R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

May 6, 2012

CONTENT
- Internet Compliance Web Site Audits
- IT Security
- Internet Privacy
- Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - The Federal Financial Institutions Examination Council has recently upgraded the functions and features of the InfoBase for the FFIEC Information Technology Examination Handbook.  www.ffiec.gov/press/pr050312.htm

FYI - Pentagon nears expansion of cyber information sharing effort - Defense Department officials said a pilot program that lets them share cyber threat information with the private sector has been a success story, and more firms are clamoring to join. http://www.federalnewsradio.com/?nid=411&sid=2840342

FYI - Digital Economy Act's anti-piracy measures are delayed - The controversial piracy law, the Digital Economy Act, has again been delayed, the Department for Culture, Media and Sport has confirmed. http://www.bbc.co.uk/news/technology-17853518

FYI - GAO - Electronic Health Records: First Year of CMS's Incentive Programs Shows Opportunities to Improve Processes to Verify Providers Met Requirements.  http://www.gao.gov/products/GAO-12-481

FYI - In U.S.-Russia deal, nuclear communication system may be used for cybersecurity - A secure communications channel set up to prevent misunderstandings that might lead to nuclear war is likely to expand to handling new kinds of conflict - in cyberspace. http://www.washingtonpost.com/world/national-security/in-us-russia-deal-nuclear-communication-system-may-be-used-for-cybersecurity/2012/04/26/gIQAT521iT_story.html

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - VMware Breached, More Hypervisor Source Code To Come - Hacker Hardcore Charlie reveals stolen VMware source code and documents from Asian defense contractors, promises more disclosures in May.
http://www.informationweek.com/news/security/attacks/232901025
http://www.scmagazine.com/vmware-source-code-leaked-onto-internet/article/238642/?DCMP=EMC-SCUS_Newswire

FYI - Feds Seize 36 Criminal Carding Sites - Three dozen criminal carding sites were seized on Wednesday by the FBI, as part of a two-year investigation conducted with authorities in Europe and elsewhere. http://www.wired.com/threatlevel/2012/04/36-carding-sites-seized/

FYI - 14,000 students' information placed on insecure server - The personal information of 14,000 students, former students and faculty at Volunteer Community College in Gallatin, Tenn., was placed on a web server that was not secure. http://www.scmagazine.com/14000-students-information-placed-on-insecure-server/article/239187/?DCMP=EMC-SCUS_Newswire


FYI - Wrigley Field fans targeted by skimming scam - A group of six has been charged in the latest scam to defraud bank customers through the use of skimming devices, a trend that has seen a noticeable uptick in arrests and prosecutions over the past year. http://www.scmagazine.com/wrigley-field-fans-targeted-by-skimming-scam/article/239417/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight - Principle 2: The Board of Directors and senior management should review and approve the key aspects of the bank's security control process. 

The Board of Directors and senior management should oversee the development and continued maintenance of a security control infrastructure that properly safeguards e-banking systems and data from both internal and external threats. This should include establishing appropriate authorization privileges, logical and physical access controls, and adequate infrastructure security to maintain appropriate boundaries and restrictions on both internal and external user activities.

Safeguarding of bank assets is one of the Board's fiduciary duties and one of senior management's fundamental responsibilities. However, it is a challenging task in a rapidly evolving e-banking environment because of the complex security risks associated with operating over the public Internet network and using innovative technology.

To ensure proper security controls for e-banking activities, the Board and senior management need to ascertain whether the bank has a comprehensive security process, including policies and procedures, that addresses potential internal and external security threats both in terms of incident prevention and response. Key elements of an effective e-banking security process include: 

1) Assignment of explicit management/staff responsibility for overseeing the establishment and maintenance of corporate security policies.

2) Sufficient physical controls to prevent unauthorized physical access to the computing environment.

3) Sufficient logical controls and monitoring processes to prevent unauthorized internal and external access to e-banking applications and databases.

4) Regular review and testing of security measures and controls, including the continuous tracking of current industry security developments and installation of appropriate software upgrades, service packs and other required measures.

 
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

A maxim of security is "prevention is ideal, but detection is a must."  Security systems must both restrict access and protect against the failure of those access restrictions. When those systems fail, an intrusion occurs and the only remaining protection is a detection-and-response capability. The earlier an intrusion is detected, the greater the institution's ability to mitigate the risk posed by the intrusion. Financial institutions should have a capability to detect and react to an intrusion into their information systems.

INTRUSION DETECTION

Preparation for intrusion detection generally involves identifying data flows to monitor for clues to an intrusion, deciding on the scope and nature of monitoring, implementing that monitoring, and establishing a process to analyze and maintain custody over the resulting information. Additionally, legal requirements may include notifications of users regarding the monitoring and the extent to which monitoring must be performed as an ordinary part of ongoing operations.

Adequate preparation is a key prerequisite to detection. The best intrusion detection systems will not identify an intrusion if they are not located to collect the relevant data, do not analyze correct data, or are not configured properly. Even if they detect an intrusion, the information gathered may not be usable by law enforcement if proper notification of monitoring and preservation of data integrity has not taken place.
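The two points above, analyzing the right data and preserving its integrity so it remains usable afterwards, can be shown together on a small scale. The following is an added example written for this newsletter; it is not from the FFIEC booklet and it is not an institution's production tooling. It runs a brute-force login check over a handful of constructed OpenSSH-style syslog lines (the host name, addresses and the assumed log year 2012 are invented for the illustration) and then builds a hash-chained custody record of the collected lines so that any later edit, insertion or deletion of a line is detectable.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in syslog/OpenSSH format; not real traffic.
SAMPLE_AUTH_LOG = """\
May  6 10:01:02 bank-web sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May  6 10:01:04 bank-web sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
May  6 10:01:05 bank-web sshd[1201]: Failed password for root from 203.0.113.5 port 51236 ssh2
May  6 10:01:07 bank-web sshd[1201]: Failed password for root from 203.0.113.5 port 51237 ssh2
May  6 10:01:09 bank-web sshd[1201]: Failed password for root from 203.0.113.5 port 51238 ssh2
May  6 10:01:11 bank-web sshd[1201]: Accepted password for root from 203.0.113.5 port 51239 ssh2
May  6 10:05:30 bank-web sshd[1310]: Failed password for jsmith from 198.51.100.7 port 40211 ssh2
May  6 10:30:30 bank-web sshd[1355]: Accepted publickey for jsmith from 198.51.100.7 port 40290 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
LOG_YEAR = 2012  # syslog lines carry no year; assumed for the sample


def parse_line(line):
    """Pull timestamp, outcome, user and source address out of one sshd line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag any source with >= threshold failed logins inside window_seconds.

    Each alert also records whether a successful login from that source came
    after the failures, the pattern that most needs a fast response.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        (failures if e["result"] == "Failed" else successes)[e["ip"]].append(e["ts"])
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            first, last = times[i], times[i + threshold - 1]
            if (last - first).total_seconds() <= window_seconds:
                alerts[ip] = {
                    "failures": len(times),
                    "window_start": first,
                    "success_after": any(t > last for t in successes.get(ip, [])),
                }
                break
    return alerts


def custody_manifest(log_text):
    """Tamper-evident record of the collected lines.

    Each entry's SHA-256 digest covers the previous digest as well as the
    line, so editing, inserting or deleting any line breaks every later link.
    """
    prev = "0" * 64
    manifest = []
    for line in log_text.splitlines():
        digest = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        manifest.append((line, digest))
        prev = digest
    return manifest


def verify_manifest(manifest):
    """Recompute the chain and report whether every link still matches."""
    prev = "0" * 64
    for line, digest in manifest:
        if hashlib.sha256((prev + "\n" + line).encode()).hexdigest() != digest:
            return False
        prev = digest
    return True


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"ALERT {ip}: {info['failures']} failures from {info['window_start']}, "
              f"later success: {info['success_after']}")
    manifest = custody_manifest(SAMPLE_AUTH_LOG)
    print("manifest intact:", verify_manifest(manifest))
```

In the sample, 203.0.113.5 trips the threshold (five failures in seven seconds followed by an accepted root password), while 198.51.100.7's single failure does not. The final digest of the manifest is the value an examiner or investigator would record at collection time; any later discrepancy shows the evidence was altered after it was gathered.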



INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

13. If the institution does not disclose nonpublic personal information, and does not reserve the right to do so, other than under exceptions in §14 and §15, does the institution provide a simplified privacy notice that contains at a minimum: 

a. a statement to this effect;

b. the categories of nonpublic personal information it collects;

c. the policies and practices the institution uses to protect the confidentiality and security of nonpublic personal information; and

d. a general statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law? [§6(c)(5)]

(Note: use of this type of simplified notice is optional; an institution may always use a full notice.)

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated