Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable-sophisticated process than goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
Businesses fail to understand threats and fail to keep patches
updated - Security attacks are growing in quantity and frequency, as
well as having more impact on business operations.
US healthcare data plan slammed for encryption get-out clause - New
data breach rules for US healthcare providers have come under
criticism from a security firm that specialises in encryption.
Misdirected spyware infects Ohio hospital - It was a bad idea from
the start, but even as bad ideas go, this one went horribly wrong.
Sears told to destroy data gathered by online tracking software -
Catalogue of snooping does not impress FTC - US retailer Sears has
been ordered to destroy all the customer data it collected from a
piece of online tracking software that consumer regulator the
Federal Trade Commission (FTC) said was unfairly used.
New Trojan virus poses online banking threat - Cyber criminals have
created a highly sophisticated Trojan virus that steals online
banking log-in details from infected computers.
Security considerations critical in the cloud - With the dragging
economy as a driver, IT departments are increasingly realizing the
benefits of cloud security, but business leaders must ask themselves
a few questions before handing over control to a third-party.
FYI - 2009 CRA &
HMDA Data - The free FFIEC CRA and HMDA Data Entry Software, version
2009 for CY 2009 data due March 1, 2010, is only available by
DOWNLOAD from the FFIEC CRA and HMDA web sites.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Bank Sends Sensitive E-mail to Wrong Gmail Address, Sues Google -
Wyoming bank sent an e-mail containing sensitive customer data to
the wrong Gmail account, and now wants Google to reveal the identity
of the account holder who received the data.
Scammers gain access to Downeast Energy's cash, clients - The e-mail
scam costs the company up to $150,000, and may have exposed
customers' bank data. A sophisticated e-mail scam cost a
Brunswick-based heating fuel company as much as $150,000 and
potentially exposed hundreds of customers' checking account
information, the company said Monday - a day when the U.S. Senate's
Homeland Security Committee held hearings on cybersecurity.
PBS' Curious George site hacked to serve malware - The website for
the popular children's television show "Curious George" was
compromised this week to serve malware to visitors, according to
researchers at web security vendor Purewire.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Principle 6: Banks should ensure that clear audit trails exist
for all e-banking
Delivery of financial services over the Internet can make it more
difficult for banks to apply and enforce internal controls and
maintain clear audit trails if these measures are not adapted to an
e-banking environment. Banks are not only challenged to ensure that
effective internal control can be provided in highly automated
environments, but also that the controls can be independently
audited, particularly for all critical e-banking events and
A bank's internal control environment may be weakened if it is
unable to maintain clear audit trails for its e-banking activities.
This is because much, if not all, of its records and evidence
supporting e-banking transactions are in an electronic format. In
making a determination as to where clear audit trails should be
maintained, the following types of e-banking transactions should be
1) The opening,
modification or closing of a customer's account.
2) Any transaction with
3) Any authorization
granted to a customer to exceed a limit.
4) Any granting,
modification or revocation of systems access rights or privileges.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information
SECURITY TESTING - TESTING CONCEPTS AND APPLICATION
Testing Risks to Data Integrity, Confidentiality, and Availability.
Management is responsible for carefully controlling information
security tests to limit the risks to data integrity,
confidentiality, and system availability. Because testing may
uncover nonpublic customer information, appropriate safeguards to
protect the information must be in place. Contracts with third
parties to provide testing services should require that the third
parties implement appropriate measures to meet the objectives of
section 501(b) of the GLBA. Management also is responsible for
ensuring that employee and contract personnel who perform the tests
or have access to the test results have passed appropriate
background checks, and that contract personnel are appropriately
bonded. Because certain tests may pose more risk to system
availability than other tests, management is responsible for
considering whether to require the personnel performing those tests
to maintain logs of their testing actions. Those logs can be helpful
should the systems react in an unexpected manner.
Confidentiality of Test Plans and Data. Since knowledge of test
planning and results may facilitate a security breach, institutions
should carefully limit the distribution of their testing
information. Management is responsible for clearly identifying the
individuals responsible for protecting the data and provide guidance
for that protection, while making the results available in a useable
form to those who are responsible for following up on the tests.
Management also should consider requiring contractors to sign
nondisclosure agreements and to return to the institution
information they obtained in their testing.
the top of the newsletter
IT SECURITY QUESTION:
Determine whether adequate provision is made for different
cryptographic keys for different uses and data.
Return to the top of
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
28. Does the institution refrain from
requiring all joint consumers to opt out before implementing any opt
out direction with respect to the joint account? [§7(d)(4)]
29. Does the institution comply with a consumer's direction to opt
out as soon as is reasonably practicable after receiving it? [§7(e)]