Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc. has clients in 42 states
that rely on our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable-sophisticated process than goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Court Rebukes DOJ, Says Hacking Required to Be Prosecuted as
Hacker - Employees may not be prosecuted under a federal
anti-hacking statute for simply violating their employer’s computer
use policy, a federal appeals court ruled Tuesday.
Energy Companies Need Continuous Monitoring Practices - Utility
companies managing the nation’s critical infrastructure should
regularly check for security gaps within their delivery systems,
according to the White House’s cybersecurity head.
Military finds IT security certification difficulties - The U.S.
Army is having a hard time manning its IT staff because it cannot
find military personnel with the right networking and IT security
Two arrests over Scotland Yard terror line hack - Two teenage boys
have been arrested in connection with an investigation into reports
that hackers accessed Scotland Yard's anti-terror hotline.
Los Alamos subjected to ‘maelstrom’ of simulated cyberattacks - Los
Alamos National Laboratory, the government lab responsible for the
security of the US nuclear stockpile, recently conducted a vigorous
cyber exercise involving more 100 participants from a number of
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Smart Meter Hacks Likely to Spread - A series of hacks perpetrated
against so-called “smart meter” installations over the past several
years may have cost a single U.S. electric utility hundreds of
millions of dollars annually, the FBI said in a cyber intelligence
Connecticut community college hit with "zero-day" malware - A
Connecticut community college reported the potential exposure of
confidential records following a malware infection.
- Ohio man charged in Utah police hacks - Said to be a member of
hacker activist group Anonymous, the man is alleged to have been
involved in bringing down police Web sites. An Ohio man has been
indicted in connection with attacks that brought down the Web sites
of police agencies in Utah.
Securities fraud hacker charged after $1 million heist - A Russian
national is in custody in Newark, N.J., facing charges of hacking
into the web accounts of several brokerages to initiate sham stock
trades that allegedly netted $1 million.
- Hospital workers access patient data with fraud in mind -
Thousands of patients of Memorial Healthcare System in Hollywood,
Fla. may be at risk for identity theft after two former employees
improperly accessed their records.
- Trojan designed to take screenshots of hotel payment apps -
Researchers warned this week of a trojan that is being hawked, on
black market websites, as a way to steal customer credit card
information from hotels.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Board and Management Oversight - Principle 1: The
Board of Directors and senior management should establish effective
management oversight over the risks associated with e-banking
activities, including the establishment of specific accountability,
policies and controls to manage these risks. (Part 1 of 2)
Vigilant management oversight is essential for the provision of
effective internal controls over e-banking activities. In addition
to the specific characteristics of the Internet distribution channel
discussed in the Introduction, the following aspects of e-banking
may pose considerable challenge to traditional risk management
1) Major elements of the delivery channel (the Internet and related
technologies) are outside of the bank's direct control.
2) The Internet facilitates delivery of services across multiple
national jurisdictions, including those not currently served by the
institution through physical locations.
3) The complexity of issues that are associated with e-banking and
that involve highly technical language and concepts are in many
cases outside the traditional experience of the Board and senior
In light of the unique characteristics of e-banking, new e-banking
projects that may have a significant impact on the bank's risk
profile and strategy should be reviewed by the Board of Directors
and senior management and undergo appropriate strategic and
cost/reward analysis. Without adequate up-front strategic review and
ongoing performance to plan assessments, banks are at risk of
underestimating the cost and/or overestimating the payback of their
In addition, the Board and senior management should ensure that the
bank does not enter into new e-banking businesses or adopt new
technologies unless it has the necessary expertise to provide
competent risk management oversight. Management and staff expertise
should be commensurate with the technical nature and complexity of
the bank's e-banking applications and underlying technologies.
Adequate expertise is essential regardless of whether the bank's
e-banking systems and services are managed in-house or outsourced to
third parties. Senior management oversight processes should operate
on a dynamic basis in order to effectively intervene and correct any
material e-banking systems problems or security breaches that may
occur. The increased reputational risk associated with e-banking
necessitates vigilant monitoring of systems operability and customer
satisfaction as well as appropriate incident reporting to the Board
and senior management.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SERVICE PROVIDER OVERSIGHT
Many financial institutions outsource some aspect of their
operations. Although outsourcing arrangements often provide a cost -
effective means to support the institution's technology needs, the
ultimate responsibility and risk rests with the institution.
Financial institutions are required under Section 501(b) of the GLBA
to ensure service providers have implemented adequate security
controls to safeguard customer information. Supporting interagency
guidelines require institutions to:
! Exercise appropriate due diligence in selecting service providers,
! Require service providers by contract to implement appropriate
security controls to comply with the guidelines, and
! Monitor service providers to confirm that they are maintaining
those controls when indicated by the institution's risk assessment.
Financial institutions should implement these same precautions in
all TSP relationships based on the level of access to systems or
data for safety and soundness reasons, in addition to the privacy
Financial institutions should determine the following security
considerations when selecting or monitoring a service provider:
! Service provider references and experience,
! Security expertise of TSP personnel,
! Background checks on TSP personnel,
! Contract assurances regarding security responsibilities and
! Nondisclosure agreements covering the institution's systems and
! Ability to conduct audit coverage of security controls or
provisions for reports of security testing from independent third
! Clear understanding of the provider's security incidence response
policy and assurance that the provider will communicate security
incidents promptly to the institution when its systems or data were
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
11. Does the institution list the following categories of
affiliates and nonaffiliated third parties to whom it discloses
information, as applicable, and a few examples to illustrate the
types of the third parties in each category:
a. financial service providers; [§6(c)(3)(i)]
b. non-financial companies; [§6(c)(3)(ii)] and
c. others? [§6(c)(3)(iii)]