R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

April 14, 2013

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Military Veterans Wanted As Hackers In Cyberwar - A National Guardsman with an IT background, wants to serve on the front lines of a new kind of war -- one being fought with bytes instead of bombs. http://www.huffingtonpost.com/2013/04/01/military-veterans-hackers_n_2990052.html?1364836168&utm_hp_ref=technology

FYI - Google Takes on Rare Fight Against National Security Letters - Google has filed a rare petition to challenge an ultra-secret national security letter issued by the government to obtain private data about one or more of its users. http://www.wired.com/threatlevel/2013/04/google-fight

FYI - FBI Pursuing Real-Time Gmail Spying Powers as “Top Priority” for 2013 - Despite the pervasiveness of law enforcement surveillance of digital communication, the FBI still has a difficult time monitoring Gmail, Google Voice, and Dropbox in real time. http://www.slate.com/blogs/future_tense/2013/03/26/andrew_weissmann_fbi_wants_real_time_gmail_dropbox_spying_power.html

FYI - Judge rules hospital can ask ISP for help in ID'ing alleged hackers - A New Jersey hospital can now pursue a subpoena that would require an internet service provider (ISP) to hand over information potentially identifying at least one person accused of hacking into its email server. http://www.scmagazine.com/judge-rules-hospital-can-ask-isp-for-help-in-iding-alleged-hackers/article/288294/?DCMP=EMC-SCUS_Newswire


FYI - Japanese web portals hacked, up to 100,000 accounts compromised - Two of Japan's major Internet portals were hacked earlier this week, with one warning that as many as 100,000 user accounts were compromised, including financial details. http://www.computerworld.com/s/article/9238123/Japanese_web_portals_hacked_up_to_100_000_accounts_compromised?taxonomyId=17

FYI - Ticket machine card fraud rise in EU - Five out of 23 European countries reported an increase in card-skimming devices attached to transport ticket machines, according to new research. http://www.bbc.co.uk/news/technology-22013231

FYI - Harvard to review privacy policies in wake of email search scandal - Lack of standard policies 'highly inadequate,' university president says - Harvard's University President has ordered a comprehensive review of the university's email privacy policies amid disclosures that a secret search of some deans' email accounts by administrators was broader than originally acknowledged. http://www.computerworld.com/s/article/9238100/Harvard_to_review_privacy_policies_in_wake_of_email_search_scandal?taxonomyId=17

FYI - Nationwide Insurance uses lawyers to protect details of October security breach - Nationwide Insurance wants to keep possible weaknesses in its digital infrastructure under wraps as state and federal investigators look into its October security breach that left 1.1 million Americans' information exposed. http://www.theverge.com/2013/4/1/4170214/nationwide-insurance-covers-massive-security-breach-details-attorney-client-privilege

FYI - Cyberattacks Seem Meant to Destroy, Not Just Disrupt - American Express customers trying to gain access to their online accounts Thursday were met with blank screens or an ominous ancient typeface. The company confirmed that its Web site had come under attack. http://www.nytimes.com/2013/03/29/technology/corporate-cyberattackers-possibly-state-backed-now-seek-to-destroy-data.html?pagewanted=all&_r=2&

FYI - Laptop stolen from S.C. medical center contains data on 7k veterans - A Department of Veterans Affairs (VA) laptop containing the sensitive data of several thousand patients was stolen in South Carolina. http://www.scmagazine.com/laptop-stolen-from-sc-medical-center-contains-data-on-7k-veterans/article/287907/?DCMP=EMC-SCUS_Newswire

FYI - Up to 1 million Scribd user passwords may have been compromised - The world's largest document sharing site Scribd says it was hacked earlier this week and believes up to one percent of its 100 million users' passwords were compromised due to being stored with an outdated hashing algorithm. http://www.zdnet.com/up-to-1-million-scribd-user-passwords-may-have-been-compromised-7000013595/

FYI - Vudu resets user passwords after hard drives lost in office burglary - Video service says burglars stole hard drives containing sensitive personal information, including names, e-mail addresses, phone numbers, and some credit card information. http://news.cnet.com/8301-1009_3-57578766-83/vudu-resets-user-passwords-after-hard-drives-lost-in-office-burglary/?tag=nl.e757&s_cid=e757&ttag=e757

FYI - Hack of college database jeopardizes sensitive data of 125k students - An online database containing the personal information of 125,000 students at Kirkwood Community College in Cedar Rapids, Iowa, was hacked. http://www.scmagazine.com/hack-of-college-database-jeopardizes-sensitive-data-of-125k-students/article/288478/?DCMP=EMC-SCUS_Newswire


Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Contract Issues

Some considerations for contracting with service providers are discussed below. This listing is not all-inclusive and the institution may need to evaluate other considerations based on its unique circumstances. The level of detail and relative importance of contract provisions varies with the scope and risks of the services outsourced.

Scope of Service

The contract should clearly describe the rights and responsibilities of parties to the contract.
Considerations include:

• Timeframes and activities for implementation and assignment of responsibility.  Implementation provisions should take into consideration other existing systems or interrelated systems to be developed by different service providers (e.g., an Internet banking system being integrated with existing core applications or systems customization).
• Services to be performed by the service provider including duties such as software support and maintenance, training of employees or customer service.
• Obligations of the financial institution.
• The contracting parties’ rights in modifying existing services performed under the contract.
• Guidelines for adding new or different services and for contract re-negotiation.

Performance Standards

Institutions should generally include performance standards defining minimum service level requirements and remedies for failure to meet standards in the contract. For example, common service level metrics include percent system uptime, deadlines for completing batch processing, or number of processing errors. Industry standards for service levels may provide a reference point. The institution should periodically review overall performance standards to ensure consistency with its goals and objectives.

We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review the last of a three-part series regarding controls to prevent and detect intrusions.

8) Encryption. Encryption is a means of securing data. Data can be encrypted when it is transmitted and when it is stored. Because networks are not impervious to penetration, management should evaluate the need to secure their data as well as their network. Management's use of encryption should be based on an internal risk assessment and a classification of data. The strength of encryption should be proportional to the risk and impact if the data were revealed.

9) Employee and Contractor Background Checks. Management should ensure that information technology staff, contractors, and others who can make changes to information systems have passed background checks. Management also should revalidate periodically access lists and logon IDs. 

10) Accurate and Complete Records of Uses and Activities. Accurate and complete records of users and activities are essential for analysis, recovery, and development of additional security measures, as well as possible legal action. Information of primary importance includes the methods used to gain access, the extent of the intruder's access to systems and data, and the intruder's past and current activities. To ensure that adequate records exist, management should consider collecting information about users and user activities, systems, networks, file systems, and applications. Consideration should be given to protecting and securing this information by locating it in a physical location separate from the devices generating the records, writing the data to a tamperproof device, and encrypting the information both in transit and in storage. The OCC expects banks to limit the use of personally identifiable information collected in this manner for security purposes, and to otherwise comply with applicable law and regulations regarding the privacy of personally identifiable information.
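The bulletin's advice to keep activity records off the generating system and on a tamperproof medium can be made checkable in software: each record is bound to the one before it with a keyed hash, and the latest tag is copied to a separate location so that even deletion of the newest entries is noticed. The block below is an added illustration written for this newsletter, not OCC or Yennik code; the collector key, the sample events and the anchoring scheme are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed key for this illustration. Assumption: it is held only by the
# separate log collector, never by the systems that generate the records.
COLLECTOR_KEY = b"example-collector-key-not-for-real-use"
GENESIS = "0" * 64  # tag the first entry chains to

def canonical(record):
    return json.dumps(record, sort_keys=True, separators=(",", ":"))

def entry_tag(prev_tag, record):
    msg = (prev_tag + canonical(record)).encode()
    return hmac.new(COLLECTOR_KEY, msg, hashlib.sha256).hexdigest()

def append_record(chain, record):
    """Append a record bound to the previous entry by an HMAC over
    (previous tag || canonical record); returns the new chain head tag,
    which the collector should copy to its separate anchor store."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    chain.append({"record": record, "prev": prev_tag, "tag": entry_tag(prev_tag, record)})
    return chain[-1]["tag"]

def verify_chain(chain, anchored_head):
    """Return (ok, detail). Recomputing every tag catches edits and reordering;
    comparing the final tag with the anchored head catches removed entries."""
    prev_tag = GENESIS
    for i, entry in enumerate(chain):
        expected = entry_tag(prev_tag, entry["record"])
        if entry["prev"] != prev_tag or not hmac.compare_digest(entry["tag"], expected):
            return False, f"entry {i} modified or out of order"
        prev_tag = entry["tag"]
    if not hmac.compare_digest(prev_tag, anchored_head):
        return False, "chain head does not match anchored head (entries removed?)"
    return True, f"{len(chain)} entries intact"

def build_sample_chain():
    """Constructed sample events of the kind the bulletin says to collect."""
    events = [
        {"ts": "2013-04-10T08:01:02Z", "user": "jdoe", "src": "10.0.0.5", "action": "login"},
        {"ts": "2013-04-10T08:03:40Z", "user": "jdoe", "src": "10.0.0.5", "action": "read", "object": "acct/1234"},
        {"ts": "2013-04-10T08:05:11Z", "user": "jdoe", "src": "10.0.0.5", "action": "logout"},
    ]
    chain, head = [], GENESIS
    for e in events:
        head = append_record(chain, e)
    return chain, head
```

The chain alone cannot detect truncation of its tail; that is exactly why the head tag has to live somewhere the generating device cannot write to, matching the bulletin's point about a separate physical location.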

11) Vendor Management. Banks rely on service providers, software vendors, and consultants to manage networks and operations. In outsourcing situations, management should ensure that contractual agreements are comprehensive and clear with regard to the vendor's responsibility for network security, including its monitoring and reporting obligations. Management should monitor the vendor's performance under the contract, as well as assess the vendor's financial condition at least annually.


We continue our series listing the regulatory privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Examination Procedures (Part 1 of 3)

A. Through discussions with management and review of available information, identify the institution's information sharing practices (and changes to those practices) with affiliates and nonaffiliated third parties; how it treats nonpublic personal information; and how it administers opt-outs. Consider the following as appropriate:

1)  Notices (initial, annual, revised, opt out, short-form, and simplified);

2)  Institutional privacy policies and procedures, including those to: 
     a)  process requests for nonpublic personal information, including requests for aggregated data; 
     b)  deliver notices to consumers; manage consumer opt out directions (e.g., designating files, allowing a reasonable time to opt out, providing new opt out and privacy notices when necessary, receiving opt out directions, handling joint account holders); 
     c)  prevent the unlawful disclosure and use of the information received from nonaffiliated financial institutions; and 
     d)  prevent the unlawful disclosure of account numbers;

3)  Information sharing agreements between the institution and affiliates and service agreements or contracts between the institution and nonaffiliated third parties either to obtain or provide information or services;

4)  Complaint logs, telemarketing scripts, and any other information obtained from nonaffiliated third parties (Note: review telemarketing scripts to determine whether the contractual terms set forth under section 13 are met and whether the institution is disclosing account number information in violation of section 12);

5)  Categories of nonpublic personal information collected from or about consumers in obtaining a financial product or service (e.g., in the application process for deposit, loan, or investment products; for an over-the-counter purchase of a bank check; from E-banking products or services, including the data collected electronically through Internet cookies; or through ATM transactions);

6)  Categories of nonpublic personal information shared with, or received from, each nonaffiliated third party; and

7)  Consumer complaints regarding the treatment of nonpublic personal information, including those received electronically.

8)  Records that reflect the bank's categorization of its information sharing practices under Sections 13, 14, 15, and outside of these exceptions.

9)  Results of a 501(b) inspection (used to determine the accuracy of the institution's privacy disclosures regarding data security).


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119

