Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
May 27, 2007
Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 41 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
FYI - GAO - Federal
Deposit Insurance Corporation Needs to Sustain Progress Improving
FYI - Union sues TSA
over data breach - TSA loses hard drive with personal information of
100,000 employees - A federal employee union has filed suit against
the Transportation Security Administration over a lost external hard
drive that contained the personal information of some 100,000
FYI - Six in California
indicted for online bank fraud - Six California men accused of
breaking in to online bank accounts and funneling out the proceeds
have been indicted for bank and wire fraud and money laundering. The
53-count indictment could carry a sentence of as much as 30 years in
prison and a fine of $1m.
FYI - Wireless identity
thieves - According to an article in the Wall Street Journal
(subscription required), the seeds of the nation's largest identity
theft operation involving customers of TJX Companies (owners of TJ
Maxx, Marshalls, and other discount stores) began in the parking lot
outside a Marshalls discount clothing store in St. Paul, Minnesota.
FYI - Computer Economics
study: Insiders top IT pros' worries - Researchers have pointed
their fingers at insiders as the main security bugaboos facing
enterprises. Insider misuse and unauthorized access to information
by insiders are the No. 1 and No. 2 security threats worrying IT
security professionals, according to Computer Economics' "Trends in
IT Security Threats: 2007" report, released this week.
FYI - NIST puts its
security guidelines in one basket - The National Institute of
Standards and Technology has released a database to help agencies
collect data needed to assess information technology security
programs and produce reports for action plans.
FYI - Military puts
MySpace, other sites off limits - No more using the military's
computer system to socialize and trade videos on MySpace, YouTube
and nine other Web sites, the Pentagon says.
FYI - IDS in Mid-Morph -
Intrusion detection systems (IDS) technology isn't dead -- it's just
gradually being retooled, according to an IDS/IPS expert who will
present his findings at an upcoming conference.
FYI - Hackers steal
22,000 Social Security numbers from University of Missouri database
- The University of Missouri is the latest university to fall victim
to cybercrime, after hackers breached a database and lifted more
than 20,000 Social Security numbers.
FYI - Eurocard swaps
thousand cards over security worry - Over 1,000 Swedish Eurocard
holders are being issued with new cards following suspicions that
fraudsters have got hold of some people's card details.
FYI - Indiana State site
reveals personal data - The state Department of Administration may
have inadvertently disclosed the Social Security numbers of dozens
of people involved with women- or minority-owned businesses,
officials said today.
FYI - Bank tape lost
with data on 90,000 customers - People's Bank in Connecticut said
the tape was lost in transit - A computer tape from a Connecticut
bank containing personal data on 90,000 customers was lost in
transit recently, the bank reported.
FYI - Goshen College
reports computer security breach - Goshen College joined the ranks
of other notable colleges and universities as the latest victim of
compromised computer security by hackers. From May 5 to 7, a college
computer was remotely accessed with the suspected motivation of
using the system to send spam e-mails.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
(Part 1 of 2)
Several regulations require disclosures and notices to be given at
specified times during a financial transaction. For example, some
regulations require that disclosures be given at the time an
application form is provided to the consumer. In this situation,
institutions will want to ensure that disclosures are given to the
consumer along with any application form. Institutions may
accomplish this through various means, one of which may be through
the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered
electronically and require institutions to deliver disclosures in a
form the customer can keep have been the subject of questions
regarding how institutions can ensure that the consumer can "keep"
the disclosure. A consumer using certain electronic devices, such as
Web TV, may not be able to print or download the disclosure. If
feasible, a financial institution may wish to include in its on-line
program the ability for consumers to give the financial institution
a non-electronic address to which the disclosures can be mailed.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security Booklet.
SECURITY TESTING - TESTING CONCEPTS AND APPLICATION
Measurement and Interpretation of Test Results.
Institutions should design tests to produce results that are logical
and objective. Results that are reduced to metrics are potentially
more precise and less subject to confusion, as well as being more
readily tracked over time. The interpretation and significance of
test results are most useful when tied to threat scenarios.
Traceability. Test results that indicate an unacceptable risk in an
institution's security should be traceable to actions subsequently
taken to reduce the risk to an acceptable level.
Thoroughness. Institutions should perform tests sufficient to
provide a high degree of assurance that their security plan,
strategy and implementation is effective in meeting the security
objectives. Institutions should design their test program to draw
conclusions about the operation of all critical controls. The scope
of testing should encompass all systems in the institution's
production environment and contingency plans and those systems
within the institution that provide access to the production
Frequency. Test frequency should be based on the risk that
critical controls are no longer functioning. Factors to consider
include the nature, extent, and results of prior tests, the value
and sensitivity of data and systems, and changes to systems,
policies and procedures, personnel, and contractors. For example,
network vulnerability scanning on highrisk systems can occur at
least as frequently as significant changes are made to the network.
the top of the newsletter
IT SECURITY QUESTION:
Determine if cryptographic keys expire and are replaced at
appropriate time intervals.
Return to the top of
INTERNET PRIVACY - We continue
our review of the issues in the "Privacy of Consumer Financial
Information" published by the financial regulatory agencies.
Exceptions to the opt out right are detailed in sections 13, 14,
and 15 of the regulations. Financial institutions need not comply
with opt-out requirements if they limit disclosure of nonpublic
1) To a nonaffiliated third party to perform services for the
financial institution or to function on its behalf, including
marketing the institution's own products or services or those
offered jointly by the institution and another financial
institution. The exception is permitted only if the financial
institution provides notice of these arrangements and by contract
prohibits the third party from disclosing or using the information
for other than the specified purposes. In a contract for a joint
marketing agreement, the contract must provide that the parties to
the agreement are jointly offering, sponsoring, or endorsing a
financial product or service. However, if the service or function is
covered by the exceptions in section 14 or 15 (discussed below), the
financial institution does not have to comply with the additional
disclosure and confidentiality requirements of section 13.
Disclosure under this exception could include the outsourcing of
marketing to an advertising company. (Section 13)
2) As necessary to effect, administer, or enforce a
transaction that a consumer requests or authorizes, or under certain
other circumstances relating to existing relationships with
customers. Disclosures under this exception could be in connection
with the audit of credit information, administration of a rewards
program, or to provide an account statement. (Section 14)
3) For specified other disclosures that a financial
institution normally makes, such as to protect against or prevent
actual or potential fraud; to the financial institution's attorneys,
accountants, and auditors; or to comply with applicable legal
requirements, such as the disclosure of information to regulators.
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.