R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

October 31, 2010

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FFIEC's "Interagency Guidelines Establishing Information Security Standards."  For more information and to subscribe visit http://www.yennik.com/it-review/.

FYI -
School District Pays $610,000 to Settle Webcam Spying Lawsuits - A suburban Philadelphia school district is agreeing to pay $610,000 to settle two lawsuits brought by students who were victims of a webcam spying scandal in which high school-issued laptops secretly snapped thousands of pictures of pupils. http://www.wired.com/threatlevel/2010/10/webcam-spy-settlement/

FYI -
Government vows to transform cyber defences - The Government tonight pledged to transform Britain's defences to counter cyber attacks as it warned of the "devastating real-world effect" of a successful assault on the UK's communications infrastructure. http://www.independent.co.uk/news/uk/home-news/cyberattacks-are-key-threat-to-uk-security-2109628.html

FYI -
Government agents following suspects on social networks - The issue of whether or not government or law enforcement agents are or should be allowed to go "undercover" on social networks is not a new one, but thanks to the Electronic Frontier Foundation, it is one that will continue to be in the public spotlight at least for a while more.  http://www.net-security.org/secworld.php?id=9998

FYI -
Data theft by cybercriminals biggest loss for businesses, survey reveals - Data theft has more than doubled to overtake physical property losses for the first time in the past year, according to an annual global fraud survey. http://www.computerweekly.com/Articles/2010/10/18/243378/Data-theft-by-cybercriminals-biggest-loss-for-businesses-survey.htm

FYI -
ID fraud costs UK £2.7bn a year - Victims can spend up to 200 hours undoing damage. Identity fraud affects 1.8 million Britons every year, costing £2.7bn in the process, researcher claimed today. http://www.theregister.co.uk/2010/10/18/nfa_id_fraud_survey/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
Europe's ATM skimming attacks rise, but losses fall - European banks reported a record number of skimming attacks, where payment card details were captured by criminals as bank customers tried to withdraw cash from ATMs. http://www.computerworld.com/s/article/9191120/Europe_s_ATM_skimming_attacks_rise_but_losses_fall?taxonomyId=82

FYI -
Microsoft confirms Russian pill-pusher attack on its network - Is there a Linux admin in the house? Microsoft has confirmed that two devices on its corporate network were compromised to help a notorious gang of Russian criminals. http://www.theregister.co.uk/2010/10/14/microsoft_confirms_ip_hijack/ 

FYI -
University of North Florida breach exposes data on 107,000 individuals - University networks are said to be frequently breached because they are rich targets, enrolling thousands of students a year. http://www.computerworld.com/s/article/9191458/University_of_North_Florida_breach_exposes_data_on_107_000_individuals


WEB SITE COMPLIANCE -
Record Retention

Record retention provisions apply to electronic delivery of disclosures to the same extent required for non-electronic delivery of information. For example, if the web site contains an advertisement, the same record retention provisions that apply to paper-based or other types of advertisements apply. Copies of such advertisements should be retained for the time period set out in the relevant regulation. Retention of electronic copies is acceptable.
 


 
INFORMATION TECHNOLOGY SECURITY -
We begin our series on the FFIEC interagency Information Security Booklet.  This booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and, most importantly, your outsourced network security consultants.  Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription form at https://yennik.com/newletter_page.htm.  There is no charge for the e-newsletter.

SECURITY OBJECTIVES

Information security enables a financial institution to meet its business objectives by implementing business systems with due consideration of information technology (IT)-related risks to the organization, business and trading partners, technology service providers, and customers. Organizations meet this goal by striving to accomplish the following objectives.

1)  Availability - The ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information and/or systems.

2)  Integrity of Data or Systems - System and data integrity relate to the processes, policies, and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability.

3)  Confidentiality of Data or Systems - Confidentiality covers the processes, policies, and controls employed to protect information of customers and the institution against unauthorized access or use.

4)  Accountability - Clear accountability involves the processes, policies, and controls necessary to trace actions to their source. Accountability directly supports non-repudiation, deterrence, intrusion prevention, intrusion detection, recovery, and legal admissibility of records.

5)  Assurance - Assurance addresses the processes, policies, and controls used to develop confidence that technical and operational security measures work as intended. Assurance levels are part of the system design and include availability, integrity, confidentiality, and accountability. Assurance highlights the notion that secure systems provide the intended functionality while preventing undesired actions.

Appropriate security controls are necessary for financial institutions to challenge potential customer or user claims that they did not initiate a transaction. Financial institutions can accomplish this by achieving both integrity and accountability to produce what is known as non-repudiation. Non-repudiation occurs when the financial institution demonstrates that the originators who initiated the transaction are who they say they are, the recipient is the intended counter party, and no changes occurred in transit or storage. Non-repudiation can reduce fraud and promote the legal enforceability of electronic agreements and transactions. While non-repudiation is a goal and is conceptually clear, the manner in which non-repudiation can be achieved for electronic systems in a practical, legal sense may have to wait for further judicial clarification.



INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice 

8)  Do the initial, annual, and revised privacy notices include each of the following, as applicable: (Part 2 of 2)

e)  if the institution discloses nonpublic personal information to a nonaffiliated third party under §13, and no exception under §14 or §15 applies, a separate statement of the categories of information the institution discloses and the categories of third parties with whom the institution has contracted; [§6(a)(5)]

f)  an explanation of the opt out right, including the method(s) of opt out that the consumer can use at the time of the notice; [§6(a)(6)]

g)  any disclosures that the institution makes under §603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA); [§6(a)(7)]

h)  the institution's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; [§6(a)(8)] and

i)  a general statement--with no specific reference to the exceptions or to the third parties--that the institution makes disclosures to other nonaffiliated third parties as permitted by law? [§6(a)(9), (b)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 
