Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
May 20, 2007
Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 41 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
Royal Bank of Scotland to give customers handheld chip and PIN
readers - Move follows Barclays' announcement - The Royal Bank of
Scotland is to become the second bank in a month to give out
handheld chip and PIN readers to customers. The move follows
Barclays' announcement last month that it would hand out chip and
PIN devices to 500,000 customers.
Thumb Drives Replace Malware As Top Security Concern, Study Finds -
A survey of IT managers showed that while more than half use a USB
flash drive on a daily basis, many still view portable storage
devices as a huge security threat. A worker calls up a sensitive
investor list and downloads it on her thumb drive, slips it into her
pocket, and walks out, smiling and waving to her boss and the
security officer stationed at the front door.
NIST Issues Security Recommendations For RFID - Federal agency
guidelines help "smart tag" users evaluate and reduce potential
security and privacy risks. The National Institute of Standards and
Technology (NIST) has issued guidelines for radio-frequency
CIS tool aims to help federal agencies check Windows security
settings - They have until February to implement common secure
configuration settings - The Center for Internet Security (CIS) this
summer will release a free tool designed to help federal agencies
check whether their Windows systems configurations comply with
security requirements mandated recently by the White House's Office
of Management and Budget.
J.P. Morgan Chase probing data breach shown in YouTube video - The
video appears to show client documents in garbage bags - Financial
services firm J.P. Morgan Chase is investigating claims by a
Washington, D.C.-based workers union that it dumped documents
containing personal financial data belonging to its customers in
garbage bags outside five branch offices in New York.
GAO Information Technology: VA and DOD Are Making Progress in
Sharing Medical Information, but Are Far from Comprehensive
Electronic Medical Records.
Highlights - http://www.gao.gov/highlights/d07852thigh.pdf
Lax security led to TJX breach - A wireless network that employed
less protection than many people use on their home systems appears
to be the weak link that led TJX Companies, the US-based retailing
empire, to preside over the world's biggest known theft of
Stolen laptop may hold ID numbers - Delays follow in notification of
theft - An Information Technology investigation has revealed that a
laptop stolen from a faculty member's Baton Rouge home may contain
personally identifiable information for about 750 University
Missing drive held DNR names, SSN - Official says employees being
informed, protected - A miniature data storage device containing the
names and Social Security numbers of 1,433 current and retired
Department of Natural Resources employees is missing but does not
appear to have been used to exploit personal information, according
to the superintendent of the agency's police force.
Hospital staff warned after theft - A computer containing the bank
details of thousands of hospital staff has been stolen from an NHS
building, it has been revealed. The computer contains bank and
personal information about staff at the Royal Cornwall Hospitals NHS
Trust but does contain any patient records.
Data about 139 officers left on donated computer - Names and Social
Security numbers for 139 Champaign police officers were left on a
computer donated to charity.
Personal data stolen from Virginia agency - The names, addresses and
Social Security numbers of 40,000 people were stolen last month from
a state agency that serves elderly Virginians.
TSA computer hard drive missing - Drive contained data for over
100,000 Homeland Security employees - The Transportation Security
Administration has lost a computer hard drive containing Social
Security numbers, bank data and payroll information for about
100,000 employee records.
M&S staff at risk in laptop theft - M&S believes no-one has yet
become a victim of identity crime - Staff at Marks and Spencer have
been warned they may be at risk of identity crime after the theft of
a laptop. Salary details, addresses, dates of birth, national
insurance and phone numbers were on the machine which was stolen
from a printing firm.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Non-Deposit Investment Products
Financial institutions advertising or selling non-deposit investment
products on-line should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with
this Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security Booklet.
SECURITY TESTING -
TESTING CONCEPTS AND APPLICATION
Testing Risks to Data Integrity, Confidentiality, and Availability.
Management is responsible for carefully controlling information
security tests to limit the risks to data integrity,
confidentiality, and system availability. Because testing may
uncover nonpublic customer information, appropriate safeguards to
protect the information must be in place. Contracts with third
parties to provide testing services should require that the third
parties implement appropriate measures to meet the objectives of
section 501(b) of the GLBA. Management also is responsible for
ensuring that employee and contract personnel who perform the tests
or have access to the test results have passed appropriate
background checks, and that contract personnel are appropriately
bonded. Because certain tests may pose more risk to system
availability than other tests, management is responsible for
considering whether to require the personnel performing those tests
to maintain logs of their testing actions. Those logs can be helpful
should the systems react in an unexpected manner.
Confidentiality of Test Plans and Data. Since knowledge of test
planning and results may facilitate a security breach, institutions
should carefully limit the distribution of their testing
information. Management is responsible for clearly identifying the
individuals responsible for protecting the data and provide guidance
for that protection, while making the results available in a useable
form to those who are responsible for following up on the tests.
Management also should consider requiring contractors to sign
nondisclosure agreements and to return to the institution
information they obtained in their testing.
the top of the newsletter
IT SECURITY QUESTION:
Determine whether adequate provision is made for different
cryptographic keys for different uses and data.
Return to the top of
INTERNET PRIVACY - We continue
our review of the issues in the "Privacy of Consumer Financial
Information" published by the financial regulatory agencies.
Opt Out Right and Exceptions:
Consumers must be given the right to "opt out" of, or
prevent, a financial institution from disclosing nonpublic personal
information about them to a nonaffiliated third party, unless an
exception to that right applies. The exceptions are detailed in
sections 13, 14, and 15 of the regulations and described below.
As part of the opt out right, consumers must be given a reasonable
opportunity and a reasonable means to opt out. What constitutes a reasonable
opportunity to opt out depends on the circumstances surrounding
the consumer's transaction, but a consumer must be provided a
reasonable amount of time to exercise the opt out right. For
example, it would be reasonable if the financial institution allows
30 days from the date of mailing a notice or 30 days after customer
acknowledgement of an electronic notice for an opt out direction to
be returned. What constitutes a reasonable means to opt out
may include check-off boxes, a reply form, or a toll-free telephone
number, again depending on the circumstances surrounding the
consumer's transaction. It is not reasonable to require a consumer
to write his or her own letter as the only means to opt out.
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.