THANK YOU - Because of your help, more than 2,900 subscribers read our e-newsletters each week. Further, our web sites had over 300,000 hits a year. Our web site audit and vulnerability-penetration testing clients are located in 42 states. Your comments and suggestions are always welcome. Please let us know how we can serve your Internet security needs.

Thank you,
Yennik, Inc., R. Kinney Williams
FYI - E-mail viruses double in 2002 - E-mail viruses are now twice as prevalent as they were in 2001, with one e-mail in every 200 containing a virus. http://news.com.com/2100-1001-977945.html?tag=cd_mh
FYI - New IT Strategy: Stopping Viruses at the Gate - The theory behind gateway filtering products is that many viruses can be barred from the workplace by monitoring network protocols, such as SMTP, to filter out malware, rather than depending on desktop antivirus software alone. http://www.newsfactor.com/perl/story/20201.html
FYI - Terrorists on the Net? Who Cares? - To all those Chicken Littles clucking frantically about the imminent threat of a terrorist attack on U.S. computer networks, a new report says: Knock it off. Online attacks are merely "weapons of mass annoyance," no more harmful than the routine power failures, airplane delays and dropped phone calls that take place every day. http://www.wired.com/news/infostructure/0,1377,56935,00.html
FYI - Ex-IT worker charged with sabotage - A former system administrator for UBS PaineWebber appeared in a New Jersey federal court Tuesday on charges of sabotaging two-thirds of the company's computer systems in an attempt to crash its stock price. http://news.com.com/2100-1001-978386.html
FYI - Bank Secrecy Act/Anti-Money Laundering - This bulletin transmits a notice of designation of Nauru and Ukraine as Primary Money Laundering Concerns. www.occ.treas.gov/ftp/bulletin/2002-47.txt
INTERNET COMPLIANCE - Fair Housing Act

A financial institution that advertises on-line credit products that are subject to the Fair Housing Act must display the Equal Housing Lender logotype and legend or other permissible disclosure of its nondiscrimination policy if required by rules of the institution's regulator.

Home Mortgage Disclosure Act (Regulation C)

The regulations clarify that applications accepted through electronic media with a video component (the financial institution has the ability to see the applicant) must be treated as "in person" applications. Accordingly, information about these applicants' race or national origin and sex must be collected. An institution that accepts applications through electronic media without a video component, for example, the Internet or facsimile, may treat the applications as received by mail.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - DATA CENTER SECURITY

When selecting a site for the most important information systems components, one major objective is to limit the risk of exposure from internal and external sources. The selection process should include a review of the surrounding area to determine if it is relatively safe from exposure to fire, flood, explosion, or similar environmental hazards. Outside intruders can be deterred through the use of guards, fences, barriers, surveillance equipment, or other similar devices. Since access to key information system hardware and software should be limited, doors and windows must be secure. Additionally, the location should not be identified or advertised by signage or other indicators.

Detection devices, where applicable, should be utilized to prevent theft and safeguard the equipment. They should provide continuous coverage. Detection devices have two purposes - to alarm when a response is necessary and to support subsequent forensics. The alarm capability is only useful when a response will occur. Some intruder detection devices available include:

- Switches that activate an alarm when an electrical circuit is broken;
- Light and laser beams, ultraviolet beams and sound or vibration detectors that are invisible to the intruder, and ultrasonic and radar devices that detect movement in a room; and
- Closed-circuit television that allows visual observation and recording of actions.

Risks from environmental threats can be addressed somewhat through devices such as halon gas, smoke alarms, raised flooring, heat sensors, and the like.

Physical security devices frequently need preventive maintenance to function properly. Maintenance logs are one control the institution can use to determine whether the devices are appropriately maintained. Periodic testing of the devices provides assurance that they are operating correctly.

Security guards should be properly instructed about their duties. The employees who access secured areas should have proper identification and authorization to enter the area. All visitors should sign in and wear proper IDs so that they can be identified easily. Security guards should be trained to restrict the removal of assets from the premises and to record the identity of anyone removing assets. Consideration should be given to implementing a specific and formal authorization process for the removal of hardware and software from premises.

The following security zones should have access restricted on a need basis:

- Operations center
- Uninterrupted power supply
- Telecommunications equipment
- Media library

CABINET AND VAULT SECURITY

Protective containers are designed to meet either fire-resistant or burglar-resistant standards. Labels describing expected tolerance levels are usually attached to safes and vault doors. An institution should select the tolerance level based on the sensitivity and importance of the information being protected.
IT SECURITY QUESTION:

D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)

6. Determine whether appropriate workstations are deactivated after a period of inactivity through screen saver passwords, server time-outs, powering down, or other means.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

40. Does the institution provide at least one initial, annual, and revised notice, as applicable, to joint consumers? [§9(g)]