R. Kinney Williams & Associates

Internet Banking News

November 26, 2006

CONTENTS
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to verify their IT security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Cop's errant click posts personal info - There's a new reason to be concerned about an encounter with local police, whether you're a victim or a suspect. In Ohio last month, a police department accidentally published intimate details about every person officers encountered during a single day, including Social Security Numbers, driver's license numbers and more. http://redtape.msnbc.com/2006/11/cops_errant_cli.html

FYI - November 14, 2006 - Former NCUA Employee Pleads Guilty to Illegal Access of a Government Computer - National Credit Union Administration Inspector General William A. DeSarno announced today that former NCUA employee Raymond Lindeman, Jr., of Coventry, Rhode Island, pleaded guilty yesterday to a charge of unauthorized access of a government computer in violation of federal law. www.ncua.gov/news/press_releases/2006/MR06-1114.htm

FYI - Beware Social Security e-mail scam - 'Phishers' are trying to get personal information from e-mail recipients by threatening to suspend their Social Security accounts. If you get an e-mail announcing the cost-of-living increases scheduled for 2007 Social Security benefits and purporting to be from the Social Security Administration, don't answer it and don't click on any links in the e-mail. http://money.cnn.com/2006/11/07/pf/Social_Security_email/index.htm?section=money_latest

FYI - Bank account data swiped in gas-station scam - Devices attached to pay-at-the-pump stations recorded info from hundreds of cards, police say. Hundreds of people had their bank account information compromised when they paid at outside pay pumps at three gas stations in Orange County and one in Torrance. http://www.ocregister.com/ocregister/homepage/abox/article_1350521.php

FYI - 49 Million U.S. Adults Notified Of Data Breaches - An estimated 49 million U.S. adults have been told over the last three years that their personal information has been lost, stolen, or improperly disclosed, according to a research firm. Most of the notifications came from government agencies and financial institutions. http://www.techweb.com/article/printableArticle.jhtml?articleID=193700752&site_section=700029

FYI - Cingular plans mobile banking service for 2007 - Cingular Wireless, the No. 1 U.S. cellular operator, said on Wednesday it is talking with banks about letting its customers manage their money by cell phone as part of a push to expand phone use beyond talking. http://www.washingtonpost.com/wp-dyn/content/article/2006/11/15/AR2006111500097.html

MISSING COMPUTERS/DATA

FYI - FBI locates missing Hertz Computer - Hertz Global Holdings, owners of the world's largest rental-car company, said the FBI found a computer containing the names and Social Security numbers of most of Hertz's U.S. workers at the home of a former employee. http://www.sltrib.com/business/ci_4642128

FYI - LANL contractor information could be at risk - As many as 1,000 contract employees who work in Los Alamos have been warned that a compact disk containing their personal information could be missing. http://www.freenewmexican.com/news/51948.html


WEB SITE COMPLIANCE -
Advertisement Of Membership

The FDIC and NCUA consider every insured depository institution's online system top-level page, or "home page", to be an advertisement. Therefore, according to these agencies' interpretation of their rules, financial institutions subject to the regulations should display the official advertising statement on their home pages unless subject to one of the exceptions described under the regulations. Furthermore, each subsidiary page of an online system that contains an advertisement should display the official advertising statement unless subject to one of the exceptions described under the regulations. Additional information about the FDIC's interpretation can be found in the Federal Register, Volume 62, Page 6145, dated February 11, 1997.


INFORMATION TECHNOLOGY SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  


SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION

Source Code Review and Testing

Application and operating system source code can have numerous vulnerabilities due to programming errors or misconfiguration. Where possible, financial institutions should use software that has been subjected to independent security reviews of the source code especially for Internet facing systems. Software can contain erroneous or intentional code that introduces covert channels, backdoors, and other security risks into systems and applications. These hidden access points can often provide unauthorized access to systems or data that circumvents built-in access controls and logging. The source code reviews should be repeated after the creation of potentially significant changes.



IT SECURITY QUESTION:

G. APPLICATION SECURITY

2. Determine if user input is validated appropriately (e.g. character set, length, etc).
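The examination question above asks whether user input is checked for character set and length. The following is an added example, not code from the newsletter, the FFIEC booklet, or any examiner's checklist: a small allowlist validator in which each field has a permitted character pattern plus minimum and maximum lengths. The field names and rules (username, account_number, amount) are constructed for illustration only. The validator normalizes Unicode first and rejects control characters outright, so that the length and pattern checks run against the canonical form an application would actually store.

```python
import re
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldRule:
    """Allowlist rule for one input field (constructed for this example)."""
    pattern: str   # regex that the ENTIRE normalized value must match
    min_len: int   # inclusive lower bound on length in characters
    max_len: int   # inclusive upper bound on length in characters


# Constructed example rules; real limits come from the application's own data model.
RULES = {
    "username": FieldRule(r"[A-Za-z0-9_]+", 3, 32),
    "account_number": FieldRule(r"[0-9]+", 8, 12),
    # up to nine integer digits, optionally followed by exactly two decimals
    "amount": FieldRule(r"[0-9]{1,9}(\.[0-9]{2})?", 1, 12),
}


def validate_field(name, raw):
    """Return (True, canonical_value) on success or (False, reason) on failure."""
    rule = RULES.get(name)
    if rule is None:
        # Unknown fields are rejected rather than passed through silently.
        return False, "unknown field"
    if not isinstance(raw, str):
        return False, "not a string"

    # Canonicalize before checking: fullwidth or composed forms become their
    # compatibility equivalents, so the checks see what will be stored.
    value = unicodedata.normalize("NFKC", raw)

    # Reject any Unicode "Other" category (Cc control, Cf format, Co private use,
    # Cs surrogate, Cn unassigned) before length or pattern checks.
    if any(unicodedata.category(ch).startswith("C") for ch in value):
        return False, "control characters not allowed"

    if not (rule.min_len <= len(value) <= rule.max_len):
        return False, f"length must be {rule.min_len}-{rule.max_len} characters"

    # fullmatch anchors the allowlist to the whole string, so no stray
    # leading or trailing characters slip past a partial match.
    if not re.fullmatch(rule.pattern, value):
        return False, "does not match the allowed format"

    return True, value


def validate_request(fields):
    """Validate a dict of submitted fields; return (clean_values, errors)."""
    clean, errors = {}, {}
    for name, raw in fields.items():
        ok, result = validate_field(name, raw)
        if ok:
            clean[name] = result
        else:
            errors[name] = result
    return clean, errors


if __name__ == "__main__":
    # Constructed sample submission: one good field, two that fail in different ways.
    sample = {
        "username": "alice_01",
        "account_number": "1234567",         # too short
        "amount": "100.5",                    # one decimal digit instead of two
    }
    print(validate_request(sample))
```

The order of the checks matters: normalization first, then the control-character reject, then length, then the allowlist pattern. Checking length on the normalized value keeps a multi-codepoint input from passing a byte-length limit and failing later in storage, and applying the pattern with `fullmatch` avoids the common `re.match` mistake of validating only a prefix.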


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

27. If each joint consumer may opt out separately, does the institution permit:

a. one joint consumer to opt out on behalf of all of the joint consumers; [§7(d)(3)]

b. the joint consumers to notify the institution in a single response; [§7(d)(5)] and

c. each joint consumer to opt out either for himself or herself, and/or for another joint consumer? [§7(d)(5)]


NETWORK SECURITY TESTING
- IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test.  With the Gramm-Leach-Bliley and the regulator's IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network.  For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated