R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 2, 2012

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act Section 501(b).  The penetration audit and Internet security testing is an affordable yet sophisticated process that goes far beyond the simple scanning of ports.  The audit is conducted from a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for Android smartphones and tablets.  Go to the Market Store and search for yennik.

Community Bank Technology Conference - If you have nothing on your plate, plan to attend the Independent Community Bankers of America’s Community Bank Technology Conference, September 12-14, 2012 in Las Vegas. I will be speaking Thursday on auditing community banks.  For more information please visit http://www.icba.org/events/eventdetail.cfm?EventID=199421

FYI - US boardrooms wake up to data security - But work still needs to be done by businesses to be fully protected - corporate America says data security is now the main concern in the boardroom when it comes to legal considerations. http://www.computerworlduk.com/news/it-business/3376626/us-boardrooms-wake-up-data-security/

FYI - California approves Location Privacy Act: 'Get a warrant' - Summary: A new privacy bill, forcing police and law enforcement to obtain a warrant before gathering cellphone GPS or location data, has been passed by California state legislators. http://www.zdnet.com/california-approves-location-privacy-act-get-a-warrant-7000003050/

FYI - GAO Questions EPA's Ability to Secure Data - Audit: Security Control Weaknesses Pervade IT Systems - Security control weaknesses pervade the information systems of the Environmental Protection Agency, jeopardizing the agency's ability to sufficiently protect the confidentiality, integrity and availability of its information and systems, the Government Accountability Office said in an audit made public Aug. 21. http://www.govinfosecurity.com/gao-questions-epas-ability-to-secure-data-a-5051

FYI - Siemens 'flaw' claim sparks US power plant security probe - The US government is investigating claims that a flaw in Siemens' networking equipment could enable hackers to attack power plants and other critical systems. http://www.bbc.com/news/technology-19343131

FYI - Researchers consider threat of car hacking - McAfee's year-old team of elite hackers has been researching a place many people wouldn't think is vulnerable to attack - the automobile. http://www.scmagazine.com/researchers-consider-threat-of-car-hacking/article/255698/?DCMP=EMC-SCUS_Newswire

FYI - Students improperly view file that contained personal data - A file containing the personal information of current and former Colorado State University-Pueblo students was accessed last spring by unauthorized users. http://www.scmagazine.com/students-improperly-view-file-that-contained-personal-data/article/256047/?DCMP=EMC-SCUS_Newswire

FYI - Riding low and slow, Hikit targets U.S. defense contractors - Researchers at security firm Mandiant have identified a backdoor trojan, called Hikit, which has targeted a small number of defense contractors in the United States. http://www.scmagazine.com/riding-low-and-slow-hikit-targets-us-defense-contractors/article/256332/?DCMP=EMC-SCUS_Newswire

FYI - Saudi oil company back online after cyber sabotage attempt - Saudi Arabia-based oil company Saudi Aramco said it has restored internal network services after about 30,000 workstations were infected earlier this month with an unknown piece of sabotage malware.

FYI - University of Rhode Island server breach exposes staff and student data - University of Rhode Island (URI) officials disabled the school's College of Business Administration computer server, after the personal information of more than 1,000 faculty and students, as well as students from another school, was publicly available. http://www.scmagazine.com/university-of-rhode-island-server-breach-exposes-staff-and-student-data/article/256398/?DCMP=EMC-SCUS_Newswire


We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Sound Practices for Managing Outsourced E-Banking Systems and Services (Part 3 of 3)

4. Banks should ensure that periodic independent internal and/or external audits are conducted of outsourced operations to at least the same scope required if such operations were conducted in-house.

a)   For outsourced relationships involving critical or technologically complex e-banking services/applications, banks may need to arrange for other periodic reviews to be performed by independent third parties with sufficient technical expertise.

5. Banks should develop appropriate contingency plans for outsourced e-banking activities.

a)  Banks need to develop and periodically test their contingency plans for all critical e-banking systems and services that have been outsourced to third parties.

b)  Contingency plans should address credible worst-case scenarios for providing continuity of e-banking services in the event of a disruption affecting outsourced operations.

c)   Banks should have an identified team that is responsible for managing recovery and assessing the financial impact of a disruption in outsourced e-banking services.

6. Banks that provide e-banking services to third parties should ensure that their operations, responsibilities, and liabilities are sufficiently clear so that serviced institutions can adequately carry out their own effective due diligence reviews and ongoing oversight of the relationship.

a)   Banks have a responsibility to provide serviced institutions with information necessary to identify, control and monitor any risks associated with the e-banking service arrangement.

We continue our series on the FFIEC interagency Information Security Booklet.

Management is responsible for ensuring that institution and customer data is protected, even when that data is transmitted, processed, or stored by a service provider. Service providers should perform appropriate security testing based on the risk to their own organization, to their customer institutions, and to those institutions' customers. Accordingly, management and auditors evaluating technology service providers (TSPs) should apply the testing guidance above when performing initial due diligence, constructing contracts, and exercising ongoing oversight or audit responsibilities. Where indicated by the institution's risk assessment, management is responsible for monitoring the testing performed at the service provider through review of timely audits and test results or other equivalent evaluations.


We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

34. Does the institution deliver a revised privacy notice when it: 

a. discloses a new category of nonpublic personal information to a nonaffiliated third party; [§8(b)(1)(i)]

b. discloses nonpublic personal information to a new category of nonaffiliated third party; [§8(b)(1)(ii)] or

c. discloses nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure? [§8(b)(1)(iii)]

Note: a revised notice is not required if the institution adequately described the nonaffiliated third party or the information to be disclosed in the prior privacy notice. [§8(b)(2)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated