R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

October 25, 2009

CONTENT: Internet Compliance | Information Systems Security | IT Security Question | Internet Privacy
Website for Penetration Testing
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Worker training key to data protection - An effective security awareness campaign doesn't make security experts out of company employees. It just makes them know who to call in case something happens. http://www.scmagazineus.com/SC-World-Congress-Worker-training-key-to-data-protection/article/152189/?DCMP=EMC-SCUS_Newswire

Recidivist stock fraud hacker pleads guilty to ID theft - A former stock fraud hacker has pleaded guilty to new fraud and identity theft charges. http://www.theregister.co.uk/2009/10/08/recidivist_hacker_pleads_guilty/

FYI - Stolen NHS laptops recovered - no data breach thanks to remote wiping - Four stolen laptops belonging to Lancashire Care NHS Foundation Trust, which provides mental health services, have been traced and recovered. According to the NHS Trust, no confidential data was compromised due to remote wiping. http://www.infosecurity-magazine.com/view/4508/stolen-nhs-laptops-recovered-no-data-breach-thanks-to-remote-wiping/

FYI - DHS Web sites vulnerable to hackers, IG says - Protocols are in place, but patch management is spotty - The Homeland Security Department's most popular Web sites appear to be vulnerable to hackers and could put department data at risk of loss or unauthorized use, according to a new report from DHS Inspector General Richard Skinner. http://fcw.com/Articles/2009/10/09/DHS-Web-sites-vulnerable-to-hackers-IG-says.aspx

FYI - GAO - Information Technology: Social Security Administration's Data Exchanges Support Current Programs, but Better Planning Is Needed to Meet Future Demands.
Report - http://www.gao.gov/new.items/d09966.pdf
Highlights - http://www.gao.gov/highlights/d09966high.pdf

GAO - Information Security: NASA Needs to Remedy Vulnerabilities in Key Networks.
Report - http://www.gao.gov/new.items/d104.pdf
Highlights - http://www.gao.gov/highlights/d104high.pdf


Blue Cross Blue Shield Association affirms laptop breach - The Blue Cross Blue Shield Association (BCBSA) is reviewing its security practices after thieves stole an employee's computer that contained an unencrypted file with the personal information of nearly every doctor who accepts the popular health insurance plan. http://www.scmagazineus.com/Blue-Cross-Blue-Shield-Association-affirms-laptop-breach/article/151740/

T-Mobile sidelines Sidekick in wake of data debacle - T-Mobile USA Inc. has for the time being pulled all of its Sidekick phones off the market after the phones were hit by massive data outages. http://www.computerworld.com/s/article/9139261/T_Mobile_sidelines_Sidekick_in_wake_of_data_debacle?taxonomyId=1

FYI - IT analyst at NY Fed Reserve Bank pleads guilty to ID theft scheme - A former employee of the Federal Reserve Bank in New York, Curtis L. Wiltshire, pleaded guilty today to one count of bank fraud and one count of aggravated identity theft for having obtained student loans using stolen identities.

Former DuPont researcher hit with federal data theft charges - Meng accused of wrongfully accessing a company computer - A former research scientist at DuPont USA who is already facing civil charges for allegedly attempting to steal corporate secrets from the company, has been hit with a federal criminal complaint on the same charges. http://www.computerworld.com/s/article/9139014/Former_DuPont_researcher_hit_with_federal_data_theft_charges?taxonomyId=17


We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Principle 9: Banks should take appropriate measures to ensure adherence to customer privacy requirements applicable to the jurisdictions to which the bank is providing e-banking products and services.

Maintaining a customer's information privacy is a key responsibility for a bank. Misuse or unauthorized disclosure of confidential customer data exposes a bank to both legal and reputation risk. To meet these challenges concerning the preservation of privacy of customer information, banks should make reasonable endeavors to ensure that:

1)  The bank's customer privacy policies and standards take account of and comply with all privacy regulations and laws applicable to the jurisdictions to which it is providing e-banking products and services.

2)  Customers are made aware of the bank's privacy policies and relevant privacy issues concerning use of e-banking products and services.

3)  Customers may decline (opt out) from permitting the bank to share with a third party for cross-marketing purposes any information about the customer's personal needs, interests, financial position or banking activity.

4)  Customer data are not used for purposes beyond which they are specifically allowed or for purposes beyond which customers have authorized.

5)  The bank's standards for customer data use must be met when third parties have access to customer data through outsourcing relationships.

We continue our series on the FFIEC interagency Information Security Booklet.


Management is responsible for considering the following key factors in developing and implementing independent diagnostic tests:

Personnel. Technical testing is frequently only as good as the personnel performing and supervising the test. Management is responsible for reviewing the qualifications of the testing personnel to satisfy themselves that the capabilities of the testing personnel are adequate to support the test objectives.

Scope. The tests and methods utilized should be sufficient to validate the effectiveness of the security process in identifying and appropriately controlling security risks.

Notifications. Management is responsible for considering whom to inform within the institution about the timing and nature of the tests. The need for protection of institution systems and the potential for disruptive false alarms must be balanced against the need to test personnel reactions to unexpected activities.

Controls Over Testing. Certain testing can adversely affect data integrity, confidentiality, and availability. Management is expected to limit those risks by appropriately crafting test protocols. Examples of issues to address include the specific systems to be tested, threats to be simulated, testing times, the extent of security compromise allowed, situations in which testing will be suspended, and the logging of test activity. Management is responsible for exercising oversight commensurate with the risk posed by the testing.

Frequency. The frequency of testing should be determined by the institution's risk assessment. High-risk systems should be subject to an independent diagnostic test at least once a year. Additionally, firewall policies and other policies addressing access control between the financial institution's network and other networks should be audited and verified at least quarterly. Factors that may increase the frequency of testing include the extent of changes to network configuration, significant changes in potential attacker profiles and techniques, and the results of other testing.
(FYI - This is exactly the type of independent diagnostic testing that the VISTA pen-test study covers.  Please refer to http://www.internetbankingaudits.com/ for information.)

Proxy Testing. Independent diagnostic testing of a proxy system is generally not effective in validating the effectiveness of a security process. Proxy testing, by its nature, does not test the operational system's policies and procedures, or its integration with other systems. It also does not test the reaction of personnel to unusual events. Proxy testing may be the best choice, however, when management is unable to test the operational system without creating excessive risk.



7. Determine if cryptographic keys are destroyed in a secure manner when they are no longer required.


We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

33. Except as permitted by 13-15, does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as described in the initial privacy notice provided to the consumer, unless:

a. the institution has provided the consumer with a clear and conspicuous revised notice that accurately describes the institution's privacy policies and practices; [8(a)(1)]

b. the institution has provided the consumer with a new opt out notice;

c. the institution has given the consumer a reasonable opportunity to opt out of the disclosure, before disclosing any information; [8(a)(3)] and

d. the consumer has not opted out? [8(a)(4)]


PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.