R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

July 18, 2010

CONTENT Internet Compliance Information Systems Security
IT Security Question
 
Internet Privacy
 
Website for Penetration Testing
 
Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending
less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FFIEC's "Interagency Guidelines Establishing Information Security Standards."  For more information and to subscribe visit http://www.yennik.com/it-review/.

FYI
-
50 arrested in smartphone spyware dragnet - Cop, judge, and parliamentarian among the suspects - Romanian authorities have arrested 50 individuals accused of using off-the-shelf software to monitor cellphone communications of their spouses, competitors, and others, according to news reports. http://www.theregister.co.uk/2010/07/01/romanian_spyware_arrests/

FYI -
HIPAA encryption: meeting today's regulations - If you work with an organization that must adhere to the Health Insurance Portability and Accountability (HIPAA), you know by now that encryption is now a de facto primary aspect of HIPAA compliance after the passing of the HITECH Act. http://www.scmagazineus.com/hipaa-encryption-meeting-todays-regulations/article/173661/?DCMP=EMC-SCUS_Newswire

FYI -
IT staffer at New York bank pleads guilty to data theft, fraud - Charged with using stolen employee data to steal $1 million-plus from charities - A former IT staffer with the Bank of New York Mellon pleaded guilty Thursday to stealing sensitive information belonging to 2,000 bank employees and then using that data to steal more than $1 million from charities. http://www.computerworld.com/s/article/9178840/IT_staffer_at_New_York_bank_pleads_guilty_to_data_theft_fraud?taxonomyId=17

FYI -
Federal agencies lack advisement on cloud security - A growing number of federal agencies are running some form of cloud computing, but nearly all lack policies around securing data hosted offsite, according to a new report from the U.S. Government Accountability Office (GAO). http://www.scmagazineus.com/gao-federal-agencies-lack-advisement-on-cloud-security/article/174041/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
WellPoint Breach Could Have Exposed Enrollees' Medical, Financial Data - The insurer WellPoint recently notified 470,000 individual policyholders that their medical records, Social Security numbers, credit card information and other sensitive data might have been exposed during a recent security breach. http://www.californiahealthline.org/articles/2010/6/30/wellpoint-breach-could-have-exposed-enrollees-medical-financial-data.aspx

FYI -
Hackers compromise Destination Hotels' credit card system - Guests at 21 Destination Hotels & Resorts' properties may have been subjected to credit card theft after the chain discovered malware installed in its credit card processing system. http://www.scmagazineus.com/hackers-compromise-destination-hotels-credit-card-system/article/173670/?DCMP=EMC-SCUS_Newswire

FYI -
University of Maine student information exposed - Hackers recently gained access to a pair of file servers containing the personal information of University of Maine students who received counseling services at the school for the past eight years. http://www.scmagazineus.com/university-of-maine-student-information-exposed/article/173667/?DCMP=EMC-SCUS_Newswire

FYI -
Indiana restaurant chain in the US hit by credit card breach, after hack of central processing system - Several restaurants have been hit by a credit card breach following a hack of the processing system. http://www.scmagazineuk.com/indiana-restaurant-chain-in-the-us-hit-by-credit-card-breach-after-hack-of-central-processing-system/article/173951/

FYI -
New York hospital loses data on 130,000 via FedEx - Breach affects 130,495 patients - New York's Lincoln Medical and Mental Health Center is notifying patients that their personal information may have been compromised after seven CDs full of unencrypted data were FedExed by a hospital contractor and then lost in transit. http://www.computerworld.com.au/article/351659/new_york_hospital_loses_data_130_000_via_fedex/

FYI -
Mass. secretary of state's office accidentally releases sensitive data - The Massachusetts secretary of state's office earlier this year accidentally released the confidential personal information of state-registered investment advisers to a business publication. http://www.scmagazineus.com/mass-secretary-of-states-office-accidentally-releases-sensitive-data/article/174098/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."
  (Part 8 of 10)

B. RISK MANAGEMENT TECHNIQUES

Implementing Weblinking Relationships

The strategy that financial institutions choose when implementing weblinking relationships should address ways to avoid customer confusion regarding linked third-party products and services. This includes disclaimers and disclosures to limit customer confusion and a customer service plan to address confusion when it occurs.

Disclaimers and Disclosures

Financial institutions should use clear and conspicuous webpage disclosures to explain their limited role and responsibility with respect to products and services offered through linked third-party websites. The level of detail of the disclosure and its prominence should be appropriate to the harm that may ensue from customer confusion inherent in a particular link. The institution might post a disclosure stating it does not provide, and is not responsible for, the product, service, or overall website content available at a third-party site. It might also advise the customer that its privacy polices do not apply to linked websites and that a viewer should consult the privacy disclosures on that site for further information. The conspicuous display of the disclosure, including its placement on the appropriate webpage, by effective use of size, color, and graphic treatment, will help ensure that the information is noticeable to customers. For example, if a financial institution places an otherwise conspicuous disclosure at the bottom of its webpage (requiring a customer to scroll down to read it), prominent visual cues that emphasize the information's importance should point the viewer to the disclosure.

In addition, the technology used to provide disclosures is important. While many institutions may simply place a disclaimer notice on applicable webpages, some institutions use "pop-ups," or intermediate webpages called "speedbumps," to notify customers they are leaving the institution's website. For the reasons described below, financial institutions should use speedbumps rather than pop-ups if they choose to use this type of technology to deliver their online disclaimers.

A "pop up" is a screen generated by mobile code, for example Java or Active X, when the customer clicks on a particular hyperlink. Mobile code is used to send small programs to the user's browser. Frequently, those programs cause unsolicited messages to appear automatically on a user's screen. At times, the programs may be malicious, enabling harmful viruses or allowing unauthorized access to a user's personal information. Consequently, customers may reconfigure their browsers or install software to block disclosures delivered via mobile codes.

In contrast, an intermediate webpage, or "speedbump," alerts the customer to the transition to the third-party website. Like a pop-up, a speedbump is activated when the customer clicks on a particular weblink. However, use of a speedbump avoids the problems of pop-up technology, because the speedbump is not generated externally using mobile code, but is created within the institution's operating system, and cannot be disabled by the customer.


Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY
-
This completes our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks.  This week we review Information Sharing.

Information sharing among reliable and reputable experts can help institutions reduce the risk of information system intrusions. The OCC encourages management to participate in information-sharing mechanisms as part of an effort to detect and respond to intrusions and vulnerabilities. Mechanisms for information sharing are being developed by many different organizations, each with a different mission and operation. In addition, many vendors offer information sharing and analysis services. Three organizations that are primarily involved with the federal government's national information security initiatives are the Financial Services Information Sharing and Analysis Center (FS/ISAC), the Federal Bureau of Investigation (FBI), and Carnegie Mellon University's CERT/CC.

The FS/ISAC was formed in response to Presidential Decision Directive 63: Critical Infrastructure Protection (May 22, 1998), which encourages the banking, finance, and other industries to establish information-sharing efforts in conjunction with the federal government. The FS/ISAC allows financial services entities to report incidents anonymously. In turn, the FS/ISAC rapidly distributes information about attacks to the FS/ISAC members. Banks can contact FS/ISAC by telephone at (888) 660-0134, e-mail at admin@fsisac.com or their Web site at http://www.fsisac.com.

The FBI operates the National Information Protection Center Infraguard outreach effort. Since Infraguard supports law enforcement efforts, Infraguard members submit two versions of an incident report. One complete version is used by law enforcement and contains information that identifies the reporting member. The other version does not contain that identifying information, and is distributed to other Infraguard members. Banks can contact the FBI by contacting local FBI field offices or via e-mail at nipc@fbi.gov. 

CERT/CC is part of a federally funded research and development center at Carnegie Mellon University that helps organizations identify vulnerabilities and recover from intrusions. It provides up-to-date information on specific attacks (including viruses and denial of service) and collates and shares information with other organizations. CERT/CC does not require membership to report problems. Banks can contact CERT/CC by phone at (412) 268-7090 or e-mail at cert@cert.org.


Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 14 and/or 15 and outside of exceptions (with or without also sharing under Section 13).  (Part 3 of 3)

C. Opt Out Right 

1)  Review the financial institution's opt out notices. An opt out notice may be combined with the institution's privacy notices. Regardless, determine whether the opt out notices:

a.  Are clear and conspicuous (§§3(b) and 7(a)(1));

b.  Accurately explain the right to opt out (§7(a)(1));

c.  Include and adequately describe the three required items of information (the institution's policy regarding disclosure of nonpublic personal information, the consumer's opt out right, and the means to opt out) (§7(a)(1)); and

d.  Describe how the institution treats joint consumers (customers and those who are not customers), as applicable (§7(d)).

2)  Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written records where available, determine if the institution has adequate procedures in place to provide the opt out notice and comply with opt out directions of consumers (customers and those who are not customers), as appropriate. Assess the following:

a.  Timeliness of delivery (§10(a)(1));

b.  Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§9).

c.  Reasonableness of the opportunity to opt out (the time allowed to and the means by which the consumer may opt out) (§§10(a)(1)(iii), 10(a)(3)); and

d.  Adequacy of procedures to implement and track the status of a consumer's (customers and those who are not customers) opt out direction, including those of former customers (§7(e), (f), (g)).

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

IT Security Checklist
A weekly email that provides an effective
method to prepare for your IT examination.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated