Does Your Financial Institution need an
affordable Internet security audit?
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable-sophisticated process than goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
Are you ready for your IT examination?
The Weekly IT Security Review
provides a checklist of the IT security issues covered in the
FFIEC IT Examination Handbook, which will prepare you for the IT
information and to subscribe visit
FYI - The
Federal Reserve Board announced posting rules for a new same-day
automated clearing house service. - The Federal Reserve Banks will
be offering an opt-in, same-day settlement service for certain ACH
debit payments through the FedACH service effective August 2, 2010.
FedACH customers may opt-in to this service by completing a
participation agreement. The service will be limited to transactions
arising from consumer checks converted to ACH and consumer debit
transfers initiated over the Internet and phone.
Security budgets stable or increasing at financial firms - Despite
the Great Recession, information security budgets at financial
institutions generally are staying stable, many even have increased,
according to a study.
Supreme Court ruling lets employers view worker text messages with
reason - Overturns earlier rulings that search violated fourth
amendment rights of California police officer - The U.S. Supreme
Court today ruled that employers have the right to search through
text messages, including personal ones, sent by workers if they have
reason to believe that workplace rules are being violated.
New fraud service serves as repository for stolen data - Microsoft
has joined forces with the National Cyber Forensics Training
Alliance (NCFTA) to launch a portal designed to immediately alert
companies if credentials or credit card numbers belonging to their
customers have been discovered online.
Wanted: Young cyberexperts to defend Internet - Nationwide campaigns
to steer youthful techies into careers defending the Internet are
Senior leaders becoming disconnected from security - The boards and
senior executives at many organizations are not adequately involved
in enterprise privacy and security decisions, according to a report
released by researchers at Carnegie Mellon University's CyLab.
World Cup Security Uses Physics To Thwart Hackers - South African
physicists working to protect data networks at the World Cup hope to
provide something that no goalkeeper can promise: perfect defense.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Eastern European banks under attack by next-gen crime app -
BlackEnergy 2's one-two punch - Banks in Russia and Ukraine are
under continued siege by criminal gangs wielding a sophisticated,
next-generation exploitation kit that hacks the financial
institutions' authentication system and then hits it with a
Google's Wi-Fi snoop nabbed passwords and emails - The Wi-Fi traffic
collected by Google's world-roving Street View cars included
passwords and email, according to a report citing a preliminary
study from the French data protection authority.
Beach schools report computer security breach - A student gained
access to a computer file last month containing names, addresses and
Social Security numbers of about 16,000 students attending 22 Beach
schools, administrators said.
SMBs, individuals being targeted by telephone DoS - If your phone
starts ringing of the hook, there is a chance cybercriminals are
draining your bank or online trading account at the exact same
moment, the FBI warned.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 6 of 10)
B. RISK MANAGEMENT TECHNIQUES
Planning Weblinking Relationships
A financial institution should conduct sufficient due diligence
to determine whether it wishes to be associated with the quality of
products, services, and overall content provided by third-party
sites. A financial institution should consider more product-focused
due diligence if the third parties are providing financial products,
services, or other financial website content. In this case,
customers may be more likely to assume the institution reviewed and
approved such products and services. In addition to reviewing the
linked third-party's financial statements and its customer service
performance levels, a financial institution should consider a review
of the privacy and security policies and procedures of the third
party. Also, the financial institution should consider the
character of the linked party by considering its past compliance
with laws and regulations and whether the linked advertisements
might by viewed as deceptive advertising in violation of Section 5
of the Federal Trade Commission Act.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review
Suspicious Activity Reporting.
National banks are required to report intrusions and other computer
crimes to the OCC and law enforcement by filing a Suspicious
Activity Report (SAR) form and submitting it to the Financial Crimes
Enforcement Network (FinCEN), in accordance with 12 USC 21.11. This
reporting obligation exists regardless of whether the institution
has reported the intrusion to the information-sharing organizations
discussed below. For purposes of the regulation and the SAR form
instructions, an "intrusion" is defined as gaining access to the
computer system of a financial institution to remove, steal, procure
or otherwise affect information or funds of the institution or
customers. It also includes actions that damage, disable, or
otherwise affect critical systems of the institution. For example,
distributed denial of service attaches (DDoS) attacks should be
reported on a SAR because they may temporarily disable critical
systems of financial institutions.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 1 of 3)
Note: Financial institutions whose practices fall within this
category engage in the most expansive degree of information sharing
permissible. Consequently, these institutions are held to the most
comprehensive compliance standards imposed by the Privacy
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with nonaffiliated
third parties and obtain a sample of data shared between the
institution and the third party both inside and outside of the
exceptions. The sample should include a cross-section of
relationships but should emphasize those that are higher risk in
nature as determined by the initial procedures. Perform the
following comparisons to evaluate the financial institution's
compliance with disclosure limitations.
a. Compare the categories of data shared and with whom the data
were shared to those stated in the privacy notice and verify that
what the institution tells consumers (customers and those who are
not customers) in its notices about its policies and practices in
this regard and what the institution actually does are consistent
b. Compare the data shared to a sample of opt out directions and
verify that only nonpublic personal information covered under the
exceptions or from consumers (customers and those who are not
customers) who chose not to opt out is shared (§10).
2) If the financial institution also shares information under
Section 13, obtain and review contracts with nonaffiliated third
parties that perform services for the financial institution not
covered by the exceptions in section 14 or 15. Determine whether the
contracts prohibit the third party from disclosing or using the
information other than to carry out the purposes for which the
information was disclosed. Note that the "grandfather" provisions of
Section 18 apply to certain of these contracts (§13(a)).