R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

July 5, 2009

Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - The brochure for the Information Security and Risk Management Conference being held 28-30 September 2009 in Las Vegas, Nevada came out this week. This is a great conference that I highly recommend. For more information and to register, please go to http://www.isaca.org/isrmc.

Criminal network to trade botnets and malware uncovered - Researchers at a web security firm have discovered what they term the latest milestone in the evolving cybercriminal underground: a one-stop-shop for hackers. http://www.scmagazineus.com/Criminal-network-to-trade-botnets-and-malware-uncovered/article/138675/

Security expert wants feds to recruit volunteer pen testers - One white-hat security researcher wants to legalize the hacking of federal government and military websites. But before you call for Jeremiah Grossman, CTO and founder of application security firm WhiteHat Security, to stand trial for treason, there's one caveat: These hackers have to report any vulnerabilities they find and promise not to break or steal anything. http://www.scmagazineus.com/Security-expert-wants-feds-to-recruit-volunteer-pen-testers/article/138752/?DCMP=EMC-SCUS_Newswire

Nevada Mandates PCI Standard - Nevada has recently passed a law mandating PCI compliance for companies accepting payment cards that do business in the state. It is scheduled to go into effect on January 1st, 2010. http://www.boazgelbord.com/2009/06/nevada-mandates-pci-standard.html

Appeal to constitutional court over 'hacker clauses' inadmissible - The German Federal Constitutional Court has ruled that legislation criminalising the use of hacking software, which has now been in force for two years, is compatible with the German constitution. http://www.h-online.com/security/Appeal-to-constitutional-court-over-hacker-clauses-inadmissible--/news/113571

Heartland CEO commended for data breach response - Heartland Payment Systems Inc. CEO Robert Carr is getting high marks from some analysts for his response so far to a massive data breach discovered at the credit- and debit-card payment processor early this year. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=340371

TJX settles over breach with 41 states for $9.75 million - In a move to close the door on the largest reported retail data breach in history, TJX announced Tuesday that it has settled with 41 states who were probing the discount merchant's data security practices. http://www.scmagazineus.com/TJX-settles-over-breach-with-41-states-for-975-million/article/138930/?DCMP=EMC-SCUS_Newswire

CISOs worried about insiders, data breaches - Eighty percent of CISOs believe their company's own employees and contractors are the greatest threat to company data, according to a new study conducted by security vendor NetWitness and audit-and-information-security training company MIS Training Institute. http://www.scmagazineus.com/Survey-CISOs-worried-about-insiders-data-breaches/article/138885/?DCMP=EMC-SCUS_Newswire


75,000 customers' bank details on stolen Bord Gais laptop - Just days after 15 laptops went missing from Health Service Executive (HSE) offices in Co Roscommon, it has now emerged that details of 75,000 Bord Gáis customers were contained on one of four laptops stolen a fortnight ago from the offices of Bord Gáis. http://www.siliconrepublic.com/news/article/13218/cio/75-000-customers-bank-details-on-stolen-bord-gais-laptop


We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Risk management principles (Part 2 of 2)

The Committee recognizes that banks will need to develop risk management processes appropriate for their individual risk profile, operational structure and corporate governance culture, as well as in conformance with the specific risk management requirements and policies set forth by the bank supervisors in their particular jurisdiction(s). Further, the numerous e-banking risk management practices identified in this Report, while representative of current industry sound practice, should not be considered to be all-inclusive or definitive, since many security controls and other risk management techniques continue to evolve rapidly to keep pace with new technologies and business applications.

This Report does not attempt to dictate specific technical solutions to address particular risks or set technical standards relating to e-banking. Technical issues will need to be addressed on an on-going basis by both banking institutions and various standards-setting bodies as technology evolves. Further, as the industry continues to address e-banking technical issues, including security challenges, a variety of innovative and cost efficient risk management solutions are likely to emerge. These solutions are also likely to address issues related to the fact that banks differ in size, complexity and risk management culture and that jurisdictions differ in their legal and regulatory frameworks.

For these reasons, the Committee does not believe that a "one size fits all" approach to e-banking risk management is appropriate, and it encourages the exchange of good practices and standards to address the additional risk dimensions posed by the e-banking delivery channel. In keeping with this supervisory philosophy, the risk management principles and sound practices identified in this Report are expected to be used as tools by national supervisors and implemented with adaptations to reflect specific national requirements where necessary, to help promote safe and secure e-banking activities and operations.

The Committee recognizes that each bank's risk profile is different and requires a risk mitigation approach appropriate for the scale of the e-banking operations, the materiality of the risks present, and the willingness and ability of the institution to manage these risks. These differences imply that the risk management principles presented in this Report are intended to be flexible enough to be implemented by all relevant institutions across jurisdictions. National supervisors will assess the materiality of the risks related to e-banking activities present at a given bank and whether, and to what extent, the risk management principles for e-banking have been adequately met by the bank's risk management framework.

We continue our series on the FFIEC interagency Information Security Booklet.  


A maxim of security is "prevention is ideal, but detection is a must." Security systems must both restrict access and protect against the failure of those access restrictions. When those systems fail, however, an intrusion occurs and the only remaining protection is a detection-and-response capability. The earlier an intrusion is detected, the greater the institution's ability to mitigate the risk posed by the intrusion. Financial institutions should have a capability to detect and react to an intrusion into their information systems.


Preparation for intrusion detection generally involves identifying data flows to monitor for clues to an intrusion, deciding on the scope and nature of monitoring, implementing that monitoring, and establishing a process to analyze and maintain custody over the resulting information. Additionally, legal requirements may include notifications of users regarding the monitoring and the extent to which monitoring must be performed as an ordinary part of ongoing operations.

Adequate preparation is a key prerequisite to detection. The best intrusion detection systems will not identify an intrusion if they are not located to collect the relevant data, do not analyze correct data, or are not configured properly. Even if they detect an intrusion, the information gathered may not be usable by law enforcement if proper notification of monitoring and preservation of data integrity has not taken place.



1. Identify controls used to detect and respond to unauthorized activities.

- Review the schematic of the information technology systems for common intrusion detection systems.
- Review security procedures for daily and periodic report monitoring to identify unauthorized or unusual activities.
- Identify IT architectural design and intrusion detection systems that increase management's confidence that security is maintained (e.g., through the use of routers, host-based security, data segregation and information flows).
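The two FFIEC points above, monitoring reports for unusual activity and maintaining custody over the resulting information with its integrity preserved, can be shown together in a small worked example. This is an added illustration, not code from the FFIEC booklet or from Yennik; the log lines are constructed for the example, and the OpenSSH-style "Failed password" / "Accepted password" line format the parser expects is an assumption. The detection rule flags any source address with a burst of failed logins and notes whether a successful login followed from the same source, and the evidence lines are then hash-chained so that any later edit, insertion or deletion can be proven.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample log lines (not from the page). The syslog/OpenSSH
# format is assumed for illustration.
SAMPLE_LOG = """\
Jul 05 01:12:03 ibank sshd[4101]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Jul 05 01:12:05 ibank sshd[4101]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Jul 05 01:12:06 ibank sshd[4101]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jul 05 01:12:08 ibank sshd[4101]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Jul 05 01:12:09 ibank sshd[4101]: Failed password for guest from 203.0.113.7 port 51026 ssh2
Jul 05 01:12:11 ibank sshd[4101]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
Jul 05 01:30:44 ibank sshd[4188]: Failed password for jsmith from 198.51.100.9 port 40011 ssh2
Jul 05 01:31:02 ibank sshd[4188]: Accepted password for jsmith from 198.51.100.9 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def find_suspicious_sources(log_text, threshold=4):
    """Return {src: (failure_count, users_tried, success_after_burst)} for
    every source whose failed logins reach the threshold.  A success from the
    same source after the burst is the case that must be escalated, since the
    guessing may have worked."""
    failures = defaultdict(int)
    users = defaultdict(set)
    success_after = defaultdict(bool)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a real monitor would count these too
        src = m.group("src")
        if m.group("result") == "Failed":
            failures[src] += 1
            users[src].add(m.group("user"))
        elif failures[src] >= threshold:
            success_after[src] = True
    return {
        src: (n, sorted(users[src]), success_after[src])
        for src, n in failures.items()
        if n >= threshold
    }


def chain_records(lines):
    """Hash-chain the evidence: each SHA-256 digest covers the previous digest
    and the current line, so editing, inserting or deleting any line changes
    every digest after it.  The returned manifest is what you store separately
    (write-once media, a different system) to preserve integrity."""
    prev = b"\x00" * 32
    manifest = []
    for line in lines:
        digest = hashlib.sha256(prev + line.encode("utf-8")).digest()
        manifest.append(digest.hex())
        prev = digest
    return manifest


def verify_chain(lines, manifest):
    """True only if the lines reproduce the stored manifest exactly."""
    return len(lines) == len(manifest) and chain_records(lines) == manifest


if __name__ == "__main__":
    for src, (count, tried, success) in find_suspicious_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} failures against {tried}, success afterwards: {success}")
    evidence = SAMPLE_LOG.splitlines()
    manifest = chain_records(evidence)
    print("chain intact:", verify_chain(evidence, manifest))
```

The threshold and the single-window rule are deliberately simple; a production monitor would bound the burst in time and would also alert on log lines it cannot parse, since a parser that silently drops records is one of the "not analyzing the correct data" failures the booklet warns about.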


We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

13. If the institution does not disclose nonpublic personal information, and does not reserve the right to do so, other than under exceptions in §14 and §15, does the institution provide a simplified privacy notice that contains at a minimum: 

a. a statement to this effect;

b. the categories of nonpublic personal information it collects;

c. the policies and practices the institution uses to protect the confidentiality and security of nonpublic personal information; and

d. a general statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law? [§6(c)(5)]

(Note: use of this type of simplified notice is optional; an institution may always use a full notice.)


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated