Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
New Data Privacy Laws Set For Firms - A Nevada law that took effect
this month requires all businesses there to encrypt
personally-identifiable customer data, including names and
credit-card numbers, that are transmitted electronically.
ComputraceOne used by Nottingham police to reduce laptop theft -
Nottingham's students and community members are to receive software
to protect their laptops. Nottinghamshire Police, the Crime and
Drugs Partnership and other agencies have provided funding to give
out the licenses for ComputraceOne from Absolute Software free of
charge in a bid to reduce laptop theft.
Court of Appeal orders men to disclose encryption keys - Two men
have been told that they cannot rely on their right to silence to
refuse to give British police a computer password.
DHS lax on portable device security controls - The Homeland Security
Department has not deployed effective controls on portable storage
devices that may be attached to its unclassified computer systems,
according to an audit report from DHS Inspector General Richard
Skinner released today.
National Cybersecurity Initiative R&D effort launched - The
government officially has begun to formulate a national research and
development agenda for "game-changing ideas" as part of the
multiyear, multibillion-dollar, governmentwide effort to secure
cyberspace through the Comprehensive National Cybersecurity
GAO - Social Security Numbers Are Widely Available in Bulk and
Online Records, but Changes to Enhance Security Are Occurring.
Groups want IT security burden to also fall on CFOs - Cybersecurity
isn't only an IT problem. Instead a successful response requires all
departments to work together, with the CFO coordinating an
enterprise-wide effort. So says a new, free guide developed for CFOs
wanting to have more of a hand in cyber-risk decisions.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Data breaches at state, local agencies expose data about millions -
Data breaches at state and local government agencies exposed the
personal information of nearly 3.8 million Americans in the first
three quarters of this year, according to the Privacy Rights
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 9 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
Customer Service Complaints
Financial institutions should have plans to respond to customer
complaints, including those regarding the appropriateness or quality
of content, services, or products provided or the privacy and
security policies of the third-party site. The plan also should
address how the financial institution will address complaints
regarding any failures of linked third parties to provide agreed
upon products or services.
Monitoring Weblinking Relationships
The financial institution should consider monitoring the
activities of linked third parties as a part of its risk management
strategy. Monitoring policies and procedures should include periodic
content review and testing to ensure that links function properly,
and to verify that the levels of services provided by third parties
are in accordance with contracts and agreements. Website
content is dynamic, and third parties may change the presentation or
content of a website in a way that results in risk to the financial
institution's reputation. Periodic review and testing will reduce
this risk exposure. The frequency of review should be commensurate
with the degree of risk presented by the linked site.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
Firewall Services and Configuration
Firewalls may provide some additional services:
! Network address translation (NAT) - NAT readdresses outbound
packets to mask the internal IP addresses of the network. Untrusted
networks see a different host IP address from the actual internal
address. NAT allows an institution to hide the topology and address
schemes of its trusted network from untrusted networks.
! Dynamic host configuration protocol (DHCP) - DHCP assigns IP
addresses to machines that will be subject to the security controls
of the firewall.
! Virtual Private Network (VPN) gateways - A VPN gateway provides an
encrypted tunnel between a remote external gateway and the internal
network. Placing VPN capability on the firewall and the remote
gateway protects information from disclosure between the gateways
but not from the gateway to the terminating machines.
Placement on the firewall, however, allows the firewall to
inspect the traffic and perform access control, logging, and
malicious code scanning.
One common firewall implementation in financial institutions hosting
Internet applications is a DMZ, which is a neutral Internet
accessible zone typically separated by two firewalls. One firewall
is between the institution's private network and the DMZ and then
another firewall is between the DMZ and the outside public network.
The DMZ constitutes one logical security domain, the outside public
network is another security domain, and the institution's internal
network may be composed of one or more additional logical security
domains. An adequate and effectively managed firewall can ensure
that an institution's computer systems are not directly accessible
to any on the Internet.
Financial institutions have a variety of firewall options from which
to choose depending on the extent of Internet access and the
complexity of their network. Considerations include the ease of
firewall administration, degree of firewall monitoring support
through automated logging and log analysis, and the capability to
provide alerts for abnormal activity.
Return to the top of the
C. HOST SECURITY
10. Determine if vulnerability testing takes
place after each configuration change.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Consumer and Customer:
The distinction between consumers and customers is
significant because financial institutions have additional
disclosure duties with respect to customers. All customers covered
under the regulation are consumers, but not all consumers are
A "consumer" is an individual, or that individual's legal
representative, who obtains or has obtained a financial product or
service from a financial institution that is to be used primarily
for personal, family, or household purposes.
A "financial service" includes, among other things, a
financial institution's evaluation or brokerage of information that
the institution collects in connection with a request or an
application from a consumer for a financial product or service. For
example, a financial service includes a lender's evaluation of an
application for a consumer loan or for opening a deposit account
even if the application is ultimately rejected or withdrawn.
Consumers who are not customers are entitled to an initial privacy
and opt out notice only if their financial institution wants to
share their nonpublic personal information with nonaffiliated third
parties outside of the exceptions.
A "customer" is a consumer who has a "customer
relationship" with a financial institution. A "customer
relationship" is a continuing relationship between a consumer
and a financial institution under which the institution provides one
or more financial products or services to the consumer that are to
be used primarily for personal, family, or household purposes.