Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
May 6, 2007
Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 41 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
FDIC Makes Available on Its Web Site New Government-Wide Id
Theft Home Page - The Federal Deposit Insurance Corporation, a
participant in the government-wide Identity Theft Task Force, will
provide a direct link to the new, centralized government Web site on
The Federal Reserve Board on Friday requested public
comment on proposed amendments to five consumer financial services
and fair lending regulations (Regulations B, E, M, Z, and DD) to
clarify the requirements for providing consumer disclosures in
FYI - Auditors cite security
problems with IRS wireless networks - The Internal Revenue Service
has jeopardized sensitive taxpayer information by failing to lock
down its wireless networks, according to an audit report.
FYI - Consumers baulk at
returning to hacked stores - Consumers are wary about returning to
shop at retailers that have been the subject of security breaches,
according to a new study. The survey of 1,200 UK consumers revealed
that the majority would take their business elsewhere in the event
of loss of customer data as a result of a security breach or hack
FYI - Bottom line impact of data
breaches unclear - Despite the fact that unwanted exposure of
consumer data has become a hot-button issue in the media and among
legislators nationwide, experts admit that it remains unclear just
how much damage the events will cause to the finances and
reputations of companies that experience major incidents.
FYI - U.S. shuts student
database to lenders amid concerns - Following reports of abuse, the
U.S. government on Tuesday temporarily barred college loan firms
from accessing a database containing confidential personal
information on millions of student borrowers.
FYI - Disgruntled techie
attempts Californian power blackout - A cheesed-off American IT
worker was seized by an FBI Joint Terrorism Task Force on Wednesday
for attacking the Californian electric power grid.
FYI - USDA has data breach - The
Agriculture Department announced Friday it has publicly exposed the
personal information of up to 63,000 citizens. A USDA loan recipient
April 13 notified OMB Watch that her social security and tax
identification numbers were intertwined with a longer data set in
their fedspending.org database. OMB Watch notified the agency, which
pulled down the data that day.
FYI - Security breach suspected
at grocery ATMs - Customers are urged to check statements after card
readers are discovered. Authorities and a national grocery-store
chain are warning Inland residents about evidence of electronic card
readers discovered on at least three ATMs in the Inland area last
FYI - System update led to
Blackberry outage - BlackBerry maker Research in Motion Ltd. said an
insufficiently tested software update at the company's network data
center was the cause of a service outage this week that left
millions of users without wireless e-mail access.
FYI - UCSF computer server with
research subject information is stolen - A computer file server
containing research subject information related to studies on causes
and cures for different types of cancer was stolen from a locked
UCSF office on March 30, 2007.
FYI - Ohio State database
compromised - Personal information on some 14,000 employees was
exposed - A database intrusion by foreign hackers may have
compromised Social Security numbers and other sensitive data
belonging to more than 14,000 current and former employees at Ohio
FYI - Thieves take laptop with
Smith photos - The head of Edgewood Studios in Rutland is looking
for the return of a stolen laptop containing some valuable
information, including unreleased images of Anna Nicole Smith, the
star of his most recent film.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
"Member FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some extent an
advertisement. Accordingly, bank web site home pages should contain
the official advertising statement unless the advertisement is
subject to exceptions such as advertisements for loans, securities,
trust services and/or radio or television advertisements that do not
exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement.
Conversely, subsidiary web pages that relate to loans do not
require the official advertising statement.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We continue our series
on the FFIEC interagency Information Security Booklet.
INSURANCE (Part 1 of 2)
Insurance coverage is rapidly evolving to meet the growing number of
security-related threats. Coverage varies by insurance company, but
currently available insurance products may include coverage for the
! Vandalism of financial institution Web sites,
! Denial - of - service attacks,
! Loss of income,
! Computer extortion associated with threats of attack or disclosure
! Theft of confidential information,
! Privacy violations,
! Litigation (breach of contract),
! Destruction or manipulation of data (including viruses),
! Fraudulent electronic signatures on loan agreements,
! Fraudulent instructions through e - mail,
! Third - party risk from companies responsible for security of
financial institution systems or information,
! Insiders who exceed system authorization, and
! Incident response costs related to the use of negotiators, public
relations consultants, security and computer forensic consultants,
programmers, replacement systems, etc.
Financial institutions can attempt to insure against these risks
through existing blanket bond insurance coverage added on to address
specific threats. It is important that financial institutions
understand the extent of coverage and the requirements governing the
reimbursement of claims. For example, financial institutions should
understand the extent of coverage available in the event of security
breaches at a third - party service provider. In such a case, the
institution may want to consider contractual requirements that
require service providers to maintain adequate insurance to cover
When considering supplemental insurance coverage for security
incidents, the institution should assess the specific threats in
light of the impact these incidents will have on its financial,
operational, and reputation risk profiles. Obviously, when a
financial institution contracts for additional coverage, it should
ensure that it is aware of and prepared to comply with any required
security controls both at inception of the coverage and over the
term of the policy.
the top of the newsletter
IT SECURITY QUESTION:
1. Review the information security risk assessment and identify
those items and areas classified as requiring encryption.
2. Evaluate the appropriateness of the criteria used to select the
type of encryption/cryptographic algorithms.
! Consider if cryptographic algorithms are both publicly known
and widely accepted (e.g. RSA, SHA, Triple DES, Blowfish, Twofish,
etc.) or banking industry standard algorithms.
! Note the basis for choosing key sizes (e.g., 40-bit,
128-bit) and key space.
! Identify management's understanding of cryptography and
expectations of how it will be used to protect data.
Return to the top of
INTERNET PRIVACY - We continue our
review of the issues in the "Privacy of Consumer Financial
Information" published by the financial regulatory agencies.
Definitions and Key Concepts
In discussing the duties and limitations imposed by the
regulations, a number of key concepts are used. These concepts
include "financial institution"; "nonpublic personal information";
"nonaffiliated third party"; the "opt out" right and the exceptions
to that right; and "consumer" and "customer." Each concept is
briefly discussed below. A more complete explanation of each appears
in the regulations.
A "financial institution" is any institution the business of
which is engaging in activities that are financial in nature or
incidental to such financial activities, as determined by section
4(k) of the Bank Holding Company Act of 1956. Financial institutions
can include banks, securities brokers and dealers, insurance
underwriters and agents, finance companies, mortgage bankers, and
Nonaffiliated Third Party:
A "nonaffiliated third party" is any person except a
financial institution's affiliate or a person employed jointly by a
financial institution and a company that is not the institution's
affiliate. An "affiliate" of a financial institution is any company
that controls, is controlled by, or is under common control with the
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.