Does Your Financial Institution need an
affordable Internet security audit?
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable-sophisticated process than goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
Are you ready for your IT examination?
The Weekly IT Security Review
provides a checklist of the IT security issues covered in the
FFIEC IT Examination Handbook, which will prepare you for the IT
information and to subscribe visit
Irish Data Protection Commissioner introduces draft code of practice
on breach notification - The theft or loss of personal data relating
to more than 100 individuals now has to be reported to the Data
Protection Commissioner under a draft code of practice in Ireland.
California Fines Five Hospitals For Failure To Protect Patient Data
- Unauthorized access leads to stiff penalties, showing teeth behind
new state law - The California Department of Public Health (CDPH)
announced today that five California hospitals have been assessed
administrative penalties and fines totaling $675,000 for failing to
prevent unauthorized access to confidential patient medical
ICO will not compel companies to report data losses - UK data
watchdog declines to follow likely introduction of compulsory
reporting in Ireland - The Information Commissioner's Office (ICO)
has no plans to force companies to report data losses, despite the
Irish data protection watchdog lobbying its government for such
GAO - Continued Attention Is Needed to Protect Federal Information
Systems from Evolving Threats.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Bank of America insider admits he stole sensitive customer data -
Account balances under $100,000 need not apply - An employee in one
of Bank of America's customer call centers has admitted he stole
sensitive account information and tried to sell it for cash.
Crooks siphon $644,000 from school district's bank account -
Unlimited e-transfers made simple - New York City's Department of
Education was defrauded out of more than $644,000 by hackers who
targeted an electronic bank account used to manage petty cash
expenditures, investigators said.
Weak web application could be to blame for iPad breach - A
vulnerability on the AT&T website resulted in the exposure of email
addresses belonging to some 114,000 Apple iPad users, including a
number of A-list celebrities and politicians.
Wall Street Journal, others, hit in mass SQL attack - Security
researchers have discovered a widescale SQL injection attack that
has compromised thousands of websites to spread malware, including
pages belonging to the Wall Street Journal and the Jerusalem Post.
Hacker charged with threatening US VP using neighbour's PC -
Frame-up alleged - A hacker tried to frame his neighbour by tapping
into his Wi-Fi and sending threatening emails to US vice president
Joe Biden, according to search warrant affidavits unsealed last
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 5 of 10)
B. RISK MANAGEMENT TECHNIQUES
Management must effectively plan, implement, and monitor the
financial institution's weblinking relationships. This includes
situations in which the institution has a third-party service
provider create, arrange, or manage its website. There are several
methods of managing a financial institution's risk exposure from
third-party weblinking relationships. The methods adopted to manage
the risks of a particular link should be appropriate to the level of
risk presented by that link as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of weblinks
should review the types of products or services and the overall
website content made available to its customers through the
weblinks. Management should consider whether the links support the
institution's overall strategic plan. Tools useful in planning
weblinking relationships include:
1) due diligence with respect to third parties to which the
financial institution is considering links; and
2) written agreements with significant third parties.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our review
of the OCC Bulletin about Infrastructure Threats and Intrusion
Risks. This week we review Gathering and Retaining Intrusion
Particular care should be taken when gathering intrusion
information. The OCC expects management to clearly assess the
tradeoff between enabling an easier recovery by gathering
information about an intruder and the risk that an intruder will
inflict additional damage while that information is being gathered.
Management should establish and communicate procedures and
guidelines to employees through policies, procedures, and training.
Intrusion evidence should be maintained in a fashion that enables
recovery while facilitating subsequent actions by law enforcement.
Legal chain of custody requirements must be considered. In general,
legal chain of custody requirements address controlling and securing
evidence from the time of the intrusion until it is turned over to
law enforcement personnel. Chain of custody actions, and those
actions that should be guarded against, should be identified and
embodied in the bank's policies, procedures, and training.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Examination Procedures (Part 3 of 3)
E. Ascertain areas of risk associated with the financial
institution's sharing practices (especially those within Section 13
and those that fall outside of the exceptions ) and any weaknesses
found within the compliance management program. Keep in mind any
outstanding deficiencies identified in the audit for follow-up when
completing the modules.
F. Based on the results of the foregoing initial procedures and
discussions with management, determine which procedures if any
should be completed in the applicable module, focusing on areas of
particular risk. The selection of procedures to be employed depends
upon the adequacy of the institution's compliance management system
and level of risk identified. Each module contains a series of
general instruction to verify compliance, cross-referenced to cites
within the regulation.
Additionally, there are cross-references to a more comprehensive
checklist, which the examiner may use if needed to evaluate
compliance in more detail.
G. Evaluate any additional information or documentation discovered
during the course of the examination according to these procedures.
Note that this may reveal new or different sharing practices
necessitating reapplication of the Decision Trees and completion of
additional or different modules.
H. Formulate conclusions.
1) Summarize all findings.
2) For violation(s) noted, determine the cause by identifying
weaknesses in internal controls, compliance review, training,
management oversight, or other areas.
3) Identify action needed to correct violations and weaknesses in
the institution's compliance system, as appropriate.
4) Discuss findings with management and obtain a commitment for