R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

March 18, 2012

CONTENT Internet Compliance Information Systems Security
IT Security
Internet Privacy
Website for Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

- The six most dangerous infosec attacks - The most popular track session of RSA San Francisco for the past five years was again packed to the rafters. http://www.scmagazine.com.au/News/292784,the-six-most-dangerous-infosec-attacks.aspx

FYI - Uncle Sam: If It Ends in .Com, It’s .Seizable - When U.S. authorities shuttered sports-wagering site Bodog.com last week, it raised eyebrows across the net because the domain name was registered with a Canadian company, ostensibly putting it beyond the reach of the U.S. government. http://www.wired.com/threatlevel/2012/03/feds-seize-foreign-sites/

FYI - FCC: No, you can't jam your neighbor's cellphone - The Federal Communications Commission is officially reminding people that it is illegal to use cell phone jammers on other people, no matter how annoying you find their conversation on the bus. http://www.nextgov.com/nextgov/ng_20120306_1935.php?oref=topnews

FYI - Study Confirms The Government Produces The Buggiest Software - Humans aren’t generally very good at writing secure code. But it seems they’re even worse at it when they’re an employee of a government bureaucracy or hired as unaccountable federal contractors. http://www.forbes.com/sites/andygreenberg/2012/03/13/study-confirms-governments-produce-the-buggiest-software/

FYI - GCHQ-backed competition names Cyber Security Champion - A 19-year-old university student has been named the UK's "Cyber Security Champion" following a competition sponsored by the intelligence agency GCHQ and several leading tech firms. http://www.bbc.co.uk/news/technology-17333601


FYI - Digital Playground hacked to expose card numbers - Another web site has fallen victim to hackers. Online intruders from a group calling itself The Consortium claimed this week to have invaded Digital Playground. http://www.bbc.co.uk/news/technology-17339508

FYI - Source code of Symantec Antivirus posted on the net - As expected, hackers have released the source code of Norton Antivirus 2006 on the net. According to the page on The Pirate Bay where the 1.1GB file has been posted as a torrent, the hackers go by the name of AntiSec and sympathise with the Anonymous hacker group. http://www.h-online.com/security/news/item/Source-code-of-Symantec-Antivirus-posted-on-the-net-1468974.html

FYI - Cops nab mobile net workmen for snarfing punters' data - Gang allegedly tracked and sold Koreans' info - Police in South Korea have arrested five men working as sub-contractors for the country’s two biggest mobile companies. http://www.theregister.co.uk/2012/03/09/south_korea_phone_hackers/

Return to the top of the newsletter

We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Risk management challenges

The Electronic Banking Group (EBG) noted that the fundamental characteristics of e-banking (and e-commerce more generally) posed a number of risk management challenges:

   The speed of change relating to technological and customer service innovation in e-banking is unprecedented. Historically, new banking applications were implemented over relatively long periods of time and only after in-depth testing. Today, however, banks are experiencing competitive pressure to roll out new business applications in very compressed time frames - often only a few months from concept to production. This competition intensifies the management challenge to ensure that adequate strategic assessment, risk analysis and security reviews are conducted prior to implementing new e-banking applications.

   Transactional e-banking web sites and associated retail and wholesale business applications are typically integrated as much as possible with legacy computer systems to allow more straight-through processing of electronic transactions. Such straight-through automated processing reduces opportunities for human error and fraud inherent in manual processes, but it also increases dependence on sound systems design and architecture as well as system interoperability and operational scalability.

  E-banking increases banks' dependence on information technology, thereby increasing the technical complexity of many operational and security issues and furthering a trend towards more partnerships, alliances and outsourcing arrangements with third parties, many of whom are unregulated. This development has been leading to the creation of new business models involving banks and non-bank entities, such as Internet service providers, telecommunication companies and other technology firms.

4)  The Internet is ubiquitous and global by nature. It is an open network accessible from anywhere in the world by unknown parties, with routing of messages through unknown locations and via fast evolving wireless devices. Therefore, it significantly magnifies the importance of security controls, customer authentication techniques, data protection, audit trail procedures, and customer privacy standards.

Return to the top of the newsletter
We continue our series on the FFIEC interagency Information Security Booklet.  



Financial institutions should protect the confidentiality of information about their customers and organization. A breach in confidentiality could disclose competitive information, increase fraud risk, damage the institution's reputation, violate customer privacy and associated rights, and violate regulatory requirements.  Confidentiality agreements put all parties on notice that the financial institution owns its information, expects strict confidentiality, and prohibits information sharing outside of that required for legitimate business needs. Management should obtain signed confidentiality agreements before granting new employees and contractors access to information technology systems.


Job descriptions, employment agreements, and policy awareness acknowledgements increase accountability for security. Management can communicate general and specific security roles and responsibilities for all employees within their job descriptions. Management should expect all employees, officers, and contractors to comply with security and acceptable use policies and protect the institution's assets, including information. The job descriptions for security personnel should describe the systems and processes they will protect and the control processes for which they are responsible. Management can take similar steps to ensure contractors and consultants understand their security responsibilities as well.


Financial institutions need to educate users regarding their security roles and responsibilities. Training should support security awareness and should strengthen compliance with the security policy. Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management. Training materials would typically review the acceptable - use policy and include issues like desktop security, log - on requirements, password administration guidelines, etc. Training should also address social engineering, and the policies and procedures that protect against social engineering attacks. Many institutions integrate a signed security awareness agreement along with periodic training and refresher courses.

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Initial Privacy Notice

6. Does the institution provide an annual privacy notice to each customer whose loan the institution owns the right to service? [§§5(c), 4(c)(2)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated