Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

June 3, 2007

CONTENTS
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - DOUGH UNTO OTHERS - BANK PUTS $QUEEZE ON ID VICTIM - Gloria Carlo of The Bronx says she's the victim of $68,733 in fraudulent charges on her Bank of America accounts. After identity thieves wiped out a Bronx mom's life savings, her neighborhood bank sprung into action - by slapping her with a lawsuit. http://www.nypost.com/seven/05212007/news/regionalnews/dough_unto_others_regionalnews_chuck_bennett.htm

FYI - TK Maxx security blunder will cost US$8.3B - 45 million customers' cards at an estimated US$186 each. TJX, the owner of TK Maxx, claimed in an earnings report today that the recent security blunder which exposed the credit card details of 45 million customers has cost the company US$12m. http://www.itnews.com.au/newsstory.aspx?CIaNID=52299

FYI - HISD contractor accused of computer thefts - A man HISD hired to fix its computers was in jail Friday accused instead of stealing them. It didn't take police long to make the arrest. In fact, within 48 hours of receiving reports of stolen computer servers from several HISD schools the HISD Police Department arrested a former employee. http://www.khou.com/news/local/houstonmetro/stories/khou070511_tj_computerthefts.5e2c149b.html

FYI - Highland Hospital Security Breach - Highland Hospital is warning patients of a security breach. A hospital spokesperson said a computer containing patient information was stolen from a business office last month. Over 13,000 people are affected.
http://www.democratandchronicle.com/apps/pbcs.dll/article?AID=/20070515/NEWS01/705150325/1002/NEWS
http://www.13wham.com/news/local/story.aspx?content_id=d70aed97-d001-4e3f-990d-50f9d8e32769

FYI - Teens fight off hackers - They weathered the worst that hackers could throw at them, and still kept their computer network running strong. Fueled by pizzas and pop, 19 teams of high-school students pulled an all-nighter over the weekend, during a computer security competition aimed at rewarding kids for being the good guys rather than the bad guys. http://cosmiclog.msnbc.msn.com/archive/2007/05/21/199009.aspx

FYI - Los Alamos beefs up security in wake of data breach - The theft of classified information by a contractor's former employee has forced the Los Alamos National Laboratory to implement a variety of tactical and strategic security policies commonly found in a private enterprise. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070523/659068/

FYI - Sensitive information of 140,000 new Georgia parents compromised - Forms containing the sensitive information of about 140,000 parents of newborns are at risk for compromise after they were not shredded upon disposal, the Georgia Department of Human Resources (DHR) has told parents in a letter. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070523/658694/

MISSING COMPUTERS/DATA

FYI - Alcatel-Lucent Notifies Employees and Retirees of Former Lucent Technologies of Missing Computer Disk Containing Personal Information - Alcatel-Lucent was informed on May 7 by one of the company's vendors that a computer disk containing personal information could not be located. http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/05-17-2007/0004591162&EDATE=

FYI - IBM loses tapes with employee personal info - The tapes were "inadvertently" lost Feb. 23 while a third-party vendor was transporting them from an IBM location in Westchester County, N.Y. to a permanent storage facility, company spokesman Fred McNeese told SCMagazine.com. http://www.scmagazine.com/us/news/article/657949/ibm-loses-tapes-employee-personal-info/

FYI - Virus compromises 200,000 records at Community College of Southern Nevada - The personal records of nearly 200,000 students were compromised when a virus attacked a Microsoft Windows 2003 Server at the Community College of Southern Nevada. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070521/658373/

FYI - Columbia Bank says online hackers breached security - Columbia Bank, which has the largest share of deposits in Fair Lawn, has notified its online banking customers of a security breach that could make them vulnerable to identity theft. http://www.northjersey.com/page.php?qstr=eXJpcnk3ZjczN2Y3dnFlZUVFeXkzJmZnYmVsN2Y3dnFlZUVFeXk3MTM4Njk2JnlyaXJ5N2Y3MTdmN3ZxZWVFRXl5Mg==

FYI - Thousands of Illinois realtors, mortgage brokers warned of data compromise - Alert prompted by May 3 breach of state agency server - The Illinois Department of Financial and Professional Regulation (IDFPR) is sending out letters to an estimated 300,000 licensees and applicants informing them of a potential compromise of their names, Social Security numbers and other personal data. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9020218&source=rss_topic17


WEB SITE COMPLIANCE -
Disclosures/Notices (Part 2 of 2)

In those instances where an electronic form of communication is permissible by regulation, to reduce compliance risk institutions should ensure that the consumer has agreed to receive disclosures and notices through electronic means. Additionally, institutions may want to provide information to consumers about the ability to discontinue receiving disclosures through electronic means, and to implement procedures to carry out consumer requests to change the method of delivery. Furthermore, financial institutions advertising or selling non-deposit investment products through on-line systems, like the Internet, should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.


INFORMATION TECHNOLOGY SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY TESTING - INDEPENDENT DIAGNOSTIC TESTS
(FYI - This is the type of independent diagnostic testing that we perform.  Please refer to http://www.internetbankingaudits.com/ for information.)

Independent diagnostic tests include penetration tests, audits, and assessments. Independence provides credibility to the test results. To be considered independent, testing personnel should not be responsible for the design, installation, maintenance, and operation of the tested system, as well as the policies and procedures that guide its operation. The reports generated from the tests should be prepared by individuals who also are independent of the design, installation, maintenance, and operation of the tested system.

Penetration tests, audits, and assessments can use the same set of tools in their methodologies.  The nature of the tests, however, is decidedly different. Additionally, the definitions of penetration test and assessment, in particular, are not universally held and have changed over time.

Penetration Tests. A penetration test subjects a system to real-world attacks selected and conducted by the testing personnel. The benefit of a penetration test is to identify the extent to which a system can be compromised before the attack is detected, and to assess the effectiveness of the response mechanism. Penetration tests generally are not a comprehensive test of the system's security and should be combined with other independent diagnostic tests to validate the effectiveness of the security process.

Audits. Auditing compares current practices against a set of standards. Industry groups or institution management may create those standards. Institution management is responsible for demonstrating that the standards they adopt are appropriate for their institution.

Assessments. An assessment is a study to locate security vulnerabilities and identify corrective actions. An assessment differs from an audit by not having a set of standards to test against. It differs from a penetration test by providing the tester with full access to the systems being tested. Assessments may be focused on the security process or the information system. They may also focus on different aspects of the information system, such as one or more hosts or networks.


IT SECURITY QUESTION: 
ENCRYPTION

6. Determine whether appropriate provisions are made for the recovery of data should a key be unusable.


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Consumer and Customer:

The distinction between consumers and customers is significant because financial institutions have additional disclosure duties with respect to customers. All customers covered under the regulation are consumers, but not all consumers are customers.

A "consumer" is an individual, or that individual's legal representative, who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes.

A "financial service" includes, among other things, a financial institution's evaluation or brokerage of information that the institution collects in connection with a request or an application from a consumer for a financial product or service. For example, a financial service includes a lender's evaluation of an application for a consumer loan or for opening a deposit account even if the application is ultimately rejected or withdrawn.

Consumers who are not customers are entitled to an initial privacy and opt out notice only if their financial institution wants to share their nonpublic personal information with nonaffiliated third parties outside of the exceptions.

A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship between a consumer and a financial institution under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
