Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc. has clients in 42 states
that rely on our penetration testing audits
to verify proper Internet security settings and
to meet the independent diagnostic test requirements of the
FDIC, OCC, FRB, and NCUA, which supports compliance with
Gramm-Leach-Bliley Act section 501(b).
The penetration audit and Internet security testing is an
affordable, sophisticated process that goes far beyond simple
port scanning. The audit takes
a hacker's perspective, which helps
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
Community Bank Technology Conference
- If you have nothing on your plate, plan to attend the Independent
Community Bankers of America’s Community Bank Technology Conference,
September 12-14, 2012 in Las Vegas. I will be speaking Thursday on
auditing community banks. For more information please visit
- US boardrooms wake up to data security - But work still needs to
be done by businesses to be fully protected - corporate America says
data security is now the main concern in the boardroom when it comes
to legal considerations.
- California approves Location Privacy Act: 'Get a warrant' -
Summary: A new privacy bill, forcing police and law enforcement to
obtain a warrant before gathering cellphone GPS or location data,
has been passed by California state legislators.
- GAO Questions EPA's Ability to Secure Data - Audit: Security
Control Weaknesses Pervade IT Systems - Weaknesses in security
controls pervade the IT systems of the Environmental Protection
Agency, jeopardizing the agency's ability to sufficiently protect
the confidentiality, integrity and availability of its information
and systems, the Government Accountability Office said in an audit
made public Aug. 21.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Siemens 'flaw' claim sparks US power plant security probe - The US
government is investigating claims that a flaw in Siemens'
networking equipment could enable hackers to attack power plants and
other critical systems.
- Researchers consider threat of car hacking - McAfee's year-old team
of elite hackers has been researching a place many people wouldn't
think is vulnerable to attack - the automobile.
- Students improperly view file that contained personal data - A
file containing the personal information of current and former
Colorado State University-Pueblo students was accessed last spring
by unauthorized users.
- Riding low and slow, Hikit targets U.S. defense contractors -
Researchers at security firm Mandiant have identified a backdoor
trojan, called Hikit, which has targeted a small number of defense
contractors in the United States.
- Saudi oil company back online after cyber sabotage attempt - Saudi
Arabia-based oil company Saudi Aramco said it has restored internal
network services after about 30,000 workstations were infected
earlier this month with an unknown piece of sabotage malware.
- University of Rhode Island server breach exposes staff and student
data - University of Rhode Island (URI) officials disabled the
school's College of Business Administration computer server after
the personal information of more than 1,000 faculty and students, as
well as students from another school, was found to be publicly
accessible.
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Banking
Supervision.
Sound Practices for Managing Outsourced E-Banking Systems
(Part 3 of 3)
4. Banks should ensure that periodic independent internal and/or
external audits are conducted of outsourced operations to at least
the same scope required if such operations were conducted in-house.
a) For outsourced relationships involving critical or
technologically complex e-banking services/applications, banks may
need to arrange for other periodic reviews to be performed by
independent third parties with sufficient technical expertise.
5. Banks should develop appropriate contingency plans for outsourced
e-banking activities.
a) Banks need to develop and periodically test their contingency
plans for all critical e-banking systems and services that have been
outsourced to third parties.
b) Contingency plans should address credible worst-case scenarios
for providing continuity of e-banking services in the event of a
disruption affecting outsourced operations.
c) Banks should have an identified team that is responsible for
managing recovery and assessing the financial impact of a disruption
in outsourced e-banking services.
6. Banks that provide e-banking services to third parties should
ensure that their operations, responsibilities, and liabilities are
sufficiently clear so that serviced institutions can adequately
carry out their own effective due diligence reviews and ongoing
oversight of the relationship.
a) Banks have a responsibility to provide serviced institutions
with information necessary to identify, control and monitor any
risks associated with the e-banking service arrangement.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY TESTING - OUTSOURCED SYSTEMS
Management is responsible for ensuring institution and customer data
is protected, even when that data is transmitted, processed, or
stored by a service provider. Service providers should perform
appropriate security testing based on the risk to their
organization, their customer institutions, and the institution's
customers. Accordingly, management and auditors evaluating
technology service providers (TSPs) should use the testing guidance
above in performing initial due diligence, constructing contracts,
and exercising ongoing oversight or audit responsibilities. Where
indicated by the institution's risk assessment, management is
responsible for monitoring the testing performed at the service
provider through review of timely audits and test results or other
equivalent evaluations.
INTERNET PRIVACY - We
continue our series listing the regulatory privacy examination
questions. Answering the question each week will help you
ensure compliance with the privacy regulations.
34. Does the institution deliver a
revised privacy notice when it:
a. discloses a new category of nonpublic personal information to a
nonaffiliated third party; [§8(b)(1)(i)]
b. discloses nonpublic personal information to a new category of
nonaffiliated third party; [§8(b)(1)(ii)] or
c. discloses nonpublic personal information about a former customer
to a nonaffiliated third party, if that former customer has not had
the opportunity to exercise an opt out right regarding that
disclosure. [§8(b)(1)(iii)]
(Note: a revised
notice is not required if the institution adequately described the
nonaffiliated third party or information to be disclosed in the
prior privacy notice. [§8(b)(2)])