- Our cybersecurity testing meets the independent pen-test
requirements outlined in the FFIEC Information Security booklet, and
the penetration study complies with the FFIEC Cybersecurity Assessment
Tool regarding resilience testing. Independent pen-testing is part of
any financial institution's cybersecurity defense. To receive due
diligence information, agreement, and cost-saving fees, please
complete the information form at
All communication is kept strictly confidential.
- NSA chief: Encryption is here to stay - National Security Agency
Director Adm. Michael Rogers on Thursday insisted “encryption is
foundational to the future.”
- Dridex trojan targeting UK banks with Dyre-like 'redirection'
techniques - Researchers from IBM Security have revealed that a new
variant of the Dridex malware has taken inspiration from the Dyre
banking Trojan and is launching attacks on UK bank accounts.
- 64 percent of IT execs think achieving basic compliance will
stop most breaches - In a survey of large enterprises, 64 percent of
more than 1,100 senior IT executives believe that simply meeting
cybersecurity compliance requirements, as opposed to striving for
best practices, is “very” or “extremely” effective at preventing
- Cyber Hit on China-Owned Boeing Supplier Sends Stock Down 19%
- Cyberfraud sent shares of Austria’s FACC AG to their steepest drop
since the supplier of parts to Boeing Co. and Airbus Group SE began
trading in 2014. The company put damages at 50 million euros ($55
million) -- one of the biggest losses after a hacking event for its
- Survey says: Data breaches in other industries will damage
financial institutions - Respondents to a new survey from Silicon
Valley-based software company FICO unanimously agreed: Data breaches
this year in other industries will damage financial institutions.
- U.S. Supreme Court affirms Exel exec's hacking conviction -
The felony conviction of former Exel Transportation Services (ETS)
President, who used the information he pilfered from his former
employer to start a new company, still stands, the U.S. Supreme
Court said Monday.
- Advocacy groups call for repeal of Cybersecurity Act of 2015 - A
coalition that includes the American Civil Liberties Union (ACLU),
FreedomWorks, and other digital privacy advocacy groups sent a
letter to members of the U.S. House of Representatives urging them
to support a bipartisan bill that would repeal the Cybersecurity Act
- Feds say 'Oops!' in anti-hacking deal - An update to an
international accord potentially opens everyone to attacks,
something the US government didn't figure out until after it was
signed. To fight hackers and oppressive rulers, the US government
updated a deal with 40 countries last May to keep dangerous software
from moving from one nation to another.
- Apple can read your iMessages despite them being encrypted - Despite
Apple taking a pro-encryption stance, with its CEO insisting that
iMessages are safely encrypted, it turns out that if users backup
data using iCloud Backup, they need to be aware that although Apple
stores the backup in encrypted form, it uses its own key.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Ukraine energy utilities attacked again with open source Trojan
backdoor - Macro phish attempts to hook BlackEnergy borscht and
battered sector - Battered Ukrainian electricity utilities are being
targeted with backdoors in attacks possibly linked to those fingered
for recent blackouts.
- San Diego County employees data mistakenly sent to Wells Fargo
- San Diego County, California employees mistakenly had their
personal information, to include Social Security numbers, forwarded
to Wells Fargo late last year.
- FACC AG, Belgian bank fall victim to BEC - An aircraft
components designer and a Belgian bank were the latest victims of
the business email compromise (BEC) scam, prompting the IC3 to issue
- University of Virginia hit with Phishing scam, 1,400 affected
- The University of Virginia (UVA) suffered a data breach that was
initiated via a phishing scam that revealed the tax and banking data
of some of the school's employees.
- Flint hospital hit with cyber attack after Anonymous threatens
action - Hurley Medical Center in Flint, Mich. was hit by a cyber
attack Thursday, one day after the hacktivist group, Anonymous,
threatened to take action for the city's water crisis in a YouTube
- N.Y. state police uncover horseracing hack for inside
information - A former jockey agent has been charged by the District
Attorney of Queens County, New York, with illegally accessing the
New York Racing Association's (NYRA) computer system to obtain
information that would help him find horses for his jockey to race.
- Missing drives contained PHI on 950K Centene customers - Six
hard drives containing personal and health information on clients of
health insurance company Centene Corp. have gone missing.
- Lawsuit dismissed in Georgia after state admits to massive
breach - Plaintiffs in Atlanta had a class-action lawsuit dismissed
on Monday following the state's acknowledgement it had put at risk
the data of six million voters.
- NCH Healthcare suffers data breach - NCH Healthcare Systems,
which operates two hospitals in the Naples, Fla. area, notified
employees and medical staff last week that two servers containing
some personal information were accessed by unauthorized personnel.
WEB SITE COMPLIANCE -
This week concludes our series on the FDIC's Supervisory Policy on
Identity Theft. (Part 6 of 6)
President’s Identity Theft Task Force
On May 10, 2006, the President issued an executive order
establishing an Identity Theft Task Force (Task Force). The Chairman
of the FDIC is a principal member of the Task Force and the FDIC is
an active participant in its work. The Task Force has been charged
with delivering a coordinated strategic plan to further improve the
effectiveness and efficiency of the federal government's activities
in the areas of identity theft awareness, prevention, detection, and
prosecution. On September 19, 2006, the Task Force adopted interim
recommendations on measures that can be implemented immediately to
help address the problem of identity theft. Among other things,
these recommendations dealt with data breach guidance to federal
agencies, alternative methods of "authenticating" identities, and
reducing access of identity thieves to Social Security numbers. The
final strategic plan is expected to be publicly released soon.
Financial institutions have an affirmative and continuing
obligation to protect the privacy of customers' nonpublic personal
information. Despite generally strong controls and practices by
financial institutions, methods for stealing personal data and
committing fraud with that data are continuously evolving. The FDIC
treats the theft of personal financial information as a significant
risk area due to its potential to impact the safety and soundness of
an institution, harm consumers, and undermine confidence in the
banking system and economy. The FDIC believes that its collaborative
efforts with the industry, the public and its fellow regulators will
significantly minimize threats to data security and consumers.
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
Common elements of risk assessment approaches involve three phases:
information gathering, analysis, and prioritizing responses. Vendor
concerns add additional elements to the process.
Identifying and understanding risk requires the analysis of a
wide range of information relevant to the particular institution's
risk environment. Once gathered, the information can be catalogued
to facilitate later analysis. Information gathering generally
includes the following actions:
1) Obtaining listings of information system assets (e.g., data,
software, and hardware). Inventories on a device-by-device basis
can be helpful in risk assessment as well as risk mitigation.
Inventories should consider whether data resides in house or at a
2) Determining threats to those assets, resulting from people with
malicious intent, employees and others who accidentally cause
damage, and environmental problems that are outside the control of
the organization (e.g., natural disasters, failures of
interdependent infrastructures such as power, telecommunications,
3) Identifying organizational vulnerabilities (e.g., weak senior
management support, ineffective training, inadequate expertise or
resource allocation, and inadequate policies, standards, or
4) Identifying technical vulnerabilities (e.g., vulnerabilities in
hardware and software, configurations of hosts, networks,
workstations, and remote access).
5) Documenting current controls and security processes, including
both information technology and physical security.
6) Identifying security requirements and considerations (e.g.,
7) Maintaining the risk assessment process requires institutions
to review and update their risk assessment at least once a year, or
more frequently in response to material changes in any of the six
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls Chapter 5
COMPUTER SECURITY POLICY
In discussions of computer security, the term policy has more than
one meaning. Policy is senior management's directives to create a
computer security program, establish its goals, and assign
responsibilities. The term policy is also used to refer to the
specific security rules for particular systems. Additionally, policy
may refer to entirely different matters, such as the specific
or fax security policy.
Policy means different things to different people. The term
"policy" is used in this chapter in a broad manner to refer to
important computer security-related decisions.
In this chapter the term computer security policy is defined as the
"documentation of computer security decisions", which covers all the
types of policy described above. In making these decisions, managers
face hard choices involving resource allocation, competing
objectives, and organizational strategy related to protecting both
technical and information resources as well as guiding employee
behavior. Managers at all levels make choices that can result in
policy, with the scope of the policy's applicability varying
according to the scope of the manager's authority. In this chapter
we use the term policy in a broad manner to encompass all of the
types of policy described above, regardless of the level of manager
who sets the particular policy.
Managerial decisions on computer security issues vary greatly. To
differentiate among various kinds of policy, this chapter
categorizes them into three basic types:
1) Program policy is used to create an organization's computer
2) Issue-specific policies address specific issues of concern to
3) System-specific policies focus on decisions taken by management
to protect a particular system.
Procedures, standards, and guidelines are used to describe how
these policies will be implemented within an organization.
Familiarity with various types and components of policy will aid
managers in addressing computer security issues important to the
organization. Effective policies ultimately result in the
development and implementation of a better computer security program
and better protection of systems and information.
These types of policy are described to aid the reader's
understanding. It is not important that one categorizes specific
organizational policies into these three categories; it is more
important to focus on the functions of each.