FFIEC information technology audits -
As a former bank examiner with over 40 years' IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI - CISOs' No. 1 Concern in 2018: The Talent Gap - Survey finds 'lack of competent in-house staff' outranks all other forms of cybersecurity worry, from data breaches to ransomware attacks.
http://www.darkreading.com/vulnerabilities---threats/cisos-no-1-concern-in-2018-the-talent-gap/d/d-id/1330800
Rethinking the SSN in light of Equifax - According to the U.S.
Census Bureau, there were 125.9 million adult men and women in the
United States as of 2014. With a population growth rate of
approximately 2.9 million per year, it is a safe bet that if you
have received credit for anything in your life, you should assume
you are affected and take steps to protect yourself.
https://www.scmagazine.com/rethinking-the-ssn-in-light-of-equifax/article/734271/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Belle Fourche (S.D.) city hall hit with ransomware - The small city of Belle Fourche, S.D. was hit with a ransomware attack late last week, with the malware encrypting at least some files and demanding a ransom.
https://www.scmagazine.com/belle-fourche-sd-city-hall-hit-with-ransomware/article/736278/
Jason's Deli reports possible POS data breach - The 266-location
Jason's Deli is notifying its customers that their payment card
information may have been compromised through a point of sale data
breach.
https://www.scmagazine.com/jasons-deli-reports-possible-pos-data-breach/article/736308/
Hackers crack BlackWallet DNS server, steal $400,000 - Attackers have made off with up to $400,000 (£290,000) in cryptocurrency after an ingenious attack on the Stellar Lumen (XLM) wallet BlackWallet.
https://www.scmagazine.com/hackers-crack-blackwallet-dns-server-steal-400000/article/737099/
Ransomware shuts down Greenfield's Hancock Regional Hospital - A
ransomware attack at Hancock Regional Hospital in Greenfield,
Indiana has forced the facility to shut down its computer network to
limit damage.
https://www.scmagazine.com/ransomware-shuts-down-greenfields-hancock-regional-hospital/article/737081/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Oversight of Service Provider
Some of the oversight activities management should consider in
administering the service provider relationship are categorized and
listed below. The degree of oversight activities will vary depending
upon the nature of the services outsourced. Institutions should
consider the extent to which the service provider conducts similar
oversight activities for any of its significant supporting agents
(i.e., subcontractors, support vendors, and other parties) and the
extent to which the institution may need to perform oversight
activities on the service provider’s significant supporting agents.
Monitor Financial Condition and Operations
• Evaluate the service provider's financial condition periodically.
• Ensure that the service provider’s financial obligations to
subcontractors are being met in a timely manner.
• Review audit reports (e.g., SAS 70 reviews, security reviews) as well as regulatory examination reports if available, and evaluate the adequacy of the service provider's systems and controls, including resource availability, security, integrity, and confidentiality. (SAS 70 has since been superseded by SSAE 16 and then SSAE 18 SOC 1 reports, which cover controls relevant to financial reporting; SOC 2 reports are the ones that address security, availability, processing integrity, confidentiality and privacy controls, so ask for the report type that matches the service being outsourced.)
• Follow up on any deficiencies noted in the audits and reviews
of the service provider.
• Periodically review the service provider’s policies relating
to internal controls, security, systems development and
maintenance, and back up and contingency planning to ensure they
meet the institution’s minimum guidelines, contract
requirements, and are consistent with the current market and
technological environment.
• Review access control reports for suspicious activity.
• Monitor changes in key service provider project personnel
allocated to the institution.
• Review and monitor the service provider’s insurance policies
for effective coverage.
• Perform on-site inspections in conjunction with some of the
reviews performed above, where practicable and necessary.
• Sponsor coordinated audits and reviews with other client
institutions.
Some services provided to insured depository institutions by service providers are examined by the FFIEC member agencies. Regulatory examination reports, which are only available to clients/customers of the service provider, may contain information regarding a service provider's operations. However, regulatory reports are not a substitute for a financial institution's due diligence in oversight of the service provider.
FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
Non-repudiation
Non-repudiation involves creating proof of the origin or delivery of data: proof of delivery protects the sender against a recipient falsely denying that the data was received, and proof of origin protects the recipient against a sender falsely denying that the data was sent. To ensure that a transaction is enforceable, steps must be taken to prevent parties from disputing the validity of, or refusing to acknowledge, legitimate communications or transactions. In practice this means digital signatures made with a private key that only one party controls; a shared-secret mechanism such as a MAC or a password cannot provide non-repudiation, because either party could have produced the evidence.
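As an added illustration (this code is not from the FDIC paper or from the newsletter's author), the Go program below shows the two proofs the passage describes using Ed25519 signatures from Go's standard library: the sender signs the payload (proof of origin), and the recipient, after verifying that signature, returns its own signature over a digest of exactly what it accepted (proof of delivery). Either proof can later be checked by an arbiter holding only the relevant public key, which is the property a shared-secret MAC cannot give, since both parties hold the key. The party names, the message text, and the receipt format are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Party holds one participant's long-term signing key pair. Binding the public
// key to a legal identity (a certificate from a CA the other side trusts) is
// assumed here; without that binding a signature proves nothing to an arbiter.
type Party struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, pub: pub, priv: priv}, nil
}

func (p *Party) Public() ed25519.PublicKey { return p.pub }

// SignedMessage is the proof of origin: only the holder of the sender's private
// key can produce Sig over Payload, so the sender cannot later deny sending it.
type SignedMessage struct {
	Payload []byte
	Sig     []byte
}

func (p *Party) Send(payload []byte) SignedMessage {
	return SignedMessage{Payload: payload, Sig: ed25519.Sign(p.priv, payload)}
}

// Receipt is the proof of delivery: the recipient signs the SHA-256 digest of
// exactly the bytes it accepted, so it cannot later deny having received them.
type Receipt struct {
	Digest []byte
	Sig    []byte
}

// Receive checks the sender's signature before acknowledging anything; an
// unverifiable message gets no receipt.
func (p *Party) Receive(senderPub ed25519.PublicKey, m SignedMessage) (Receipt, bool) {
	if !ed25519.Verify(senderPub, m.Payload, m.Sig) {
		return Receipt{}, false
	}
	d := sha256.Sum256(m.Payload)
	return Receipt{Digest: d[:], Sig: ed25519.Sign(p.priv, d[:])}, true
}

// VerifyOrigin is what an arbiter runs when the sender disputes having sent
// the message; it needs only the sender's public key.
func VerifyOrigin(senderPub ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(senderPub, m.Payload, m.Sig)
}

// VerifyDelivery is what an arbiter runs when the recipient disputes having
// received the message: the receipt must cover this exact payload and carry
// the recipient's signature.
func VerifyDelivery(recipientPub ed25519.PublicKey, payload []byte, r Receipt) bool {
	d := sha256.Sum256(payload)
	if !bytes.Equal(d[:], r.Digest) {
		return false
	}
	return ed25519.Verify(recipientPub, r.Digest, r.Sig)
}

func main() {
	alice, err := NewParty("Alice")
	if err != nil {
		panic(err)
	}
	bob, err := NewParty("Bob")
	if err != nil {
		panic(err)
	}
	msg := alice.Send([]byte("pay 100.00 to account 4242")) // constructed sample transaction
	rcpt, ok := bob.Receive(alice.Public(), msg)
	fmt.Println("accepted by Bob:", ok)
	fmt.Println("origin verifies:", VerifyOrigin(alice.Public(), msg))
	fmt.Println("delivery verifies:", VerifyDelivery(bob.Public(), msg.Payload, rcpt))
	forged := SignedMessage{Payload: []byte("pay 900.00 to account 4242"), Sig: msg.Sig}
	fmt.Println("forged origin verifies:", VerifyOrigin(alice.Public(), forged))
	fmt.Println("receipt digest:", hex.EncodeToString(rcpt.Digest))
}
```

Two things a real deployment adds that the example leaves out: a trusted time source in both the message and the receipt, so a party cannot claim the exchange happened at a different time, and retention of the signed evidence by the party it protects (the sender keeps the receipt, the recipient keeps the signed message), since a proof that nobody kept is no proof at all.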
Access Control / System Design
Establishing a link between a bank's internal network and the
Internet can create a number of additional access points into the
internal operating system. Furthermore, because the Internet is
global, unauthorized access attempts might be initiated from
anywhere in the world. These factors present a heightened risk to
systems and data, necessitating strong security measures to control
access. Because the security of any network is only as strong as its
weakest link, the functionality of all related systems must be
protected from attack and unauthorized access. Specific risks
include the destruction, altering, or theft of data or funds;
compromised data confidentiality; denial of service (system
failures); a damaged public image; and resulting legal implications.
Perpetrators may include hackers, unscrupulous vendors, former or
disgruntled employees, or even agents of espionage.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS
14.5 Media Controls
Media controls include a variety of measures to provide physical and
environmental protection and accountability for tapes, diskettes,
printouts, and other media. From a security perspective, media
controls should be designed to prevent the loss of confidentiality,
integrity, or availability of information, including data or
software, when stored outside the system. This can include storage
of information before it is input to the system and after it is
output.
The extent of media control depends upon many factors, including the
type of data, the quantity of media, and the nature of the user
environment. Physical and environmental protection is used to
prevent unauthorized individuals from accessing the media. It also
protects against such factors as heat, cold, or harmful magnetic
fields. When necessary, logging the use of individual media (e.g., a
tape cartridge) provides detailed accountability -- to hold
authorized people responsible for their actions.
14.5.1 Marking
Controlling media may require some form of physical labeling. The
labels can be used to identify media with special handling
instructions, to locate needed information, or to log media (e.g.,
with serial/control numbers or bar codes) to support accountability.
Identification is often by colored labels on diskettes or tapes or
banner pages on printouts.
If labeling is used for special handling instructions, it is
critical that people be appropriately trained. The marking of PC
input and output is generally the responsibility of the user, not
the system support staff. Marking backup diskettes can help prevent
them from being accidentally overwritten.
Typical markings for media could include: Privacy Act Information,
Company Proprietary, or Joe's Backup Tape. In each case, the
individuals handling the media must know the applicable handling
instructions. For example, at the Acme Patent Research Firm,
proprietary information may not leave the building except under the
care of a security officer. Also, Joe's Backup Tape should be easy
to find in case something happens to Joe's system.
14.5.2 Logging
The logging of media is used to support accountability. Logs can
include control numbers (or other tracking data), the times and
dates of transfers, names and signatures of individuals involved,
and other relevant information. Periodic spot checks or audits may
be conducted to determine that no controlled items have been lost
and that all are in the custody of individuals named in control
logs. Automated media tracking systems may be helpful for
maintaining inventories of tape and disk libraries.
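To show the spot check described above as executable logic (this is an added example, not text or code from the NIST Handbook), the Go program below replays a constructed media control log to work out who should hold each control number now, then reconciles that against a constructed physical count and reports every discrepancy an auditor would follow up: an item not found, an item held by someone other than the logged custodian, an item logged as destroyed but still on hand, an item on hand that was never logged, and a checkout entry with no custodian signature. The control numbers, names, dates and the three action names are made up for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Event is one line of the media control log: the control number from the
// label, when the transfer happened, what happened, and who signed for it.
type Event struct {
	Control   string
	When      time.Time
	Action    string // "checkout", "checkin" or "destroy" (assumed vocabulary)
	Custodian string // person who signed; unused for checkin and destroy
}

// Finding is one discrepancy for the auditor to follow up.
type Finding struct{ Control, Problem string }

const Library = "library" // where checked-in media live

// CurrentCustody replays the log in time order and returns, for every control
// number ever logged, who should hold it now ("" means destroyed). Entries that
// cannot support accountability are returned as findings.
func CurrentCustody(log []Event) (map[string]string, []Finding) {
	sorted := append([]Event(nil), log...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].When.Before(sorted[j].When) })
	holder := map[string]string{}
	var findings []Finding
	for _, e := range sorted {
		switch e.Action {
		case "checkout":
			if e.Custodian == "" {
				findings = append(findings, Finding{e.Control, "checkout without custodian signature"})
				continue
			}
			holder[e.Control] = e.Custodian
		case "checkin":
			holder[e.Control] = Library
		case "destroy":
			holder[e.Control] = ""
		default:
			findings = append(findings, Finding{e.Control, "unknown action " + e.Action})
		}
	}
	return holder, findings
}

// SpotCheck reconciles the log against a physical count (control number ->
// where the item was actually found) and returns all discrepancies, sorted.
func SpotCheck(log []Event, onHand map[string]string) []Finding {
	expected, findings := CurrentCustody(log)
	for ctrl, want := range expected {
		got, found := onHand[ctrl]
		switch {
		case want == "" && found:
			findings = append(findings, Finding{ctrl, "logged as destroyed but found with " + got})
		case want == "":
			// destroyed and not found: consistent
		case !found:
			findings = append(findings, Finding{ctrl, "not found; log says " + want})
		case got != want:
			findings = append(findings, Finding{ctrl, "found with " + got + " but log says " + want})
		}
	}
	for ctrl, got := range onHand {
		if _, known := expected[ctrl]; !known {
			findings = append(findings, Finding{ctrl, "found with " + got + " but never logged"})
		}
	}
	sort.Slice(findings, func(i, j int) bool {
		return findings[i].Control+findings[i].Problem < findings[j].Control+findings[j].Problem
	})
	return findings
}

// day builds a timestamp for the constructed sample data.
func day(d int) time.Time { return time.Date(2018, 1, d, 9, 0, 0, 0, time.UTC) }

// SampleLog and SampleInventory are constructed test data, not real records.
func SampleLog() []Event {
	return []Event{
		{"T-0101", day(1), "checkout", "J. Smith"},
		{"T-0101", day(3), "checkin", ""},
		{"T-0102", day(2), "checkout", "J. Smith"},
		{"T-0103", day(1), "checkin", ""},
		{"T-0104", day(2), "destroy", ""},
		{"T-0106", day(4), "checkout", ""}, // nobody signed
	}
}

func SampleInventory() map[string]string {
	return map[string]string{
		"T-0101": Library,    // consistent with the log
		"T-0102": "R. Jones", // log says J. Smith
		"T-0104": Library,    // log says destroyed
		"T-0105": "R. Jones", // never logged; T-0103 is not found at all
	}
}

func main() {
	for _, f := range SpotCheck(SampleLog(), SampleInventory()) {
		fmt.Printf("%s: %s\n", f.Control, f.Problem)
	}
}
```

The reconciliation runs in both directions on purpose: walking the log finds media that are missing or in the wrong hands, and walking the physical count finds media that were never brought under control in the first place, which a log-only review can never surface.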