R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 2, 2011

CONTENT Internet Compliance Information Systems Security
IT Security
Internet Privacy
Website for Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

Spending less than 5 minutes a week along with a cup of coffee
you can monitor your IT security as required by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

- The State Department's approach to cybersecurity is so innovative and effective that companies are clamoring to copy it. The State Department has pioneered an approach to network security that makes it easier for managers in large organizations to identify trouble spots, prioritize them and get them fixed fast. http://online.wsj.com/article/SB10001424053111904353504576566802789426680.html

FYI - California bill would ban warrantless cell phone searches - If you get arrested in California, the photos, e-mails and other personal data on your cell phone soon could be a bit safer from prying police eyes soon. http://edition.cnn.com/2011/09/20/tech/mobile/california-phone-search-law/index.html

FYI - 3 indicted in sophisticated hacking, theft scheme - At least 53 Seattle-area companies hit, with losses in the hundreds of thousands - Soon after his office was burglarized - twice - Jeff walked in and found a payroll report sitting on his printer. He hadn't printed it, and as his company's chief financial officer, he's the only person who would have.

FYI - Losing medical data - It may seem strange that someone who works so closely with ESET North America should keep writing about the UK's National Health Service, but then I do live there. http://www.scmagazineus.com/losing-medical-data/article/212839/?DCMP=EMC-SCUS_Newswire

FYI - National breach notification bill passes hurdle - Three separate national breach notification bills making their way through the Senate came a step closer to being enacted into law on Thursday. http://www.scmagazineus.com/national-breach-notification-bill-passes-hurdle/article/212686/?DCMP=EMC-SCUS_Newswire

FYI - Dutch government to revoke #DigiNotar certificates on Wednesday - Certificates issued by DigiNotar are to be officially revoked this week by the Dutch government. http://www.scmagazineuk.com/dutch-government-to-revoke-diginotar-certificates-on-wednesday/article/212832/

FYI - Senator Wants Investigation of OnStar’s ‘Brazen’ Privacy Invasion - New York’s senior senator Charles Schumer wants the feds to investigate OnStar’s controversial new privacy policy, and demanded the Detroit navigation-and-emergency company refrain from monitoring vehicles after customers cancel service. http://www.wired.com/threatlevel/2011/09/senator-onstar-brazen-privacy-invasion/

FYI - Corporate bank fraud losses expected to total $210M - Businesses in North America are expected to lose $210 million this year to corporate bank account takeovers, according to a new report from financial research and consulting firm. http://www.scmagazineus.com/corporate-bank-fraud-losses-expected-to-total-210m/article/212876/?DCMP=EMC-SCUS_Newswire


FYI - Alleged LulzSec, Anonymous hackers arrested in Ariz., Calif. - An Arizona man was arrested today for allegedly stealing data from Sony Pictures Entertainment earlier this year, and two others were indicted on charges of participating in a denial-of-service (DoS) attack that temporarily shut down Santa Cruz County servers late last year. http://news.cnet.com/8301-1009_3-20110264-83/alleged-lulzsec-anonymous-hackers-arrested-in-ariz-calif/?tag=mncol;txt

FYI - Mitsubishi Heavy Industries attack puts Japan's defence contractors on alert - Viruses have been found on more than 80 computers and servers belonging to a Japanese weapons contractor. http://www.scmagazineuk.com/mitsubishi-heavy-industries-attack-puts-japans-defence-contractors-on-alert/article/212468/s/

FYI - Harvard site back online after "sophisticated" defacement - The home page of Harvard University is functioning normally after it was defaced Monday morning by activists in support of the embattled regime in Syria. http://www.scmagazineus.com/losing-medical-data/article/212839/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

Electronic Fund Transfer Act, Regulation E  (Part 2 of 2)

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated on-line. Specifically, OSC regulations provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as by a personal computer or a facsimile machine.

Additionally, the regulations clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code. According to the OSC, an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated" is a consumer's authorization via a home banking system. To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request). The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution.

Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.

Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability. A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device. Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required. 

Return to the top of the newsletter
We continue our series on the FFIEC interagency Information Security Booklet.  


Financial institutions must control access to system software within the various network clients and servers as well as stand-alone systems. System software includes the operating system and system utilities. The computer operating system manages all of the other applications running on the computer. Common operating systems include IBM OS/400 and AIX, LINUX, various versions of Microsoft Windows, and Sun Solaris. Security administrators and IT auditors need to understand the common vulnerabilities and appropriate mitigation strategies for their operating systems. Application programs and data files interface through the operating system. System utilities are programs that perform repetitive functions such as creating, deleting, changing, or copying files. System utilities also could include numerous types of system management software that can supplement operating system functionality by supporting common system tasks such as security, system monitoring, or transaction processing.

System software can provide high-level access to data and data processing. Unauthorized access could result in significant financial and operational losses. Financial institutions must restrict privileged access to sensitive operating systems. While many operating systems have integrated access control software, third - party security software is available for most operating systems. In the case of many mainframe systems, these programs are essential to ensure effective access control and can often integrate the security management of both the operating system and the applications. Network security software can allow institutions to improve the effectiveness of the administration and security policy compliance for a large number of servers often spanning multiple operating system environments. The critical aspects for access control software, whether included in the operating system or additional security software, are that management has the capability to:

! Restrict access to sensitive or critical system resources or processes and have the capability, depending on the sensitivity to extend protection at the program, file, record, or field level;
! Log user or program access to sensitive system resources including files, programs, processes, or operating system parameters; and
! Filter logs for potential security events and provide adequate reporting and alerting capabilities.

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties ( Part 3 of 6)

Requirements for Notices

Clear and Conspicuous. Privacy notices must be clear and conspicuous, meaning they must be reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice. The regulations do not prescribe specific methods for making a notice clear and conspicuous, but do provide examples of ways in which to achieve the standard, such as the use of short explanatory sentences or bullet lists, and the use of plain-language headings and easily readable typeface and type size. Privacy notices also must accurately reflect the institution's privacy practices.

Delivery Rules. Privacy notices must be provided so that each recipient can reasonably be expected to receive actual notice in writing, or if the consumer agrees, electronically. To meet this standard, a financial institution could, for example, (1) hand-deliver a printed copy of the notice to its consumers, (2) mail a printed copy of the notice to a consumer's last known address, or (3) for the consumer who conducts transactions electronically, post the notice on the institution's web site and require the consumer to acknowledge receipt of the notice as a necessary step to completing the transaction.

For customers only, a financial institution must provide the initial notice (as well as the annual notice and any revised notice) so that a customer may be able to retain or subsequently access the notice. A written notice satisfies this requirement. For customers who obtain financial products or services electronically, and agree to receive their notices on the institution's web site, the institution may provide the current version of its privacy notice on its web site.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated