Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 14, 2007

CONTENT
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Businesses must do better on tech risk - It's a worrying trend, says KPMG. A significant proportion of corporate audit departments are failing to address IT risk sufficiently, leaving businesses vulnerable and open to security threats. http://software.silicon.com/security/0,39024655,39168530,00.htm

FYI - Man admits causing Cox phone outages in Louisiana - A former Cox Communications Inc. employee has pleaded guilty in federal court to hacking into the company's telecommunications system and causing phone service failures around the country, including Louisiana. http://www.shreveporttimes.com/apps/pbcs.dll/article?AID=/20070927/BREAKINGNEWS/70927009

FYI - Conn. AG Investigating Former Employee Link To Pfizer Data Breach - A former worker's new employer sent Pfizer a DVD containing Pfizer data. The information was allegedly found on the employee's computer at the new job. The Connecticut Attorney General is investigating a former Pfizer employee in connection with a data breach that compromised personally identifying employee information. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202101944

FYI - OU boosts IT security - Ohio University is trying to turn negative media attention over its computer security problems into an opportunity for change, said its chief information officer. http://thepost.baker.ohiou.edu/Articles/News/2007/09/28/21463/

FYI - Hospital's brand new server room goes up in smoke - An investigation has been launched at Leeds' famous St James' hospital after a server room disastrously overheated, permanently frying a new computer system for storing patient x-rays. http://www.theregister.co.uk/2007/09/27/leeds_server_overheat/print.html

FYI - St. Louis Fed Promotes Hart to Officer - Anna M. Hart has been promoted to officer in the Information Technology Services division of the Federal Reserve Bank of St. Louis. www.stlouisfed.org/news/releases/2007/09_28_07.htm

MISSING COMPUTERS/DATA

FYI - Woman arrested for hospital espionage - Police said yesterday they have uncovered a case of corporate espionage involving two of the country's top private hospitals. http://www.ekathimerini.com/4dcgi/_w_articles_politics_100014_29/09/2007_88365

FYI - Data for 800,000 job applicants stolen - A laptop containing unencrypted personal information for 800,000 people who applied for jobs with clothing retailer Gap Inc. has been stolen. http://www.theregister.co.uk/2007/09/28/gap_data_breach/print.html



WEB SITE COMPLIANCE -
We finish our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 10 of 10)

B. RISK MANAGEMENT TECHNIQUES

Managing Service Providers

Financial institutions, especially smaller institutions, may choose to subcontract with a service provider to create, arrange, and manage their websites, including weblinks. The primary risks for these financial institutions are the same as for those institutions that arrange the links directly. However, if a financial institution uses a set of pre-established links to a large number of entities whose business policies or procedures may be unfamiliar, it may increase its risk exposure. This is particularly true in situations in which the institution claims in its published privacy policy that it maintains certain minimum information security standards at all times.

When a financial institution subcontracts weblinking arrangements to a service provider, the institution should conduct sufficient due diligence to ensure that the service provider is appropriately managing the risk exposure from other parties. Management should keep in mind that a vendor might establish links to third parties that are unacceptable to the financial institution. Finally, the written agreement should contain a regulatory requirements clause in which the service provider acknowledges that its linking activities must comply with all applicable consumer protection laws and regulations.

Financial institution management should consider weblinking agreements with its service provider to mitigate significant risks. These agreements should be clear and enforceable with descriptions of all obligations, liabilities, and recourse arrangements. These may include the institution's right to exclude from its site links the financial institution considers unacceptable. Such contracts should include a termination clause, particularly if the contract does not include the ability to exclude websites. Finally, a financial institution should apply its link monitoring policies discussed above to links arranged by service providers or other vendors.


INFORMATION TECHNOLOGY SECURITY
We continue the series from the FDIC "Security Risks Associated with the Internet."

SECURITY MEASURES

Encryption

Encryption, or cryptography, is a method of converting information to an unintelligible code.  The process can then be reversed, returning the information to an understandable form. The information is encrypted (encoded) and decrypted (decoded) by what are commonly referred to as "cryptographic keys." These "keys" are actually values, used by a mathematical algorithm to transform the data. The effectiveness of encryption technology is determined by the strength of the algorithm, the length of the key, and the appropriateness of the encryption system selected.


Because encryption renders information unreadable to any party without the ability to decrypt it, the information remains private and confidential, whether being transmitted or stored on a system. Unauthorized parties will see nothing but an unorganized assembly of characters.  Furthermore, encryption technology can provide assurance of data integrity as some algorithms offer protection against forgery and tampering. The ability of the technology to protect the information requires that the encryption and decryption keys be properly managed by authorized parties.



IT SECURITY QUESTION:  Internal controls and procedures:  (Part 2 of 2)

i. Is there separation of duties for handling un-posted items?
j. Is there separation of duties for balancing final output?
k. Is there separation of duties for statement preparation?
l. Are there controls for non-dollar transactions? In writing?
m. Are master files changes required to be in writing?
n. Are source documents microfilmed before transportation?
o. Are official checks, which are computer processed, satisfactorily controlled?
p. Are employees prohibited from using computers for personal use?



INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Reuse & Redisclosure of nonpublic personal information received from a nonaffiliated financial institution under Sections 14 and/or 15.

A. Through discussions with management and review of the institution's procedures, determine whether the institution has adequate practices to prevent the unlawful redisclosure and reuse of the information where the institution is the recipient of nonpublic personal information (§11(a)).

B. Select a sample of data received from nonaffiliated financial institutions, to evaluate the financial institution's compliance with reuse and redisclosure limitations.

1.  Verify that the institution's redisclosure of the information was only to affiliates of the financial institution from which the information was obtained or to the institution's own affiliates, except as otherwise allowed in the step b below (§11(a)(1)(i) and (ii)).

2.  Verify that the institution only uses and shares the data pursuant to an exception in Sections 14 and 15 (§11(a)(1)(iii)).

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated