technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
On-site FFIEC IT Audits.
- CISOs' No. 1 Concern in 2018: The Talent Gap - Survey finds 'lack
of competent in-house staff' outranks all other forms of
cybersecurity worry, including data breaches to ransomware attacks.
Rethinking the SSN in light of Equifax - According to the U.S.
Census Bureau, there were 125.9 million adult men and women in the
United States as of 2014. With a population growth rate of
approximately 2.9 million per year, it is a safe bet that if you
have received credit for anything in your life, you should assume
you are affected and take steps to protect yourself.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Belle Fourche (S.D.) city hall hit with ransomware - The small
city of Belle Fourche, S.D. was hit with a ransomware attack late
last week with the malware encrypting at least some files and
demanding a ransom.
Jason's Deli reports possible POS data breach - The 266-location
Jason's Deli is notifying its customers that their payment card
information may have been compromised through a point of sale data
Hackers crack BlackWallet DNS server, steal $400,000 - Attackers
have made off with up to $400,000 (£290,000) in cryptocurrency after
an ingenious attack on Stellar Lumen (XLM) wallet, BlackWallet.
Ransomware shuts down Greenfield's Hancock Regional Hospital - A
ransomware attack at Hancock Regional Hospital in Greenfield,
Indiana has forced the facility to shut down its computer network to
Return to the top
of the newsletter
WEB SITE COMPLIANCE - Risk
Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Oversight of
Some of the oversight activities management should consider in
administering the service provider relationship are categorized and
listed below. The degree of oversight activities will vary depending
upon the nature of the services outsourced. Institutions should
consider the extent to which the service provider conducts similar
oversight activities for any of its significant supporting agents
(i.e., subcontractors, support vendors, and other parties) and the
extent to which the institution may need to perform oversight
activities on the service provider’s significant supporting agents.
Monitor Financial Condition and Operations
• Evaluate the service
provider’s financial condition periodically.
• Ensure that the service provider’s financial obligations to
subcontractors are being met in a timely manner.
• Review audit reports (e.g., SAS 70 reviews, security reviews)
as well as regulatory examination reports if available, and
evaluate the adequacy of the service providers’ systems and
controls including resource availability, security, integrity,
• Follow up on any deficiencies noted in the audits and reviews
of the service provider.
• Periodically review the service provider’s policies relating
to internal controls, security, systems development and
maintenance, and back up and contingency planning to ensure they
meet the institution’s minimum guidelines, contract
requirements, and are consistent with the current market and
• Review access control reports for suspicious activity.
• Monitor changes in key service provider project personnel
allocated to the institution.
• Review and monitor the service provider’s insurance policies
for effective coverage.
• Perform on-site inspections in conjunction with some of the
reviews performed above, where practicable and necessary.
• Sponsor coordinated audits and reviews with other client
Some services provided to insured
depository institutions by service providers are examined by the
FFIEC member agencies. Regulatory examination reports, which are
only available to clients/customers of the service provider, may
contain information regarding a service provider’s operations.
However, regulatory reports are not a substitute for a financial
institution’s due diligence in oversight of the service provider.
the top of the newsletter
FFIEC IT SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Non-repudiation involves creating proof of the origin or delivery
of data to protect the sender against false denial by the recipient
that the data has been received or to protect the recipient against
false denial by the sender that the data has been sent. To ensure
that a transaction is enforceable, steps must be taken to prohibit
parties from disputing the validity of, or refusing to acknowledge,
legitimate communications or transactions.
Access Control / System Design
Establishing a link between a bank's internal network and the
Internet can create a number of additional access points into the
internal operating system. Furthermore, because the Internet is
global, unauthorized access attempts might be initiated from
anywhere in the world. These factors present a heightened risk to
systems and data, necessitating strong security measures to control
access. Because the security of any network is only as strong as its
weakest link, the functionality of all related systems must be
protected from attack and unauthorized access. Specific risks
include the destruction, altering, or theft of data or funds;
compromised data confidentiality; denial of service (system
failures); a damaged public image; and resulting legal implications.
Perpetrators may include hackers, unscrupulous vendors, former or
disgruntled employees, or even agents of espionage.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 14 - SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND
14.5 Media Controls
Media controls include a variety of measures to provide physical and
environmental protection and accountability for tapes, diskettes,
printouts, and other media. From a security perspective, media
controls should be designed to prevent the loss of confidentiality,
integrity, or availability of information, including data or
software, when stored outside the system. This can include storage
of information before it is input to the system and after it is
The extent of media control depends upon many factors, including the
type of data, the quantity of media, and the nature of the user
environment. Physical and environmental protection is used to
prevent unauthorized individuals from accessing the media. It also
protects against such factors as heat, cold, or harmful magnetic
fields. When necessary, logging the use of individual media (e.g., a
tape cartridge) provides detailed accountability -- to hold
authorized people responsible for their actions.
Controlling media may require some form of physical labeling. The
labels can be used to identify media with special handling
instructions, to locate needed information, or to log media (e.g.,
with serial/control numbers or bar codes) to support accountability.
Identification is often by colored labels on diskettes or tapes or
banner pages on printouts.
If labeling is used for special handling instructions, it is
critical that people be appropriately trained. The marking of PC
input and output is generally the responsibility of the user, not
the system support staff. Marking backup diskettes can help prevent
them from being accidentally overwritten.
Typical markings for media could include: Privacy Act Information,
Company Proprietary, or Joe's Backup Tape. In each case, the
individuals handling the media must know the applicable handling
instructions. For example, at the Acme Patent Research Firm,
proprietary information may not leave the building except under the
care of a security officer. Also, Joe's Backup Tape should be easy
to find in case something happens to Joe's system.
The logging of media is used to support accountability. Logs can
include control numbers (or other tracking data), the times and
dates of transfers, names and signatures of individuals involved,
and other relevant information. Periodic spot checks or audits may
be conducted to determine that no controlled items have been lost
and that all are in the custody of individuals named in control
logs. Automated media tracking systems may be helpful for
maintaining inventories of tape and disk libraries.