Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
June 24, 2007
Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 41 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
OMB finalizes acquisition language for standard desktop
configuration - The Office of Management and Budget yesterday gave
agencies the basic language they will be required to use in all
procurements after June 30 to ensure they are purchasing hardware
and software that meet a standard Windows desktop configuration.
India gets offshore cyber crime watchdog - India is to finally get a
data privacy watchdog to oversee the country's IT and BPO offshore
outsourcing industry and to address international concerns about the
security of customer records and data.
Mass. credit union bills TJX $590k for breach-related costs - But
the retailer has given no indication it plans to pay up - HarborOne
Credit Union in Brockton, Mass., has sent The TJX Companies Inc. an
invoice for $590,000 for what the financial institution says it
incurred in actual costs and reputational damage as a result of the
data compromise disclosed by the retailer in January.
TJX faces five more breach-related state lawsuits - Five additional
states have filed lawsuits against TJX over the massive data breach
that exposed some 45.7 million credit card numbers to hackers, the
retailer reported on Thursday in a federal regulatory filing.
Businesses clueless over database protection - Some 40pc of
organisations don't monitor their databases for suspicious activity
or don't know if such monitoring occurs, according to a new survey.
Hackers load malware onto Mercury music award site - Hackers have
been able to load malware onto the official Mercury music awards
site, as well as hundreds of other sites, after breaking into the
systems of US-based hosting firm DreamHost.
Missing HBOS bank customer data was not encrypted - Bank says breach
of security 'unrelated' to earlier data loss - A lost disk holding
confidential data on 62,000 HBOS banking group mortgage customers
was not encrypted - although it should have been, the bank has
Stolen Laptop Stored Personal Police Data - The personal information
of every police officer in Texas was in the hands of thieves Friday,
after a laptop computer containing the data was stolen.
Connecticut AG investigates Pfizer security breach - Connecticut's
attorney general said on Monday he is investigating the breach of
confidential information of thousands of employees of drugmaker
Pfizer Inc, including that of 305 state residents.
Hackers access personal info on faculty members at Univ. of Virginia
- The breaches occurred between 2005 and this past April - About
6,000 current and former University of Virginia (UVa) faculty
members are being notified that their names, Social Security numbers
and birth dates may have been stolen by computer hackers between May
2005 and April 19 of this year.
Security breach exposes Concord Hospital patient data - A security
lapse exposed the personal information of more than 9,000 Concord
Hospital patients, leaving their names, addresses, dates of birth
and social security numbers unprotected on the internet "for a
period of time," the Concord Monitor has learned.
UI notifies graduate program students, faculty about security breach
- Students and faculty associated with a University of Iowa graduate
program are being notified this week about a Web-site security
breach. UI has sent letters to about 1,000 current students and
applicants to the Molecular and Cellular Biology program and to 100
faculty members, said John Keller, UI Associate Provost and Dean of
the Graduate College.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and
Response Guidance for Web Site Spoofing Incidents (Part 2 of
PROCEDURES TO ADDRESS SPOOFING - Detection
Banks can improve their ability to detect spoofing by monitoring
appropriate information available inside the bank and by searching
the Internet for illegal or unauthorized use of bank names and
trademarks. The following is a list of possible indicators of
* E-mail messages returned to bank mail servers that were not
originally sent by the bank. In some cases, these e-mails may
contain links to spoofed Web sites;
* Reviews of Web-server logs can reveal links to suspect Web
addresses indicating that the bank's Web site is being copied or
that other malicious activity is taking place;
* An increase in customer calls to call centers or other bank
personnel, or direct communications from consumer reporting spoofing
Banks can also detect spoofing by searching the Internet for
identifiers associated with the bank such as the name of a company
or bank. Banks can use available search engines and other tools to
monitor Web sites, bulletin boards, news reports, chat rooms,
newsgroups, and other forums to identify usage of a specific company
or bank name. The searches may uncover recent registrations of
domain names similar to the bank's domain name before they are used
to spoof the bank's Web site. Banks can conduct this monitoring
in-house or can contract with third parties who provide monitoring
Banks can encourage customers and consumers to assist in the
identification process by providing prominent links on their Web
pages or telephone contact numbers through which customers and
consumers can report phishing or other fraudulent activities.
Banks can also train customer-service personnel to identify and
report customer calls that may stem from potential Web-site attacks.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security Booklet.
MONITORING AND UPDATING
A static security program provides a false sense of security and
will become increasingly ineffective over time. Monitoring and
updating the security program is an important part of the ongoing
cyclical security process. Financial institutions should treat
security as dynamic with active monitoring; prompt, ongoing risk
assessment; and appropriate updates to controls. Institutions should
continuously gather and analyze information regarding new threats
and vulnerabilities, actual attacks on the institution or others,
and the effectiveness of the existing security controls. They should
use that information to update the risk assessment, strategy, and
implemented controls. Monitoring and updating the security program
begins with the identification of the potential need to alter
aspects of the security program and then recycles through the
security process steps of risk assessment, strategy, implementation,
the top of the newsletter
IT SECURITY QUESTION:
2. Verify that data is protected consistent with the
financial institution's risk assessment.
• Identify controls used to protect data and determine if the data
is protected throughout its life cycle (i.e., creation, storage,
maintenance, transmission, and disposal) in a manner consistent with
the risk assessment.
• Consider data security controls in effect at key stages such as
data creation/acquisition, storage, transmission, maintenance, and
• Review audit and security review reports that summarize if data is
protected consistent with the risk assessment.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties ( Part 2 of 6)
Notice Duties to Customers:
In addition to the duties described above, there are several
duties unique to customers. In particular, regardless of whether the
institution discloses or intends to disclose nonpublic personal
information, a financial institution must provide notice to its
customers of its privacy policies and practices at various times.
1) A financial institution must provide an initial notice of
its privacy policies and practices to each customer, not later than
the time a customer relationship is established. Section 4(e) of the
regulations describes the exceptional cases in which delivery of the
notice is allowed subsequent to the establishment of the customer
2) A financial institution must provide an annual notice at
least once in any period of 12 consecutive months during the
continuation of the customer relationship.
3) Generally, new privacy notices are not required for each
new product or service. However, a financial institution must
provide a new notice to an existing customer when the customer
obtains a new financial product or service from the institution, if
the initial or annual notice most recently provided to the customer
was not accurate with respect to the new financial product or
4) When a financial institution does not disclose nonpublic
personal information (other than as permitted under section 14 and
section 15 exceptions) and does not reserve the right to do so, the
institution has the option of providing a simplified notice.
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at email@example.com if we
can be of assistance.