R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

April 12, 2009

CONTENTS
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit takes a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI -
A recovering CIO's view of the new security initiatives - As debate continues over the value the Consensus Audit Guidelines have for securing government systems, I'd like to put my chief information officer's hat back on for a moment and explain how I see the comparison between the CAG and the current security advice from the National Institute of Standards and Technology (NIST) in its Special Publication 800-53. http://gcn.com/Articles/2009/03/26/Another-View-audit-guidelines.aspx?s=gcndaily_270309&Page=1

FYI -
GAO - Suspicious Activity Report Use Is Increasing, but FinCEN Needs to Further Develop and Document Its Form Revision Process.
Report - http://www.gao.gov/new.items/d09226.pdf
Highlights - http://www.gao.gov/highlights/d09226high.pdf

FYI -
White House expected to lead cybersecurity efforts - When Melissa Hathaway concludes her 60-day review of federal cybersecurity initiatives, the White House likely will be appointed decision-maker, Rep. James Langevin, D-R.I., said in a conference call with reporters. http://www.scmagazineus.com/White-House-expected-to-lead-cybersecurity-efforts/article/129539/?DCMP=EMC-SCUS_Newswire

FYI -
Court won't revive Va. anti-spam law - Law ruled unconstitutional because it prohibited political, religious e-mails - The Supreme Court will not consider reinstating Virginia's anti-spam law, among the nation's toughest in banning unsolicited e-mails. http://www.msnbc.msn.com/id/29960046/

FYI -
Prosecutors charge former IRS employee with filing false tax claims - Federal prosecutors on Monday charged a former Internal Revenue Service employee with illegally accessing agency computers and filing false claims against the government. http://www.nextgov.com/nextgov/ng_20090330_4956.php

FYI -
U.K. parliament computers get Confickered - You'd think the British government would be up on the latest and greatest security practices, but apparently even officials there have their problems. http://news.cnet.com/8301-1009_3-10206354-83.html?part=rss&subj=news&tag=2547-1009_3-0-20

FYI -
95pc of organisations store personal data, but few know how to protect it - While close to 95pc of Irish organisations store personal data, only 31pc have a formal data-breach policy. And nearly half of these organisations have little confidence in ISPs preventing unauthorised access to private data. http://www.siliconrepublic.com/news/article/12597/cio/95pc-of-organisations-store-personal-data-but-few-know-how-to-protect-it

FYI -
Conficker expectedly chaos-free as it activates across world - Right on schedule, the latest variant of the Conficker worm awoke Wednesday, querying hundreds of new URLs for instructions on what to do next. But, as most experts predicted, there were no orders to be had, and the estimated millions of machines infected by the malware remain in standby mode. http://www.scmagazineus.com/Conficker-expectedly-chaos-free-as-it-activates-across-world/article/129897/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
ACU says computer server hacked - An Abilene Christian University computer server was hacked near the end of February, but university officials do not at this point believe any personal information was distributed. http://www.reporternews.com/news/2009/mar/26/acu-says-computer-server-hacked/

WEB SITE COMPLIANCE - Fair Housing Act

A financial institution that advertises on-line credit products that are subject to the Fair Housing Act must display the Equal Housing Lender logotype and legend or other permissible disclosure of its nondiscrimination policy if required by rules of the institution's regulator.

Home Mortgage Disclosure Act (Regulation C)

The regulations clarify that applications accepted through electronic media with a video component (the financial institution has the ability to see the applicant) must be treated as "in person" applications. Accordingly, information about these applicants' race or national origin and sex must be collected. An institution that accepts applications through electronic media without a video component, for example, the Internet or facsimile, may treat the applications as received by mail.

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION

Source Code Review and Testing

Application and operating system source code can have numerous vulnerabilities due to programming errors or misconfiguration. Where possible, financial institutions should use software that has been subjected to independent security reviews of the source code, especially for Internet-facing systems. Software can contain erroneous or intentional code that introduces covert channels, backdoors, and other security risks into systems and applications. These hidden access points can often provide unauthorized access to systems or data that circumvents built-in access controls and logging. Source code reviews should be repeated after any potentially significant change.
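One thing a source code review looks for is exactly the kind of hidden access point the booklet describes: an undocumented credential that bypasses the real authentication path and never touches the access-control or logging code. The following is an added example, not text or tooling from the FFIEC booklet or from Yennik's audit; it uses Python's standard-library ast module to flag any comparison of a credential-looking identifier against a string literal, run over a constructed sample login routine. The sample source, the identifier hints and the function names are assumptions made for the illustration.

```python
"""Added example: a toy source-code review check for backdoor-style
credential comparisons, using only Python's standard-library ``ast``.
Not from the FFIEC booklet or from Yennik's audit tooling; the sample
source, identifier hints and function names below are assumptions."""
import ast

# Substrings that suggest an identifier holds a credential (assumption).
CREDENTIAL_HINTS = ("pass", "pwd", "token", "secret", "user", "key")

# Constructed sample: a login routine with an undocumented master credential.
SAMPLE_SOURCE = '''
import hmac

def verify(username, password, stored_hash):
    # Legitimate path: constant-time comparison against the stored hash.
    if hmac.compare_digest(hash_password(password), stored_hash):
        return True
    # Backdoor: undocumented credential that skips the real check.
    if username == "support" and password == "letmein2009":
        return True
    return False

def hash_password(p):
    return p  # stand-in for a real password hash in this sample
'''


def _identifier(node):
    """Return the identifier text of a Name or Attribute node, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def _looks_like_credential(node):
    ident = _identifier(node)
    return ident is not None and any(h in ident.lower() for h in CREDENTIAL_HINTS)


def _is_str_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _enclosing_function(node, parents):
    """Walk parent links upward to find the containing function name."""
    while node is not None:
        if isinstance(node, ast.FunctionDef):
            return node.name
        node = parents.get(node)
    return "<module>"


def find_hardcoded_credential_checks(source):
    """Return a list of (function, line, identifier, literal) tuples, one per
    comparison of a credential-like identifier against a string literal."""
    tree = ast.parse(source)
    parents = {child: parent for parent in ast.walk(tree)
               for child in ast.iter_child_nodes(parent)}
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Compare):
            continue
        operands = [node.left] + list(node.comparators)
        for left, right in zip(operands, operands[1:]):
            for ident, lit in ((left, right), (right, left)):
                if _looks_like_credential(ident) and _is_str_literal(lit):
                    findings.append((_enclosing_function(node, parents),
                                     node.lineno, _identifier(ident), lit.value))
    return findings


if __name__ == "__main__":
    for func, line, ident, literal in find_hardcoded_credential_checks(SAMPLE_SOURCE):
        print(f"{func}:{line}: '{ident}' compared to literal {literal!r}")
```

A check like this is a triage aid, not a substitute for reading the code: a backdoor can compare against a hard-coded hash rather than a plaintext string, or hide in a branch keyed on a header or client address, so the automated pass narrows the reviewer's attention rather than replacing it. As the booklet says, the review is rerun after any significant change, which is when such a branch is most likely to be slipped in.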


IT SECURITY QUESTION:

G. APPLICATION SECURITY

2. Determine if user input is validated appropriately (e.g. character set, length, etc).
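As an added example (not from the FFIEC examination material), here is the check this question asks an examiner to look for, shown as a vulnerable account-lookup handler beside a hardened one that validates the account number's type, length and character set against an allowlist before binding it as a query parameter. The 10-digit account format, the in-memory table and its rows are constructed assumptions for the illustration.

```python
"""Added example (not from the FFIEC examination material): an online
banking account lookup, first without input validation and then with an
allowlist check on type, length and character set. The 10-digit account
number format, the table and the rows are constructed assumptions."""
import re
import sqlite3

# Assumption for this example: account numbers are exactly 10 ASCII digits.
# [0-9] rather than \d: in Python, \d also matches non-ASCII digits such as
# fullwidth or Arabic-Indic numerals, which the database would never hold.
# \A and \Z rather than ^ and $: $ also matches just before a trailing newline.
ACCOUNT_RE = re.compile(r"\A[0-9]{10}\Z")
MAX_INPUT_LEN = 10


class InvalidInput(ValueError):
    """Raised when a request field fails the allowlist."""


def make_db():
    """Constructed in-memory account table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("1234567890", "alice", 1500), ("0987654321", "bob", 250)])
    return conn


def lookup_vulnerable(conn, acct_input):
    """No validation: whatever the browser sends is spliced into the SQL text."""
    sql = "SELECT acct, owner, balance FROM accounts WHERE acct = '%s'" % acct_input
    return conn.execute(sql).fetchall()


def validate_account_number(acct_input):
    """Allowlist validation: reject anything that is not exactly the expected
    type, length and character set. Length is checked before the regex so an
    oversized payload is rejected cheaply."""
    if not isinstance(acct_input, str):
        raise InvalidInput("account number must be a string")
    if len(acct_input) > MAX_INPUT_LEN:
        raise InvalidInput("account number too long")
    if not ACCOUNT_RE.match(acct_input):
        raise InvalidInput("account number must be exactly 10 digits")
    return acct_input


def is_valid_account_number(acct_input):
    """Boolean form of the allowlist check, for callers that only need yes/no."""
    try:
        validate_account_number(acct_input)
        return True
    except InvalidInput:
        return False


def lookup_hardened(conn, acct_input):
    """Validate first, then bind the value as a query parameter. The binding
    is the defence against injection; the allowlist keeps malformed and
    oversized input from reaching the database (and the logs) at all."""
    acct = validate_account_number(acct_input)
    return conn.execute("SELECT acct, owner, balance FROM accounts WHERE acct = ?",
                        (acct,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))    # every account
    print("hardened:  ", is_valid_account_number(payload))  # False
```

The point an examiner is probing with this question is that validation is an allowlist of what the field may contain, applied server-side, not a denylist of known-bad characters; the hardened version above would also reject a 9-digit number, an 11-character payload, a value with a trailing newline, and fullwidth digits that look right on screen.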

INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.


Initial Privacy Notice

2)  Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all consumers who are not customers, before any nonpublic personal information about the consumer is disclosed to a nonaffiliated third party, other than under an exception in §§14 or 15? [§4(a)(2)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated