Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc. has clients in 42 states
that rely on our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable-sophisticated process than goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
Spending less than 5 minutes a week along
with a cup of coffee, you can monitor your IT
security as required
by the FDIC, OCC, FRB FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.
For more information visit
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
Additional Guidance Needed to Address Cloud Computing Concerns
- EU cloud vendors liable for breaches - Directive asks vendors to
prove security and accept liability. The European Union will
introduce rules that make cloud providers legally liable for data
- Lawmakers want investigation of supercookies - Markey and Barton
call on the FTC to investigate the use of the hard-to-delete
tracking tools - Two U.S. lawmakers have called on the U.S. Federal
Trade Commission to investigate the use of so-called supercookies on
many websites, with the two suggesting that use of the
hard-to-remove tracking tools may be an unfair business practice.
- (ISC)2 at a crossroads: CISSP value vs. security industry growth -
(ISC)2 wants to dramatically swell its CISSP ranks in the next few
years. That plan does not sit well with some CISSPs, who say their
numbers are already growing too fast and putting CISSP value in
question, even though the organization itself believes it’s not
growing nearly fast enough.
- State Department Employee Faces Firing for Posting WikiLeaks Link
- A veteran U.S. State Department foreign service officer says his
job is on the line after he posted a link on his blog to a WikiLeaks
- GAO - Weaknesses Continue Amid New Federal Efforts to Implement
- Most businesses lack social media security controls - IT security
practitioners agree that employees' social media use represents a
security threat, but 29 percent polled in a new survey said their
company has the necessary controls in place to mitigate the risks.
- GAO - Federal Reserve System: Opportunities Exist to Strengthen
Policies and Processes for Managing Emergency Assistance
- Malware victim loses net connection to iCode - An Australian woman
this month has had her internet connection cut off under the iCode
initiative after she received 42 consecutive emails warning that
her computer was infected.
- On the frontlines of cyber defence - Meet the teams fighting the
malware threat - Something has gone terribly wrong on the plant
floor at ACME Specialty Chemical International.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Countrywide insider gets eight months in prison for theft - A
former employee of mortgage company Countrywide Financial was
sentenced Tuesday to eight months in prison and ordered to pay $1.2
million in restitution after admitting to stealing and selling
customers' personal data.
- Air traffic control data found on eBayed network gear - NATS
passwords and info left on £20 switch - A switch with networking
configurations and passwords for the UK traffic control centre was
offered for sale on eBay, raising serious security concerns.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Equal Credit Opportunity Act (Regulation B)
The regulations clarifies the rules concerning the taking of credit
applications by specifying that application information entered
directly into and retained by a computerized system qualifies as a
written application under this section. If an institution makes
credit application forms available through its on-line system, it
must ensure that the forms satisfy the requirements.
The regulations also clarify the regulatory requirements that apply
when an institution takes loan applications through electronic
media. If an applicant applies through an electronic medium (for
example, the Internet or a facsimile) without video capability that
allows employees of the institution to see the applicant, the
institution may treat the application as if it were received by
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
e continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION - OPERATING SYSTEM ACCESS (Part 2 of 2)
Additional operating system access controls include the following
! Ensure system administrators and security professionals have
adequate expertise to securely configure and manage the operating
! Ensure effective authentication methods are used to restrict
system access to both users and applications.
! Activate and utilize operating system security and logging
capabilities and supplement with additional security software where
supported by the risk assessment process.
! Restrict operating system access to specific terminals in
physically secure and monitored locations.
! Lock or remove external drives from system consoles or terminals
residing outside physically secure locations.
! Restrict and log access to system utilities, especially those with
data altering capabilities.
! Restrict access to operating system parameters.
! Prohibit remote access to sensitive operating system functions,
where feasible, and at a minimum require strong authentication and
encrypted sessions before allowing remote support.
! Limit the number of employees with access to sensitive operating
systems and grant only the minimum level of access required to
perform routine responsibilities.
! Segregate operating system access, where possible, to limit full
or root - level access to the system.
! Monitor operating system access by user, terminal, date, and time
! Update operating systems with security patches and using
appropriate change control mechanisms.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties ( Part 4 of 6)
Requirements for Notices (continued)
Notice Content. A privacy notice must contain specific
disclosures. However, a financial institution may provide to
consumers who are not customers a "short form" initial notice
together with an opt out notice stating that the institution's
privacy notice is available upon request and explaining a reasonable
means for the consumer to obtain it. The following is a list of
disclosures regarding nonpublic personal information that
institutions must provide in their privacy notices, as applicable:
1) categories of information collected;
2) categories of information disclosed;
3) categories of affiliates and nonaffiliated third parties to whom
the institution may disclose information;
4) policies with respect to the treatment of former customers'
5) information disclosed to service providers and joint marketers
6) an explanation of the opt out right and methods for opting out;
7) any opt out notices the institution must provide under the Fair
Credit Reporting Act with respect to affiliate information sharing;
8) policies for protecting the security and confidentiality of
9) a statement that the institution makes disclosures to other
nonaffiliated third parties as permitted by law (Sections 14 and