Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
April 8, 2007
Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 41 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
OCC Model Privacy Notice: Proposed Rule - Agencies
request comments on proposed model privacy notice that financial
institutions may use for disclosures under Gramm-Leach-Bliley Act.
FYI - Half of corporate
web traffic not work related - Almost half of all web traffic
originating from corporate networks is non-productive, it was
FYI - Loss of data a
major fear among Irish firms - Around three quarters of Irish IT
managers cite "loss of business-critical data" and "downtime of key
IT systems" as the greatest risks they face in IT planning.
FYI - Cingular to
deposit banking app onto cell phones - AT&T Tuesday it has taken a
step toward the long-promised notion of phones replacing credit
cards, checks and cash by signing agreements with Wachovia and
several other banks.
FYI - California cuts
off aid to ID thieves - The California secretary of state's office
has shut down portions of its website after it was discovered it had
been selling hundreds of thousands of public documents containing
social security numbers and signatures, a practice that lasted for
FYI - Hacker sees 71,000
state employees' private data - An audit of a state government Web
site database after someone hacked into the system found that
personal information including Social Security numbers for 71,000
health care workers was accessed, officials said.
FYI - Security flap as
Scottish council loses USB key - Pay details of scores of workers of
Perth and Kinross Council has been found on a memory stick left in
the street. The security lapse could have exposed workers to ID
FYI - Group Health
laptops missing, 31,000 identities at risk - Group Health
Cooperative Health Care System said Friday two of its laptop
computers containing the personal information of 31,000 people are
missing. The computers are said to contain the names, addresses,
social security numbers and Group Health ID numbers of local
patients and employees.
FYI - Hard drives stolen
at clinic - Contained data on 19,000 patients - Three computer hard
drives were stolen from the locked office of Swedish Urology Group
earlier this month, and the clinic has been notifying persons
affected by the theft. The external hard drives contained
information on about 19,000 current and former patients and were
used to back up the clinic's computer system.
FYI - Hacker Suspected
Of Multistate Break-In Spree - The hacker under investigation for
stealing personal and financial information from an Indiana
government site also is under suspicion of breaking into other state
government Web sites. The hacker being investigated for stealing the
personal identification information of 71,000 health-care workers
certified in Indiana is suspected of breaching other state
FYI - DOD investigates
hacking of troops' personal computers - Defense Department officials
have launched an investigation into recent computer hackings of
servicemembers' home computers that compromised personal information
and led to the redirection of funds from their military pay
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series regarding FDIC Supervisory Insights regarding
Programs. (10 of 12)
Test affected systems or procedures prior to implementation.
Testing is an important function in the incident response
process. It helps ensure that reconfigured systems, updated
procedures, or new technologies implemented in response to an
incident are fully effective and performing as expected. Testing can
also identify whether any adjustments are necessary prior to
implementing the updated system, process, or procedure.
During the follow-up process, an institution has the opportunity to
regroup after the incident and strengthen its control structure by
learning from the incident. A number of institutions have included
the following best practice in their IRPs.
Conduct a "lessons-learned" meeting.
1) Successful organizations can use the incident and build
from the experience. Organizations can use a lessons-learned meeting
2) discuss whether affected controls or procedures need to be
strengthened beyond what was implemented during the recovery phase;
3) discuss whether significant problems were encountered during the
incident response process and how they can be addressed;
4) determine if updated written policies or procedures are needed
for the customer information security risk assessment and
information security program;
5) determine if updated training is necessary regarding any new
procedures or updated policies that have been implemented; and
6) determine if the bank needs additional personnel or technical
resources to be better prepared going forward.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
INTRUSION DETECTION AND RESPONSE
INTRUSION RESPONSE (Part 1 of 2)
Intrusion detection by itself does not mitigate risks of an
intrusion. Risk mitigation only occurs through an effective and
timely response. The goal of the response is to minimize damage to
the institution and its customers through containment of the
intrusion, and restoration of systems.
The response primarily involves people rather then technologies. The
quality of intrusion response is a function of the institution's
culture, policies and procedures, and training.
Preparation determines the success of any intrusion response.
Preparation involves defining the policies and procedures that guide
the response, assigning responsibilities to individuals and
providing appropriate training, formalizing information flows, and
selecting, installing, and understanding the tools used in the
response effort. Key considerations that directly affect the
institution's policies and procedures include the following:
! How to balance concerns regarding availability, confidentiality,
and integrity, for devices and data of different sensitivities. This
consideration is a key driver for a containment strategy and may
involve legal and liability considerations. An institution may
decide that some systems must be disconnected or shut down at the
first sign of intrusion, while others must be left on line.
! When and under what circumstances to invoke the intrusion response
activities, and how to ensure the proper personnel are available and
! How to control the frequently powerful intrusion identification
and response tools.
! When to involve outside experts and how to ensure the proper
expertise will be available when needed. This consideration
addresses both the containment and the restoration strategy.
! When and under what circumstances to involve regulators,
customers, and law enforcement. This consideration drives certain
monitoring decisions, decisions regarding evidence-gathering and
preservation, and communications considerations.
! Which personnel have authority to perform what actions in
containment of the intrusion and restoration of the systems. This
consideration affects the internal communications strategy, the
commitment of personnel, and procedures that escalate involvement
and decisionswithin the organization.
! How and what to communicate outside the organization, whether to
law enforcement, customers, service providers, potential victims,
and others. This consideration drives the communication strategy,
and is a key component in mitigating reputation risk.
! How to document and maintain the evidence, decisions, and actions
! What criteria must be met before compromised services, equipment
and software are returned to the network.
! How to learn from the intrusion and use those lessons to improve
the institution's security.
! How and when to prepare and file a Suspicious Activities Report
Return to the top of the
INTRUSION DETECTION AND RESPONSE
15. Determine if the security policy specifies the actions to be
taken following the discovery of an unexpected, unusual, or
suspicious activity (potential intrusion), and that appropriate
personnel are authorized to take those actions.
16. Evaluate the appropriateness of the security policy in
addressing the review of compromised systems. Consider:
! Documentation of the roles, responsibilities and authority
of employees and contractors, and
! Conditions for the examination and analysis of data,
systems, and networks.
17. Determine if the information disclosure policy indicates what
information is shared with others, in what circumstances, and
identifies the individual(s) who have the authority to initiate
disclosure beyond the stated policy.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Exceptions to Notice and Opt Out Requirements for Processing and
If the institution discloses nonpublic personal
information to nonaffiliated third parties, do the requirements for
initial notice in §4(a)(2), opt out in §§7 and 10, revised notice
in §8, and for service providers and joint marketing in §13, not
apply because the information is disclosed as necessary to effect,
administer, or enforce a transaction that the consumer requests or
authorizes, or in connection with:
a. servicing or processing a financial product or service
requested or authorized by the consumer; [§14(a)(1)]
b. maintaining or servicing the consumer's account with the
institution or with another entity as part of a private label credit
card program or other credit extension on behalf of the entity; or [§14(a)(2)]
c. a proposed or actual securitization, secondary market sale
(including sale of servicing rights) or other similar transaction
related to a transaction of the consumer? [§14(a)(3)]
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.