R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 24, 2010

CONTENTS
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FFIEC's "Interagency Guidelines Establishing Information Security Standards."  For more information and to subscribe visit http://www.yennik.com/it-review/.

FYI -
Youth jailed for not handing over encryption password - Second ever sentence for RIPA offence - A 19-year old from Lancashire has been sentenced to 16 weeks in a young offenders institution for refusing to give police the password to an encrypted file on his computer. http://www.theregister.co.uk/2010/10/06/jail_password_ripa/

FYI -
Jury convicts programmer of planting Fannie Mae server bomb - Faces 10 years in prison for trying to erase data on nearly 5,000 servers - A programmer who worked for the Federal National Mortgage Association, better known as Fannie Mae, was convicted Monday on a charge that he tried to destroy data on the organization's nearly 5,000 servers. http://www.computerworld.com/s/article/9189939/Jury_convicts_programmer_of_planting_Fannie_Mae_server_bomb?taxonomyId=144

FYI -
Banking bill would treat schools, towns like consumers - A New York lawmaker has introduced a bill that would extend financial protection to municipalities and school districts that fall victim to unauthorized bank funds transfers. http://www.scmagazineus.com/banking-bill-would-treat-schools-towns-like-consumers/article/180818/

FYI -
Feds Unlikely To Meet Cybersecurity Compliance Deadline - A Nov. 15 date for federal cybersecurity managers to start using the new CyberScope online reporting tool will be missed by many, as 85% have yet to use the new software. http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=227701081&cid=RSSfeed_IWK_All

FYI -
Caught Spying on Student, FBI Demands GPS Tracker Back - A California student got a visit from the FBI this week after he found a secret GPS tracking device on his car, and a friend posted photos of it online. http://www.wired.com/threatlevel/2010/10/fbi-tracking-device/all/1

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
Aldi data breach shows payment terminal holes - Thieves hit point-of-sale terminals in Aldi grocery stores in 11 states - A debit card breach disclosed late last week by discount grocer Aldi Inc. shows how hardware hacks are starting to pose as much of a threat to payment card data as software-based attacks. http://www.computerworld.com/s/article/9189982/Aldi_data_breach_shows_payment_terminal_holes?taxonomyId=17

FYI -
Russian authorities detain suspected bank carding kingpin - $660,000 gone in 6 months - Russian authorities have detained a Ukrainian citizen accused of overseeing a criminal operation that used fraudulent credit cards and passports to siphon large amounts of cash out of banks around the world. http://www.theregister.co.uk/2010/10/05/russia_detains_bank_fraud_kingpin/

FYI -
Cancer researcher fights UNC demotion - She was deemed responsible for security breach - A UNC cancer researcher is fighting a demotion and pay cut she received after a security breach in the medical study she directs. http://www.heraldsun.com/view/full_story/9804450/article-Cancer-researcher-fights-UNC-demotion?instance=homesecondleft

FYI -
Personal data on Tamil refugees exposed - A computer containing the names of Tamil refugees has been stolen from the offices of the Canadian Tamil Congress. http://www.scmagazineus.com/personal-data-on-tamil-refugees-exposed/article/180656/?DCMP=EMC-SCUS_Newswire

FYI -
Swiss bank accounts under CRA investigation - The Canadian Revenue Agency (CRA) is investigating more than 1,000 high-value bank accounts in Switzerland, after a former employee stole the account data and handed it to investigators. http://www.scmagazineus.com/swiss-bank-accounts-under-cra-investigation/article/180653/?DCMP=EMC-SCUS_Newswire

FYI -
Virus strikes University of Oklahoma computer - A virus recently compromised a clinic computer at the University of Oklahoma-Tulsa neurology practice to possibly retrieve sensitive documents on the machine. http://www.scmagazineus.com/virus-strikes-university-of-oklahoma-computer/article/180883/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE -
Advertisements

Generally, Internet web sites are considered advertising by the regulatory agencies. In some cases, the regulations contain special rules for multiple-page advertisements. It is not yet clear what would constitute a single "page" in the context of the Internet or on-line text. Thus, institutions should carefully review their on-line advertisements in an effort to minimize compliance risk.

In addition, Internet or other systems in which a credit application can be made on-line may be considered "places of business" under HUD's rules prescribing lobby notices. Thus, institutions may want to consider including the "lobby notice," particularly in the case of interactive systems that accept applications.


INFORMATION TECHNOLOGY SECURITY -
We conclude our review of the FDIC paper "Risk Assessment Tools and Practices of Information System Security."  We hope you have found this series useful.

INCIDENT RESPONSE - Discusses implementing an incident response strategy for the response component of an institution's information security program. After implementing a defense strategy and monitoring for new attacks, hacker activities, and unauthorized insider access, management should develop a response strategy. The sophistication of an incident response plan will vary depending on the risks inherent in each system deployed and the resources available to an institution. In developing a response strategy or plan, management should consider the following:

1) The plan should provide a platform from which an institution can prepare for, address, and respond to intrusions or unauthorized activity. The beginning point is to assess the systems at risk, as identified in the overall risk assessment, and consider the potential types of security incidents.

2) The plan should identify what constitutes a break-in or system misuse, and incidents should be prioritized by the seriousness of the attack or system misuse.

3) Individuals should be appointed and empowered with the latitude and authority to respond to an incident. The plan should include what the appropriate responses may be for potential intrusions or system misuse.

4) A recovery plan should be established, and in some cases, an incident response team should be identified.

5) The plan should include procedures to officially report the incidents to senior management, the board of directors, legal counsel, and law enforcement agents as appropriate.

FYI - Please remember that we perform vulnerability-penetration studies and would be happy to e-mail you a proposal.  E-mail Kinney Williams at examiner@yennik.com for more information.

INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

8)  Do the initial, annual, and revised privacy notices include each of the following, as applicable:  (Part 1 of 2)

a)  the categories of nonpublic personal information that the institution collects; [§6(a)(1)]

b)  the categories of nonpublic personal information that the institution discloses; [§6(a)(2)]

c)  the categories of affiliates and nonaffiliated third parties to whom the institution discloses nonpublic personal information, other than parties to whom information is disclosed under an exception in §14 or §15; [§6(a)(3)]

d)  the categories of nonpublic personal information disclosed about former customers, and the categories of affiliates and nonaffiliated third parties to whom the institution discloses that information, other than those parties to whom the institution discloses information under an exception in §14 or §15; [§6(a)(4)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

IT Security Checklist
A weekly email that provides an effective method to prepare for your IT examination.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated