Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
Feds file new felonies against alleged Palin hacker - A University
of Tennessee student accused of illegally breaking into the email
account of Alaska governor Sarah Palin has been hit with three new
felony charges in connection with the case.
Heartland, RBS WorldPay no longer PCI compliant - Visa announced on
Friday that it has removed Heartland Payment Systems and RBS
WorldPay -- two payment processors that have announced massive data
breaches in recent months -- from its list of service providers
compliant with payment industry guidelines.
Cybersecurity expert says preparation key to business survival - The
world is more interconnected than ever before, with an estimated one
billion devices connected to the internet, and in the next three to
five years, that figure will double.
Finland approves email snooping law - Finnish President Tarja
Halonen on Friday ratified a controversial new law giving employers
the right to monitor employees' emails where wrongdoing is
GAO Preliminary Observations on Assistance Provided to AIG.
Companies get checklist on PCI security rules - The organization
that administers the credit card industry's data security rules has
released a new set of compliance guidelines -- a move that
reinforces the widespread perception that efforts to comply are
going slowly at many companies.
GAO - Securities and Exchange Commission Needs to Consistently
Implement Effective Controls.
Web apps account for 80 percent of internet vulnerabilities -
Vulnerabilities in web applications made up 80 percent of all
web-related flaws in the second half of 2008 and rose in prevalence
by about eight percent from the first half of the year.
People are still the biggest security vulnerability - There is an
old saying in the security world stating that people are the weakest
link in the security chain. Here is a bit of data that reinforces
this ancient security adage.
Review of Regulators' Oversight of Risk Management Systems at a
Limited Number of Large, Complex Financial Institutions.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Army database may have been breached - An Army database that
contains personal information about nearly 1,600 soldiers may have
been penetrated by unauthorized users, Army officials have
announced. Soldiers who registered with, or participated in, the
Army-sponsored Operation Tribute to Freedom program during the past
five years may be affected by the security breach, Army officials
Former Minnesota Sen. Norm Coleman's donor database exposed on
Wikileaks - In a brewing controversy, whistle-blower site
Wikileaks.org has published personal information belonging to more
than 51,000 donors and supporters of former U.S. Sen. Norm Coleman
that it says were leaked because the Minnesota Republican's campaign
Web site was not properly secured.
Employee Stole Customer Data - Sprint is warning several thousand
customers that a former employee sold or otherwise provided their
account data without permission. In letters sent via snail mail to
some customers, Sprint urged recipients to contact customers service
and change their existing personal identification number and
Passwords of Comcast Customers Exposed - A list of user names and
passwords for customers of Comcast, one of the nation's largest
Internet service providers, sat unprotected on the Web for the last
Consultant who exposed flaw on Coleman site fires back - I did it
for all the right reasons,' says Adria Richards
By Jaikumar Vijayan A Minneapolis-based IT consultant is defending
her decision to post details of a security weakness she found on
former Minnesota Sen. Norm Coleman's campaign Web site in January, a
flaw that later resulted in a donor database on the site being
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Role Of Consumer Compliance In Developing And Implementing
Electronic Services from FDIC:
When violations of the consumer protection laws regarding a
financial institution's electronic services have been cited,
generally the compliance officer has not been involved in the
development and implementation of the electronic services.
Therefore, it is suggested that management and system
designers consult with the compliance officer during the development
and implementation stages in order to minimize compliance risk.
The compliance officer should ensure that the proper controls
are incorporated into the system so that all relevant compliance
issues are fully addressed. This
level of involvement will help decrease an institution's compliance
risk and may prevent the need to delay deployment or redesign
programs that do not meet regulatory requirements.
The compliance officer should develop a compliance risk profile as a
component of the institution's online banking business and/or
technology plan. This
profile will establish a framework from which the compliance officer
and technology staff can discuss specific technical elements that
should be incorporated into the system to ensure that the online
system meets regulatory requirements.
For example, the compliance officer may communicate with the
technology staff about whether compliance disclosures/notices on a
web site should be indicated or delivered by the use of
"pointers" or "hotlinks" to ensure that required
disclosures are presented to the consumer. The compliance officer can also be an ongoing resource to
test the system for regulatory compliance.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Security Controls in Application Software
Application development should incorporate appropriate security
controls, audit trails, and activity logs. Typical application
access controls are addressed in earlier sections. Application
security controls should also include validation controls for data
entry and data processing. Data entry validation controls include
access controls over entry and changes to data, error checks, review
of suspicious or unusual data, and dual entry or additional review
and authorization for highly sensitive transactions or data. Data
processing controls include: batch control totals; hash totals of
data for comparison after processing; identification of any changes
made to data outside the application (e.g., data-altering
utilities); and job control checks to ensure programs run in correct
sequence (see the booklet "Computer Operations" for additional
Some applications will require the integration of additional
authentication and encryption controls to ensure integrity and
confidentiality of the data. As customers and merchants originate an
increasing number of transactions, authentication and encryption
become increasingly important to ensure non-repudiation of
Return to the top of the
F. PERSONNEL SECURITY
6. Determine if an appropriate disciplinary process for
security violations exists and is functioning.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Account number sharing
A. If available, review a sample of telemarketer scripts used
when making sales calls to determine whether the scripts indicate
that the telemarketers have the account numbers of the institution's
B. Obtain and review a sample of contracts with agents or service
providers to whom the financial institution discloses account
numbers for use in connection with marketing the institution's own
products or services. Determine whether the institution shares
account numbers with nonaffiliated third parties only to perform
marketing for the institution's own products and services. Ensure
that the contracts do not authorize these nonaffiliated third
parties to directly initiate charges to customer's accounts (§12(b)(1)).
C. Obtain a sample of materials and information provided to the
consumer upon entering a private label or affinity credit card
program. Determine if the participants in each program are
identified to the customer when the customer enters into the program