Yennik, Inc.
Internet Banking News
brought to you by Yennik, Inc.
December 31, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test? Yennik, Inc. clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Visa U.S.A. adds financial incentives, fines to PCI program - Visa U.S.A. Inc. is adopting a carrot-and-stick approach to help drive merchant compliance with the Payment Card Industry (PCI) data security standard that it -- along with other credit card companies such as MasterCard International Inc. and American Express Co. -- is pushing. Earlier this week, the company announced that it has created a new $20 million incentive program under which it will monetarily reward "acquiring" financial institutions if their members are fully compliant with PCI requirements by Aug. 31, 2007. At the same time, acquiring banks that fail to ensure compliance by Sept. 30, 2007, will be assessed fines starting at $5,000 a month for each noncompliant merchant. The fines increase to $25,000 per month for each noncompliant merchant after Dec. 31, 2007.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9006100&taxonomyId=17&intsrc=kc_top

FYI - Fla. Motorists Win Class Action Over State Sale of Records to Bank - Tens of thousands of Florida motorists will get compensation under a $50 million class-action settlement approved this week over the alleged illegal purchase of their motor vehicle records by a bank from the state government. U.S. District Judge Daniel T.K. Hurley accepted the settlement between motorists and West Palm Beach-based Fidelity Federal Bank and Trust. The motorists will receive $160 each under the settlement.
http://www.insurancejournal.com/news/southeast/2006/12/15/74964.htm?print=1

FYI - High School Senior Class President Arrested For Grade-Tampering - An 18-year-old high school senior class president was arrested on Tuesday for hacking into the school's computer system and tampering with students' grades.
http://www.allheadlinenews.com/articles/7005847659

FYI - Phishing scams thrive in the UK - UK incidents of phishing scams have grown 8,000 per cent over the last two years, according to the government's financial watchdog authority.
http://www.theregister.co.uk/2006/12/14/phishing_fraud_uk/print.html

FYI - 'Rock Phish' blamed for surge in phishing - Whether a group or person, it's the Keyser Söze of phishing, say experts - The first thing you need to know about Rock Phish is that nobody knows exactly who, or what, they are.
http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/06/12/12/HNrockphish_1.html
MISSING COMPUTERS/DATA

FYI - UTD computer hack worse than feared - Campus officials now say 6,000 at risk of identity theft - The University of Texas at Dallas said Wednesday that more people may be affected by a computer attack than first believed, raising the total to 6,000 current and former students, faculty, staff and others.
http://www.wfaa.com/sharedcontent/dws/news/localnews/stories/DN-utdhack_14met.ART0.North.Edition1.3eb1c28.html

FYI - Boeing laptop stolen - 382,000 IDs lost - Past and present employees at risk of being targeted - A laptop with personal information on hundreds of thousands of Boeing Co. employees was stolen earlier this month, and the aerospace company will inform those potentially affected by the theft in a company e-mail today.
http://seattlepi.nwsource.com/local/295769_boeing13.html

FYI - Breach at UCLA exposes data on 800,000 - Intrusion was undetected for more than a year - The University of California, Los Angeles, today began sending out letters to more than 800,000 individuals whose personal information may have been compromised in a database breach that remained undetected for more than a year.
http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9005925

FYI - SVVSD students' info with stolen laptop - Information identifying as many as 600 St. Vrain Valley School District students whose health care is paid by Medicaid was stolen with a school nurse's laptop computer last month, a school district spokesman said.
http://www.longmontfyi.com/Local-Story.asp?id=12861
WEB SITE COMPLIANCE - Flood Disaster Protection Act

The regulation implementing the National Flood Insurance Program requires a financial institution to notify a prospective borrower and the servicer that the structure securing the loan is located or to be located in a special flood hazard area. The regulation also requires a notice of the servicer's identity be delivered to the insurance provider. While the regulation addresses electronic delivery to the servicer and to the insurance provider, it does not address electronic delivery of the notice to the borrower.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

PERSONNEL SECURITY

AGREEMENTS: CONFIDENTIALITY, NON-DISCLOSURE, AND AUTHORIZED USE

Financial institutions should protect the confidentiality of information about their customers and organization. A breach in confidentiality could disclose competitive information, increase fraud risk, damage the institution's reputation, violate customer privacy and associated rights, and violate regulatory requirements. Confidentiality agreements put all parties on notice that the financial institution owns its information, expects strict confidentiality, and prohibits information sharing outside of that required for legitimate business needs. Management should obtain signed confidentiality agreements before granting new employees and contractors access to information technology systems.

JOB DESCRIPTIONS

Job descriptions, employment agreements, and policy awareness acknowledgements increase accountability for security. Management can communicate general and specific security roles and responsibilities for all employees within their job descriptions. Management should expect all employees, officers, and contractors to comply with security and acceptable use policies and protect the institution's assets, including information. The job descriptions for security personnel should describe the systems and processes they will protect and the control processes for which they are responsible. Management can take similar steps to ensure contractors and consultants understand their security responsibilities as well.

TRAINING

Financial institutions need to educate users regarding their security roles and responsibilities. Training should support security awareness and should strengthen compliance with the security policy. Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management. Training materials would typically review the acceptable-use policy and include issues like desktop security, log-on requirements, password administration guidelines, etc. Training should also address social engineering, and the policies and procedures that protect against social engineering attacks. Many institutions integrate a signed security awareness agreement along with periodic training and refresher courses.
IT SECURITY QUESTION:

SOFTWARE DEVELOPMENT AND ACQUISITION

1. Inquire about how security requirements are determined for software, whether internally developed or acquired from a vendor.

2. Determine whether management appropriately considers either following a recognized security standard development process or referencing widely recognized industry standards.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

34. Does the institution deliver a revised privacy notice when it:

a. discloses a new category of nonpublic personal information to a nonaffiliated third party; [§8(b)(1)(i)]

b. discloses nonpublic personal information to a new category of nonaffiliated third party; [§8(b)(1)(ii)] or

c. discloses nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure? [§8(b)(1)(iii)]

(Note: a revised notice is not required if the institution adequately described the nonaffiliated third party or information to be disclosed in the prior privacy notice. [§8(b)(2)])
NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test. With Gramm-Leach-Bliley and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network. For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.