technology audits -
As a former bank examiner
with over 40 years of IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for financial
Texas, New Mexico, Colorado, and Oklahoma.
- The FFIEC members revised and renamed the Business Continuity
Planning booklet to Business Continuity Management (BCM) to reflect
updated information technology risk practices and frameworks and the
increased focus on ongoing, enterprise-wide business continuity and
resilience. The new Handbook can be found at:
(A side note - the word test
is used more than 90 times.)
Google will offer checking accounts next year, report says - The
tech giant is reportedly partnering with Citigroup and a credit
union at Stanford University. Google reportedly plans to start
offering checking accounts to consumers next year. The accounts will
be run by Citigroup and a credit union at Stanford University,
according to a report Wednesday from The Wall Street Journal.
The Growth and Challenges of Cyber Insurance - Cyberattacks have
grown in frequency and cost over the past decade, with high-profile
cases, such as the 2013 Target data breach, the 2017 Equifax data
breach, and the leak of Democratic National Committee emails during
the 2016 election making national headlines.
Report: Recently breached Capital One reassigns its CISO - Capital
One Financial Corporation is reportedly reassigning its chief
information security officer to an advisory role, less than four
months after the bank holding company disclosed a data breach
affecting more than 100 million individuals.
Aventura Technologies sold Chinese-made security gear with bugs to
gov't, feds say - Commack, N.Y.-based Aventura Technologies and
seven of its current and former employees were charged in Brooklyn
federal court today with defrauding customers.
Study: Ransomware, Data Breaches at Hospitals tied to Uptick in
Fatal Heart Attacks - Hospitals that have been hit by a data breach
or ransomware attack can expect to see an increase in the death rate
among heart patients in the following months or years because of
cybersecurity remediation efforts, a new study posits.
Why weakening COPPA could put children at risk online - Privacy
fines have been rolling in by the millions this year and one of the
more high-profile fines is the 170 million dollar fine imposed by
the FTC for Google violating the Children's Online Privacy
Protection Act (COPPA).
Ransomware forces New Mexico school district to scrub 30,000 devices
- A New Mexico school district that had its systems infected by
ransomware last month is now having to scrub the hard drives of
about 30,000 devices, district officials announced Thursday.
Texas Health Agency Fined $1.6m for Data Breach - A fine of $1.6m
has been meted out to the Texas Health and Human Services Commission
for unintentionally exposing the personal health information of
thousands of vulnerable people online.
Ransom payments averaging $41,000 per incident - The average ransom
payment paid out by victims increased 13 percent, to $41,000, during
the last three months, but researchers noted the rate of increase
Pemex claims victory over cyberattack; $4.9 million ransom
reportedly demanded - The claim made by the Mexican state-owned
petroleum corporation Pemex that it had recovered from a Nov. 10
cyberattack was met with some skepticism, as published reports
indicate the attack may be still affecting the company.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Maine's InterMed suffers data breach, 30,000 affected - The
Portland, Maine healthcare provider InterMed is informing about
30,000 patients that some of their PHI has been involved in a data
Trend Micro hit with insider attack - Trend Micro was the target of
an insider threat that saw about 100,000 of its consumer customers
have their account information stolen, sold and used to make scam
Canadian Nunavut government systems crippled by ransomware - The
lockdown has impacted medical, legal, and social services.
Ransomware attack knocks SmarterASP.net customers offline -
SmarterASP.net reported it was hit with a ransomware attack over the
weekend that encrypted and knocked offline many of the hosting
service's customer accounts.
Ransomware attack at Mexico's Pemex halts work, threatens to cripple
computers - A ransomware attack hit computer servers and halted
administrative work on Monday at Mexican state oil firm Pemex,
according to employees and internal emails, in hackers' latest bid
to wring ransom from a major company.
WEB SITE COMPLIANCE -
We continue the series regarding FDIC
Supervisory Insights on Incident Response
Programs. (8 of 12)
During the containment phase, the institution should generally
implement its predefined procedures for responding to the specific
incident (note that containment procedures are a required minimum
component). Additional containment-related procedures some banks
have successfully incorporated into their IRPs are discussed below.
Establish notification escalation procedures.
If senior management is not already part of the incident
response team, banks may want to consider developing procedures for
notifying these individuals when the situation warrants. Providing
the appropriate executive staff and senior department managers with
information about how containment actions will affect business
operations or systems and including these individuals in the
decision-making process can help minimize undesirable business
disruptions. Institutions that have experienced incidents have
generally found that the management escalation process (and
resultant communication flow) was not only beneficial during the
containment phase, but also proved valuable during the later phases
of the incident response process.
Document details, conversations, and actions.
Retaining documentation is an important component of the
incident response process. Documentation can come in a variety of
forms, including technical reports generated, actions taken, costs
incurred, notifications provided, and conversations held. This
information may be useful to external consultants and law
enforcement for investigative and legal purposes, as well as to
senior management for filing potential insurance claims and for
preparing an executive summary of the events for the board of
directors or shareholders. In addition, documentation can assist
management in responding to questions from its primary Federal
regulator. It may be helpful during the incident response process to
centralize this documentation for organizational purposes.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST
AND USER EQUIPMENT ACQUISITION AND MAINTENANCE
Software support should incorporate a process to update and
patch operating system and application software for new
vulnerabilities. Frequently, security vulnerabilities are discovered
in operating systems and other software after deployment. Vendors
often issue software patches to correct those vulnerabilities.
Financial institutions should have an effective monitoring process
to identify new vulnerabilities in their hardware and software.
Monitoring involves such actions as the receipt and analysis of
vendor and governmental alerts and security mailing lists. Once
identified, secure installation of those patches requires a process
for obtaining, testing, and installing the patch.
Patches make direct changes to the software and configuration of
each system to which they are applied. They may degrade system
performance. Also, patches may introduce new vulnerabilities, or
reintroduce old vulnerabilities. The following considerations can
help ensure patches do not compromise the security of systems:
! Obtain the patch from a known, trusted source;
! Verify the integrity of the patch through such means as
comparisons of cryptographic hashes to ensure the patch obtained is
the correct, unaltered patch;
! Apply the patch to an isolated test system and verify that the
patch (1) is compatible with other software used on systems to which
the patch will be applied, (2) does not alter the system's security
posture in unexpected ways, such as altering log settings, and (3)
corrects the pertinent vulnerability;
! Back up production systems prior to applying the patch;
! Apply the patch to production systems using secure methods, and
update the cryptographic checksums of key files as well as that
system's software archive;
! Test the resulting system for known vulnerabilities;
! Update the master configurations used to build new systems;
! Create and document an audit trail of all changes; and
! Seek additional expertise as necessary to maintain a secure
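Added example, not part of the FFIEC booklet or this newsletter: a small Python helper that turns three of the bullets above into checks an institution can run at patch intake (hash verification against the vendor-published value, a before/after comparison of security settings on the isolated test system, and refreshing the checksums of key files after installation). All function names and sample inputs are constructed for the illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path):
    """SHA-256 of a file, hashed in chunks so a large patch is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_patch(patch_path, vendor_sha256):
    """Bullet 2: the patch we obtained must match the hash published by the trusted source."""
    return hmac.compare_digest(sha256_file(patch_path), vendor_sha256.strip().lower())

def posture_changes(before, after):
    """Bullet 3(2): security settings on the isolated test system that the patch altered."""
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after)) if before.get(k) != after.get(k)}

def baseline_of(key_files):
    """Bullet 5: fresh checksums of key files once the patch is in production.
    Persist the returned dict somewhere the patched host cannot rewrite it."""
    return {str(p): sha256_file(p) for p in key_files}

def drifted_files(baseline):
    """Later integrity check: key files whose current hash no longer matches the baseline."""
    return sorted(p for p, digest in baseline.items() if sha256_file(p) != digest)

def demo():
    """Constructed walk-through on throwaway files; returns each check's result."""
    with tempfile.TemporaryDirectory() as tmp:
        patch = Path(tmp, "vendor-patch.bin")
        patch.write_bytes(b"constructed patch payload v1")
        vendor_hash = hashlib.sha256(b"constructed patch payload v1").hexdigest()
        ok = verify_patch(patch, vendor_hash)          # genuine copy: accept
        tampered = verify_patch(patch, "00" * 32)      # hash mismatch: reject
        changed = posture_changes({"auditd": "enabled", "log_level": "info"},
                                  {"auditd": "disabled", "log_level": "info"})  # constructed
        sshd = Path(tmp, "sshd_config")
        sshd.write_text("PermitRootLogin no\n")
        baseline = baseline_of([sshd])
        clean = drifted_files(baseline)                # nothing changed yet: []
        sshd.write_text("PermitRootLogin yes\n")       # unauthorized edit after baseline
        return {"ok": ok, "tampered": tampered, "changed": changed, "clean": clean,
                "drifted": [Path(p).name for p in drifted_files(baseline)]}
```

The posture comparison only flags what you feed it, so the `before` snapshot should be captured from the same test system immediately before the patch and cover the log and audit settings the booklet calls out.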
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 2 - ELEMENTS OF COMPUTER SECURITY
2.1 Computer Security Supports the Mission of the Organization.
The purpose of computer security is to protect an organization's
valuable resources, such as information, hardware, and software.
Through the selection and application of appropriate safeguards,
security helps the organization's mission by protecting its physical
and financial resources, reputation, legal position, employees, and
other tangible and intangible assets. Unfortunately, security is
sometimes viewed as thwarting the mission of the organization by
imposing poorly selected, bothersome rules and procedures on users,
managers, and systems. On the contrary, well-chosen security rules
and procedures do not exist for their own sake -- they are put in
place to protect important assets and thereby support the overall
Security, therefore, is a means to an end and not an end in itself.
For example, in a private-sector business, having good security is
usually secondary to the need to make a profit. Security, then,
ought to increase the firm's ability to make a profit. In a
public-sector agency, security is usually secondary to the agency's
service provided to citizens. Security, then, ought to help improve
the service provided to the citizen.
To act on this, managers need to understand both their
organizational mission and how each information system supports that
mission. After a system's role has been defined, the security
requirements implicit in that role can be defined. Security can then
be explicitly stated in terms of the organization's mission.
The roles and functions of a system may not be constrained to a
single organization. In an interorganizational system, each
organization benefits from securing the system. For example, for
electronic commerce to be successful, each of the participants
requires security controls to protect their resources. However, good
security on the buyer's system also benefits the seller; the buyer's
system is less likely to be used for fraud or to be unavailable or
otherwise negatively affect the seller. (The reverse is also true.)