- Our cybersecurity testing meets the independent pen-test
requirements outlined in the FFIEC Information Security booklet,
and the penetration study complies with the FFIEC Cybersecurity
Assessment Tool regarding resilience testing. Independent
pen-testing is part of any financial institution's cybersecurity
defense. To receive due diligence information, an agreement
and cost-saving fees, please complete the information form at
All communication is kept strictly confidential.
- California AG Says Not Adopting Critical Security Controls
Indicates "Failure to Provide Reasonable Security" - Data breaches
hitting more Californians - A report released Tuesday from the
California Attorney General's Office found that between 2012 and
2015, there were 657 data breaches in the state, which compromised
over 49 million records of Californians' personal information.
- LA hospital coughs up $17,000 to free PCs held to ransom by hackers
- How to make an infection go away in US healthcare system – throw
money at it - A hospital in Los Angeles, California, has paid a
US$17,000 (£11,900, AU$23,800) ransom to hackers who injected its
computers with malware that scrambled its files.
- 41 percent of younger IT pros have hacked - A new survey of IT
professionals casts light on some of the trust issues that plague
the information security marketplace.
- Utah systems attacked up to 300M times daily - The State of Utah,
home of the National Security Agency (NSA) data center and the Hill
Air Force Base, receives as many as 300,000,000 attacks per day, a
local broadcast station reported.
- U.S. Navy charts a new course to avoid cyberattacks - The U.S. Navy
may not be going back to the age of wooden ships and sails, but to
defend against cyberattacks the service is stepping back from its
current level of hyper-connectivity and instead looking at ways to
limit which systems are networked at any given time.
- Jersey man gets 30 months for sabotaging former employer's servers
- The U.S. Department of Justice yesterday announced that Nikhil
Nilesh Shah, 33, of Union, N.J., was sentenced to 30 months in
prison for sending malicious code to the software company that
formerly employed him as an information technology manager.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Vulnerabilities in healthcare devices show up woeful lack of
security - Healthcare sector "10 to 15 years behind" in security
according to expert - Healthcare security is lagging behind the rest
of the security industry and will reach "breaking point" soon if
action is not taken, according to a security advocate.
- Kankakee Valley REMC breach affects more than 17K - Kankakee Valley
REMC reported a possible data breach after a cybersecurity audit
revealed a foreign Internet Protocol address had accessed a storage
device on the cooperative's network.
- Linode probe into 2015 crack finds fake 2FA creds flaw - New API,
policies and open source manager added to ward off future stolen
creds attacks - Hosting outfit Linode has announced a slew of
changes to its user procedures after a long analysis of the attack
that led to a system-wide password reset in January. It's also
determined that the breach was the result of customer credential
- Linux Mint website hacked to trick users into downloading version
with "backdoor" - A hacker modified a version of Linux Mint to
contain a backdoor, then hacked the project's website to trick users
into downloading the malicious version.
- uKnowKids database error exposed info on 1.7K kids - Security
Researcher Chris Vickery was accused of unethical hacking after he
discovered an exposed database containing sensitive information that
belonged to uKnowKids.com, an Arlington, Va.-based company that
helps parents monitor their children's online activities.
WEB SITE COMPLIANCE -
Advertisement Of Membership
The FDIC and NCUA consider every insured depository institution's
online system top-level page, or "home page", to be an
advertisement. Therefore, according to these agencies'
interpretation of their rules, financial institutions subject to the
regulations should display the official advertising statement on
their home pages unless subject to one of the exceptions described
under the regulations. Furthermore, each subsidiary page of an
online system that contains an advertisement should display the
official advertising statement unless subject to one of the
exceptions described under the regulations. Additional information
about the FDIC's interpretation can be found in the Federal
Register, Volume 62, Page 6145, dated February 11, 1997.
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (1 of 2)
A risk assessment is the key driver of the information security
process. Its effectiveness is directly related to the following key
1) Multidisciplinary and Knowledge-based Approach - A consensus
evaluation of the risks and risk mitigation practices followed by
the institution requires the involvement of a broad range of users,
with a range of expertise and business knowledge. Not all users may
have the same opinion of the severity of various attacks, the
importance of various controls, and the importance of various data
elements and information system components. Management should apply
a sufficient level of expertise to the assessment.
2) Systematic and Central Control - Defined procedures and central
control and coordination help to ensure standardization,
consistency, and completeness of risk assessment policies and
procedures, as well as coordination in planning and performance.
