Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 41 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
FYI - Businesses must do
better on tech risk - It's a worrying trend, says KPMG. A
significant proportion of corporate audit departments are failing to
address IT risk sufficiently, leaving businesses vulnerable and open
to security threats.
FYI - Man admits causing
Cox phone outages in Louisiana - A former Cox Communications Inc.
employee has pleaded guilty in federal court to hacking into the
company's telecommunications system and causing phone service
failures around the country, including Louisiana.
FYI - Conn. AG
Investigating Former Employee Link To Pfizer Data Breach - A former
worker's new employer sent Pfizer a DVD containing Pfizer data. The
information was allegedly found on the employee's computer at the
new job. The Connecticut Attorney General is investigating a former
Pfizer employee in connection with a data breach that compromised
personally identifying employee information.
FYI - OU boosts IT
security - Ohio University is trying to turn negative media
attention over its computer security problems into an opportunity
for change, said its chief information officer.
FYI - Hospital's brand
new server room goes up in smoke - An investigation has been
launched at Leeds' famous St James' hospital after a server room
disastrously overheated, permanently frying a new computer system
for storing patient x-rays.
FYI - St. Louis Fed
Promotes Hart to Officer - Anna M. Hart has been promoted to officer
in the Information Technology Services division of the Federal
Reserve Bank of St. Louis.
FYI - Woman arrested for
hospital espionage - Police said yesterday they have uncovered a
case of corporate espionage involving two of the country's top
FYI - Data for 800,000
job applicants stolen - A laptop containing unencrypted personal
information for 800,000 people who applied for jobs with clothing
retailer Gap Inc. has been stolen.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We finish our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 10 of 10)
B. RISK MANAGEMENT TECHNIQUES
Managing Service Providers
Financial institutions, especially smaller institutions, may
choose to subcontract with a service provider to create, arrange,
and manage their websites, including weblinks. The primary risks for
these financial institutions are the same as for those institutions
that arrange the links directly. However, if a financial institution
uses a set of pre-established links to a large number of entities
whose business policies or procedures may be unfamiliar, it may
increase its risk exposure. This is particularly true in situations
it maintains certain minimum information security standards at all
When a financial institution subcontracts weblinking arrangements to
a service provider, the institution should conduct sufficient due
diligence to ensure that the service provider is appropriately
managing the risk exposure from other parties. Management should
keep in mind that a vendor might establish links to third parties
that are unacceptable to the financial institution. Finally, the
written agreement should contain a regulatory requirements clause in
which the service provider acknowledges that its linking activities
must comply with all applicable consumer protection laws and
Financial institution management should consider weblinking
agreements with its service provider to mitigate significant risks.
These agreements should be clear and enforceable with descriptions
of all obligations, liabilities, and recourse arrangements. These
may include the institution's right to exclude from its site links
the financial institution considers unacceptable. Such contracts
should include a termination clause, particularly if the contract
does not include the ability to exclude websites. Finally, a
financial institution should apply its link monitoring policies
discussed above to links arranged by service providers or other
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue the series
from the FDIC "Security Risks Associated with the
Encryption, or cryptography, is a method of converting information
to an unintelligible code. The
process can then be reversed, returning the information to an
understandable form. The information is encrypted (encoded) and
decrypted (decoded) by what are commonly referred to as "cryptographic keys." These
"keys" are actually values, used
by a mathematical algorithm to transform the data. The effectiveness
of encryption technology is determined by the strength of the
algorithm, the length of the key, and the appropriateness of the
encryption system selected.
Because encryption renders information unreadable to any party
without the ability to decrypt it, the information remains private
and confidential, whether being transmitted or stored on a system.
Unauthorized parties will see nothing but an unorganized assembly of
encryption technology can provide assurance of data integrity as
some algorithms offer protection against forgery and tampering. The
ability of the technology to protect the information requires that
the encryption and decryption keys be properly managed by authorized
the top of the newsletter
IT SECURITY QUESTION:
Internal controls and procedures:
(Part 2 of 2)
i. Is there separation of duties for handling un-posted items?
j. Is there separation of duties for balancing final output?
k. Is there separation of duties for statement preparation?
l. Are there controls for non-dollar transactions? In writing?
m. Are master files changes required to be in writing?
n. Are source documents microfilmed before transportation?
o. Are official checks, which are computer processed, satisfactorily
p. Are employees prohibited from using computers for personal use?
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Reuse & Redisclosure of nonpublic personal information received
from a nonaffiliated financial institution under Sections 14 and/or
A. Through discussions with management and review of the
institution's procedures, determine whether the institution has
adequate practices to prevent the unlawful redisclosure and reuse of
the information where the institution is the recipient of nonpublic
personal information (§11(a)).
B. Select a sample of data received from nonaffiliated financial
institutions, to evaluate the financial institution's compliance
with reuse and redisclosure limitations.
1. Verify that the institution's redisclosure of the
information was only to affiliates of the financial institution from
which the information was obtained or to the institution's own
affiliates, except as otherwise allowed in the step b below (§11(a)(1)(i)
2. Verify that the institution only uses and shares the data
pursuant to an exception in Sections 14 and 15 (§11(a)(1)(iii)).