R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

November 16, 2014

CONTENT
Internet Compliance
IT Security
Internet Privacy
Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act Section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - The Federal Bureau of Investigation (FBI) arrested one of its "Most Wanted Cyber Fugitives" earlier this week in Tijuana, Mexico, nearly five months after his indictment. He allegedly stole the identities of 40,000 people and then used their information to siphon funds from their brokerage or bank accounts to pay for expensive electronics, which led to losses in the millions of dollars.  http://www.scmagazine.com/fbi-arrests-most-wanted-cyber-fugitive-in-tijuana/article/381914/

FYI - Windows vulnerability identified as root cause in Home Depot breach - In a detailed account of Home Depot's breach, The Wall Street Journal disclosed that the compromised credit cards and emails could have been stolen as a result of a Windows vulnerability in the retailer's main network. http://www.scmagazine.com/home-depot-breach-caused-by-windows-vulnerability/article/382450/

FYI - Efforts to protect US government data against hackers undermined by worker mistakes - A $10bn-a-year effort to protect sensitive government data, from military secrets to social security numbers, is struggling to keep pace with an increasing number of cyberattacks and is unwittingly being undermined by federal employees and contractors. http://www.theguardian.com/technology/2014/nov/10/us-government-hacking-cybercrime-workers-crime

FYI - Postal workers union files charges following USPS breach - The American Postal Workers Union (APWU) has filed charges to the National Labor Relations Board against the Postal Service for failing to consult with the group following its recent data breach. http://www.scmagazine.com/postal-workers-union-files-charges-following-usps-breach/article/382916/

FYI - Home Depot hackers stole 53 million email addresses - US retail giant Home Depot says hackers who stole payment-card details of millions of customers also stole 53 million email addresses. http://www.bbc.com/news/world-us-canada-29946792

FYI - USPS investigates breach, more than 800K employees possibly affected - The United States Postal Service (USPS) announced on Monday that an investigation is underway – led by the FBI and joined by other federal and postal investigatory agencies – with regard to a cyber security intrusion into some of its information systems.

FYI - Feeling safe in your executive hotel suite, Mr CEO? Well, DON'T - Corporate bosses clobbered on luxury venue networks by 'Darkhotel' - Corporate bosses are coming under attack from a shadowy new group that spreads malware by hijacking the networks of luxury hotels. http://www.theregister.co.uk/2014/11/10/corporate_bosses_clobbered_as_they_sleep/

FYI - BrowserStack HACK ATTACK: Service still suspended after rogue email - Admits breach, but only within email address list - Browser testing service BrowserStack has temporarily suspended its services while it recovers from a "hack attack" by someone apparently bent on discrediting the security of the widely used tool. http://www.theregister.co.uk/2014/11/10/browserstack_hack_attack_service_still_suspended_after_rogue_email/

FYI - Wildfire breach affects 15,000 - British Columbia's provincial government is notifying 15,000 individuals after a privacy breach in its Wildfire Management Branch. http://www.scmagazine.com/wildfire-breach-affects-15000/article/382519/

FYI - Four NOAA websites compromised by an internet-sourced attack - Four NOAA websites were compromised in recent weeks by an internet-sourced attack, according to a National Oceanic and Atmospheric Administration (NOAA) statement emailed to SCMagazine.com by Scott Smullen, deputy director of NOAA communications and external affairs. http://www.scmagazine.com/four-noaa-websites-compromised-by-an-internet-sourced-attack/article/382918/

FYI - Visionworks notifies 75K Maryland customers of missing database server - Texas-based eye care services provider Visionworks is notifying as many as 75,000 customers who received services at its Jennifer Square location in Annapolis, MD that an investigation is underway to locate a missing database server potentially containing their personal information. http://www.scmagazine.com/visionworks-notifies-75k-maryland-customers-of-missing-database-server/article/382915/

We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

 Principle 9: Banks should take appropriate measures to ensure adherence to customer privacy requirements applicable to the jurisdictions to which the bank is providing e-banking products and services.
 Maintaining a customer's information privacy is a key responsibility for a bank. Misuse or unauthorized disclosure of confidential customer data exposes a bank to both legal and reputation risk. To meet these challenges concerning the preservation of privacy of customer information, banks should make reasonable endeavors to ensure that:
 1)  The bank's customer privacy policies and standards take account of and comply with all privacy regulations and laws applicable to the jurisdictions to which it is providing e-banking products and services.
 2)  Customers are made aware of the bank's privacy policies and relevant privacy issues concerning use of e-banking products and services.
 3)  Customers may decline (opt out) from permitting the bank to share with a third party for cross-marketing purposes any information about the customer's personal needs, interests, financial position or banking activity.
 4)  Customer data are not used for purposes beyond which they are specifically allowed or for purposes beyond which customers have authorized.
 5)  The bank's standards for customer data use must be met when third parties have access to customer data through outsourcing relationships.

We continue our series on the FFIEC interagency Information Security Booklet.  
 Many financial institutions outsource some aspect of their operations. Although outsourcing arrangements often provide a cost-effective means to support the institution's technology needs, the ultimate responsibility and risk rests with the institution. Financial institutions are required under Section 501(b) of the GLBA to ensure service providers have implemented adequate security controls to safeguard customer information. Supporting interagency guidelines require institutions to:
 - Exercise appropriate due diligence in selecting service providers,
 - Require service providers by contract to implement appropriate security controls to comply with the guidelines, and
 - Monitor service providers to confirm that they are maintaining those controls when indicated by the institution's risk assessment.
 Financial institutions should implement these same precautions in all technology service provider (TSP) relationships, scaled to the provider's level of access to systems or data, for safety and soundness reasons in addition to the privacy requirements.
 Financial institutions should evaluate the following security considerations when selecting or monitoring a service provider:
 - Service provider references and experience,
 - Security expertise of TSP personnel,
 - Background checks on TSP personnel,
 - Contract assurances regarding security responsibilities and controls,
 - Nondisclosure agreements covering the institution's systems and data,
 - Ability to conduct audit coverage of security controls, or provisions for reports of security testing from independent third parties, and
 - Clear understanding of the provider's security incident response policy and assurance that the provider will promptly notify the institution of security incidents in which its systems or data may have been compromised.

(At the end of November 2014, we will discontinue this section on Internet Privacy.  You will find the entire regulation PART 332—PRIVACY OF CONSUMER FINANCIAL INFORMATION at http://www.fdic.gov/regulations/laws/rules/2000-5550.html.)

We continue our series listing the regulatory-privacy examination questions.  By answering each week's question, you will help ensure compliance with the privacy regulations.
 Reuse & Redisclosure of nonpublic personal information received from a nonaffiliated financial institution under Sections 14 and/or 15.

 A. Through discussions with management and review of the institution's procedures, determine whether the institution has adequate practices to prevent the unlawful redisclosure and reuse of the information where the institution is the recipient of nonpublic personal information (§11(a)).
 B. Select a sample of data received from nonaffiliated financial institutions to evaluate the financial institution's compliance with reuse and redisclosure limitations.
 1.  Verify that the institution's redisclosure of the information was only to affiliates of the financial institution from which the information was obtained or to the institution's own affiliates, except as otherwise allowed in step 2 below (§11(a)(1)(i) and (ii)).
 2.  Verify that the institution only uses and shares the data pursuant to an exception in Sections 14 and 15 (§11(a)(1)(iii)).

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated