R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

June 12, 2011

CONTENT Internet Compliance Information Systems Security
IT Security
Internet Privacy
Website for Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

Spending less than 5 minutes a week along with a cup of coffee
you can monitor your IT security as required by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - HHS Proposes Changes To HIPAA Privacy Rule - Individuals would know who accessed their e-health information as well as details about the data disclosed. The U.S. Dept. of Health and Human Services has proposed changes to the Health Insurance Portability and Accountability Act privacy rule that would provide individuals with more details about who accessed their electronic health information and disclosures of the e-health data. http://www.informationweek.com/news/healthcare/policy/229700217

FYI - Is sharing a log-in a criminal act? - Tennessee lawmakers have passed a bill that would make sharing log-in information, including usernames and passwords, illegal within the state's borders. http://news.cnet.com/8301-13506_3-20068233-17.html?tag=mncol;title

FYI - Homeland Security Releases FISMA Compliance Metrics - The Obama administration, by focusing on continuous monitoring, comes closer to assessing the thoroughness of federal agencies' cybersecurity efforts, says SANS Institute. http://www.informationweek.com/news/government/security/230100013

FYI - Good passwords are no joke - And given that the static password is a flawed authentication mechanism that should, according to most expert opinion, have been quietly euthanized decades ago, it might seem strange that so much of that attention, at least in terms of informational writing, has been about improving password practice. http://www.scmagazineus.com/good-passwords-are-no-joke/article/204675/?DCMP=EMC-SCUS_Newswire


FYI - Lockheed admits to hack that may portend more breaches - Lockheed Martin released a statement over the weekend admitting that its network was breached by sophisticated adversaries, but the company said no assets were compromised. http://www.scmagazineus.com/lockheed-admits-to-hack-that-may-portend-more-breaches/article/204205/

FYI - Google Disrupts Chinese Spear-Phishing Attack on Senior U.S. Officials - Google says it’s shut down a well-crafted social engineering attack on Gmail users that targeted the personal accounts of “senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.” http://www.wired.com/threatlevel/2011/06/gmail-hack/

FYI - Honda Data Breach Triggers Lawsuit - The class action suit accuses Honda of putting 283,000 customers at risk, in part by waiting two months to inform them of the data exposure. Beware storing outdated customer data on websites. Honda Canada is learning that lesson the hard way, after a March breach in which 283,000 customers' details were exposed. http://www.informationweek.com/news/security/attacks/229700261

FYI - Hacker group raids Sony Pictures in latest breach - Fresh off the successful infiltration and defacement of the PBS website, the hacktivist collective known as LulzSec said Thursday that it has compromised the personal information of more than one million users of SonyPictures.com.

FYI - RSA confirms Lockheed hack linked to SecurID breach - Security giant RSA has confirmed that hackers leveraged stolen information about its SecurID two-factor authentication offerings in a recent attack on U.S. defense contractor Lockheed Martin. http://www.scmagazineus.com/rsa-confirms-lockheed-hack-linked-to-securid-breach/article/204744/?DCMP=EMC-SCUS_Newswire

FYI - Hacker group LulzSec targets FBI partner InfraGard - On the heels of successful infiltrations at PBS and Sony, a vigilante hacker collective, known as LulzSec, has compromised the website of the Atlanta chapter of InfraGard, an FBI partner organization. http://www.scmagazineus.com/hacker-group-lulzsec-targets-fbi-partner-infragard/article/204626/?DCMP=EMC-SCUS_Newswire

FYI - Citibank admits customers' data was hacked - Citibank has confirmed that the names, account numbers and contact information of hundreds of thousands of customers have been stolen in a hacking attack. http://www.tgdaily.com/security-features/56506-citibank-admits-customers-data-was-hacked?quicktabs_1=0

Return to the top of the newsletter

We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." 
(Part 2 of 10)



Compliance risk arises when the linked third party acts in a manner that does not conform to regulatory requirements. For example, compliance risk could arise from the inappropriate release or use of shared customer information by the linked third party. Compliance risk also arises when the link to a third party creates or affects compliance obligations of the financial institution.

Financial institutions with weblinking relationships are also exposed to other risks associated with the use of technology, as well as certain risks specific to the products and services provided by the linked third parties. The amount of risk exposure depends on several factors, including the nature of the link.

Any link to a third-party website creates some risk exposure for an institution. This guidance applies to links to affiliated, as well as non-affiliated, third parties. A link to a third-party website that provides a customer only with information usually does not create a significant risk exposure if the information being provided is relatively innocuous, for example, weather reports. Alternatively, if the linked third party is providing information or advice related to financial planning, investments, or other more substantial topics, the risks may be greater. Links to websites that enable the customer to interact with the third party, either by eliciting confidential information from the user or allowing the user to purchase a product or service, may expose the insured financial institution to more risk than those that do not have such features.

Return to the top of the newsletter
We continue our series on the FFIEC interagency Information Security Booklet.  


Network security requires effective implementation of several control mechanisms to adequately secure access to systems and data. Financial institutions must evaluate and appropriately implement those controls relative to the complexity of their network.  Many institutions have increasingly complex and dynamic networks stemming from the growth of distributed computing.

Security personnel and network administrators have related but distinct responsibilities for ensuring secure network access across a diverse deployment of interconnecting network servers, file servers, routers, gateways, and local and remote client workstations.  Security personnel typically lead or assist in the development of policies, standards, and procedures, and monitor compliance. They also lead or assist in incident-response efforts.  Network administrators implement the policies, standards, and procedures in their day-to-day operational role.

Internally, networks can host or provide centralized access to mission-critical applications and information, making secure access an organizational priority. Externally, networks integrate institution and third-party applications that grant customers and insiders access to their financial information and Web-based services. Financial institutions that fail to restrict access properly expose themselves to increased transaction, reputation, and compliance risk from threats including the theft of customer information, data alteration, system misuse, or denial-of-service attacks.


Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

If the institution receives information from a nonaffiliated financial institution under an exception in §14 or §15, does the institution refrain from using or disclosing the information except:

a.  to disclose the information to the affiliates of the financial institution from which it received the information; [§11(a)(1)(i)]

b.  to disclose the information to its own affiliates, which are in turn limited by the same disclosure and use restrictions as the recipient institution; [§11(a)(1)(ii)] and

c.  to disclose and use the information pursuant to an exception in §14 or §15 in the ordinary course of business to carry out the activity covered by the exception under which the information was received? [§11(a)(1)(iii)]

(Note: the disclosure or use described in section c of this question need not be directly related to the activity covered by the applicable exception. For instance, an institution receiving information for fraud-prevention purposes could provide the information to its auditors. But "in the ordinary course of business" does not include marketing. [§11(a)(2)])


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated