Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc. has clients in 42 states
that rely on our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable-sophisticated process than goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- America is losing the cybersecurity war; China hacked every major
US company - Gloom and doom is the predicted forecast, but that is
in regard to U.S. cybersecurity instead of the weather. Four top
government cybersecurity officials have basically come out to say
America is getting her hiney kicked in cyberattacks by nation state
- Counterterrorism Czar: China's Hacked Every Major U.S. Firm -
Legendary spook Richard A. Clarke's gone on the record claiming
Chinese hackers have infiltrated every major American corporation.
He warns that the effects for American innovation--and especially
corporate R&D--will be brutal.
- Shutting access to passwords - Mobile devices free us from being
tied to an office computer when accessing personal information: web
logins, passwords, PINs, account numbers, etc. Imagine a mobile
device falling into the wrong hands – resulting in the draining of
bank accounts co-opting of identities.
- Most police departments track cellphones without warrants - A
"disturbing" number of law enforcement agencies track cell phones
without a warrant, the American Civil Liberties said on Monday,
citing documents gathered from across the United States.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Laptop with patient data stolen from Howard University Hospital
contractor - Letters have gone out to patients of Howard University
Hospital in Washington, D.C., after their personal information was
exposed when a laptop was stolen from the car of a contractor.
- Military dating website says LulzSec hack didn't happen - A
military dating website, which a band of hackers claimed this week
to successfully infiltrate to pillage members' personal information,
was not actually hacked, according to its administrator.
- NSA's top spook blames China for RSA hack - Says People's Republic
trousers loads of US military IP - The director of the US National
Security Agency has named China as the country behind last year's
high profile hack against RSA that resulted in the extraction of
data related to SecurID tokens.
- Devices lost containing data on 800K users of child support
services - A number of unencrypted storage devices belonging to the
California Department of Child Support Services went missing.
- Visa confirms processor credit card breach - Visa and MasterCard
are investigating a major breach of credit card numbers at a payment
processor, the size of which may exceed anything seen in at least
- Global Payments Says 1.5 Million Cards Stolen; Won’t Discuss
Details of Breach - About 1.5 million cards were potentially stolen
by hackers in the recent breach of Atlanta-based card processor
Global Payments Inc, according to a statement released by the
company on Sunday.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Risk Management Principles for Electronic Banking
The e-banking risk management principles identified in this
Report fall into three broad, and often overlapping, categories of
issues. However, these principles are not weighted by order of
preference or importance. If only because such weighting might
change over time, it is preferable to remain neutral and avoid such
A. Board and Management Oversight (Principles 1 to 3):
1. Effective management oversight of e-banking activities.
2. Establishment of a comprehensive security control process.
3. Comprehensive due diligence and management oversight process for
outsourcing relationships and other third-party dependencies.
B. Security Controls (Principles 4 to 10):
4. Authentication of e-banking customers.
5. Non-repudiation and accountability for e-banking transactions.
6. Appropriate measures to ensure segregation of duties.
7. Proper authorization controls within e-banking systems, databases
8. Data integrity of e-banking transactions, records, and
9. Establishment of clear audit trails for e-banking transactions.
10. Confidentiality of key bank information.
C. Legal and Reputational Risk Management (Principles 11 to
11. Appropriate disclosures for e-banking services.
12. Privacy of customer information.
13. Capacity, business continuity and contingency planning to ensure
availability of e-banking systems and services.
14. Incident response planning.
Each of the above principles will be cover over the next few weeks,
as they relate to e-banking and the underlying risk management
principles that should be considered by banks to address these
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
LOGGING AND DATA COLLECTION (Part 1 of 2)
Financial institutions should take reasonable steps to ensure that
sufficient data is collected from secure log files to identify and
respond to security incidents and to monitor and enforce policy
compliance. Appropriate logging controls ensure that security
personnel can review and analyze log data to identify unauthorized
access attempts and security violations, provide support for
personnel actions, and aid in reconstructing compromised systems.
An institution's ongoing security risk assessment process should
evaluate the adequacy of the system logging and the type of
information collected. Security policies should address the proper
handling and analysis of log files. Institutions have to make
risk-based decisions on where and when to log activity. The
following data are typically logged to some extent including
! Inbound and outbound Internet traffic,
! Internal network traffic,
! Firewall events,
! Intrusion detection system events,
! Network and host performance,
! Operating system access (especially high - level administrative or
! Application access (especially users and objects with write - and
execute privileges), and
! Remote access.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
9) Does the institution list the following categories of nonpublic
personal information that it collects, as applicable:
a) information from the consumer; [§6(c)(1)(i)]
b) information about the consumer's transactions with the
institution or its affiliates; [§6(c)(1)(ii)]
c) information about the consumer's transactions with nonaffiliated
third parties; [§6(c)(1)(iii)] and
d) information from a consumer reporting agency? [§6(c)(1)(iv)]