R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

August 5, 2012

CONTENT Internet Compliance Web Site Audits
IT Security
Internet Privacy
Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

Community Bank Technology Conference - If you have nothing on your plate, plan to attend the Independent Community Bankers of America’s Community Bank Technology Conference, September 12-14, 2012 in Las Vegas. I will be speaking Thursday on auditing community banks. For more information please visit http://www.icba.org/events/eventdetail.cfm?EventID=199421

FYI - Hackers Linked to China’s Army Seen From EU to D.C. - And the spies were themselves being watched. Working together in secret, some 30 North American private security researchers were tracking one of the biggest and busiest hacking groups in China. http://www.bloomberg.com/news/2012-07-26/china-hackers-hit-eu-point-man-and-d-c-with-byzantine-candor.html

FYI - Air Traffic Controllers Pick the Wrong Week to Quit Using Radar - It’s a Twilight Zone episode waiting to happen. A commercial pilot at 30,000 feet gets sudden instructions from air traffic control on the ground that another plane is headed his way. http://www.wired.com/threatlevel/2012/07/adsb-spoofing/

FYI - UK.gov warned: Halt exports of spyware to brutal regimes - The grubby practice of allowing UK-stamped surveillance tech to be shipped to brutal regimes could land the British government in court to answer allegations of aiding human rights breaches. http://www.theregister.co.uk/2012/07/24/privacy_international_legal_action/

FYI - GAO - Privacy: Federal Law Should Be Updated to Address Changing Technology Landscape. http://www.gao.gov/products/GAO-12-961T

FYI - Two men sentenced in Michaels breach after looting ATMs - Two men each have been sentenced to 36 months in prison for withdrawing tens of thousands of dollars from ATMs with credit card information that was stolen from craft-store retail chain Michaels Stores. http://www.scmagazine.com/two-men-sentenced-in-michaels-breach-after-looting-atms/article/252538/?DCMP=EMC-SCUS_Newswire

FYI - NIST Updates Computer Security Guides - Guidelines focus on wireless security and protecting mobile devices from intrusion. The National Institute of Standards and Technology has released updated guidance on how federal agencies and businesses can deal with network attacks and malware. http://www.informationweek.com/news/government/security/240004585

FYI - Singapore selected as CSA’s corporate headquarters - The Cloud Security Alliance (CSA) is establishing its corporate headquarters in Singapore, under an effort led by the Infocomm Development Authority of Singapore (IDA), Singapore Economic Development Board (EDB), and Trend Micro. http://www.computerworld.com.sg/resource/cloud-computing/singapore-selected-as-csas-corporate-headquarters/


FYI - Global Payments says breach will cost $85 million - The Atlanta-based company revealed in March that its systems were raided of no more than 1.5 million credit and debit card numbers. http://www.scmagazine.com/global-payments-says-breach-will-cost-85-million/article/252144/?DCMP=EMC-SCUS_Newswire

FYI - Netflix punters told of privacy change, get 3 months to object - Accept, and you opt in to class-action settlement - Netflix is alerting customers to changes in its privacy policy under a proposed legal settlement that would put an end to a class action suit launched against the company last year. http://www.theregister.co.uk/2012/07/30/netflix_data_privacy/

FYI - Data breach to cost $84M for Global Payments - After a security breach that took place months ago, Global Payments is now left with a hefty surcharge. Hoping to reassure customers and analysts as soon as possible, Global Payments has released a detailed statement about the data breach that it incurred months ago. http://www.zdnet.com/data-breach-to-cost-84m-for-global-payments-7000001674/

FYI - Computer with patient data stolen from NYC hospital - A desktop computer storing personal health information was stolen from NYU Langone Medical Center. http://www.scmagazine.com/computer-with-patient-data-stolen-from-nyc-hosptial/article/252618/?DCMP=EMC-SCUS_Newswire

FYI - Unencrypted EMC laptop stolen containing patient data - An unencrypted laptop containing the personal data of roughly 10,000 medical patients in Connecticut was stolen from a hospital vendor employee's home. http://www.scmagazine.com/unencrypted-emc-laptop-stolen-containing-patient-data/article/253026/?DCMP=EMC-SCUS_Newswire

