Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
May 13, 2007
Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 41 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
Massachusetts banks file class action suit against TJX - Customers
may feel forgiveness; the debit card issuers, less so - The massive
data breach disclosed earlier this year by Framingham Mass.-based
TJX Companies Inc. appears to have done little to hurt consumer
confidence in the company so far. But it is getting the giant
retailer into all sorts of legal trouble.
Secrecy Act - Wolfsberg Group, Clearing House
Joint Statement on Payment Message Standards - The Wolfsberg
Group and The Clearing House Association L.L.C. have issued the
attached joint statement endorsing measures to enhance the
transparency of international wire transfers.
VeriSign to offer disposable passwords on bank card - A leading
provider of digital-security services wants to make disposable
passwords easier for consumers to accept by squeezing the technology
into the corner of a regular credit or ATM card.
GAO report targets data breach guidelines - Report says agencies
need to know how and when to offer credit monitoring and other
services to reduce the risk of identity theft. A U.S. Government
Accountability Office (GAO) report issued Monday in response to a
May 2006 data breach at the Department of Veterans Affairs says
federal agencies should have uniform guidelines governing when to
offer credit monitoring to individuals whose personal information is
YouTube Shocker: Chase Bank Records Found In Trash - Video Exploits
Security Lapses With Customer Info - A bank error that's certainly
not in your favor has found its way onto the Internet, and now
officials say very personal information of thousands of Chase Bank
customers could find its way into the hands of identity thieves.
New York State settles with breach notification law violator - A
claims management company that violated New York's breach
notification law for taking seven weeks to report a missing laptop
containing personal information of more than a half-million injured
workers has settled with the state.
Ceridian chagrined by leak of client data - A former employee
apparently accidentally posted on the Internet payroll files that
were mixed in with family photos. For some, nothing is more sacred
than their identities and their bank accounts.
Personal data on 160,000 Neiman Marcus employees at risk - It was
contained on computer equipment that's been stolen - Specialty
retailer The Neiman Marcus Group Inc. yesterday sent letters to
nearly 160,000 current and former employees to tell them of a
potential breach involving their personal data.
175 told of possible computer security incident at Purdue - Purdue
University is informing 175 people who were students in fall 2001
that a Web page containing information about them was inadvertently
available on the Internet.
NY teen hacks AOL, infects systems - District Attorney's office
charges 17-year-old boy with computer tampering, computer trespass,
and criminal possession of computer material - A New York teenager
broke into AOL networks and databases containing customer
information and infected servers with a malicious program to
transfer confidential data to his computer, AOL and the Manhattan
District Attorney's Office allege.
Caterpillar says computer equipment containing employee data stolen
- Caterpillar Inc. said late Friday that a laptop computer
containing personal data on employees was stolen from a benefits
consultant that works with the company.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
A financial institution that advertises on-line credit products that
are subject to the Fair Housing Act must display the Equal Housing
Lender logotype and legend or other permissible disclosure of its
nondiscrimination policy if required by rules of the institution's
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through
electronic media with a video component (the financial institution
has the ability to see the applicant) must be treated as "in
person" applications. Accordingly, information about these
applicants' race or national origin and sex must be collected. An
institution that accepts applications through electronic media
without a video component, for example, the Internet or facsimile,
may treat the applications as received by mail.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Information security is an integrated process that reduces
information security risks to acceptable levels. The entire process,
including testing, is driven by an assessment of risks. The greater
the risk, the greater the need for the assurance and validation
provided by effective information security testing.
In general, risk increases with system accessibility and the
sensitivity of data and processes. For example, a high-risk system
is one that is remotely accessible and allows direct access to
funds, fund transfer mechanisms, or sensitive customer data.
Information only Web sites that are not connected to any internal
institution system or transaction capable service are lower-risk
systems. Information systems that exhibit high risks should be
subject to more frequent and rigorous testing than low-risk systems.
Because tests only measure the security posture at a point in time,
frequent testing provides increased assurance that the processes
that are in place to maintain security over time are functioning.
A wide range of tests exists. Some address only discrete controls,
such as password strength. Others address only technical
configuration, or may consist of audits against standards. Some
tests are overt studies to locate vulnerabilities. Other tests can
be designed to mimic the actions of attackers. In many situations,
management may decide to perform a range of tests to give a complete
picture of the effectiveness of the institution's security
processes. Management is responsible for selecting and designing
tests so that the test results, in total, support conclusions about
whether the security control objectives are being met.
Return to the top of the
3. Determine if cryptographic key controls are adequate.
! Identify where cryptographic keys are stored.
! Review security where keys are stored and when they are used
(e.g., in a hardware module).
! Review cryptographic key distribution mechanisms to secure
the keys against unauthorized disclosure, theft, and diversion.
! Verify that two persons are required for a cryptographic key
to be used, where appropriate.
! Review audit and security reports that review the adequacy
of cryptographic key controls.
Return to the top of
INTERNET PRIVACY - We continue
our review of the issues in the "Privacy of Consumer Financial
Information" published by the financial regulatory agencies.
Nonpublic Personal Information:
"Nonpublic personal information" generally is any
information that is not publicly available and that:
1) a consumer provides to a financial institution to obtain a
financial product or service from the institution;
2) results from a transaction between the consumer and the
institution involving a financial product or service; or
3) a financial institution otherwise obtains about a consumer
in connection with providing a financial product or service.
Information is publicly available if an institution has a reasonable
basis to believe that the information is lawfully made available to
the general public from government records, widely distributed
media, or legally required disclosures to the general public.
Examples include information in a telephone book or a publicly
recorded document, such as a mortgage or securities filing.
Nonpublic personal information may include individual items of
information as well as lists of information. For example, nonpublic
personal information may include names, addresses, phone numbers,
social security numbers, income, credit score, and information
obtained through Internet collection devices (i.e., cookies).
There are special rules regarding lists. Publicly available
information would be treated as nonpublic if it were included on a
list of consumers derived from nonpublic personal information. For
example, a list of the names and addresses of a financial
institution's depositors would be nonpublic personal information
even though the names and addresses might be published in local
telephone directories because the list is derived from the fact that
a person has a deposit account with an institution, which is not
publicly available information.
However, if the financial institution has a reasonable basis to
believe that certain customer relationships are a matter of public
record, then any list of these relationships would be considered
publicly available information. For instance, a list of mortgage
customers where the mortgages are recorded in public records would
be considered publicly available information. The institution could
provide a list of such customers, and include on that list any other
publicly available information it has about the customers on that
list without having to provide notice or opt out.
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.