Yennik, Inc.®

Internet Banking News
brought to you by Yennik, Inc.

December 31, 2006

Does your financial institution need an affordable Internet security penetration-vulnerability test? Yennik, Inc. clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Visa U.S.A. adds financial incentives, fines to PCI program - Visa U.S.A. Inc. is adopting a carrot-and-stick approach to help drive merchant compliance with the Payment Card Industry (PCI) data security standard that it -- along with other credit card companies such as MasterCard International Inc. and American Express Co. -- is pushing. Earlier this week, the company announced that it has created a new $20 million incentive program under which it will monetarily reward "acquiring" financial institutions if their members are fully compliant with PCI requirements by Aug. 31, 2007. At the same time, acquiring banks that fail to ensure compliance by Sept. 30, 2007, will be assessed fines starting at $5,000 a month for each noncompliant merchant. The fines increase to $25,000 per month for each noncompliant merchant after Dec. 31, 2007. http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9006100&taxonomyId=17&intsrc=kc_top

FYI - Fla. Motorists Win Class Action Over State Sale of Records to Bank - Tens of thousands of Florida motorists will get compensation under a $50 million class-action settlement approved this week over the alleged illegal purchase of their motor vehicle records by a bank from the state government. U.S. District Judge Daniel T.K. Hurley accepted the settlement between motorists and West Palm Beach-based Fidelity Federal Bank and Trust. The motorists will receive $160 each under the settlement. http://www.insurancejournal.com/news/southeast/2006/12/15/74964.htm?print=1

FYI - High School Senior Class President Arrested For Grade-Tampering - An 18-year-old high school senior class president was arrested on Tuesday for hacking into the school's computer system and tampering with students' grades. http://www.allheadlinenews.com/articles/7005847659

FYI - Phishing scams thrive in the UK - UK incidents of phishing scams have grown 8,000 per cent over the last two years, according to the government's financial watchdog authority. http://www.theregister.co.uk/2006/12/14/phishing_fraud_uk/print.html

FYI - 'Rock Phish' blamed for surge in phishing - Whether a group or person, it's the Keyser Söze of phishing, say experts - The first thing you need to know about Rock Phish is that nobody knows exactly who, or what, they are. http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/06/12/12/HNrockphish_1.html

MISSING COMPUTERS/DATA

FYI - UTD computer hack worse than feared - Campus officials now say 6,000 at risk of identity theft - The University of Texas at Dallas said Wednesday that more people may be affected by a computer attack than first believed, raising the total to 6,000 current and former students, faculty, staff and others. http://www.wfaa.com/sharedcontent/dws/news/localnews/stories/DN-utdhack_14met.ART0.North.Edition1.3eb1c28.html
 
FYI - Boeing laptop stolen - 382,000 IDs lost - Past and present employees at risk of being targeted - A laptop with personal information on hundreds of thousands of Boeing Co. employees was stolen earlier this month, and the aerospace company will inform those potentially affected by the theft in a company e-mail today. http://seattlepi.nwsource.com/local/295769_boeing13.html

FYI - Breach at UCLA exposes data on 800,000 - Intrusion was undetected for more than a year - The University of California, Los Angeles, today began sending out letters to more than 800,000 individuals whose personal information may have been compromised in a database breach that remained undetected for more than a year. http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9005925

FYI - SVVSD students' info with stolen laptop - Information identifying as many as 600 St. Vrain Valley School District students whose health care is paid by Medicaid was stolen with a school nurse's laptop computer last month, a school district spokesman said. http://www.longmontfyi.com/Local-Story.asp?id=12861


WEB SITE COMPLIANCE - Flood Disaster Protection Act

The regulation implementing the National Flood Insurance Program requires a financial institution to notify a prospective borrower and the servicer that the structure securing the loan is located or to be located in a special flood hazard area. The regulation also requires a notice of the servicer's identity be delivered to the insurance provider. While the regulation addresses electronic delivery to the servicer and to the insurance provider, it does not address electronic delivery of the notice to the borrower.



INFORMATION TECHNOLOGY SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  


PERSONNEL SECURITY

AGREEMENTS: CONFIDENTIALITY, NON-DISCLOSURE, AND AUTHORIZED USE

Financial institutions should protect the confidentiality of information about their customers and organization. A breach in confidentiality could disclose competitive information, increase fraud risk, damage the institution's reputation, violate customer privacy and associated rights, and violate regulatory requirements.  Confidentiality agreements put all parties on notice that the financial institution owns its information, expects strict confidentiality, and prohibits information sharing outside of that required for legitimate business needs. Management should obtain signed confidentiality agreements before granting new employees and contractors access to information technology systems.

JOB DESCRIPTIONS

Job descriptions, employment agreements, and policy awareness acknowledgements increase accountability for security. Management can communicate general and specific security roles and responsibilities for all employees within their job descriptions. Management should expect all employees, officers, and contractors to comply with security and acceptable use policies and protect the institution's assets, including information. The job descriptions for security personnel should describe the systems and processes they will protect and the control processes for which they are responsible. Management can take similar steps to ensure contractors and consultants understand their security responsibilities as well.

TRAINING

Financial institutions need to educate users regarding their security roles and responsibilities. Training should support security awareness and should strengthen compliance with the security policy. Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management. Training materials would typically review the acceptable-use policy and include issues like desktop security, log-on requirements, password administration guidelines, etc. Training should also address social engineering, and the policies and procedures that protect against social engineering attacks. Many institutions integrate a signed security awareness agreement along with periodic training and refresher courses.



IT SECURITY QUESTION: 
SOFTWARE DEVELOPMENT AND ACQUISITION

1. Inquire about how security requirements are determined for software, whether internally developed or acquired from a vendor.

2. Determine whether management appropriately considers either following a recognized security standard development process, or reference to widely recognized industry standards.



INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

34. Does the institution deliver a revised privacy notice when it: 

a. discloses a new category of nonpublic personal information to a nonaffiliated third party; [§8(b)(1)(i)]

b. discloses nonpublic personal information to a new category of nonaffiliated third party; [§8(b)(1)(ii)] or

c. discloses nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure? [§8(b)(1)(iii)]

(Note: a revised notice is not required if the institution adequately described the nonaffiliated third party or information to be disclosed in the prior privacy notice. [§8(b)(2)])

NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test.  With the Gramm-Leach-Bliley and the regulator's IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network.  For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated