Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable-sophisticated process than goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
Microsoft recovers most Sidekick data - Only a small number of
Sidekick users will suffer permanent data loss - Microsoft has good
news for most Sidekick users: The company says it has recovered most
of the data for T-Mobile Sidekick users who saw personal information
accidentally wiped from their devices.
Fugitive hacker headed back to U.S. for arraignment - Edwin Pena
faces 20 federal charges related to hacking and wire fraud in VoIP
theft scam - A Miami man who for three years had evaded prosecution
in connection with the theft and reselling of VoIP services is being
extradited to Newark from Mexico today and is set to be arraigned in
a New Jersey federal courthouse.
Michigan airport grounds website over malware risk - An airport in
Michigan reportedly took down its website late on Monday in response
to a computer virus risk.
FTC increases security obligations of ChoicePoint - The Federal
Trade Commission has punished ChoicePoint for another data breach
after the agency concluded the data broker failed to properly
implement security measures as prescribed in the wake of its
watershed 2005 incident.
Survey finds lax health care privacy in United States - More than
half of American hospitals fail to take appropriate steps to protect
the privacy of patients, according to a new survey of health care IT
ID theft tops list of American's security concerns - More than the
H1N1 flu or their ability to meet financial obligations, Americans
are most concerned about identity theft, according to the latest
Unisys Security Index released Tuesday.
NASA must fix cyber vulnerabilities - A new report from the
Government Accountability Office (GAO) found that NASA has multiple
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Trojan plunders $480k from online bank account - A Pennsylvania
organization that helps develop affordable housing learned a painful
lesson about the hazards of online banking using the Windows
operating system when a notorious trojan siphoned almost $480,000
from its account.
Data on 103,000 Students Misplaced - A flash drive containing the
personal information of more than 103,000 former adult education
students in Virginia was misplaced last month, state education
Ex-Ford engineer charged with trade secret theft - Suspect allegedly
stole trade secrets after accepting job with a competing Chinese
company - A former product engineer at Ford Motor Co. has been
charged with stealing sensitive design documents from the auto maker
worth millions of dollars.
Time Warner Cable Exposes 65,000 Customer Routers to Remote Hacks -
A vulnerability in a Time Warner cable modem and Wi-Fi router
deployed to 65,000 customers would allow a hacker to remotely access
the device's administrative menu over the internet, and potentially
change the settings to intercept traffic, according to a blogger who
discovered the issue.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Principle 10: Banks should have effective capacity,
business continuity and contingency planning processes to help
ensure the availability of e-banking systems and services.
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with customer expectations. To achieve this, the
bank must have the ability to deliver e-banking services to
end-users from either primary (e.g. internal bank systems and
applications) or secondary sources (e.g. systems and applications of
service providers). The maintenance of adequate availability is also
dependent upon the ability of contingency back-up systems to
mitigate denial of service attacks or other events that may
potentially cause business disruption.
The challenge to maintain continued availability of e-banking
systems and applications can be considerable given the potential for
high transaction demand, especially during peak time periods. In
addition, high customer expectations regarding short transaction
processing cycle times and constant availability (24 X 7) has also
increased the importance of sound capacity, business continuity and
contingency planning. To provide customers with the continuity of
e-banking services that they expect, banks need to ensure that:
1) Current e-banking system capacity and future scalability are
analyzed in light of the overall market dynamics for e-commerce and
the projected rate of customer acceptance of e-banking products and
2) E-banking transaction processing capacity estimates are
established, stress tested and periodically reviewed.
3) Appropriate business continuity and contingency plans for
critical e-banking processing and delivery systems are in place and
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security Booklet.
SECURITY TESTING - OUTSOURCED SYSTEMS
Management is responsible for ensuring institution and customer data
is protected, even when that data is transmitted, processed, or
stored by a service provider. Service providers should have
appropriate security testing based on the risk to their
organization, their customer institutions, and the institution's
customers. Accordingly, management and auditors evaluating TSPs
providers should use the above testing guidance in performing
initial due diligence, constructing contracts, and exercising
ongoing oversight or audit responsibilities. Where indicated by the
institution's risk assessment, management is responsible for
monitoring the testing performed at the service provider through
review of timely audits and test results or other equivalent
the top of the newsletter
IT SECURITY QUESTION:
1. Obtain an understanding of the data security
• Identify the financial institution's approach to protecting data
(e.g., protect all data similarly, protect data based upon risk of
• Obtain and review the risk assessment covering financial
institution data. Determine if the risk assessment classifies data
sensitivity in a reasonable manner and consistent with the financial
institution's strategic and business objectives.
• Consider whether policies and procedures address the protections
for data that is sent outside the institution.
• Identify processes to periodically review data sensitivity and
update corresponding risk assessments.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
34. Does the institution deliver a
revised privacy notice when it:
a. discloses a new category of nonpublic personal information to a
nonaffiliated third party; [§8(b)(1)(i)]
b. discloses nonpublic personal information to a new category of
nonaffiliated third party; [§8(b)(1)(ii)] or
c. discloses nonpublic personal information about a former customer
to a nonaffiliated third party, if that former customer has not had
the opportunity to exercise an opt out right regarding that
(Note: a revised
notice is not required if the institution adequately described the
nonaffiliated third party or information to be disclosed in the
prior privacy notice. [§8(b)(2)])