Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing
is an affordable-sophisticated process than goes far beyond the
simple scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- FDA calls on medical device makers to focus on cybersecurity - The
agency's recommendations follow reports of vulnerabilities in some
- DHS warns of vulns in hospital medical equipment - Has your
doctor's anasthesia machine been hacked? The US Department of
Homeland Security has warned hospitals and health clinics that many
of the electronic medical devices in use at their facilities may be
vulnerable to cybersecurity attacks.
- IT decision makers are more optimistic about breach detection than
they should be - A new McAfee study released Monday said
organizations are overwhelmed by Big Data, yet appear to be
overvaluing their ability to detect data breaches.
- DHS Does Not Track Security Training of System Administrator
Contractors - The Homeland Security Department does not keep tabs on
whether contractors that monitor vulnerabilities on federal networks
have undergone training, according to a new inspector general audit.
- Texas becomes first state to require warrant for e-mail snooping -
Gov. Rick Perry signed HB 2268 on June 14, and it takes effect
immediately. Texas Gov. Rick Perry has signed a bill giving Texans
more privacy over their inboxes than anywhere else in the United
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Prosecutors team up to combat smartphone thefts - Police and other
law enforcement officials would be part of a new group dedicated to
clamping down on the rise in smartphone thefts, says the Associated
- Laptop stolen from Calif. health care provider exposing data of
1,500 - An unencrypted laptop was stolen from SynerMed, a Monterey
Park, Calif.-based practice serving patients using a public health
service called the Inland Empire Health Plan (IEHP).
- Snowden Smuggled Documents From NSA on a Thumb Drive - The dreaded
thumb drive has struck the Defense Department again as word comes
that NSA whistleblower Edward Snowden smuggled out thousands of
classified documents on one of the portable devices, despite the
military’s efforts to ban them.
- Hacker defaces Facebook fan page of children's theme park - The
Facebook fan page of a children's theme park located in Hampshire,
England was hacked and littered with controversial comments.
- City of Waukee website pulled offline after hacker defaces site -
Hackers defaced an Iowa city's website on Sunday and Monday, causing
officials to temporarily take the site offline.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We begin this week reviewing
the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques." (Part 1 of 10)
A. RISK DISCUSSION
A significant number of financial institutions regulated by the
financial institution regulatory agencies (Agencies) maintain sites
on the World Wide Web. Many of these websites contain weblinks to
other sites not under direct control of the financial institution.
The use of weblinks can create certain risks to the financial
institution. Management should be aware of these risks and take
appropriate steps to address them. The purpose of this guidance is
to discuss the most significant risks of weblinking and how
financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party
websites, the resulting association is called a "weblinking
relationship." Financial institutions with weblinking relationships
are exposed to several risks associated with the use of this
technology. The most significant risks are reputation risk and
Generally, reputation risk arises when a linked third party
adversely affects the financial institution's customer and, in turn,
the financial institution, because the customer blames the financial
institution for problems experienced. The customer may be under a
misimpression that the institution is providing the product or
service, or that the institution recommends or endorses the
third-party provider. More specifically, reputation risk could arise
in any of the following ways:
- customer confusion in
distinguishing whether the financial institution or the linked
third party is offering products and services;
dissatisfaction with the quality of products or services
obtained from a third party; and
- customer confusion as
to whether certain regulatory protections apply to third-party
products or services.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
Action Summary -Financial institutions must maintain an ongoing
information security risk assessment program that effectively
1) Gathers data regarding the information and technology assets of
the organization, threats to those assets, vulnerabilities, existing
security controls and processes, and the current security standards
2) Analyzes the probability and impact associated with the known
threats and vulnerabilities to its assets; and
3) Prioritizes the risks present due to threats and vulnerabilities
to determine the appropriate level of training, controls, and
testing necessary for effective mitigation.
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Redisclosure of nonpublic personal information received
from a nonaffiliated financial institution outside of Sections 14
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure of the
information where the institution is the recipient of nonpublic
personal information (§11(b)).
B. Select a sample of data received from nonaffiliated financial
institutions and shared with others to evaluate the financial
institution's compliance with redisclosure limitations.
1. Verify that the institution's redisclosure of the information
was only to affiliates of the financial institution from which the
information was obtained or to the institution's own affiliates,
except as otherwise allowed in the step b below (§11(b)(1)(i) and
2. If the institution shares information with entities other than
those under step a above, verify that the institution's information
sharing practices conform to those in the nonaffiliated financial
institution's privacy notice (§11(b)(1)(iii)).
3. Also, review the procedures used by the institution to ensure
that the information sharing reflects the opt out status of the
consumers of the nonaffiliated financial institution (§§10,