R. Kinney Williams - Yennik, Inc.
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

June 28, 2009

CONTENT Internet Compliance Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


June is the 10th anniversary of the Internet Banking News.  The 520 weekend editions is a labor of love, which we enjoy bringing you.  We look forward to your continued readership and hope you will send us your suggestions to make the newsletter better during our second decade. Thanks - R. Kinney Williams, President of Yennik, Inc.

P. S. If you know someone that would like to receive the newsletter, please let us know.  There is no charge.

FYI - Aetna named in security-breach lawsuit - Hartford health insurer Aetna Inc. is being sued for a data breach that allegedly exposed current, former and prospective employees' personal information to the Web. http://www.hartfordbusiness.com/news9190.html

Webhost denies poor passwords led to catastrophic hack - The director of an internet service provider has denied public allegations that poor password management and server configurations were responsible for an attack that wiped out data for more than 100,000 websites. http://www.theregister.co.uk/2009/06/10/vaserv_follow_up/

FTC releases FAQs on Red Flags Rules - A new frequently-asked-questions document aims to clear up some of the confusion around the Red Flags Rules. http://www.scmagazineus.com/FTC-releases-FAQs-on-Red-Flags-Rules/article/138478/?DCMP=EMC-SCUS_Newswire

Army ends ban on Facebook, Flickr, other social media sites - Certain U.S. Army bases that formerly blocked access to Web 2.0 sites now permit users to surf to sites such as Facebook and Flickr. http://www.scmagazineus.com/Army-ends-ban-on-Facebook-Flickr-other-social-media-sites/article/138392/?DCMP=EMC-SCUS_Newswire

Survey reveals culture of IT admin snooping - IT staff admit to regularly accessing privileged information for personal gain - Over a third of IT staff have used their administration rights to access privileged information about employees, customers and their company for personal reasons, according to a recent survey by Cyber-Ark. http://www.vnunet.com/vnunet/news/2243968/staff-snooping-colleagues

Online banking is booming - Once a niche market, online banking has grown into a widely-used tool for the average consumer. Among 3,988 adults surveyed in the U.S. by Gartner Group, 47 percent said they now bank online. In the U.K, 30 percent echoed the same response. http://news.cnet.com/8301-1035_3-10265409-94.html


T-Mobile confirms hack but doubts crooks have the goods - T-Mobile has confirmed that hackers were able to swipe data from its systems, but the wireless carrier is downplaying the threat to customers. http://www.scmagazineus.com/T-Mobile-confirms-hack-but-doubts-crooks-have-the-goods/article/138211/

Israel suffered massive cyber attack during Gaza offensive - Hackers launched an unprecedented attack on Israel's Internet infrastructure during the January military offensive in the Gaza Strip, and briefly paralyzed government sites, government officials said. http://www.haaretz.com/hasen/spages/1093052.html

52 computers missing from state agency - State auditors released reports Thursday that found several cases of government mismanagement, from lax oversight of a $100,000 education grant to 52 missing computers that may contain sensitive information. http://www.sj-r.com/archive/x986607995/Audit-52-computers-missing-from-state-agency

Return to the top of the newsletter

We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Risk management principles (Part 1 of 2)

Based on the early work of the Electronic Banking Group EBG, the Committee concluded that, while traditional banking risk management principles are applicable to e-banking activities, the complex characteristics of the Internet delivery channel dictate that the application of these principles must be tailored to fit many online banking activities and their attendant risk management challenges. To this end, the Committee believes that it is incumbent upon the Boards of Directors and banks' senior management to take steps to ensure that their institutions have reviewed and modified where necessary their existing risk management policies and processes to cover their current or planned e-banking activities. Further, as the Committee believes that banks should adopt an integrated risk management approach for all banking activities, it is critical that the risk management oversight afforded e-banking activities becomes an integral part of the banking institution's overall risk management framework.

To facilitate these developments, the Committee asked the EBG to identify the key risk management principles that would help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities and, in turn, promote the safe and sound electronic delivery of banking products and services.

These Risk Management Principles for Electronic Banking, which are identified in this Report, are not put forth as absolute requirements or even "best practice" but rather as guidance to promote safe and sound e-banking activities. The Committee believes that setting detailed risk management requirements in the area of e-banking might be counter-productive, if only because these would be likely to become rapidly outdated by the speed of change related to technological and product innovation. Therefore the principles included in the present Report express supervisory expectations related to the overall objective of banking supervision to ensure safety and soundness in the financial system rather than stringent regulations.

The Committee is of the view that such supervisory expectations should be tailored and adapted to the e-banking distribution channel but not be fundamentally different to those applied to banking activities delivered through other distribution channels. Consequently, the principles presented below are largely derived and adapted from supervisory principles that have already been expressed by the Committee or national supervisors over a number of years. In some areas, such as the management of outsourcing relationships, security controls and legal and reputational risk management, the characteristics and implications of the Internet distribution channel introduce a need for more detailed principles than those expressed to date.

Return to the top of the newsletter
We continue our series on the FFIEC interagency Information Security Booklet.  


Frequently TSPs or user groups will contract with an accounting firm to report on security using Statement on Auditing Standards 70 (SAS 70), an auditing standard developed by the American Institute of Certified Public Accountants. SAS 70 focuses on controls and control objectives. It allows for two types of reports. A SAS 70 Type I report gives the service provider's description of controls at a specific point in time, and an auditor's report. The auditor's report will provide an opinion on whether the control description fairly presents the relevant aspects of the controls, and whether the controls were suitably designed for their purpose.

A SAS 70 Type II report expands upon a Type I report by addressing whether the controls were functioning. It provides a description of the auditor's tests of the controls. It also provides an expanded auditor's report that addresses whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the specified period.

Financial institutions should carefully evaluate the scope and findings of any SAS 70 report. The report may be based on different security requirements than those established by the institution. It may not provide a thorough test of security controls unless requested by the TSP or augmented with additional coverage. Additionally, the report may not address the effectiveness of the security process in continually mitigating changing risks.  Therefore, financial institutions may require additional reports to oversee the security program of the service provider.

Return to the top of the newsletter


5. Evaluate the procedure for granting temporary access to personnel during the implementation of contingency plans.

!  Evaluate the extent to which back-up personnel have been assigned different tasks when contingency planning scenarios are in effect and the need for different levels of systems, operational, data and facilities access.
!  Review the assignment of authentication and authorization credentials to see if they are based upon primary job responsibilities or if they also include contingency planning responsibilities. (If an employee is permanently assigned access credential to fill in for another employee who is on vacation or out the office, this assignment would be a primary job responsibility.)

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

12. Does the institution make the following disclosures regarding service providers and joint marketers to whom it discloses nonpublic personal information under 13:

a. as applicable, the same categories and examples of nonpublic personal information disclosed as described in paragraphs (a)(2) and (c)(2) of section six (6) (see questions 8b and 10); and [6(c)(4)(i)]

b. that the third party is a service provider that performs marketing on the institution's behalf or on behalf of the institution and another financial institution; [6(c)(4)(ii)(A)] or

c. that the third party is a financial institution with which the institution has a joint marketing agreement? [6(c)(4)(ii)(B)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated