R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

July 7, 2013

Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for Android smartphones and tablets. Go to the Market Store and search for yennik.

FYI - What's wrong with cybersecurity training? - Are we training our cybersecurity professionals in all the wrong ways? Agencies have been ramping up efforts in training, education, recruiting and hiring, and still the government faces a shortage of skilled cyber professionals. http://fcw.com/articles/2013/06/26/cybersecurity-training.aspx

FYI - Why business is losing the war against cybercrime - New State of Cybercrime survey finds lack of risk awareness means poor defenses in the enterprise - The good guys are losing the cybercrime war. One major reason is that they don't understand their enemies, and therefore are not fighting back effectively. http://www.csoonline.com/article/735511/why-business-is-losing-the-war-against-cybercrime?source=CSONLE_nlt_update_2013-06-27

FYI - Defense Department building its own secure 4G network - The department hopes new network will improve collaboration among separate branches of the military, the chairman of the Joint Chiefs of Staff says. http://news.cnet.com/8301-1009_3-57591445-83/defense-department-building-its-own-secure-4g-network/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Chinese malware attack affected dozens of South Korean organizations, researchers say - Over 1,000 computers were recently infected with a piece of malware used by Chinese-speaking hackers, researchers from Seculert said. http://www.computerworld.com/s/article/9240376/Chinese_malware_attack_affected_dozens_of_South_Korean_organizations_researchers_say?taxonomyId=17

FYI - South Korea govt site hacking sees massive data breach - Summary: Presidential office says personal information of approximately 100,000 people was leaked in last week's attack on its Web site, but user passwords and identification numbers were not stolen. http://www.zdnet.com/south-korea-govt-site-hacking-sees-massive-data-breach-7000017507/

FYI - Opera code-signing certificate abused in failed breach - Summary: Opera has managed to detect and stop an attack on its internal systems, but not before potentially a few thousand Windows users were put in harm's way. http://www.zdnet.com/opera-code-signing-certificate-abused-in-failed-breach-7000017361/

FYI - Detective's stolen laptop risks data of 2,300 in Washington state - An unencrypted laptop was stolen from a Washington state detective's vehicle, exposing the data of thousands of people, including crime victims, witnesses, suspects and police. http://www.scmagazine.com/detectives-stolen-laptop-risks-data-of-2300-in-washington-state/article/300965/?DCMP=EMC-SCUS_Newswire

FYI - More than 6K personal records compromised in university breach - The personal information of thousands of students at the University of South Carolina (USC) in Columbus is at risk after a laptop was stolen from the school. http://www.scmagazine.com/more-than-6k-personal-records-compromised-in-university-breach/article/301368/?DCMP=EMC-SCUS_Newswire

FYI - Document management error exposes data on 187,500 Indiana residents - A contractor serving the Indiana Family and Social Services Administration (FSSA) committed a programming error, which led to private documents being sent to the wrong people. http://www.scmagazine.com/document-management-error-exposes-data-on-187500-indiana-residents/article/301367/?DCMP=EMC-SCUS_Newswire

FYI - Lost thumb drive leads to compromised patient data - A lost thumb drive containing thousands of patient records went missing from a Nebraska doctor's office. http://www.scmagazine.com/lost-thumb-drive-leads-to-compromised-patient-data/article/301571/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE
We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 3 of 10)

A. RISK DISCUSSION

Reputation Risk


Customers may be confused about whether the financial institution or a third party is supplying the product, service, or other website content available through the link. The risk of customer confusion can be affected by a number of factors:

  • nature of the third-party product or service;
  • trade name of the third party; and
  • website appearance.

Nature of Product or Service

When a financial institution provides links to third parties that sell financial products or services, or provide information relevant to these financial products and services, the risk is generally greater than if third parties sell non-financial products and services due to the greater potential for customer confusion. For example, a link from a financial institution's website to a mortgage bank may expose the financial institution to greater reputation risk than a link from the financial institution to an online clothing store.

The risk of customer confusion with respect to links to firms selling financial products is greater for two reasons. First, customers are more likely to assume that the linking financial institution is providing or endorsing financial products rather than non-financial products. Second, products and services from certain financial institutions often have special regulatory features and protections, such as federal deposit insurance for qualifying deposits. Customers may assume that these features and protections also apply to products that are acquired through links to third-party providers, particularly when the products are financial in nature.

When a financial institution links to a third party that is providing financial products or services, management should consider taking extra precautions to prevent customer confusion. For example, a financial institution linked to a third party that offers nondeposit investment products should take steps to prevent customer confusion specifically with respect to whether the institution or the third party is offering the products and services and whether the products and services are federally insured or guaranteed by the financial institution.

Financial institutions should recognize, even in the case of non-financial products and services, that customers may have expectations about an institution's due diligence and its selection of third parties to which the financial institution links its website. Should customers experience dissatisfaction as a result of poor quality products or services, or loss as a result of their transactions with those companies, they may consider the financial institution responsible for the perceived deficiencies of the seller.

INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.

INFORMATION SECURITY RISK ASSESSMENT


KEY STEPS

Common elements of risk assessment approaches involve three phases: information gathering, analysis, and prioritizing responses. Vendor concerns add additional elements to the process.

INFORMATION GATHERING

Identifying and understanding risk requires the analysis of a wide range of information relevant to the particular institution's risk environment. Once gathered, the information can be catalogued to facilitate later analysis. Information gathering generally includes the following actions:

1)  Obtaining listings of information system assets (e.g., data, software, and hardware). Inventories on a device-by-device basis can be helpful in risk assessment as well as risk mitigation. Inventories should consider whether data resides in house or at a TSP.

2)  Determining threats to those assets, resulting from people with malicious intent, employees and others who accidentally cause damage, and environmental problems that are outside the control of the organization (e.g., natural disasters, failures of interdependent infrastructures such as power, telecommunications, etc.).

3)  Identifying organizational vulnerabilities (e.g., weak senior management support, ineffective training, inadequate expertise or resource allocation, and inadequate policies, standards, or procedures).

4)  Identifying technical vulnerabilities (e.g., vulnerabilities in hardware and software, configurations of hosts, networks, workstations, and remote access).

5)  Documenting current controls and security processes, including both information technology and physical security.

6)  Identifying security requirements and considerations (e.g., GLBA).

7)  Maintaining the risk assessment process requires institutions to review and update their risk assessment at least once a year, or more frequently in response to material changes in any of the six actions above.



INTERNET PRIVACY
We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.


Initial Privacy Notice

1)  Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all customers not later than when the customer relationship is established, other than as allowed in paragraph (e) of section four (4) of the regulation? [§4(a)(1)]

(Note: no notice is required if nonpublic personal information is disclosed to nonaffiliated third parties only under an exception in Sections 14 and 15, and there is no customer relationship. [§4(b)] With respect to credit relationships, an institution establishes a customer relationship when it originates a consumer loan. If the institution subsequently sells the servicing rights to the loan to another financial institution, the customer relationship transfers with the servicing rights. [§4(c)])


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
