FFIEC information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- FTC Punishes Children's App Company for Not Playing by the Rules -
In early January the Federal Trade Commission announced that it
reached a settlement in a lawsuit against VTech Electronics, an
Internet-connected toy maker, for violating the Children's Online
Privacy Protection Act (COPPA) and the FTC Act.
All it took was $35 and a laptop to hack SF emergency alert system -
Not long ago, skilled hackers could have blasted the sounds of
Dodger Stadium or even a fake attack warning over San Francisco's
emergency alert sirens, according to a security firm which exposed a
vulnerability in the network.
NIST details software security assessment process - To help
organizations manage the risk from attackers who take advantage of
unmanaged software on a network, the National Institute of Standards
and Technology has released a draft operational approach for
automating the assessment of SP 800-53 security controls that manage
Survey says: Many breaches accomplished in less than an hour -
Penetration testers and hackers are having little problem breaching
the perimeter and quickly locating critical data with 12 percent
saying they can get into a system in less than an hour and despite
learning their company is vulnerable some firms still opt to do
nothing to improve security.
“Privacy is not for sale,” Telegram founder says after being banned
in Russia - Russian authorities are demanding a universal key.
Telegram says it doesn’t exist.
Bracing for Tomorrow's Threats with Behavioral Analytics - As the
cybersecurity threat landscape becomes increasingly complex, attacks
are growing in both volume and sophistication.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Uber, FTC agree to expanded settlement after second breach - Uber
Technologies Inc. has agreed to broaden its proposed settlement with
the Federal Trade Commission (FTC) over its deceptive privacy and
data security practices after the commission discovered that the
car-sharing company had failed to disclose a major 2016 breach.
Medical supplier Inogen hit with breach, 30,000 possibly affected -
A California-based medical device manufacturer reported that 30,000
former and current customers may have had their personal information
exposed when a company employee's email account was compromised.
Texas Health Resources' patient information exposed in October 2017
email compromise - Texas Health Resources, a nonprofit health care
delivery system in North Central Texas, has disclosed that an
unauthorized party may have gained access to patient information
back in October 2017 by compromising some of the organization's
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
This week begins our series on the
FDIC's Supervisory Policy on Identity Theft.
1 of 6)
Policy on Identity Theft
Identity theft is fraud committed or attempted by using the
identifying information of another person without his or her
authority. Identifying information may include such things as a
Social Security number, account number, date of birth, driver's
license number, passport number, biometric data and other unique
electronic identification numbers or codes. As more financial
transactions are done electronically and remotely, and as more
sensitive information is stored in electronic form, the
opportunities for identity theft have increased significantly. This
policy statement describes the characteristics of identity theft and
emphasizes the FDIC's well-defined expectations that institutions
under its supervision detect, prevent and mitigate the effects of
identity theft in order to protect consumers and help ensure safe
and sound operations.
the top of the newsletter
FFIEC IT SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Logical Access Controls (Part 2 of 2)
Token technology relies on a separate physical device, which is
retained by an individual, to verify the user's identity. The token
resembles a small hand-held card or calculator and is used to
generate passwords. The device is usually synchronized with security
software in the host computer such as an internal clock or an
identical time based mathematical algorithm. Tokens are well suited
for one‑time password generation and access control. A separate PIN
is typically required to activate the token.
Smart cards resemble credit cards or other traditional magnetic
stripe cards, but contain an embedded computer chip. The chip
includes a processor, operating system, and both read only memory
(ROM) and random access memory (RAM). They can be used to generate
one-time passwords when prompted by a host computer, or to carry
cryptographic keys. A smart card reader is required for their use.
Biometrics involves identification and verification of an
individual based on some physical characteristic, such as
fingerprint analysis, hand geometry, or retina scanning. This
technology is advancing rapidly, and offers an alternative means to
authenticate a user.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 16 - TECHNICAL CONTROLS - IDENTIFICATION AND
For most systems, identification and authentication (I&A) is the
first line of defense. I&A is a technical measure that prevents
unauthorized people (or unauthorized processes) from entering a
I&A is a critical building block of computer security since it is
the basis for most types of access control and for establishing user
accountability. Access control often requires that the system be
able to identify and differentiate among users. For example, access
control is often based on least privilege, which refers to the
granting to users of only those accesses required to perform their
duties. User accountability requires the linking of activities on a
computer system to specific individuals and, therefore, requires the
system to identify users.
Identification is the means by which a user provides a claimed
identity to the system. Authentication108 is the means of
establishing the validity of this claim.
This chapter discusses the basic means of identification and
authentication, the current technology used to provide I&A, and some
important implementation issues.
Computer systems recognize people based on the authentication data
the systems receive. Authentication presents several challenges:
collecting authentication data, transmitting the data securely, and
knowing whether the person who was originally authenticated is still
the person using the computer system. For example, a user may walk
away from a terminal while still logged on, and another person may
start using it.
There are three means of authenticating a user's identity, which
can be used alone or in combination:
1) something the individual knows (a secret -- e.g., a password,
Personal Identification Number (PIN), or cryptographic key);
2) something the individual possesses (a token -- e.g., an ATM card
or a smart card); and
3) something the individual is (a biometric -- e.g., such
characteristics as a voice pattern, handwriting dynamics, or a
A typical user identification could be JSMITH (for Jane Smith).
This information can be known by system administrators and other
system users. A typical user authentication could be Jane Smith's
password, which is kept secret. This way system administrators can
set up Jane's access and see her activity on the audit trail, and
system users can send her e-mail, but no one can pretend to be Jane.
Please don't hesitate to email me (firstname.lastname@example.org)
if you have any questions.
Have a great week,
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Our cybersecurity pen-test firewall audit
meets the independent diagnostic test
requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with
Bliley Act 501(b).
a hacker's perspective, which will help
your IT staff identify real-world weaknesses.
There is no charge if you are not satisfied with our service.
For more information, please call R. Kinney Williams at 806-798-7119, send
an email to
email@example.com, or visit
Information Systems Audit and Control Association
Society of Financial Examiners
Association of Credit Union Internal Auditors
The Institute of Internal Auditors