R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

May 5, 2013

CONTENTS
Internet Compliance Web Site Audits
IT Security
Internet Privacy
Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Report to the Congress - Report to the Congress on the Use of the ACH System and Other Payment Mechanisms for Remittance Transfers to Foreign Countries.  www.federalreserve.gov/publications/other-reports/files/ACH_report_201304.pdf

FYI - CISPA 'dead' in Senate, privacy concerns cited - The chairman of a key Senate committee cited "insufficient" privacy protections in the cybersecurity bill, recently passed by the House. A new report says the Senate is drafting separate bills. http://www.zdnet.com/cispa-dead-in-senate-privacy-concerns-cited-7000014536/

FYI - DoJ Secretly Granted Immunity to Companies that Participated in Monitoring Program - The Justice Department agreed to grant internet service providers that participated in a new cybersecurity monitoring program legal authorization to monitor and intercept communications traffic, according to documents obtained by the Electronic Privacy Information Center.
http://www.wired.com/threatlevel/2013/04/immunity-to-internet-providers/
http://www.scmagazine.com/controversial-government-program-gives-isps-immunity-from-wiretapping-laws/article/290797/?DCMP=EMC-SCUS_Newswire

FYI - Judge rejects FBI's bid to hack computer of suspect in attempted cyberheist - Warrant request too broad, fails to meet 4th amendment standards - A federal court in Houston has rejected an FBI request for a warrant to hack into the computer of a suspect in an attempted cyberheist. http://www.computerworld.com/s/article/9238699/Judge_rejects_FBI_s_bid_to_hack_computer_of_suspect_in_attempted_cyberheist?taxonomyId=17

FYI - Here’s a Good Reason to Encrypt Your Data - There are many reasons to password-protect - or encrypt - one’s digital data. Foremost among them is to protect it during a security breach.
http://www.wired.com/threatlevel/2013/04/encrypt-your-data/
Text of Ruling: http://ia601700.us.archive.org/6/items/gov.uscourts.wied.63043/gov.uscourts.wied.63043.3.0.pdf

FYI - DDoS attacks increase across industries - While distributed denial-of-service (DDoS) attacks aimed at major banks have recently garnered the majority of headlines around the nation, finance isn't the only industry grappling with the challenges of the prevalent threat, according to a new study. http://www.scmagazine.com/study-ddos-attacks-increase-across-industries/article/290112/?DCMP=EMC-SCUS_Newswire

FYI - Panel seeks to fine tech companies for noncompliance with wiretap orders - A government task force is preparing legislation that would pressure companies such as Facebook and Google to enable law enforcement officials to intercept online communications as they occur, according to current and former U.S. officials familiar with the effort. http://www.washingtonpost.com/world/national-security/proposal-seeks-to-fine-tech-companies-for-noncompliance-with-wiretap-orders/2013/04/28/29e7d9d8-a83c-11e2-b029-8fb7e977ef71_story.html

FYI - U.S. response to bank cyberattacks reflects diplomatic caution, vexes bank industry - The United States, concerned that Iran is behind a string of cyberattacks against U.S. banking sites, has considered delivering a formal warning through diplomatic channels but has not pursued the idea out of fears that doing so could escalate hostilities, according to American officials. http://www.washingtonpost.com/world/national-security/us-response-to-bank-cyberattacks-reflects-diplomatic-caution-vexes-bank-industry/2013/04/27/4a71efe2-aea2-11e2-98ef-d1072ed3cc27_story.html

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - AP Twitter hack looks like a security tipping point - Getting hacked on Twitter is fast becoming a rite of passage for big corporations, but Tuesday's attack on the Associated Press could be a tipping point and shows that social networks must do more to keep their users safe, security experts said.
http://www.computerworld.com/s/article/9238637/AP_Twitter_hack_looks_like_a_security_tipping_point?taxonomyId=17
http://www.theregister.co.uk/2013/04/23/hacked_ap_tweet_dow_decline/

FYI - LivingSocial updates encryption practices after password breach affects 50m - After a massive breach impacted more than 50 million of its customers, the daily-deal website LivingSocial has updated its password encryption method to bolster security. http://www.scmagazine.com/livingsocial-updates-encryption-practices-after-password-breach-affects-50m/article/291042/?DCMP=EMC-SCUS_Newswire

