Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable-sophisticated process than goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
Worker training key to data protection - An effective security
awareness campaign doesn't make security experts out of company
employees. It just makes them know who to call in case something
Recidivist stock fraud hacker pleads guilty to ID theft - A former
stock fraud hacker has pleaded guilty to new fraud and identity
FYI - Stolen NHS laptops recovered - no data breach thanks to remote
wiping - Four stolen laptops belonging to Lancashire Care NHS
Foundation Trust, which provides mental health services, have been
traced and recovered. According to the NHS Trust, no confidential
data was compromised due to remote wiping.
FYI - DHS Web sites vulnerable to hackers, IG says - Protocols are in
place, but patch management is spotty - The Homeland Security
Department's most popular Web sites appear to be vulnerable to
hackers and could put department data at risk of loss or
unauthorized use, according to a new report from DHS Inspector
General Richard Skinner.
FYI - GAO - Information Technology: Social Security Administration's Data
Exchanges Support Current Programs, but Better Planning Is Needed to
Meet Future Demands.
GAO - Information Security: NASA Needs to Remedy Vulnerabilities in
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Blue Cross Blue Shield Association affirms laptop breach - The Blue
Cross Blue Shield Association (BCBSA) is reviewing its security
practices after thieves stole an employee's computer that contained
an unencrypted file with the personal information of nearly every
doctor who accepts the popular health insurance plan.
T-Mobile sidelines Sidekick in wake of data debacle - T-Mobile USA
Inc. has for the time being pulled all of its Sidekick phones off
the market after the phones were hit by massive data outages.
FYI - IT analyst at NY Fed Reserve Bank pleads guilty to ID theft scheme
- A former employee of the Federal Reserve Bank in New York, Curtis
L. Wiltshire, pleaded guilty today to one count of bank fraud and
one count of aggravated identity theft for having obtained student
loans using stolen identities.
Former DuPont researcher hit with federal data theft charges - Meng
accused of wrongfully accessing a company computer - A former
research scientist at DuPont USA who is already facing civil charges
for allegedly attempting to steal corporate secrets from the
company, has been hit with a federal criminal complaint on the same
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Principle 9: Banks should take appropriate measures to ensure
adherence to customer privacy requirements applicable to the
jurisdictions to which the bank is providing e-banking products and
Maintaining a customer's information privacy is a key responsibility
for a bank. Misuse or unauthorized disclosure of confidential
customer data exposes a bank to both legal and reputation risk. To
meet these challenges concerning the preservation of privacy of
customer information, banks should make reasonable endeavors to
1) The bank's customer privacy policies and standards take account
of and comply with all privacy regulations and laws applicable to
the jurisdictions to which it is providing e-banking products and
2) Customers are made aware of the bank's privacy policies and
relevant privacy issues concerning use of e-banking products and
3) Customers may decline (opt out) from permitting the bank to
share with a third party for cross-marketing purposes any
information about the customer's personal needs, interests,
financial position or banking activity.
4) Customer data are not used for purposes beyond which they are
specifically allowed or for purposes beyond which customers have
5) The bank's standards for customer data use must be met when
third parties have access to customer data through outsourcing
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security Booklet.
SECURITY TESTING - KEY FACTORS
Management is responsible for considering the following key factors
in developing and implementing independent diagnostic tests:
Personnel. Technical testing is frequently only as good as
the personnel performing and supervising the test. Management is
responsible for reviewing the qualifications of the testing
personnel to satisfy themselves that the capabilities of the testing
personnel are adequate to support the test objectives.
Scope. The tests and methods utilized should be sufficient to
validate the effectiveness of the security process in identifying
and appropriately controlling security risks.
Notifications. Management is responsible for considering whom
to inform within the institution about the timing and nature of the
tests. The need for protection of institution systems and the
potential for disruptive false alarms must be balanced against the
need to test personnel reactions to unexpected activities.
Controls Over Testing. Certain testing can adversely affect
data integrity, confidentiality, and availability. Management is
expected to limit those risks by appropriately crafting test
protocols. Examples of issues to address include the specific
systems to be tested, threats to be simulated, testing times, the
extent of security compromise allowed, situations in which testing
will be suspended, and the logging of test activity. Management is
responsible for exercising oversight commensurate with the risk
posed by the testing.
Frequency. The frequency of testing should be determined by
the institution's risk assessment. High - risk systems should be
subject to an independent diagnostic test at least once a
year. Additionally, firewall policies and other policies addressing
access control between the financial institution's network and other
networks should be audited and verified at least quarterly.
Factors that may increase the frequency of testing include the
extent of changes to network configuration, significant changes in
potential attacker profiles and techniques, and the results of other
(FYI - This is exactly the type of
independent diagnostic testing that the VISTA pen-test study
covers. Please refer to
http://www.internetbankingaudits.com/ for information.)
Proxy Testing. Independent diagnostic testing of a proxy
system is generally not effective in validating the effectiveness of
a security process. Proxy testing, by its nature, does not test the
operational system's policies and procedures, or its integration
with other systems. It also does not test the reaction of personnel
to unusual events. Proxy testing may be the best choice, however,
when management is unable to test the operational system without
creating excessive risk.
the top of the newsletter
IT SECURITY QUESTION:
Determine if cryptographic keys are destroyed in a secure manner
when they are no longer required.
Return to the top of
INTERNET PRIVACY - e continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
33. Except as permitted by §§13-15,
does the institution refrain from disclosing any nonpublic personal
information about a consumer to a nonaffiliated third party, other
than as described in the initial privacy notice provided to the
a. the institution has provided the consumer with a clear and
conspicuous revised notice that accurately describes the
institution's privacy policies and practices;
b. the institution has provided the consumer with a new opt out
c. the institution has given the consumer a reasonable opportunity
to opt out of the disclosure, before disclosing any information; [§8(a)(3)]
d. the consumer has not opted out? [§8(a)(4)]