up.  Attacks on shared secret mechanisms, for instance, could involve multiple log-in attempts using the same username and multiple passwords or multiple usernames and the same password.
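Both attack patterns named in the examination question above leave a recognizable trace in authentication logs even though the passwords themselves are never logged: one username accumulating many failures in a short time (one account, many passwords), and one source address failing against many different usernames (many accounts, one password). The monitoring the question asks about can be checked with logic like the following. This is an added example written for this newsletter, not material from the FFIEC booklet; the `auth:` log line format, the field names, the sample records and the 5-attempt / 5-minute thresholds are all constructed assumptions, and an institution would substitute its own log format and tune the thresholds to its own baseline.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Set, Tuple

# Constructed sample records (not taken from the newsletter or any real system).
# One line per authentication attempt, oldest first. Passwords are never logged;
# the two attack patterns are inferred from who failed, from where, and how often.
SAMPLE_LOG = """\
2008-03-09T10:00:01 auth: FAILED user=jsmith src=203.0.113.7
2008-03-09T10:00:02 auth: FAILED user=jsmith src=203.0.113.7
2008-03-09T10:00:03 auth: FAILED user=jsmith src=203.0.113.7
2008-03-09T10:00:04 auth: FAILED user=jsmith src=203.0.113.7
2008-03-09T10:00:06 auth: FAILED user=jsmith src=203.0.113.7
2008-03-09T10:02:10 auth: OK user=mjones src=192.0.2.44
2008-03-09T10:05:00 auth: FAILED user=alice src=198.51.100.23
2008-03-09T10:05:03 auth: FAILED user=bob src=198.51.100.23
2008-03-09T10:05:07 auth: FAILED user=carol src=198.51.100.23
2008-03-09T10:05:11 auth: FAILED user=dave src=198.51.100.23
2008-03-09T10:05:15 auth: FAILED user=erin src=198.51.100.23
2008-03-09T10:20:00 auth: FAILED user=mjones src=192.0.2.44
2008-03-09T10:20:09 auth: OK user=mjones src=192.0.2.44
2008-03-09T10:40:00 auth: FAILED user=jsmith src=203.0.113.7
"""

# Assumed log format: "<ISO timestamp> auth: <FAILED|OK> user=<name> src=<address>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ok: bool
    user: str
    src: str


@dataclass(frozen=True)
class Alert:
    kind: str        # "brute_force" (one user, many failures) or "password_spray" (one source, many users)
    key: str         # the username or the source address the alert is about
    count: int       # failures (or distinct users) inside the window when the threshold was crossed
    ts: datetime     # timestamp of the attempt that crossed the threshold


def parse_log(text: str) -> List[Attempt]:
    """Parse the constructed log format; lines that do not match are skipped."""
    attempts: List[Attempt] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        attempts.append(
            Attempt(datetime.fromisoformat(m["ts"]), m["result"] == "OK", m["user"], m["src"])
        )
    attempts.sort(key=lambda a: a.ts)   # detection below assumes chronological order
    return attempts


def _trim(events: Deque[Tuple[datetime, str]], now: datetime, window: timedelta) -> None:
    """Drop entries that have fallen out of the sliding window ending at `now`."""
    while events and now - events[0][0] > window:
        events.popleft()


def detect(
    attempts: Iterable[Attempt],
    window: timedelta = timedelta(minutes=5),
    user_threshold: int = 5,    # failures against one username within the window
    spray_threshold: int = 5,   # distinct usernames failed from one source within the window
) -> List[Alert]:
    """Flag the two patterns from the examination question; one alert per (kind, key)."""
    failures_by_user: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)  # user -> (ts, src)
    failures_by_src: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)   # src -> (ts, user)
    alerted: Set[Tuple[str, str]] = set()
    alerts: List[Alert] = []

    for a in attempts:
        if a.ok:
            continue  # only failures feed either pattern

        # Same username, many attempts: repeated failures against one account.
        by_user = failures_by_user[a.user]
        by_user.append((a.ts, a.src))
        _trim(by_user, a.ts, window)
        if len(by_user) >= user_threshold and ("brute_force", a.user) not in alerted:
            alerted.add(("brute_force", a.user))
            alerts.append(Alert("brute_force", a.user, len(by_user), a.ts))

        # Many usernames, same source: a few failures each against many accounts.
        by_src = failures_by_src[a.src]
        by_src.append((a.ts, a.user))
        _trim(by_src, a.ts, window)
        distinct_users = len({user for _, user in by_src})
        if distinct_users >= spray_threshold and ("password_spray", a.src) not in alerted:
            alerted.add(("password_spray", a.src))
            alerts.append(Alert("password_spray", a.src, distinct_users, a.ts))

    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(f"{alert.ts.isoformat()} {alert.kind:<15} {alert.key:<15} count={alert.count}")
```

Run against the constructed log, the per-username rule fires on `jsmith` (five failures in five seconds) and the per-source rule fires on `198.51.100.23` (five distinct accounts in fifteen seconds), while `mjones`, whose single failure is followed by a successful login, produces nothing. Each alert is emitted once per key so the same burst does not page a reviewer repeatedly; the follow-up the examination question asks about is the part that has to happen outside the script.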


We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

18. If the institution, in its privacy policies, reserves the right to disclose nonpublic personal information to nonaffiliated third parties in the future, does the privacy notice include, as applicable, the:

a. categories of nonpublic personal information that the financial institution reserves the right to disclose in the future, but does not currently disclose;  [§6(e)(1)] and

b. categories of affiliates or nonaffiliated third parties to whom the financial institution reserves the right in the future to disclose, but to whom it does not currently disclose, nonpublic personal information? [§6(e)(2)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated