Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc. has clients in 42 states
that rely on our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable-sophisticated process than goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Study finds $214 per breached record in 2010 - Data breaches cost
organizations $7.2 million on average in 2010, up seven percent from
$6.8 million the previous year, according to the latest Cost of Data
Breach study, released Tuesday.
- Wakefield postman wins Cyber Security Challenge - A postman from
Wakefield has won the Cyber Security Challenge, a major competition
designed to find UK information security talent and encourage people
into the profession.
- GhostNet cyber crime forum fraudsters jailed - The UK founder of
the infamous GhostMarket.net cyber crime forum has been convicted
along with three others of computer offences linked to the running
of the largest English language site of its kind ever discovered.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- WordPress hit by 'extremely large' DDoS attack - Blog host
WordPress.com was the target of a distributed denial-of-service (DDoS)
attack earlier today described by the company as the largest in its
- Woman sentenced for breaching former employer's PCs -
Pants-ate-my-hard-drive defense fails - A California woman has been
sentenced to 60 days home detention and a year of probation for
breaching the mail system of a former employer and posting
confidential company documents to public websites.
- Man gets 7 years for forcing modems to call premium numbers - A
New Hampshire man who made US$8 million by installing unwanted
dial-up software on computers and then forcing them to call
expensive premium telephone numbers was handed down an 82-month
sentence on Monday.
- Missouri State University student data posted online - Officials
at Missouri State University in Springfield are notifying thousands
of students whose personal information inadvertently was exposed
- Cyber attack on France targeted Paris G20 files - The French
finance ministry has confirmed it came under a cyber attack in
December that targeted files on the G20 summit held in Paris in
- South Korean websites targeted by distributed denial-of-service
attacks - According to the Associated Press and media reports, the
websites of 29 government and other agencies have come under attack
with distributed denial-of-service (DDoS) attacks initially having
been expected to hit up to 40 websites.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Technical and
Assess the service provider’s experience and ability to provide
the necessary services and supporting technology for current and
• Identify areas where the institution would have to supplement
the service provider’s expertise to fully manage risk.
• Evaluate the service provider’s use of third parties or
partners that would be used to support the outsourced
• Evaluate the experience of the service provider in providing
services in the anticipated operating environment.
• Consider whether additional systems, data conversions, and
work are necessary.
• Evaluate the service provider’s ability to respond to service
• Contact references and user groups to learn about the service
provider’s reputation and performance.
• Evaluate key service provider personnel that would be assigned
to support the institution.
• Perform on-site visits, where necessary, to better understand
how the service provider operates and supports its services.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Action Summary - Financial institutions should use effective
authentication methods appropriate to the level of risk. Steps
Selecting authentication mechanisms based on the risk associated
with the particular application or services;
2) Considering whether multi - factor authentication is appropriate
for each application, taking into account that multifactor
authentication is increasingly necessary for many forms of
electronic banking and electronic payment activities; and
3) Encrypting the transmission and storage of authenticators (e.g.,
passwords, PINs, digital certificates, and biometric templates).
Authentication is the verification of identity by a system based on
the presentation of unique credentials to that system. The unique
credentials are in the form of something the user knows, something
the user has, or something the user is. Those forms exist as shared
secrets, tokens, or biometrics. More than one form can be used in
any authentication process. Authentication that relies on more than
one form is called multi - factor authentication and is generally
stronger than any single authentication method. Authentication
contributes to the confidentiality of data and the accountability of
actions performed on the system by verifying the unique identity of
the system user.
Authentication is not identification as that term is used in the USA
PATRIOT Act (31 U.S.C. 5318(l)). Authentication does not provide
assurance that the initial identification of a system user is
proper. Authentication only provides assurance that the user of the
system is the same user that was initially identified. Procedures
for the initial identification of a system user are beyond the scope
of this booklet.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
30. Does the institution allow the
consumer to opt out at any time? [§7(f)]
31. Does the institution continue to honor the consumer's opt out
direction until revoked by the consumer in writing, or, if the
consumer agrees, electronically?