Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
Risk Management Program Revised IT Officer's Questionnaire -
The FDIC has updated its risk-focused Information Technology
examination procedures for FDIC-supervised financial institutions.
FYI - Visa fines Ohio
bank in TJX data breach - Fifth Third Bancorp, the Ohio bank that
was fined $880,000 by Visa for its role in the customer data
security breach at TJX Cos., the largest ever, also paid fines and
compensation totaling $1.4 million following the loss of data from
BJ's Wholesale Club Inc. several years ago, a court filing shows.
FYI - Insider charged
with hacking California canal system - A man has been charged with
hacking a computer used to control water canals in California. A
former employee of a small California canal system has been charged
with installing unauthorized software and damaging the computer used
to divert water from the Sacramento River.
FYI - Should IT security
workers become professionals? - Lawyers, doctors and engineers are
professionals. Now, with public confidence in IT ebbing as data
thefts dominate headlines, its time for security workers to debate
becoming a self-managing group.
FYI - Visa and TJX Agree
to Provide U.S. Issuers up to $40.9 Million for Data Breach Claims -
U.S. Visa Issuers Eligible to Participate in Speedy, Alternative
Recovery Program - Visa Inc. announced today it has negotiated an
agreement with The TJX Companies, Inc. (TJX) and its U.S. acquirer
to offer an alternative recovery program to U.S. issuers that may
have been affected by the retailer's previously announced
unauthorized computer intrusion(s).
FYI - Hackers Launch
Cyber Attack on Federal Lab - Oak Ridge National Laboratory Says
Breach Could Have Compromised Visitor Information - A "sophisticated
cyber attack" has been detected at Oak Ridge National Laboratory
over the last several weeks that may have compromised the personal
information of thousands of visitors to the lab, according to a
communiqué sent to employees.
FYI - 30,000 Dutch
Telsell-customer creditcard details stolen from Telsell computers -
Telsell claims not their responsibility - Customers of the
television-sales organization TelSell can not only tele-shop while
relaxing in their lazy chair, they also have a good chance to be
robbed, while in that same chair.
FYI - Tesco online store
'is infiltrated by insider card fraudster - Customers shopping at
Britain's biggest Internet store - Tesco Direct - are feared to have
had their card details stolen by a company insider.
FYI - Massachusetts Data
Breach Puts Seniors at Risk - Compromise of the state's insurance
program could expose 150,000 residents to identity theft. The state
of Massachusetts is warning 150,000 members of its Prescription
Advantage insurance program that their personal information may have
been snatched by an identity thief.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Equal Credit Opportunity Act (Regulation
The regulations clarifies the rules concerning the taking of credit
applications by specifying that application information entered
directly into and retained by a computerized system qualifies as a
written application under this section. If an institution makes
credit application forms available through its on-line system, it
must ensure that the forms satisfy the requirements.
The regulations also clarify the regulatory requirements that apply
when an institution takes loan applications through electronic
media. If an applicant applies through an electronic medium (for
example, the Internet or a facsimile) without video capability that
allows employees of the institution to see the applicant, the
institution may treat the application as if it were received by
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue the series
from the FDIC "Security Risks Associated with the
Logical Access Controls (Part 2 of 2)
Token technology relies on a
separate physical device, which is retained by an individual, to
verify the user's identity. The token resembles a small hand-held
card or calculator and is used to generate passwords. The device is
usually synchronized with security software in the host computer
such as an internal clock or an identical time based mathematical
algorithm. Tokens are well suited for one‑time password
generation and access control. A separate PIN is typically required
to activate the token.
Smart cards resemble credit
cards or other traditional magnetic stripe cards, but contain an
embedded computer chip. The chip includes a processor, operating
system, and both read only memory (ROM) and random access memory
(RAM). They can be used to generate one-time passwords when prompted
by a host computer, or to carry cryptographic keys. A smart card
reader is required for their use.
Biometrics involves identification and verification of an individual
based on some physical characteristic, such as fingerprint analysis,
hand geometry, or retina scanning. This technology is advancing
rapidly, and offers an alternative means to authenticate a user.
the top of the newsletter
IT SECURITY QUESTION:
Core application user access controls: (Part 1 of 2)
a. Is there a written procedure for password administration?
b. If a username is required, does the system automatically enter
c. Is the password length six or greater?
d. Is the use of proper nouns and dictionary words discouraged?
e. Is the password required to include upper and lower case letters,
special characters, and numbers?
f. Are passwords required to be changed at least every 30 days?
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
6. Does the institution provide an annual privacy notice to each
customer whose loan the institution owns the right to service? [§§5(c),