Does Your Financial Institution need an
affordable Internet security audit?
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable-sophisticated process than goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
Are you ready for your IT examination?
The Weekly IT Security Review
provides a checklist of the IT security issues covered in the
FFIEC IT Examination Handbook, which will prepare you for the IT
information and to subscribe visit
Employee-Attorney E-Mails Are Private - NJ Court Rules Company
Violated Privacy Laws by Reading E-Mails Between Employee, Attorney
- In a decision that could set new ground rules for Internet privacy
in the workplace, New Jersey's Supreme Court has ruled an employer
was wrong in retrieving e-mails between a former employee and her
attorney, even though they were sent from a company computer.
Yahoo targeted in China cyber attacks - The Yahoo e-mail accounts of
foreign journalists based in China and Taiwan have been hacked,
according to a Beijing-based press association.
Law to allow banks to recoup breach losses - A new Washington state
law set to go into effect July 1 will allow banks to recoup certain
data breach losses from negligent businesses.
Cloud computing: Moving up - Are organizations ready to move their
most sensitive enterprise applications to the cloud? Dan Kaplan
investigates. It is no secret that today's most opportune hackers
consider web applications to be the preferred means to either load
malware onto end-user PCs or to plunder the potential gold mine that
are corporate databases.
Boeing, U.S. Government Step Up Recruitment for 'Cyberwarriors' -
Kyle makes a convincing technical support representative. After just
a few phone calls, he's able to persuade the other party to download
New Independent Study Reveals Enterprises are Under-Investing in the
Protection of Corporate Secrets - Focus on Protecting
Compliance-related Data Needs to Expand to More Valuable
GAO applauds DHS critical infrastructure protection plan - An
updated plan from the U.S. Department of Homeland Security (DHS) for
protecting the nation's critical infrastructure facilities earned
high marks in a recent assessment by federal investigators for its
emphasis on risk management, according to a report released. http://www.scmagazineus.com/gao-applauds-dhs-critical-infrastructure-protection-plan/article/167542/?DCMP=EMC-SCUS_Newswire
Most organizations falling short on cloud security policies - The
vast majority of organizations fail to proactively safeguard
sensitive business information that is being stored in the cloud,
concluded a report released by the Ponemon Institute.
Cloudy and a chance of threats - The term "cloud computing" puts
both giddiness and fear in the hearts of IT managers around the
world. Adopting cloud-based services gives organizations many
benefits, but it also opens them up to many risks and
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Barnet council discovers 9000 reasons to encrypt data - The personal
details of 9000 school pupils have been stolen from the home of a
council employee, Barnet council has announced.
Miami-Dade inmates hack into strangers' phone lines - Miami-Dade
Corrections says it can do little about jail inmates who are racking
up tens of thousands of dollars in collect calls billed to the fax
lines of unwitting victims.
'Cyber Attack' Aimed At Texas Electricity Provider - Local 2
Investigates has uncovered details about a so-called "cyber attack"
on one of Texas' largest electricity providers, KPRC Local 2
Sensitive laptops stolen from California hospital system - Two
laptops containing sensitive patient information recently were
stolen from California-based hospital system John Muir Health.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
OCC - Threats from
Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance
for Web Site Spoofing Incidents (Part 3 of 5)
PROCEDURES TO ADDRESS SPOOFING - Information
After a bank has determined that it is the target of a spoofing
incident, it should collect available information about the attack
to enable an appropriate response. The information that is
collected will help the bank identify and shut down the fraudulent
Web site, determine whether customer information has been obtained,
and assist law enforcement authorities with any investigation.
Below is a list of useful information that a bank can collect. In
some cases, banks will require the assistance of information
technology specialists or their service providers to obtain this
* The means by which the bank became aware that it was the target
of a spoofing incident (e.g., report received through Website, fax,
* Copies of any e-mails or documentation regarding other forms of
communication (e.g., telephone calls, faxes, etc.) that were used to
direct customers to the spoofed Web sites;
* Internet Protocol (IP) addresses for the spoofed Web sites along
with identification of the companies associated with the IP
* Web-site addresses (universal resource locator) and the
registration of the associated domain names for the spoofed site;
* The geographic locations of the IP address (city, state, and
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Product Certification and Security Scanning Products
Several organizations exist which independently assess and
certify the adequacy of firewalls and other computer system related
products. Typically, certified products have been tested for their
ability to permit and sustain business functions while protecting
against both common and evolving attacks.
Security scanning tools should be run frequently by system
administrators to identify any new vulnerabilities or changes in the
system. Ideally, the scan should be run both with and without the
firewall in place so the firewall's protective capabilities can be
fully evaluated. Identifying the susceptibility of the system
without the firewall is useful for determining contingency
procedures should the firewall ever go down. Some scanning tools
have different versions with varying degrees of intrusion/attack
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties ( Part 1 of 6)
The regulations establish specific duties and limitations for a
financial institution based on its activities. Financial
institutions that intend to disclose nonpublic personal information
outside the exceptions will have to provide opt out rights to their
customers and to consumers who are not customers. All financial
institutions have an obligation to provide an initial and annual
notice of their privacy policies to their customers. All financial
institutions must abide by the regulatory limits on the disclosure
of account numbers to nonaffiliated third parties and on the
redisclosure and reuse of nonpublic personal information received
from nonaffiliated financial institutions.
A brief summary of financial institution duties and limitations
appears below. A more complete explanation of each appears in the
Notice and Opt Out Duties to Consumers:
If a financial institution intends to disclose nonpublic
personal information about any of its consumers (whether or not they
are customers) to a nonaffiliated third party, and an exception does
not apply, then the financial institution must provide to the
1) an initial notice of its privacy policies;
2) an opt out notice (including, among other things, a reasonable
means to opt out); and
3) a reasonable opportunity, before the financial institution
discloses the information to the nonaffiliated third party, to opt
The financial institution may not disclose any nonpublic personal
information to nonaffiliated third parties except under the
enumerated exceptions unless these notices have been provided and
the consumer has not opted out. Additionally, the institution must
provide a revised notice before the financial institution begins to
share a new category of nonpublic personal information or shares
information with a new category of nonaffiliated third party in a
manner that was not described in the previous notice.
Note that a financial institution need not comply with the initial
and opt-out notice requirements for consumers who are not customers
if the institution limits disclosure of nonpublic personal
information to the exceptions.