Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing
is an affordable-sophisticated process than goes far beyond the
simple scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- White House Brainstorms With Businesses On Disaster Recovery - The
White House has turned to more than 80 innovators in the private
sector to come up with ways that could help the U.S. government
improve disaster response and recovery efforts.
- FTC slaps TRENDnet with 20 years' probation over webcam spying
flaw - The Federal Trade Commission has reached a settlement with US
wireless webcam manufacturer TRENDnet that will commit the firm to
third-party security audits for the next 20 years, plus two years of
free technical support for its customers.
- Banking trojan now circulating overseas could soon reach U.S. -
Researchers at IT security company ESET have discovered a banking
trojan that is targeting users who bank online in the Czech
Republic, Turkey, Portugal and, most recently, the United Kingdom.
- Indian spooks snooping without ISP knowledge - 'Lawful Intercept
and Monitoring' systems don't sound very lawful - India's
authorities are carrying out wide-ranging and indiscriminate
internet surveillance of their citizens thanks to secret intercept
systems located at the international gateways of several large ISPs,
according to The Hindu.
- Medical ID theft victims increasingly report spoofed sites and
phishing as cause of fraud - As the number of individuals impacted
by medical identity theft continues to climb, so does the number of
victims fooled by spurious emails and websites designed to purloin
their sensitive information, a study finds.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Computer hard drive compromised in hotel burglary - An undisclosed
number of guests of the InterContinental Mark Hopkins San Francisco
luxury hotel were alerted that personal information may have been
accessed by two criminals who burglarized a sales office and
compromised a computer hard drive.
- Energy Department Updates Breach Count, Says 53,000 Affected - The
Department of Energy (DOE) has confirmed reports that it suffered a
data breach in July that lead to the theft of employees' personally
identifying information (PII).
- FTC files complaint against LabMD after investigating its security
practices - After a legal back-and-forth to investigate a major
breach, the Federal Trade Commission (FTC) has filed a complaint
against an Atlanta-based medical testing lab accused of exposing the
data of more than 9,000 consumers.
- Laptop and flash drive stolen from doctor's car - Thousands of
patients of St. Anthony's Medical Center long-term care in St. Louis
may have had health information compromised after a laptop and flash
drive were stolen from the vehicle of a staff doctor.
- State employee error puts thousands at risk - Nearly 5,000 people
who filed for unemployment with the Georgia Department of Labor may
have had their personal information compromised after an employee
inadvertently sent out an email containing the data.
- Card information stolen in attack on hospital payment vendor -
Credit and debit card information for thousands of patients of
Medical University of South Carolina (MUSC) may be at risk following
a malicious attack on MUSA's third-party card payment vendor,
Blackhawk Consulting Group.
- Millions in Germany have data compromised in Vodafone hack -
Authorities have identified an attacker suspected of carrying out a
sophisticated hack against Vodafone Germany.
- Unauthorized third party compromises payroll card company data -
Florida-based payroll card company Paymast'r Services is sending out
letters to an undisclosed number of customers who had personal
information compromised in a data breach.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
This week continues our series on
the FDIC's Supervisory Policy on Identity Theft.
3 of 6)
FDIC Response to Identity Theft
The FDIC's supervisory programs include many steps to address
identity theft. The FDIC acts directly, often in conjunction with
other Federal regulators, by promulgating standards that financial
institutions are expected to meet to protect customers' sensitive
information and accounts. The FDIC enforces these standards against
the institutions under its supervision and encourages all financial
institutions to educate their customers about steps they can take to
reduce the chances of becoming an identity theft victim. The FDIC
also sponsors and conducts a variety of consumer education efforts
to make consumers more aware of the ways they can protect themselves
from identity thieves.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (3 of 5)
The enrollment process establishes the user's identity
and anticipated business needs to information and systems. New
employees, IT outsourcing relationships, and contractors may also be
identified, and the business need for access determined during the
hiring or contracting process.
During enrollment and thereafter, an authorization process
determines user access rights. In certain circumstances the
assignment of access rights may be performed only after the manager
responsible for each accessed resource approves the assignment and
documents the approval. In other circumstances, the assignment of
rights may be established by the employee's role or group
membership, and managed by pre - established authorizations for that
group. Customers, on the other hand, may be granted access based on
their relationship with the institution.
Authorization for privileged access should be tightly controlled.
Privileged access refers to the ability to override system or
application controls. Good practices for controlling privileged
! Identifying each privilege associated with each system component,
! Implementing a process to allocate privileges and allocating those
privileges either on a need - to - use or an event - by - event
basis,! Documenting the granting and administrative limits on
! Finding alternate ways of achieving the business objectives,
! Assigning privileges to a unique user ID apart from the one used
for normal business use,
! Logging and auditing the use of privileged access,
! Reviewing privileged access rights at appropriate intervals and
regularly reviewing privilege access allocations, and
! Prohibiting shared privileged access by multiple users.
Return to the top of
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
10) Does the institution list the following categories of
nonpublic personal information that it discloses, as applicable, and
a few examples of each, or alternatively state that it reserves the
right to disclose all the nonpublic personal information that it
a) information from the consumer;
b) information about the consumer's transactions with the
institution or its affiliates;
c) information about the consumer's transactions with
nonaffiliated third parties; and
d) information from a consumer reporting agency? [§6(c)(2)]