Spending less than 5 minutes a week, along with a cup of coffee, you can monitor your IT security as required by the FFIEC's "Interagency Guidelines Establishing Information Security Standards."
For more information and to subscribe visit http://www.yennik.com/it-review/.
FYI -
Vulnerabilities Found In Banking Apps - Security holes in Android
and iPhone apps from PayPal, Bank of America, Chase, Wells Fargo,
and more could give attackers access to financial data.
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=228200291&cid=RSSfeed_IWK_News
FYI -
Federal gov't releases draft cloud security guidelines - The U.S.
government's CIO Council this week released a draft document
outlining a proposed government-wide cloud computing risk and
authorization management program.
http://www.scmagazineus.com/federal-govt-releases-draft-cloud-security-guidelines/article/190172/?DCMP=EMC-SCUS_Newswire
FYI -
FTC names Princeton computer security expert as first chief
technologist - The Federal Trade Commission appointed Princeton
University professor Edward Felten as its first chief technologist.
http://voices.washingtonpost.com/posttech/2010/11/ftc_names_internet_security_an.html
FYI -
File Sharing Mom Ordered To Pay $1.5 Million - RIAA applauds jury's
decision in third trial of the Minnesota mother of four who
illegally downloaded 24 songs. - A Minnesota woman was ordered to
pay $1.5 million for illegally downloading 24 songs, in her third
trial in three years. The verdict was hailed by the record industry
as justified.
http://www.informationweek.com/news/software/server_virtualization/showArticle.jhtml?articleID=228200244
FYI -
Sealed Courtroom Sought in High-Speed - Federal prosecutors in
Manhattan have asked a judge to seal the courtroom in an upcoming
corporate-espionage trial to protect the secret of Goldman Sachs’
controversial high-speed trading software.
http://www.wired.com/threatlevel/2010/11/sergey-aleynikov/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Facebook, Twitter fail latest security assessment - A nonprofit
security think tank's "report card" has failed Facebook and Twitter
for neglecting to implement safeguards that are available on other
popular online services.
http://www.scmagazineus.com/facebook-twitter-fail-latest-security-assessment/article/190264/?DCMP=EMC-SCUS_Newswire
FYI -
Two alleged Zeus mules arrested in Wisconsin - Two Moldovan men were
charged this week for their involvement with the Zeus trojan, which
has been used to steal millions of dollars from U.S. bank accounts.
http://www.scmagazineus.com/two-alleged-zeus-mules-arrested-in-wisconsin/article/190213/?DCMP=EMC-SCUS_Newswire
FYI -
Royal Navy website attacked by Romanian hacker - The hacker gained
access to the website on 5 November using a common attack method
known as SQL injection.
http://www.bbc.co.uk/news/technology-11711478
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=228200418&cid=RSSfeed_IWK_All
WEB SITE COMPLIANCE -
Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program
requires a financial institution to notify a prospective borrower
and the servicer that the structure securing the loan is located or
to be located in a special flood hazard area. The regulation also
requires a notice of the servicer's identity be delivered to the
insurance provider. While the regulation addresses electronic
delivery to the servicer and to the insurance provider, it does not
address electronic delivery of the notice to the borrower.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet. This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and, most importantly, your outsourced network security consultants. Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription form at https://yennik.com/newletter_page.htm. There is no charge for the e-newsletter.
ROLES AND RESPONSIBILITIES (1 of 2)
Information security is the responsibility of everyone at the
institution, as well as the institution's service providers and
contractors. The board, management, and employees all have different
roles in developing and implementing an effective security process.
The board of directors is responsible for overseeing the
development, implementation, and maintenance of the institution's
information security program. Oversight requires the board to
provide management with guidance and receive reports on the
effectiveness of management's response. The board should approve
written information security policies and the information security
program at least annually. The board should provide management with
its expectations and requirements for:
1) Central oversight and coordination,
2) Areas of responsibility,
3) Risk measurement,
4) Monitoring and testing,
5) Reporting, and
6) Acceptable residual risk.
Senior management's attitude towards security affects the entire
organization's commitment to security. For example, the failure of a
financial institution president to comply with security policies
could undermine the entire organization's commitment to security.
Senior management should designate one or more individuals as
information security officers. Security officers should be
responsible and accountable for security administration. At a
minimum, they should directly manage or oversee risk assessment,
development of policies, standards, and procedures, testing, and
security reporting processes. Security officers should have the
authority to respond to a security event by ordering emergency
actions to protect the financial institution and its customers from
an imminent loss of information or value. They should have
sufficient knowledge, background, and training, as well as an
organizational position, to enable them to perform their assigned
tasks.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
10) Does the institution list the following categories of nonpublic
personal information that it discloses, as applicable, and a few
examples of each, or alternatively state that it reserves the right
to disclose all the nonpublic personal information that it collects:
a) information from the consumer;
b) information about the consumer's transactions with the
institution or its affiliates;
c) information about the consumer's transactions with nonaffiliated
third parties; and
d) information from a consumer reporting agency? [§6(c)(2)]