- Is your web site compliant with the Americans with Disabilities
Act? For the past 20 years, our bank web site audits have
covered the ADA guidelines. Help reduce any liability, please
contact me for more information at
The FDIC, NCUA, and the OCC do not have a requirement
that financial institutions change third-party vendors on a
Any such decision would be up to bank management.
EU's privacy statutes preclude U.K.'s data retention legislation,
court rules - The European Court of Justice ruled on Wednesday that
the U.K.'s Data Retention and Investigatory Powers Act (DRIPA) of
2014 is effectively invalidated by European Union statutes that
protect citizens from the indiscriminate collection and retention of
The year of ransomware, data breaches and Brad Pitt - It would
appear SC Media's readers are a rather eclectic bunch. Not in their
personal habits, of which I have no knowledge, but in what everyone
in webland found interesting on the site during 2016.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- FBI probing hack of FDIC credited to China - The FBI is
investigating a hack into the network of the Federal Deposit
Insurance Corporation (FDIC), which is said to have lasted years.
Fraudsters target Groupon users in the UK: losses add up in the £100s
- In recent weeks, fraudsters have managed to hack into a number of
Groupon accounts in the UK. Users have seen hundreds of pounds
siphoned from their banks.
Data exposed of 15K clients of New Hampshire DHHS - A former patient
of the New Hampshire Department of Health and Human Services (DHHS)
posted data of patients, including Social Security numbers, to
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Board and Management Oversight - Principle 3: The
Board of Directors and senior management should establish a
comprehensive and ongoing due diligence and oversight process for
managing the bank's outsourcing relationships and other third-party
dependencies supporting e-banking.
Increased reliance upon partners and third party service providers
to perform critical e-banking functions lessens bank management's
direct control. Accordingly, a comprehensive process for managing
the risks associated with outsourcing and other third-party
dependencies is necessary. This process should encompass the
third-party activities of partners and service providers, including
the sub-contracting of outsourced activities that may have a
material impact on the bank.
Historically, outsourcing was often limited to a single service
provider for a given functionality. However, in recent years, banks'
outsourcing relationships have increased in scale and complexity as
a direct result of advances in information technology and the
emergence of e-banking. Adding to the complexity is the fact that
outsourced e-banking services can be sub-contracted to additional
service providers and/or conducted in a foreign country. Further, as
e-banking applications and services have become more technologically
advanced and have grown in strategic importance, certain e-banking
functional areas are dependent upon a small number of specialized
third-party vendors and service providers. These developments may
lead to increased risk concentrations that warrant attention both
from an individual bank as well as a systemic industry standpoint.
Together, these factors underscore the need for a comprehensive
and ongoing evaluation of outsourcing relationships and other
external dependencies, including the associated implications for the
bank's risk profile and risk management oversight abilities. Board
and senior management oversight of outsourcing relationships and
third-party dependencies should specifically focus on ensuring that:
1) The bank fully understands the risks associated with entering
into an outsourcing or partnership arrangement for its e-banking
systems or applications.
2) An appropriate due diligence review of the competency and
financial viability of any third-party service provider or partner
is conducted prior to entering into any contract for e-banking
3) The contractual accountability of all parties to the
outsourcing or partnership relationship is clearly defined. For
instance, responsibilities for providing information to and
receiving information from the service provider should be clearly
4) All outsourced e-banking systems and operations are subject to
risk management, security and privacy policies that meet the bank's
5) Periodic independent internal and/or external audits are
conducted of outsourced operations to at least the same scope
required if such operations were conducted in-house.
This is the last of three principles regarding Board and
Management Oversight. Next week we will begin the series on the
principles of security controls, which include Authentication,
Non-repudiation, Data and transaction integrity, Segregation of
duties, Authorization controls, Maintenance of audit trails, and
Confidentiality of key bank information.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION - DATA CENTER SECURITY
When selecting a site for the most important information systems
components, one major objective is to limit the risk of exposure
from internal and external sources. The selection process should
include a review of the surrounding area to determine if it is
relatively safe from exposure to fire, flood, explosion, or similar
environmental hazards. Outside intruders can be deterred through the
use of guards, fences, barriers, surveillance equipment, or other
similar devices. Since access to key information system hardware and
software should be limited, doors and windows must be secure.
Additionally, the location should not be identified or advertised by
signage or other indicators.
Detection devices, where applicable, should be utilized to prevent
theft and safeguard the equipment. They should provide continuous
coverage. Detection devices have two purposes - to alarm when a
response is necessary and to support subsequent forensics. The alarm
capability is only useful when a response will occur. Some intruder
detection devices available include:
! Switches that activate an alarm when an electrical circuit is
! Light and laser beams, ultraviolet beams and sound or vibration
detectors that are invisible to the intruder, and ultrasonic and
radar devices that detect movement in a room; and
! Closed-circuit television that allows visual observation and
recording of actions.
Risks from environmental threats can be addressed somewhat through
devices such as halon gas, smoke alarms, raised flooring, heat
sensors, and the like.
Physical security devices frequently need preventive maintenance to
function properly. Maintenance logs are one control the institution
can use to determine whether the devices are appropriately
maintained. Periodic testing of the devices provides assurance that
they are operating correctly.
Security guards should be properly instructed about their duties.
The employees who access secured areas should have proper
identification and authorization to enter the area. All visitors
should sign in and wear proper IDs so that they can be identified
easily. Security guards should be trained to restrict the removal of
assets from the premises and to record the identity of anyone
removing assets. Consideration should be given to implementing a
specific and formal authorization process for the removal of
hardware and software from premises.
The following security zones should have access restricted to a
! Operations center
! Uninterrupted power supply
! Telecommunications equipment
! Media library
CABINET AND VAULT SECURITY
Protective containers are designed to meet either fire-resistant or
burglar-resistant standards. Labels describing expected tolerance
levels are usually attached to safes and vault doors. An institution
should select the tolerance level based on the sensitivity and
importance of the information being protected.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 9 - Assurance
A product evaluation normally includes testing. Evaluations can be
performed by many types of organizations, including government
agencies, both domestic and foreign; independent organizations, such
as trade and professional organizations; other vendors or commercial
groups; or individual users or user consortia. Product reviews in
trade literature are a form of evaluation, as are more formal
reviews made against specific criteria. Important factors for using
evaluations are the degree of independence of the evaluating group,
whether the evaluation criteria reflect needed security features,
the rigor of the testing, the testing environment, the age of the
evaluation, the competence of the evaluating organization, and the
limitations placed on the evaluations by the evaluating group (e.g.,
assumptions about the threat or operating environment).
9.3.7 Assurance Documentation
The ability to describe security requirements and how they were met
can reflect the degree to which a system or product designer
understands applicable security issues. Without a good understanding
of the requirements, it is not likely that the designer will be able
to meet them.
Assurance documentation can address the security either for a
system or for specific components. System-level documentation should
describe the system's security requirements and how they have been
implemented, including interrelationships among applications, the
operating system, or networks. System-level documentation addresses
more than just the operating system, the security system, and
applications; it describes the system as integrated and implemented
in a particular environment. Component documentation will generally
be an off-the-shelf product, whereas the system designer or
implementer will generally develop system documentation.
9.3.8 Accreditation of Product to Operate in Similar Situation
The accreditation of a product or system to operate in a similar
situation can be used to provide some assurance. However, it is
important to realize that an accreditation is environment- and
system-specific. Since accreditation balances risk against
advantages, the same product may be appropriately accredited for one
environment but not for another, even by the same accrediting