Central control and coordination will also facilitate an
organizational view of risks and lessons learned from the risk
3) Integrated Process - A risk assessment provides a foundation
for the remainder of the security process by guiding the selection
and implementation of security controls and the timing and nature of
testing those controls. Testing results, in turn, provide evidence
to the risk assessment process that the controls selected and
implemented are achieving their intended purpose. Testing can also
validate the basis for accepting risks.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls Chapter 5 - COMPUTER SECURITY
5.2.2 Basic Components of Issue-Specific Policy
As suggested for program policy, a useful structure for
issue-specific policy is to break the policy into its basic
Issue Statement. To formulate a policy on an issue, managers
first must define the issue with any relevant terms, distinctions,
and conditions included. It is also often useful to specify the goal
or justification for the policy - which can be helpful in gaining
compliance with the policy. For example, an organization might want
to develop an issue-specific policy on the use of "unofficial
software," which might be defined to mean any software not approved,
purchased, screened, managed, and owned by the organization.
Additionally, the applicable distinctions and conditions might then
need to be included, for instance, for software privately owned by
employees but approved for use at work, and for software owned and
used by other businesses under contract to the organization.
Statement of the Organization's Position. Once the issue is
stated and related terms and conditions are discussed, this section
is used to clearly state the organization's position (i.e.,
management's decision) on the issue. To continue the previous
example, this would mean stating whether use of unofficial software
as defined is prohibited in all or some cases, whether there are
further guidelines for approval and use, or whether case-by-case
exceptions will be granted, by whom, and on what basis.
Applicability. Issue-specific policies also need to include
statements of applicability. This means clarifying where, how, when,
to whom, and to what a particular policy applies. For example, it
could be that the hypothetical policy on unofficial software is
intended to apply only to the organization's own on-site resources
and employees and not to contractors with offices at other
locations. Additionally, the policy's applicability to employees
traveling among different sites and/or working at home who need to
transport and use disks at multiple sites might need to be
Roles and Responsibilities. The assignment of roles and
responsibilities is also usually included in issue-specific
policies. For example, if the policy permits unofficial software
privately owned by employees to be used at work with the appropriate
approvals, then the approval authority granting such permission
would need to be stated. (Policy would stipulate who, by position,
has such authority.) Likewise, it would need to be clarified who
would be responsible for ensuring that only approved software is
used on organizational computer resources and, perhaps, for
monitoring users in regard to unofficial software.
Compliance. For some types of policy, it may be appropriate
to describe, in some detail, the infractions that are unacceptable,
and the consequences of such behavior. Penalties may be explicitly
stated and should be consistent with organizational personnel
policies and practices. When used, they should be coordinated with
appropriate officials and offices and, perhaps, employee bargaining
units. It may also be desirable to task a specific office within the
organization to monitor compliance.
Points of Contact and Supplementary Information. For any
issue-specific policy, the appropriate individuals in the
organization to contact for further information, guidance, and
compliance should be indicated. Since positions tend to change less
often than the people occupying them, specific positions may be
preferable as the point of contact. For example, for some issues the
point of contact might be a line manager; for other issues it might
be a facility manager, technical support person, system
administrator, or security program representative. Using the above
example once more, employees would need to know whether the point of
contact for questions and procedural information would be their
immediate superior, a system administrator, or a computer security
Guidelines and procedures often accompany policy. The issue-specific
policy on unofficial software, for example, might include procedural
guidelines for checking disks brought to work that had been used by
employees at other locations.
Some Helpful Hints on Policy
To be effective, policy requires visibility. Visibility aids
implementation of policy by helping to ensure policy is fully
communicated throughout the organization. Management presentations,
videos, panel discussions, guest speakers, question/answer forums,
and newsletters increase visibility. The organization's computer
security training and awareness program can effectively notify users
of new policies. It also can be used to familiarize new employees
with the organization's policies.
Computer security policies should be introduced in a manner that
ensures that management's unqualified support is clear, especially
in environments where employees feel inundated with policies,
directives, guidelines, and procedures. The organization's policy is
the vehicle for emphasizing management's commitment to computer
security and making clear their expectations for employee
performance, behavior, and accountability.
To be effective, policy should be consistent with other existing
directives, laws, organizational culture, guidelines, procedures,
and the organization's overall mission. It should also be integrated
into and consistent with other organizational policies (e.g.,
personnel policies). One way to help ensure this is to coordinate
policies during development with other organizational offices.