Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial
April 29, 2007
Your Financial Institution needs an affordable Internet security
Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit
Privacy of Consumer Financial Information - The FDIC, the other federal financial institution regulatory agencies, the Securities and Exchange Commission, the Federal Trade Commission, and the Commodity Futures Trading Commission have jointly published the attached Notice of Proposed Rulemaking seeking comment on a model privacy form that financial institutions could use to satisfy the privacy notice requirements of the Gramm-Leach-Bliley Act
FYI - NIST has collaborated with the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and Microsoft Corporation to produce Microsoft's Windows baseline security settings for the Enterprise (EC) and Specialized Security/Limited Functionality (SSLF) environments.
VISTA security guidelines:
XP security guidelines:
FYI - Former Morgan Stanley Employee Arrested On Data Theft Charges - A former Morgan Stanley client service representative was arrested and charged with stealing proprietary information relating to the brokerage firm's hedge fund

FYI - Social Security Administration Worker Charged In Identity Theft Scheme - A former Social Security Administration employee surrendered to federal authorities Wednesday to face charges of illegally disclosing personal information she took off a government computer that was then used in an identity theft scheme that racked up $2.5 million in credit card charges.

FYI - Pioneer Press alleges corporate espionage by former publisher - His password was "Mocha." But other data on Par Ridder's laptop computer would have been even tastier to his new bosses.

FYI - Navigating the PCI Standard - More than just another data-security standard, the PCI program is corporate America's most ambitious effort yet to prove that it can self-regulate. But even a standard with everything going for it might not be enough to stop the loss of credit card data. In mid-December 2006, just as Visa was announcing a $20 million incentive to try to hurry compliance with the credit card industry's data-security standard, a consultant for TJX was discovering precisely the sort of breach that the standard is supposed to

FYI - GAO - Information Security: Persistent Weaknesses Highlight Need for Further

FYI - Georgia on the mind of three million after CD loss - Sensitive personal information on 2.9 million Georgia residents is at risk after a company lost a CD that contained the details.

FYI - Sensitive Info Is Stolen From Adoption Agency - The highly confidential information on children and their adoptive parents is at stake in a criminal case being investigated by Ft. Lauderdale Police.

FYI - Technician Held In Theft Of Data On Port Workers - A computer technician at the Port of Tampa is accused of stealing employee information to apply for credit cards online, the Florida Department of Law Enforcement said.
WEB SITE COMPLIANCE - The Role Of Consumer Compliance In Developing And Implementing Electronic Services from FDIC:

When violations of the consumer protection laws regarding a financial institution's electronic services have been cited, generally the compliance officer has not been involved in the development and implementation of the electronic services. Therefore, it is suggested that management and system designers consult with the compliance officer during the development and implementation stages in order to minimize compliance risk. The compliance officer should ensure that the proper controls are incorporated into the system so that all relevant compliance issues are fully addressed. This level of involvement will help decrease an institution's compliance risk and may prevent the need to delay deployment or redesign programs that do not meet regulatory requirements.

The compliance officer should develop a compliance risk profile as a component of the institution's online banking business and/or technology plan. This profile will establish a framework from which the compliance officer and technology staff can discuss specific technical elements that should be incorporated into the system to ensure that the online system meets regulatory requirements.

For example, the compliance officer may communicate with the technology staff about whether compliance disclosures/notices on a web site should be indicated or delivered by the use of "pointers" or "hotlinks" to ensure that required disclosures are presented to the consumer. The compliance officer can also be an ongoing resource to test the system for regulatory compliance.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INSURANCE (Part 1 of 2)

Financial institutions have used insurance coverage as an effective method to transfer risks from themselves to insurance carriers. Insurance coverage is increasingly available to cover risks from security breaches or denial of service attacks. For example, several insurance companies offer e-commerce insurance packages that can reimburse financial institutions for losses from fraud, privacy breaches, system downtime, or incident response. When evaluating the need for insurance to cover information security threats, financial institutions should understand the following points:

- Insurance is not a substitute for an effective security program.
- Traditional fidelity bond coverage may not protect from losses related to security intrusions.
- Availability, cost, and covered risks vary by insurance company.
- Availability of new insurance products creates a more dynamic environment for these factors.
- Insurance cannot adequately cover the reputation and compliance risk related to customer relationships and privacy.
- Insurance companies typically require companies to certify that certain security practices are in place.
IT SECURITY QUESTION: SERVICE PROVIDER OVERSIGHT - SECURITY

6. Determine if institution oversight of third party provider security controls is adequate.
7. Determine if any third party provider access to the institution's system is controlled according to "Authentication and Access Controls" and "Network Security" procedures.
8. Determine if the contract requires secure remote communications,
9. Determine if the institution appropriately assessed the third party provider's procedures for hiring and monitoring personnel who have access to the institution's systems and data.
INTERNET PRIVACY - With this issue, we begin our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory

On November 12, 1999, President Clinton signed into law the Gramm-Leach-Bliley Act (the "Act"). Title V, Subtitle A of the Act governs the treatment of nonpublic personal information about consumers by financial institutions. Section 502 of the Subtitle, subject to certain exceptions, prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless the institution satisfies various notice and opt-out requirements, and provided that the consumer has not elected to opt out of the disclosure. Section 503 requires the institution to provide notice of its privacy policies and practices to its customers. Section 504 authorizes the issuance of regulations to implement these provisions.

Accordingly, on June 1, 2000, the four federal bank and thrift regulators published substantively identical regulations implementing provisions of the Act governing the privacy of consumer financial information. The regulations establish rules governing duties of a financial institution to provide particular notices and limitations on its disclosure of nonpublic personal information, as

1) A financial institution must provide a notice of its privacy policies, and allow the consumer to opt out of the disclosure of the consumer's nonpublic personal information, to a nonaffiliated third party if the disclosure is outside of the exceptions in sections 13, 14 or 15 of the regulations.
2) Regardless of whether a financial institution shares nonpublic personal information, the institution must provide notices of its privacy policies to its customers.
3) A financial institution generally may not disclose customer account numbers to any nonaffiliated third party for marketing
4) A financial institution must follow reuse and redisclosure limitations on any nonpublic personal information it receives from a nonaffiliated financial institution.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at firstname.lastname@example.org if we can be of assistance.