- Our cybersecurity testing meets the independent pen-test
requirements outlined in the FFIEC Information Security Booklet, and
the penetration study complies with the FFIEC Cybersecurity
Assessment Tool regarding resilience testing. Independent
pen-testing is part of any financial institution's cybersecurity
defense. To receive due diligence information, an agreement and
cost-saving fees, please complete the information form at
All communication is kept strictly confidential.
- White House to hire its first chief information security officer -
The new hire will have "oversight of relevant agency cybersecurity
practices, and implementation across federal information technology
system," according to the job description.
- A Worldwide Survey of Encryption Products - Data security is a
worldwide problem, and there is a wide world of encryption solutions
available to help solve this problem.
- FBI budget calls for big boost to battle encryption - The FBI is
requesting $38 million in funding to combat the risk of “going dark”,
a 23-percent increase over what the agency spent last year to
counter the growing use of encryption technology.
- Drone shooter pleads guilty - Technically Incorrect: A New Jersey
man who nailed a drone that hovered somewhere near his house has
pleaded guilty to criminal mischief.
- 'Right to be forgotten' extended to all Google domains in EU - To
extend the “right to be forgotten” ruling, Google will start
removing certain search results across all domains in the European
- Insiders pose greater threat to businesses than outsiders - The
Insider Threat is the most dangerous way to gain inside access to
- Russian police prevented massive banking sector cyber-attack - The
Russian Interior Ministry's department of cyber-crimes announced
that it has uncovered a criminal group which had planned a series of
massive cyber-attacks on the Russian banking system and
international payment systems.
- Recognizing and overcoming insider threats - Cyber attacks can
come from anywhere. It could be a nation state trying to unlock your
recent break-through in advanced manufacturing techniques or perhaps
a competitor trying to discover your sales prospect list.
- California AG data breach report: 24M records compromised in 2015
- California's attorney general Kamala Harris released the state's
third data breach report and found an increase in both the number
and the size of reported breaches compared with previous years.
- 44% of ransomware victims in the UK have paid to recover their
data - A Bitdefender global study with respondents from the UK, the
US, France, Germany, Denmark and Romania was conducted by iSense
Solutions to discover what motivates victims to pay ransoms and how
much they value their data.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Hollywood hospital hit with ransomware: Hackers demand $3.6
million as ransom - No matter where you work, you don’t want to be
told there is an “internal emergency” and you can’t use the
computers, but that is precisely the situation at a Hollywood
hospital which is a ransomware victim.
- This Android Trojan steals banking creds and wipes your phone - A
new banking Trojan for Android is capable of wiping compromised
smartphones as well as stealing online banking credentials, security
researchers warn.
- FireEye flaw enabled attackers to whitelist malware files -
Security researchers have uncovered a flaw that allows malware to
dodge FireEye's analysis engine and end up whitelisted.
WEB SITE COMPLIANCE -
Equal Credit Opportunity Act (Regulation B)
The regulations clarify the rules concerning the taking of credit
applications by specifying that application information entered
directly into and retained by a computerized system qualifies as a
written application under this section. If an institution makes
credit application forms available through its on-line system, it
must ensure that the forms satisfy the requirements.
The regulations also clarify the regulatory requirements that apply
when an institution takes loan applications through electronic
media. If an applicant applies through an electronic medium (for
example, the Internet or a facsimile) without video capability that
allows employees of the institution to see the applicant, the
institution may treat the application as if it were received by
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
This phase ranks the risk (outcomes and probabilities)
presented by various scenarios produced in the analysis phase to
prioritize management's response. Management may decide that since
some risks do not meet the threshold set in their security
requirement, they will accept those risks and not proceed with a
mitigation strategy. Other risks may require immediate corrective
action. Still others may require mitigation, either fully or
partially, over time. Risks that warrant action are addressed in the
information security strategy.
In some borderline instances, or if planned controls cannot fully
mitigate the risk, management may need to review the risk assessment
and risk ranking with the board of directors or a delegated
committee. The board should then document its acceptance of the risk
or authorize other risk mitigation measures.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls Chapter 5 - COMPUTER SECURITY
5.2 Issue-Specific Policy
Whereas program policy is intended to address the broad
organization-wide computer security program, issue-specific policies
are developed to focus on areas of current relevance and concern
(and sometimes controversy) to an organization. Management may find
it appropriate, for example, to issue a policy on how the
organization will approach contingency planning (centralized vs.
decentralized) or the use of a particular methodology for managing
risk to systems. A policy could also be issued, for example, on the
appropriate use of a cutting-edge technology (whose security
vulnerabilities are still largely unknown) within the organization.
Issue-specific policies may also be appropriate when new issues
arise, such as when implementing a recently passed law requiring
additional protection of particular information. Program policy is
usually broad enough that it does not require much modification over
time, whereas issue-specific policies are likely to require more
frequent revision as changes in technology and related factors take
In general, for issue-specific and system-specific policy, the
issuer is a senior official; the more global, controversial, or
resource-intensive, the more senior the issuer.
5.2.1 Example Topics for Issue-Specific Policy
Both new technologies and the appearance of new threats often
require the creation of issue-specific policies. There are many
areas for which issue-specific policy may be appropriate. Two
examples are explained below.
Internet Access. Many organizations are looking at the
Internet as a means for expanding their research opportunities and
communications. Unquestionably, connecting to the Internet yields
many benefits - and some disadvantages. Some issues an Internet
access policy may address include who will have access, which types
of systems may be connected to the network, what types of
information may be transmitted via the network, requirements for
user authentication for Internet-connected systems, and the use of
firewalls and secure gateways.
E-Mail Privacy. Users of computer e-mail systems have come
to rely upon that service for informal communication with colleagues
and others. However, since the system is typically owned by the
employing organization, from time to time management may wish to
monitor employees' e-mail for various reasons (e.g., to be sure
that it is used for business purposes only, or if employees are
suspected of distributing viruses, sending offensive e-mail, or
disclosing organizational secrets). On the other hand, users may
have an expectation of privacy, similar to that accorded U.S. mail.
Policy in this area addresses what level of privacy will be accorded
e-mail and the circumstances under which it may or may not be read.
Other potential candidates for issue-specific policies include:
approach to risk management and contingency planning, protection of
confidential/proprietary information, unauthorized software,
acquisition of software, doing computer work at home, bringing in
disks from outside the workplace, access to other employees' files,
encryption of files and e-mail, rights of privacy, responsibility
for correctness of data, suspected malicious code, and physical