Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test requirements of
FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with
Gramm-Leach Bliley Act 501(b).
The penetration audit and Internet security testing is an
affordable-sophisticated process than goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, visit
Gov't executives cite unstructured data as top concern - More than
cloud computing, mobile devices and Web 2.0 applications,
unstructured data is the cyberthreat federal government IT
executives are most worried about, according to a survey released
Cyberattacks on U.S. military jump sharply in 2009 - Cyberattacks on
the U.S. Department of Defense -- many of them coming from China --
have jumped sharply in 2009, a U.S. congressional committee
Virus attacks 'jail broken' iPhones - Hackers targeting devices with
disabled pre-installed security for ID theft - Hackers have built a
virus that attacks Apple Inc's iPhone by secretly taking control of
the devices via their Internet connections, security experts said.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Connecticut A.G. calls six-month delay in reporting loss
'incomprehensible' - A hard drive with seven years' worth of
personal financial and medical information on about 1.5 million
customers of Health Net of the Northeast Inc. was reported missing
to state officials yesterday -- six months after the drive went
Spanish payment breach prompts huge German card recall - German
authorities have recalled more than 100,000 credit cards over fears
that crooks may have obtained details of the cards via an unnamed
Spanish payment processing firm.
Second-hand ATM trade opens up fraud risk - Craigslist cash machine
contains 1,000 card numbers - Second-hand ATM machines containing
sensitive transaction data are easily available for purchase on eBay
or even Craiglist, according to an investigation by a US-based
T-Mobile criticised by Information Commissioner after rogue employee
passes on customer details to third parties - Reports have been made
that staff from T-Mobile passed customer details to third party
Hancock Fabrics Linked to Fraud in 3 States - CA, WI and MO
Investigators Say Recent Thefts Tied to Retailer's Transactions -
Bank customers in California, Wisconsin and Missouri are reporting
fraudulent ATM withdrawals that police say are tied to transactions
conducted with the Hancock Fabrics retail chain.
FBI looking at UMC records leak - Agent says 'multiple federal laws'
might have been violated - The FBI said Friday it may investigate a
breach of patient privacy laws at University Medical Center, where
hospital officials are reeling with the realization that at least
one of their employees has leaked confidential names, birth dates
and Social Security numbers.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Sound Practices for Managing Outsourced E-Banking Systems
(Part 3 of 3)
4. Banks should ensure that periodic independent internal and/or
external audits are conducted of outsourced operations to at least
the same scope required if such operations were conducted in-house.
a) For outsourced relationships involving critical or
technologically complex e-banking services/applications, banks may
need to arrange for other periodic reviews to be performed by
independent third parties with sufficient technical expertise.
5. Banks should develop appropriate contingency plans for outsourced
a) Banks need to develop and periodically test their contingency
plans for all critical e-banking systems and services that have been
outsourced to third parties.
b) Contingency plans should address credible worst-case scenarios
for providing continuity of e-banking services in the event of a
disruption affecting outsourced operations.
c) Banks should have an identified team that is responsible for
managing recovery and assessing the financial impact of a disruption
in outsourced e-banking services.
6. Banks that provide e-banking services to third parties should
ensure that their operations, responsibilities, and liabilities are
sufficiently clear so that serviced institutions can adequately
carry out their own effective due diligence reviews and ongoing
oversight of the relationship.
a) Banks have a responsibility to provide serviced institutions
with information necessary to identify, control and monitor any
risks associated with the e-banking service arrangement.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our coverage of the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Security should not be compromised when offering wireless
financial services to customers or deploying wireless internal
networks. Financial institutions should carefully consider the risks
of wireless technology and take appropriate steps to mitigate those
risks before deploying either wireless networks or applications. As
wireless technologies evolve, the security and control features
available to financial institutions will make the process of risk
mitigation easier. Steps that can be taken immediately in wireless
1) Establishing a minimum set of security requirements for
wireless networks and applications;
2) Adopting proven security policies and procedures to address
the security weaknesses of the wireless environment;
3) Adopting strong encryption methods that encompass
end-to-end encryption of information as it passes throughout the
4) Adopting authentication protocols for customers using
wireless applications that are separate and distinct from those
provided by the wireless network operator;
5) Ensuring that the wireless software includes appropriate
audit capabilities (for such things as recording dropped
6) Providing appropriate training to IT personnel on network,
application and security controls so that they understand and can
respond to potential risks; and
9) Performing independent security testing of wireless network
and application implementations.
the top of the newsletter
IT SECURITY QUESTION:
a. Is the core application in-house or outsourced to a data center?
b. What type of network configuration is used?
c. What are the servers' operating systems?
d. What are the workstations' operating systems?
e. Is there a telephone-banking server?
f. Is there a server hosting Internet banking?
g. Are there system logs maintained and reviewed regularly?
h. Are there modem connections to the network?
i. Is a modem log maintained?
j. Is there IT job descriptions?
k. Is there an anti-virus program on all workstations and is the
l. Are there software license agreements for all software?
m. Does the IT department program applications?
n. Are programming requirements outsourced? Vender?
o. Are unauthorized programs such as screen savers prohibited?
p. Does the Board of Directors annually approval the IT policies?
q. If individual computers are not backed up, is important data
saved to network server?
r. Are stand-alone computers with critical data backed up?
s. Are there written IT procedures?
t. Are there network activity reports?
u. Does the personnel manual inform personnel of the Bank's policies
and acceptable computer use?
v. Is a network problem log maintained?
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
39. Does the institution use an appropriate means to ensure
that notices may be retained or obtained later, such as:
a. hand-delivery of a printed copy of the notice; [§9(e)(2)(i)]
b. mailing a printed copy to the last known address of the customer;
c. making the current privacy notice available on the institution's
web site (or via a link to the notice at another site) for the
customer who agrees to receive the notice at the web site? [§9(e)(2)(iii)]