Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc. has clients in 42 states
that rely on our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable-sophisticated process than goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- White House Releases Cybersecurity Plans - The Obama
administration's legislative proposal includes critical
infrastructure protection, breach notification, privacy
requirements, and overhauls for internal government cybersecurity.
- ACS:Law fined for data breach - ACS:Law has been fined by the
Information Commissioner's Office for failing to follow data
protection law. The one-man law firm, which has since ceased
trading, won infamy for using IP numbers to accuse people of illegal
file-sharing. Victims received a letter offering to settle the
claims rather than go to court. But ACS:Law never took anyone to
court, and some judges doubted whether it ever had the legal basis
to do so.
- Senators call on SEC to mandate more breach reporting - Prompted
by recent breaches of intellectual property belonging to U.S.
corporations, federal lawmakers want the Securities and Exchange
Commission (SEC) to clarify guidance around the obligation to
publicly disclose these incidents to shareholders.
- FCC unveils cyber defense website for small businesses - The
Federal Communications Commission (FCC) on Monday announced the
launch of a new website designed to help small businesses protect
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Breach at Michaels Stores Extends Nationwide - Earlier this month,
arts & crafts chain Michaels Stores disclosed that crooks had
tampered with some point-of-sale devices at store registers in the
Chicago area in a scheme to steal credit and debit card numbers and
associated PINs. But new information on the investigation shows that
many Michaels stores across the country have discovered compromised
- Man sentenced to 3 years for ATM hack scheme - Attempted heist
worth $200,000 - A North Carolina man has been sentenced to three
years in prison after admitting he planned to pocket as much as
$200,000 by hacking into automatic teller machines.
- Teenage duo sentenced over credit card Ghostmarket - 'I will never
get a job in IT,' laments hacker - Two UK teenagers received
sentences for repeated hack attacks that stole credit card data and
took one online webhost offline.
- Anonymous Splinter Group Implicated in Game Company Hack - The Web
sites for computer game giant Eidos Interactive and one of its
biggest titles - Deus Ex - were defaced and plundered on Wednesday
in what appears to have been an attack from a splinter cell of the
hacktivist group Anonymous.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Oversight of Service Provider
Assess Quality of Service and Support
Regularly review reports documenting the service provider’s
performance. Determine if the reports are accurate and allow for
a meaningful assessment of the service provider’s performance.
• Document and follow up on any problem in service in a timely
manner. Assess service provider plans to enhance service levels.
• Review system update procedures to ensure appropriate change
controls are in effect, and ensure authorization is established
for significant system changes.
• Evaluate the provider’s ability to support and enhance the
institution’s strategic direction including anticipated business
development goals and objectives, service delivery requirements,
and technology initiatives.
• Determine adequacy of training provided to financial
• Review customer complaints on the products and services
provided by the service provider.
• Periodically meet with contract parties to discuss performance
and operational issues.
• Participate in user groups and other forums.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Single Sign - On
Several single sign - on protocols are in use. Those protocols allow
clients to authenticate themselves once to obtain access to a range
of services. An advantage of single sign - on systems is that users
do not have to remember or possess multiple authentication
mechanisms, potentially allowing for more complex authentication
methods and fewer user - created weaknesses. Disadvantages include
the broad system authorizations potentially tied to any given
successful authentication, the centralization of authenticators in
the single sign - on server, and potential weaknesses in the single
sign - on technologies.
When single sign - on systems allow access for a single login to
multiple instances of sensitive data or systems, financial
institutions should employ robust authentication techniques, such as
multi - factor, PKI, and biometric techniques. Financial
institutions should also employ additional controls to protect the
authentication server and detect attacks against the server and
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
41. Does the institution refrain from disclosing any nonpublic
personal information about a consumer to a nonaffiliated third
party, other than as permitted under §§13-15, unless:
a. it has provided the consumer with an initial notice; [§10(a)(1)(i)]
b. it has provided the consumer with an opt out notice;
c. it has given the consumer a reasonable opportunity to opt out
before the disclosure; [§10(a)(1)(iii)] and
d. the consumer has not opted out? [§10(a)(1)(iv)]
(Note: this disclosure limitation applies to consumers as
well as to customers [§10(b)(1)], and to all nonpublic personal
information regardless of whether collected before or after
receiving an opt out direction. [§10(b)(2)])