FYI - EPA security breach exposes 8,000 people’s personal information - The Environmental Protection Agency has experienced a computer security breach exposing personal information - such as Social Security numbers and banking info - of nearly 8,000 people, mostly current employees. http://www.bizjournals.com/kansascity/blog/2012/08/epa-security-breach-exposes-8000.html

Return to the top of the newsletter

We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Principle 11: Banks should develop appropriate incident response plans to manage, contain and minimize problems arising from unexpected events, including internal and external attacks, that may hamper the provision of e-banking systems and services.

Effective incident response mechanisms are critical to minimize operational, legal and reputational risks arising from unexpected events such as internal and external attacks that The current and future capacity of critical e-banking delivery systems should be assessed on an ongoing basis may affect the provision of e-banking systems and services. Banks should develop appropriate incident response plans, including communication strategies, that ensure business continuity, control reputation risk and limit liability associated with disruptions in their e-banking services, including those originating from outsourced systems and operations.

To ensure effective response to unforeseen incidents, banks should develop: 

1)  Incident response plans to address recovery of e-banking systems and services under various scenarios, businesses and geographic locations. Scenario analysis should include consideration of the likelihood of the risk occurring and its impact on the bank. E-banking systems that are outsourced to third-party service providers should be an integral part of these plans.

2)  Mechanisms to identify an incident or crisis as soon as it occurs, assess its materiality, and control the reputation risk associated with any disruption in service.

3)  A communication strategy to adequately address external market and media concerns that may arise in the event of security breaches, online attacks and/or failures of e-banking systems.

4)  A clear process for alerting the appropriate regulatory authorities in the event of material security breaches or disruptive incidents occur.

5)  Incident response teams with the authority to act in an emergency and sufficiently trained in analyzing incident detection/response systems and interpreting the significance of related output.

6)  A clear chain of command, encompassing both internal as well as outsourced operations, to ensure that prompt action is taken appropriate for the significance of the incident. In addition, escalation and internal communication procedures should be developed and include notification of the Board where appropriate.

7)  A process to ensure all relevant external parties, including bank customers, counterparties and the media, are informed in a timely and appropriate manner of material e-banking disruptions and business resumption developments.

8)  A process for collecting and preserving forensic evidence to facilitate appropriate post-mortem reviews of any e-banking incidents as well as to assist in the prosecution of attackers.

Return to the top of the newsletter
We continue our series on the FFIEC interagency Information Security Booklet.


Testing Risks to Data Integrity, Confidentiality, and Availability. Management is responsible for carefully controlling information security tests to limit the risks to data integrity, confidentiality, and system availability. Because testing may uncover nonpublic customer information, appropriate safeguards to protect the information must be in place. Contracts with third parties to provide testing services should require that the third parties implement appropriate measures to meet the objectives of section 501(b) of the GLBA. Management also is responsible for ensuring that employee and contract personnel who perform the tests or have access to the test results have passed appropriate background checks, and that contract personnel are appropriately bonded. Because certain tests may pose more risk to system availability than other tests, management is responsible for considering whether to require the personnel performing those tests to maintain logs of their testing actions. Those logs can be helpful should the systems react in an unexpected manner.

Confidentiality of Test Plans and Data. Since knowledge of test planning and results may facilitate a security breach, institutions should carefully limit the distribution of their testing information. Management is responsible for clearly identifying the individuals responsible for protecting the data and provide guidance for that protection, while making the results available in a useable form to those who are responsible for following up on the tests. Management also should consider requiring contractors to sign nondisclosure agreements and to return to the institution information they obtained in their testing.

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

28. Does the institution refrain from requiring all joint consumers to opt out before implementing any opt out direction with respect to the joint account? [§7(d)(4)]

29. Does the institution comply with a consumer's direction to opt out as soon as is reasonably practicable after receiving it? [§7(e)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated