R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 22, 2017

Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool requirements for resilience testing. The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

Australian official: Hackers stole documents on spy planes and warships - Hackers breached a contractor for Australia's Department of Defence and stole documents containing information about next-generation spy planes and naval warships, a government official publicly disclosed. https://www.scmagazine.com/australian-official-hackers-stole-documents-on-spy-planes-and-warships/article/699433/

Bill legalizing hacking back introduced in the House - Reps. Tom Graves, R-Ga., and Kyrsten Sinema, D-Az., today introduced the Active Cyber Defense Bill which if passed would give individuals and companies hit with a cyberattack the legal authority to hack back against their assailant. https://www.scmagazine.com/bill-legalizing-hacking-back-introduced-in-the-house/article/700220/

Oilpro.com founder sentenced to prison after pleading guilty for hacking competitor - The founder of a professional networking site was sentenced to a year and one day in prison after hacking into a competitor's database and attempting to sell his site to the same company whose database he hacked. https://www.scmagazine.com/the-oilprocom-founder-hacked-a-competitors-database-to-boost-own-companys-value/article/699598/

FYI - Another AWS leak exposes 150,000 Patient Home Monitoring Corp. client records - Another publicly accessible Amazon S3 repository has once again been left exposing sensitive consumer information, this time affecting approximately 150,000 U.S. patients. https://www.scmagazine.com/patient-home-monitoring-corp-exposed-475-gb-worth-of-patient-data/article/699640/

Hyatt Hotels reports POS data breach - Hyatt Hotels announced today a point of sale (POS) breach that impacted several dozen of the company's locations between March and July 2017. https://www.scmagazine.com/hyatt-hotels-reports-pos-data-breach/article/699932/

KU student expelled after using Keystroke logger to change grades - A University of Kansas student was expelled from the school after allegedly changing his grades from an "F" to an "A" using information he obtained via a keystroke logger. https://www.scmagazine.com/ku-student-used-keystroke-logger-to-change-grades/article/700036/

DDoS attacks delay trains, stymie transportation services in Sweden - A series of distributed denial of service attacks aimed at Sweden's transportation services caused train delays and disrupted travel services earlier this week. https://www.scmagazine.com/ddos-attacks-delay-trains-stymie-transportation-services-in-sweden/article/700227/

Delayed delivery? Pizza Hut waits two weeks to disclose payment card data breach - Any way you slice it, it's not great news for Pizza Hut customers who learned on Saturday their personal data was stolen during an Oct. 1-2 breach of the Italian food chain's website. https://www.scmagazine.com/delayed-delivery-pizza-hut-waits-two-weeks-to-disclose-payment-card-data-breach/article/700533/

We Heart It breached, 8 million affected - The online image sharing website We Heart It told its members late last week that more than 8 million of its accounts were compromised in a data breach that took place four years ago. https://www.scmagazine.com/we-heart-it-breached-8-million-affected/article/700874/


Risk Management of Outsourced Technology Services (Part 2 of 4)

Risk Assessment

The board of directors and senior management are responsible for understanding the risks associated with outsourcing arrangements for technology services and ensuring that effective risk management practices are in place. As part of this responsibility, the board and management should assess how the outsourcing arrangement will support the institution’s objectives and strategic plans and how the service provider’s relationship will be managed. Without an effective risk assessment phase, outsourcing technology services may be inconsistent with the institution’s strategic plans, too costly, or introduce unforeseen risks.

Outsourcing of information and transaction processing and settlement activities involves risks that are similar to the risks that arise when these functions are performed internally. Risks include threats to security, availability and integrity of systems and resources, confidentiality of information, and regulatory compliance. In addition, the nature of the service provided, such as bill payment, funds transfer, or emerging electronic services, may result in entities performing transactions on behalf of the institution, such as collection or disbursement of funds, that can increase the levels of credit, liquidity, transaction, and reputation risks.

Management should consider additional risk management controls when services involve the use of the Internet. The broad geographic reach, ease of access, and anonymity of the Internet require close attention to maintaining secure systems, intrusion detection and reporting systems, and customer authentication, verification, and authorization. Institutions should also understand that the potential risks introduced are a function of a system’s structure, design and controls and not necessarily the volume of activity.

An outsourcing risk assessment should consider the following:

• Strategic goals, objectives, and business needs of the financial institution.
• Ability to evaluate and oversee outsourcing relationships.
• Importance and criticality of the services to the financial institution.
• Defined requirements for the outsourced activity.
• Necessary controls and reporting processes.
• Contractual obligations and requirements for the service provider.
• Contingency plans, including availability of alternative service providers, and the costs and resources required to switch service providers.
• Ongoing assessment of outsourcing arrangements to evaluate consistency with strategic objectives and service provider performance.
• Regulatory requirements and guidance for the business lines affected and technologies used.


We continue our series on the FFIEC interagency Information Security Booklet.

Management is responsible for ensuring institution and customer data is protected, even when that data is transmitted, processed, or stored by a service provider. Service providers should have appropriate security testing based on the risk to their organization, their customer institutions, and the institution's customers. Accordingly, management and auditors evaluating technology service providers (TSPs) should use the above testing guidance in performing initial due diligence, constructing contracts, and exercising ongoing oversight or audit responsibilities. Where indicated by the institution's risk assessment, management is responsible for monitoring the testing performed at the service provider through review of timely audits and test results or other equivalent evaluations.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

13.1 Behavior

People are a crucial factor in ensuring the security of computer systems and valuable information resources. Human actions account for a far greater degree of computer-related loss than all other sources combined. Of such losses, the actions of an organization's insiders normally cause far more harm than the actions of outsiders. (Chapter 4 discusses the major sources of computer-related loss.)

The major causes of loss due to an organization's own employees are errors and omissions, fraud, and actions by disgruntled employees. One principal purpose of security awareness, training, and education is to reduce errors and omissions. However, it can also reduce fraud and unauthorized activity by disgruntled employees by increasing employees' knowledge of their accountability and the penalties associated with such actions.

Management sets the example for behavior within an organization. If employees know that management does not care about security, no training class teaching the importance of security and imparting valuable skills can be truly effective. This "tone from the top" has myriad effects on an organization's security program.

Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
