Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 41 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
Major League Baseball, National Hockey League websites hit by
traffic-redirection attack - Malicious banner ads first affected
visitors to the websites of Major League Baseball and the National
Hockey League late last week, according to researchers at Exploit
Nevada tightens payroll security - Under the new procedures, disks
must be signed for and returned to the personnel department after
each pay period. Passwords will be required to read data stored on
CDs. And state employee information will be correlated to unique
employee identification numbers instead of Social Security numbers.
FCO breached data privacy of 50,000 visa applicants - The personal
details of 50,000 visa applicants were on view to visitors to a
website run by the Foreign and Commonwealth Office, the Information
Commissioner's Office has found.
Commonwealth passes security question to Netbank users -
Commonwealth Bank is looking to shift concerns over online security
to Netbank customers with the announcement that it will be giving
away security software to a selection of users.
Ulster Bank steps up security against ID theft - Ulster Bank is
issuing special card readers to its internet banking customers as
part of ongoing measures to combat online banking fraud. The
free-of-charge readers are part of Ulster Bank's overall enhanced
security strategy to prevent identity theft by making it difficult
for attackers to steal a user's online identity.
Targeted e-mail attacks spoof DOJ, business group - Security expert
says latest attacks part of an escalating problem. Availability of
toolkits, rise of social networks are making it easier for phishers.
Security experts warned this week of two separate e-mail attacks
launched Monday that take aim at specific individuals within
NIST addresses security for industrial controls systems - Print this
Email this Purchase a Reprint Link to this page The National
Institute of Standards and Technology has released an initial draft
of new security guidelines for government information technology
systems used for industrial control processes. The guidelines are in
a revised appendix to NIST Special Publication 800-53, "Recommended
Security Controls for Federal Information Systems."
UK bank data of millions missingStory Highlights - Britain's tax and
customs service lost banking and personal data of 25 million people
-- nearly half the country's population -- when two computer disks
disappeared in an internal mail service, the Treasury chief said.
Deja vu all over again at Veterans Administration - Another breach
for an agency that's prone to them - In what's become a fairly
familiar routine for them of late, the U.S. Department of Veterans
Affairs is investigating a potential data breach -- the theft of
three computers containing personal data on potentially 12,000
Missing: 25m people's personal data - Computer discs holding
sensitive personal data on 25 million people and 7.25 million
families have gone missing, Chancellor Alistair Darling has admitted
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
week begins our series on the Federal Financial Institutions Examination Council Guidance
on Electronic Financial Services and Consumer Compliance.
Electronic Fund Transfer Act,
Regulation E (Part 1 of 2)
Generally, when on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the
consumer's deposit account at an electronic terminal or personal
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An Interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign-up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue the series
from the FDIC "Security Risks Associated with the
Product Certification and Security Scanning Products
Several organizations exist which independently assess and
certify the adequacy of firewalls and other computer system related
products. Typically, certified products have been tested for their
ability to permit and sustain business functions while protecting
against both common and evolving attacks.
Security scanning tools should be run frequently by system
administrators to identify any new vulnerabilities or changes in the
system. Ideally, the scan should be run both with and without the
firewall in place so the firewall's protective capabilities can be
fully evaluated. Identifying the susceptibility of the system
without the firewall is useful for determining contingency
procedures should the firewall ever go down. Some scanning tools
have different versions with varying degrees of intrusion/attack
the top of the newsletter
IT SECURITY QUESTION:
Network user access controls: (Part 1 of 2)
a. Is there a written procedure for password administration?
b. If a username is required, does the system automatically enter
c. Is the password length six or greater?
d. Is the use of proper nouns and dictionary words discouraged?
e. Is the password required to include upper and lower case letters,
special characters, and numbers?
f. Are passwords required to be changed at least every 30 days?
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
5) When the subsequent delivery of a privacy notice is
permitted, does the institution provide notice after establishing a
customer relationship within a reasonable time? [§4(e)]