FYI - Syrian Hacktivists Hit Guardian Twitter Feeds - The Syrian Electronic Army (SEA) announced Sunday that it took over 11 Twitter feeds belonging to Britain's Guardian newspaper, including its book, film, photography and travel feeds, as well as multiple journalists' accounts.
http://www.informationweek.com/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800
http://www.bbc.co.uk/news/technology-22351987

FYI - LivingSocial hacked; 50 million affected - Hackers target LivingSocial, stealing the personal data of more than 50 million people in an enormous security breach. Daily deals Web site LivingSocial is the latest database target for hackers, who have compromised the personal information of more than 50 million people.
http://news.cnet.com/8301-1009_3-57581718-83/livingsocial-hacked-50-million-affected/

FYI - Army database housing sensitive data on major US dams breached - The U.S. Army Corps of Engineers (USACE) has confirmed that a national database, which contains sensitive information on potentially hazardous U.S. dams, was accessed by an “unauthorized individual.” http://www.scmagazine.com/report-army-database-housing-sensitive-data-on-major-us-dams-breached/article/291574/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Contract Issues

Business Resumption and Contingency Plans

The contract should address the service provider’s responsibility for backup and record protection, including equipment, program and data files, and maintenance of disaster recovery and contingency plans. Responsibilities should include testing of the plans and providing results to the institution. The institution should consider interdependencies among service providers when determining business resumption testing requirements. The service provider should provide the institution with operating procedures the service provider and institution are to implement in the event business resumption contingency plans are implemented. Contracts should include specific provisions for business recovery timeframes that meet the institution’s business requirements. The institution should ensure that the contract does not contain any provisions that would excuse the service provider from implementing its contingency plans.

Sub-contracting and Multiple Service Provider Relationships

Some service providers may contract with third parties in providing services to the financial institution. To provide accountability, it may be beneficial for the financial institution to seek an agreement with and designate a primary contracting service provider. The institution may want to consider including a provision specifying that the contracting service provider is responsible for the service provided to the institution regardless of which entity is actually conducting the operations. The institution may also want to consider including notification and approval requirements regarding changes to the service provider’s significant subcontractors.

Cost

The contract should fully describe fees and calculations for base services, including any development, conversion, and recurring services, as well as any charges based upon volume of activity and for special requests. Cost and responsibility for purchase and maintenance of hardware and software may also need to be addressed. Any conditions under which the cost structure may be changed should be addressed in detail including limits on any cost increases.


 
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review Suspicious Activity Reporting.

National banks are required to report intrusions and other computer crimes to the OCC and law enforcement by filing a Suspicious Activity Report (SAR) form and submitting it to the Financial Crimes Enforcement Network (FinCEN), in accordance with 12 USC 21.11. This reporting obligation exists regardless of whether the institution has reported the intrusion to the information-sharing organizations discussed below. For purposes of the regulation and the SAR form instructions, an "intrusion" is defined as gaining access to the computer system of a financial institution to remove, steal, procure or otherwise affect information or funds of the institution or its customers. It also includes actions that damage, disable, or otherwise affect critical systems of the institution. For example, distributed denial of service (DDoS) attacks should be reported on a SAR because they may temporarily disable critical systems of financial institutions.


INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 14 and/or 15 and outside of exceptions (with or without also sharing under Section 13).  (Part 1 of 3)

Note:
Financial institutions whose practices fall within this category engage in the most expansive degree of information sharing permissible. Consequently, these institutions are held to the most comprehensive compliance standards imposed by the Privacy regulation.

A. Disclosure of Nonpublic Personal Information 

1)  Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party both inside and outside of the exceptions. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the financial institution's compliance with disclosure limitations.

a.  Compare the categories of data shared and with whom the data were shared to those stated in the privacy notice and verify that what the institution tells consumers (customers and those who are not customers) in its notices about its policies and practices in this regard and what the institution actually does are consistent (§§10, 6).

b.  Compare the data shared to a sample of opt out directions and verify that only nonpublic personal information covered under the exceptions or from consumers (customers and those who are not customers) who chose not to opt out is shared (§10).

2)  If the financial institution also shares information under Section 13, obtain and review contracts with nonaffiliated third parties that perform services for the financial institution not covered by the exceptions in section 14 or 15. Determine whether the contracts prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed. Note that the "grandfather" provisions of Section 18 apply to certain of these contracts (§13(a)).


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated