R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

November 22, 2009

CONTENTS: Internet Compliance; Information Systems Security; IT Security Question; Internet Privacy; Website for Penetration Testing
 
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Corporate bank accounts targeted in online fraud - Criminals have tried to steal an estimated $100 million from corporate bank accounts using targeted malware and money mules, the FBI said.
http://news.cnet.com/8301-27080_3-10390118-245.html?part=rss&subj=news&tag=2547-1009_3-0-20
http://www.ic3.gov/media/2009/091103-1.aspx

FYI - Judge spanks lawyer for leaking personal details in brief - 'Negligent, inattentive electronic filing' - A judge has chastised a lawyer for including the social security numbers and birthdays of 179 individuals in an electronic court brief, ordering him to pay a $5,000 sanction and provide credit monitoring. http://www.theregister.co.uk/2009/11/05/judge_sanctions_attorney/

FYI - Browser cookie handling could widen web attack space - Attacker could gain free rein over principal production domain. A web security researcher has revealed a major new threat to most websites due to the contradictory way that cookies and the domain name system (DNS) act. http://www.securecomputing.net.au/News/159809,browser-cookie-handling-could-widen-web-attack-space.aspx

FYI - Corporate Breaches Increase Chances Of Consumer ID Theft, Study Says - When their data is leaked by a business, individuals are four times more likely to suffer identity theft - Consumers who have received data breach notifications within the past year are at a much greater risk for fraud than typical consumers, according to a new study. http://www.darkreading.com/security/privacy/showArticle.jhtml?articleID=221600348

FYI - Apple iPhones hit by major worm attack after a Rick Astley 'joke' spirals out of control - Users of the Apple iPhone have been warned of the first major worm to hit the handset. http://www.scmagazineuk.com/Apple-iPhones-hit-by-major-worm-attack-after-a-Rick-Astley-joke-spirals-out-of-control/article/157359/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Men allegedly broke into computers of former employer - Poor password hygiene indictment - Federal authorities on Wednesday filed intrusion charges against two men accused of accessing the computer systems of their former employer. http://www.theregister.co.uk/2009/11/05/computer_intrusion_charges_filed/

FYI - Computer theft suit bites feds for $751K - The federal government paid out $751,750 to avoid a class action lawsuit after personal information was stolen from a Canada Revenue Agency office. http://www.edmontonsun.com/news/canada/2009/11/07/11668041-sun.html

FYI - Bord Gáis implements new security regime after major data breach - Encryption is to be deployed on all Bord Gáis laptops and workers are to receive classroom training and awareness on data protection following an investigation on the loss of laptops containing details of 75,000 customers. http://www.siliconrepublic.com/news/article/14343/cio/bord-gais-implements-new-security-regime-after-major-data-breach


WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.

Sound Practices for Managing Outsourced E-Banking Systems and Services (Part 1 of 3)

1. Banks should adopt appropriate processes for evaluating decisions to outsource e-banking systems or services.

a)  Bank management should clearly identify the strategic purposes, benefits and costs associated with entering into outsourcing arrangements for e-banking with third parties.
b)  The decision to outsource a key e-banking function or service should be consistent with the bank's business strategies, be based on a clearly defined business need, and recognize the specific risks that outsourcing entails.
c)  All affected areas of the bank need to understand how the service provider(s) will support the bank's e-banking strategy and fit into its operating structure.

2. Banks should conduct appropriate risk analysis and due diligence prior to selecting an e-banking service provider and at appropriate intervals thereafter.

a)  Banks should consider developing processes for soliciting proposals from several e-banking service providers and criteria for choosing among the various proposals.
b)  Once a potential service provider has been identified, the bank should conduct an appropriate due diligence review, including a risk analysis of the service provider's financial strength, reputation, risk management policies and controls, and ability to fulfill its obligations.
c)  Thereafter, banks should regularly monitor and, as appropriate, conduct due diligence reviews of the ability of the service provider to fulfill its service and associated risk management obligations throughout the duration of the contract.
d)  Banks need to ensure that adequate resources are committed to overseeing outsourcing arrangements supporting e-banking.
e)  Responsibilities for overseeing e-banking outsourcing arrangements should be clearly assigned.
f)  An appropriate exit strategy should be in place for the bank to manage risks should it need to terminate the outsourcing relationship.

 
INFORMATION TECHNOLOGY SECURITY - We conclude our series on the FFIEC interagency Information Security Booklet.

MONITORING AND UPDATING - UPDATING

Financial institutions should evaluate the information gathered to determine the extent of any required adjustments to the various components of their security program. The institution will need to consider the scope, impact, and urgency of any new threat. Depending on the new threat or vulnerability, the institution will need to reassess the risk and make changes to its security process (e.g., the security strategy, the controls implementation, or the security testing requirements).

Institution management confronts routine security issues and events on a regular basis. In many cases, the issues are relatively isolated and may be addressed through an informal or targeted risk assessment embedded within an existing security control process. For example, the institution might assess the risk of a new operating system vulnerability before testing and installing the patch. More systemic events like mergers, acquisitions, new systems, or system conversions, however, would warrant a more extensive security risk assessment. Regardless of the scope, the potential impact and the urgency of the risk exposure will dictate when and how controls are changed.



IT SECURITY QUESTION: DATA SECURITY

4. Determine whether, where appropriate, the system securely links the receipt of information with the originator of the information and other identifying information, such as date, time, address, and other relevant factors.
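One way a system can "securely link" a received item to its originator and the surrounding facts (date, time, source address) is to record a receipt whose fields are bound together by a keyed MAC, so that no single field can be altered afterwards without detection. The following is an added example written for this newsletter, not code from the FFIEC booklet or from any institution's system. It assumes a hypothetical receiving application that holds a server-side secret key; the key, the customer IDs, the source address and the payloads are constructed sample data.

```python
"""Tamper-evident receipt records that bind a received payload to its originator
and context (UTC timestamp, source address).

Added example, not from the newsletter or the FFIEC booklet. Assumes a
hypothetical receiving system holding a server-side key; all IDs, addresses and
payloads below are constructed sample data.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Hypothetical sealing key. In a real deployment this would come from an HSM or
# a secrets manager and would never be hard-coded.
RECEIPT_KEY = b"example-receipt-key-do-not-use-in-production"


def _seal(record: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON serialisation of every field except the seal.
    Canonical (sorted keys, no whitespace) so the MAC covers a deterministic byte string."""
    fields = {k: v for k, v in record.items() if k != "seal"}
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def make_receipt(payload: bytes, originator: str, source_addr: str,
                 received_at: datetime, key: bytes = RECEIPT_KEY) -> dict:
    """Build a receipt linking the payload digest to who sent it, from where and when,
    then seal the whole record so the fields cannot be re-associated after the fact."""
    record = {
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
        "originator": originator,
        "source_addr": source_addr,
        "received_at": received_at.astimezone(timezone.utc).isoformat(),
    }
    record["seal"] = _seal(record, key)
    return record


def verify_receipt(record: dict, payload: Optional[bytes] = None,
                   key: bytes = RECEIPT_KEY) -> bool:
    """Check the seal with a constant-time comparison; if the payload is supplied,
    also check that it is the one the receipt was issued for."""
    if not hmac.compare_digest(_seal(record, key), record.get("seal", "")):
        return False
    if payload is not None:
        return hmac.compare_digest(hashlib.sha256(payload).hexdigest(),
                                   record["payload_sha256"])
    return True


def demo() -> dict:
    """Issue a receipt for a constructed transfer request, then show that changing the
    originator, the payload, or the timestamp is detected."""
    payload = b'{"account":"12345678","amount":"250.00"}'   # constructed sample
    when = datetime(2009, 11, 20, 14, 30, 5, tzinfo=timezone.utc)
    receipt = make_receipt(payload, "cust-0042", "203.0.113.7", when)

    swapped_originator = dict(receipt, originator="cust-0099")
    backdated = dict(receipt, received_at="2009-11-19T14:30:05+00:00")
    other_payload = b'{"account":"12345678","amount":"2500.00"}'

    return {
        "genuine": verify_receipt(receipt, payload),
        "swapped_originator": verify_receipt(swapped_originator, payload),
        "backdated": verify_receipt(backdated, payload),
        "other_payload": verify_receipt(receipt, other_payload),
        "wrong_key": verify_receipt(receipt, payload, key=b"some-other-key"),
    }


if __name__ == "__main__":
    print(demo())
```

A server-held HMAC key proves the institution's own record was not altered after it was written; it does not prove to a third party that the customer sent the item, because the institution could have written any record it liked. Where the examiner's question is about non-repudiation against the institution itself, the receipt needs to include a signature made with a key only the originator holds (for example, a digitally signed request), and the receipt log itself should be append-only or hash-chained so that deleting a record is as detectable as altering one.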


INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

37.  For annual notices only, if the institution does not employ one of the methods described in question 36, does the institution employ one of the following reasonable means of delivering the notice:

a. for the customer who uses the institution's web site to access products and services electronically and who agrees to receive notices at the web site, continuously posting the current privacy notice on the web site in a clear and conspicuous manner; [§9(c)(1)] or

b. for the customer who has requested the institution refrain from sending any information about the customer relationship, making copies of the current privacy notice available upon customer request? [§9(c)(2)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated