R. Kinney Williams
December 17, 2006
Your financial institution needs an affordable Internet security
Our clients in 41 states rely on us to verify their IT security
settings and to meet the independent diagnostic test requirements of
the FDIC, OCC, OTS, FRB, and NCUA under section 501(b) of the
Gramm-Leach-Bliley Act.
The VISTA penetration study and Internet security test is an
affordable, sophisticated process that goes far beyond simple port
scanning: it examines your systems from a hacker's perspective, which
will help you identify real-world weaknesses. For more information,
give Kinney Williams a call today at 806-798-7119 or visit our web
site.
GAO - Credit Unions: Greater Transparency Needed on Who Credit
Unions Serve and on Senior Executive Compensation.
Report - http://www.gao.gov/cgi-bin/getrpt?GAO-07-29
Pick up the tab by texting - Forgot your credit card? Don't have
cash on you? No worries--just use your cell phone to pay the bill.
That's what some folks in Boulder, Colo., can do if they sign up for
an account with a Boulder-based start-up called Feed Tribes.
New E-Discovery Rules Benefit Some Firms - Companies that help
businesses track and search their e-mails and other electronic data
are experiencing a surge of interest in the wake of federal rule
changes that clarify requirements to produce such evidence in
Kaiser members warned of possible data theft - In yet another
instance of laptop theft potentially endangering personal data,
Kaiser Permanente Colorado is notifying some 38,000 members of a
possible breach of their private health information.
Linkin Park fan hacks phone data - A woman is accused of using a
computer at a national laboratory to hack into a cell phone
company's Web site to get a number for Chester Bennington, lead
singer of the Grammy-winning rock group Linkin Park.
Personal data at risk after Pa. DOT robbery - Thieves stole
computers containing information on nearly 11,400 customers -
Thieves stole equipment from a driver's license center and got away
with computers containing personal information on more than 11,000
people, state officials said.
Credit Bureau Security Breached - TransUnion Credit Bureau is
investigating who was able to get into their database and illegally
download hundreds of people's personal information. The victims are
now being told they'll have to monitor their credit report every
month to make sure no one is abusing their identity.
WEB SITE COMPLIANCE -
Record retention provisions apply to electronic delivery of
disclosures to the same extent required for non-electronic delivery
of information. For example, if the web site contains an
advertisement, the same record retention provisions that apply to
paper-based or other types of advertisements apply. Copies of such
advertisements should be retained for the time period set out in the
relevant regulation. Retention of electronic copies is acceptable.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST
AND USER EQUIPMENT ACQUISITION AND MAINTENANCE
Software support should incorporate a process to update and
patch operating system and application software for new
vulnerabilities. Frequently, security vulnerabilities are discovered
in operating systems and other software after deployment. Vendors
often issue software patches to correct those vulnerabilities.
Financial institutions should have an effective monitoring process
to identify new vulnerabilities in their hardware and software.
Monitoring involves such actions as the receipt and analysis of
vendor and governmental alerts and security mailing lists. Once
identified, secure installation of those patches requires a process
for obtaining, testing, and installing the patch.
Patches make direct changes to the software and configuration of
each system to which they are applied. They may degrade system
performance. Also, patches may introduce new vulnerabilities, or
reintroduce old vulnerabilities. The following considerations can
help ensure patches do not compromise the security of systems:
- Obtain the patch from a known, trusted source;
- Verify the integrity of the patch through such means as
comparisons of cryptographic hashes to ensure the patch obtained is
the correct, unaltered patch;
- Apply the patch to an isolated test system and verify that the
patch (1) is compatible with other software used on systems to which
the patch will be applied, (2) does not alter the system's security
posture in unexpected ways, such as altering log settings, and (3)
corrects the pertinent vulnerability;
- Back up production systems prior to applying the patch;
- Apply the patch to production systems using secure methods, and
update the cryptographic checksums of key files as well as that
system's software archive;
- Test the resulting system for known vulnerabilities;
- Update the master configurations used to build new systems;
- Create and document an audit trail of all changes; and
- Seek additional expertise as necessary to maintain a secure
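The checks in the list above (a digest from a trusted source, key-file
checksums before and after the change, and an audit trail) as an added
worked example. This script is not from the FFIEC booklet or from this
newsletter; the "patch" format (a JSON map of relative path to new
file contents), the file names, the digest source and the sample
system are all constructed stand-ins. A real vendor patch is applied
with the vendor's installer, but the surrounding controls are the same.

```python
# Added example (not from the FFIEC booklet or this newsletter): patch intake
# checks for the steps listed above. The "patch" format (a JSON map of relative
# path -> new file contents), the file names and the digest source are all
# constructed stand-ins; a real vendor patch is applied with the vendor's installer.
import hashlib
import hmac
import json
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so a large patch is not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_patch(patch_path: Path, expected_sha256: str) -> bool:
    """Compare the downloaded patch with the digest the vendor published.

    The digest must come from a channel independent of the download itself
    (signed advisory, vendor page over TLS); a digest served next to the file
    on an untrusted mirror proves nothing.
    """
    return hmac.compare_digest(sha256_file(patch_path), expected_sha256.lower())


def build_baseline(root: Path, key_files) -> dict:
    """Hash the files whose silent change would alter the system's security posture."""
    return {rel: sha256_file(root / rel) for rel in key_files}


def diff_baseline(old: dict, new: dict) -> dict:
    """Which key files changed, appeared or disappeared between two baselines."""
    return {
        "changed": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def audit(audit_log: Path, record: dict) -> None:
    """Append one JSON line per event so the change history can be reviewed later."""
    record = {"ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), **record}
    with audit_log.open("a") as f:
        f.write(json.dumps(record, sort_keys=True) + "\n")


def apply_patch(root, patch_path, expected_sha256, key_files, audit_log) -> dict:
    """Verify, apply, re-baseline, and log. A digest mismatch is logged and raised
    before any file is touched, so an altered patch never reaches the system."""
    if not verify_patch(patch_path, expected_sha256):
        audit(audit_log, {"patch": patch_path.name, "result": "rejected: digest mismatch"})
        raise ValueError(f"digest mismatch for {patch_path.name}; not applied")
    before = build_baseline(root, key_files)
    for rel, content in json.loads(patch_path.read_text()).items():
        (root / rel).write_text(content)
    after = build_baseline(root, key_files)
    delta = diff_baseline(before, after)
    audit(audit_log, {"patch": patch_path.name, "sha256": expected_sha256,
                      "result": "applied", "delta": delta})
    return {"baseline": after, "delta": delta}


def demo() -> dict:
    """Constructed scenario: a genuine patch and a tampered copy of it from a mirror."""
    tmp = Path(tempfile.mkdtemp(prefix="patchcheck-"))
    root = tmp / "system"
    for rel, text in {"bin/app": "app v1.0\n", "etc/logging.conf": "level=INFO\naudit=on\n"}.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    key_files = ["bin/app", "etc/logging.conf"]
    audit_log = tmp / "patch-audit.log"

    genuine = tmp / "app-1.0.1.patch"
    genuine.write_text(json.dumps({"bin/app": "app v1.0.1\n"}))
    published = sha256_file(genuine)  # stands in for the vendor-published digest

    # Same file name, but this copy also turns audit logging off.
    tampered = tmp / "app-1.0.1-mirror.patch"
    tampered.write_text(json.dumps({"bin/app": "app v1.0.1\n",
                                    "etc/logging.conf": "level=ERROR\naudit=off\n"}))

    rejected = False
    try:
        apply_patch(root, tampered, published, key_files, audit_log)
    except ValueError:
        rejected = True
    applied = apply_patch(root, genuine, published, key_files, audit_log)
    return {"tampered_rejected": rejected, "delta": applied["delta"],
            "audit_lines": audit_log.read_text().splitlines()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script shows the tampered copy (which would have switched
audit logging off, exactly the kind of posture change the list warns
about) being rejected before any file is written, while the genuine
patch is applied and the re-computed baseline reports that only
bin/app changed. The two audit records are what an examiner would ask
to see.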
Determine whether re-establishment of any session after interruption
requires normal user identification, authentication, and
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
32. When a customer relationship
ends, does the institution continue to apply the customer's opt
out direction to the nonpublic personal information collected
during, or related to, that specific customer relationship (but not
to new relationships, if any, subsequently established by that
NETWORK SECURITY TESTING - IT
examination guidelines require financial institutions to annually
conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley and the regulator's IT security
concerns, it is imperative to take a professional auditor's approach
to annually testing your internal connections to your network.
For more information about our independent-internal testing,
PLEASE NOTE: Some of the above links may have expired, especially
those from news organizations. We may have a copy of the article, so
please e-mail us at email@example.com if we can be of assistance.