Does Your Financial Institution need an
affordable Internet security audit?
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable-sophisticated process than goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT security as
required by the FFIEC's "Interagency Guidelines Establishing
Information Security Standards."
information and to subscribe visit
REMINDER - The ISACA Information Security and
Risk Management Conference is being held September 13-15, 2010
in Las Vegas, Nevada. This is a great conference that I highly
recommend. For more information and to register, please go to
I will the there and look forward to meeting you.
Second Student Sues School District Over Webcam Spying - A webcam
scandal at a suburban Philadelphia school district expanded Tuesday
to include a second student alleging his school-issued laptop
secretly snapped images of him.
Massive check-fraud botnet operation tied to Russia - Check fraud is
an old-fashioned kind of crime, but a criminal ring with ties to
Russia is using modern cybercrime techniques, including botnets,
online databases of financial information and check imaging
archives, to run a highly automated, multi-million-dollar
Black Hat 2010: Researcher Jack uses design, authentication flaws to
force ATMs to spit out cash - Vulnerabilities & Flaws Making a dream
come true for anyone who ever has seen their chips evaporate at a
Las Vegas casino, a security researcher on Wednesday forced two ATMs
to spit out bundles of cash thanks to security weaknesses in the
U.S. military launches review of IT security after Wikileaks breach
- Defense chief Gates said changes already underway in war zones,
where security is loosened to get data to soldiers more quickly -
Defense Secretary Robert Gates Thursday announced that U.S.
information security practices will be reviewed following the leak
of tens of thousands of classified war documents that were published
by WikiLeaks earlier this week.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Data breaches blamed on organised crime - Hackers feast on financial
sector security mistakes - Cybercrooks continue to be a menace to
corporate security, with hackers and malware authors collectibly
responsible for 85 per cent of all stolen data.
New Zealand pizza lovers suffer information theft - Breach reveals
personal information and topping preferences - Some 230,000 New
Zealanders have been told that their personally identifiable
information may have fallen into the hands of hackers who apparently
compromised the network of a locally famous food chain.
Sensitive thumb drive missing from New Jersey hospital - A thumb
drive containing the personal data of current and former graduate
medical education residents and fellows at Cooper University
Hospital in Camden, N.J. has gone missing.
Texas Firm Blames Bank for $50,000 Cyber Heist - A business
telephone equipment company in Texas is trying to force its bank to
settle a liability claim over an attack by organized cyber thieves
last year that cost the company $50,000.
Police bust e-crime gang for online bank thefts - UK and Irish
police have today swooped on an international e-crime gang accused
of attempting to steal money from up to 20,000 online bank accounts
and credit cards in the countries.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
This week continues our
series on the FDIC's Supervisory Policy on Identity Theft.
2 of 6)
Characteristics of Identity Theft
At this time, the majority of identity theft is committed using
hard-copy identification or other documents obtained from the victim
without his or her permission. A smaller, but significant, amount of
identity theft is committed electronically via phishing, spyware,
hacking and computer viruses. Financial institutions are among the
most frequent targets of identity thieves since they store sensitive
information about their customers and hold customer funds in
accounts that can be accessed remotely and transferred
Identity theft may harm consumers in several ways. First, an
identity thief may gain access to existing accounts maintained by
consumers and either transfer funds out of deposit accounts or incur
charges to credit card accounts. Identity thieves may also open new
accounts in the consumer's name, incur expenses, and then fail to
pay. This is likely to prompt creditors to attempt to collect
payment from the consumer for debts the consumer did not incur. In
addition, inaccurate adverse information about the consumer's
payment history may prevent the consumer from obtaining legitimate
credit when he or she needs it. An identity theft victim can spend
months or years attempting to correct errors in his or her credit
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our review
of the FDIC paper "Risk Assessment Tools and Practices or
Information System Security."
A thorough and proactive risk assessment is the first step in
establishing a sound security program. This is the ongoing process
of evaluating threats and vulnerabilities, and establishing an
appropriate risk management program to mitigate potential monetary
losses and harm to an institution's reputation. Threats have the
potential to harm an institution, while vulnerabilities are
weaknesses that can be exploited.
The extent of the information security program should be
commensurate with the degree of risk associated with the
institution's systems, networks, and information assets. For
example, compared to an information-only Web site, institutions
offering transactional Internet banking activities are exposed to
greater risks. Further, real-time funds transfers generally pose
greater risks than delayed or batch-processed transactions because
the items are processed immediately. The extent to which an
institution contracts with third-party vendors will also affect the
nature of the risk assessment program.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Reuse & Redisclosure of nonpublic
personal information received from a nonaffiliated financial
institution under Sections 14 and/or 15.
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure and reuse of
the information where the institution is the recipient of nonpublic
personal information (§11(a)).
B. Select a sample of data received from nonaffiliated financial
institutions, to evaluate the financial institution's compliance
with reuse and redisclosure limitations.
1. Verify that the institution's redisclosure of the information
was only to affiliates of the financial institution from which the
information was obtained or to the institution's own affiliates,
except as otherwise allowed in the step b below (§11(a)(1)(i) and
2. Verify that the institution only uses and shares the data
pursuant to an exception in Sections 14 and 15 (§11(a)(1)(iii)).