R. Kinney Williams
November 19, 2006
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
FYI - Better
coordination of cybersecurity R&D needed - The federal government
has to do a better job of coordinating research and development on
cybersecurity issues and needs to improve its information sharing
and collaboration efforts on the topic, according to a just-released
report by the Government Accountability Office.
FYI - BT reviews
security after exchange break in - Vandals disconnect 35,000 phone
lines - BT is reviewing security at thousands of telephone exchanges
across the country after a Birmingham exchange was vandalised at the
weekend, causing 35,000 phone lines to be cut.
FYI - Level 3 floored by
robbery - Level 3, the supposedly secure back bone provider, has
lost all services at its Braham Street data centre thanks to a
FYI - Hackers break into
water system network - Pennsylvania breach occurred via compromised
laptop - An infected laptop PC gave hackers access to computer
systems at a Harrisburg, Pa., water treatment plant earlier this
month. The plant's systems were accessed in early October after an
employee's laptop computer was compromised via the Internet and then
used as an entry point to install a computer virus and spyware on
the plant's computer system, according to a report by ABC News.
FYI - Janesville student
expelled for hacking into computers - A high school student has been
expelled after being accused of hacking into the computer system and
causing outages over two weeks last month. The student at Craig High
School has been banned from district schools, said superintendent
FYI - Another VA breach
affects 1,600 veterans from New York system - The Department of
Veterans Affairs (VA) is again warning veterans their identity may
be at risk following the theft of an unencrypted laptop from the
agency's New York Harbor Healthcare System.
FYI - Taken Los Alamos
drives held secrets - U.S. government officials said sensitive and
classified documents were among the files on portable drives taken
from Los Alamos National Laboratory.
FYI - 'Scrubbed' laptop
had data on 6,000 Utahns - More than 6,000 people who worked for
Intermountain Healthcare's central urban region in 1999 have learned
that a file listing their Social Security numbers was briefly for
sale - for $20. The good news, according to Intermountain, is the
man who unknowingly bought the data didn't compromise anyone. And
steps have been taken to see it never happens again.
FYI - Starbucks loses
laptops with worker data - Starbucks Corp. said Friday it had lost
track of four laptop computers, two of which had private information
on about 60,000 current and former U.S. employees and fewer than 80
Canadian workers and contractors.
FYI - PC with personal
information of 1.4 million Colorado residents stolen - A Denver
company today offered $10,000 for information leading to the
recovery of a stolen PC containing a government database with the
personal information of 1.4 million Colorado citizens.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Equal Credit Opportunity Act (Regulation
The regulations clarifies the rules concerning the taking of credit
applications by specifying that application information entered
directly into and retained by a computerized system qualifies as a
written application under this section. If an institution makes
credit application forms available through its on-line system, it
must ensure that the forms satisfy the requirements.
The regulations also clarify the regulatory requirements that apply
when an institution takes loan applications through electronic
media. If an applicant applies through an electronic medium (for
example, the Internet or a facsimile) without video capability that
allows employees of the institution to see the applicant, the
institution may treat the application as if it were received by
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Development and Support
Development and support activities should ensure that new software
and software changes do not compromise security. Financial
institutions should have an effective application and system change
control process for developing, implementing, and testing changes to
internally developed software and purchased software. Weak change
control procedures can corrupt applications and introduce new
security vulnerabilities. Change control considerations relating to
security include the following:
! Restricting changes to authorized users,
! Reviewing the impact changes will have on security controls,
! Identifying all system components that are impacted by the
! Ensuring the application or system owner has authorized changes in
! Maintaining strict version control of all software updates, and
! Maintaining an audit trail of all changes.
Changes to operating systems may degrade the efficiency and
effectiveness of applications that rely on the operating system for
interfaces to the network, other applications, or data. Generally,
management should implement an operating system change control
process similar to the change control process used for application
changes. In addition, management should review application systems
following operating system changes to protect against a potential
compromise of security or operational integrity.
When creating and maintaining software, separate software libraries
should be used to assist in enforcing access controls and
segregation of duties. Typically, separate libraries exist for
development, test, and production.
Return to the top of the
G. APPLICATION SECURITY
1. Determine if operational software storage, program source, object
libraries and load modules are appropriately secured against
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
25. Does the institution permit
each of the joint consumers in a joint relationship to opt out? [§7(d)(2)]
26. Does the opt out notice to joint consumers state that either:
a. the institution will consider an opt out by a joint consumer as
applying to all associated joint consumers; [§7(d)(2)(i)] or
b. each joint consumer is permitted to opt out separately? [§7(d)(2)(ii)]
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.