Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.

The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.

For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
MISCELLANEOUS CYBERSECURITY NEWS:

Ransomware Group Files SEC Complaint Over Victim's Failure to Disclose Data Breach - The ransomware group known as Alphv and BlackCat claims to have breached the systems of MeridianLink, a California-based company that provides digital lending solutions for financial institutions and data verification solutions for consumers.
https://www.securityweek.com/ransomware-group-files-sec-complaint-over-victims-failure-to-disclose-data-breach/

LockBit may have stolen 24 years of data on Canadian government employees - A data breach affecting Canadian government, military and police employees may involve 24 years' worth of personal and financial information, officials announced Friday.
https://www.scmagazine.com/news/lockbit-may-have-stolen-24-years-of-data-on-canadian-government-employees

Pen-testing in 2024 - Testing the security of computer networks by trying to break into them, otherwise known as pen testing, has been going on for nearly 50 years.
https://www.scmagazine.com/resource/penetration-testing-in-2024

Please contact me at exminer@yennik.com if I can help with your 2024 pen-testing needs.
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

Medical Transcription Service Data Breach Impacts Multiple Health Systems - Northwell Health and Cook County Health both notified patients of a third-party data breach that originated at Perry Johnson & Associates, a medical transcription vendor.
https://healthitsecurity.com/news/medical-transcription-service-data-breach-impacts-multiple-health-systems
WEB SITE COMPLIANCE -

We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight

Because the Board of Directors and senior management are responsible for developing the institution's business strategy and establishing effective management oversight over risks, they are expected to take an explicit, informed and documented strategic decision as to whether and how the bank is to provide e-banking services. The initial decision should include the specific accountabilities, policies and controls to address risks, including those arising in a cross-border context. Effective management oversight is expected to encompass the review and approval of the key aspects of the bank's security control process, such as the development and maintenance of a security control infrastructure that properly safeguards e-banking systems and data from both internal and external threats. It also should include a comprehensive process for managing risks associated with the increased complexity of, and increasing reliance on, outsourcing relationships and third-party dependencies to perform critical e-banking functions.
FFIEC IT SECURITY -

We continue our series on the FFIEC interagency Information Security Booklet.

INFORMATION SECURITY RISK ASSESSMENT

Action Summary - Financial institutions must maintain an ongoing information security risk assessment program that effectively:

1) Gathers data regarding the information and technology assets of the organization, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;

2) Analyzes the probability and impact associated with the known threats and vulnerabilities to its assets; and

3) Prioritizes the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and testing necessary for effective mitigation.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -

We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS

11.3 Step 3: Anticipating Potential Contingencies or Disasters

Although it is impossible to think of all the things that can go wrong, the next step is to identify a likely range of problems. The development of scenarios will help an organization develop a plan to address the wide range of things that can go wrong.

Scenarios should include small and large contingencies. While some general classes of contingency scenarios are obvious, imagination and creativity, as well as research, can point to other possible, but less obvious, contingencies. The contingency scenarios should address each of the resources described above. The following are examples of some of the types of questions that contingency scenarios may address:

Human Resources: Can people get to work? Are key personnel willing to cross a picket line? Are there critical skills and knowledge possessed by one person? Can people easily get to an alternative site?

Processing Capability: Are the computers harmed? What happens if some of the computers are inoperable, but not all?

Automated Applications and Data: Has data integrity been affected? Is an application sabotaged? Can an application run on a different processing platform?

Computer-Based Services: Can the computers communicate? To where? Can people communicate? Are information services down? For how long?

Infrastructure: Do people have a place to sit? Do they have equipment to do their jobs? Can they occupy the building?

Documents/Paper: Can needed records be found? Are they readable?

Examples of Some Less Obvious Contingencies

1. A computer center in the basement of a building had a minor problem with rats. Exterminators killed the rats, but the bodies were not retrieved because they were hidden under the raised flooring and in the pipe conduits. Employees could only enter the data center with gas masks because of the decomposing rats.

2. After the World Trade Center explosion, when people reentered the building, they turned on their computer systems to check for problems. Dust and smoke damaged many systems when they were turned on. If the systems had been cleaned first, there would not have been significant damage.