information technology audits
As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information, see On-site FFIEC IT Audits.
Password manager flaws can expose data on compromised devices,
report says - Flaws in top password managers can expose the very
data they are supposed to protect, a study by researchers.
The role of the CISO during a cyber crisis - The role of a chief
information security officer (CISO) can never be miscategorized as
Wendy’s to pay $50M in data breach settlement - Wendy’s has agreed
to pay $50 million to settle negligence claims following its
2015-2016 data breach that affected more than 1,000 of the burger
White House Orders Agencies to Defend the Skies From Cyberattacks -
In its National Strategy for Aviation Security, the Trump
administration called on the government to be more proactive in
spotting threats to U.S. airspace.
Computers vulnerable to attack through USB ports, report -
University of Cambridge and Rice University researchers have created
a platform that allows cyberattacks to be conducted through a
variety of computer peripherals through their USB-C port.
UK consumers more likely to abandon a breached company - Yanks and
Brits may both have a soft spot in their hearts for beer and sports,
but when it comes to trusting a company that has suffered a data
breach, these two groups of people have quite different opinions.
ODNI, OPM planning series of sweeping updates to federal personnel
vetting system - The Trump administration is planning to roll out a
series of sweeping changes to suitability, credentialing and
security clearance procedures that officials say will bring more
speed and efficiency to a process that’s been stuck in the past for
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
42,000 patients' data compromised in AdventHealth Medical Group data
breach - AdventHealth Medical Group Pulmonary and Sleep Medicine
officials are warning up to 42,000 of their patients of a
16-month-long data breach at the facility that exposed their
personal and health information.
Tampa mayor’s Twitter hacked, used to send bomb and ballistic
missile threats - A hacker took over the Twitter account of Tampa
Mayor Bob Buckhorn and sent out a fake ballistic missile warning and
a bomb threat from the compromised account.
Misconfigured database exposes 974,000 University of Washington
Medicine patients - Almost one million University of Washington (UW)
Medicine personal health information files were exposed for most of
December 2018 due to a misconfigured database.
Undisclosed number of TurboTax accounts breached - Intuit, the
company behind tax preparation software TurboTax, said users’
accounts may have been accessed by an unauthorized party.
SEDC stored millions of utility customers’ passwords in plaintext -
An anonymous independent researcher found millions of utility
customers’ passwords had previously been stored in plaintext.
Payroll Provider Gives Extortionists a Payday
Payroll software provider Apex Human Capital Management suffered a
ransomware attack this week that severed payroll management services
for hundreds of the company’s customers for nearly three days.
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Banking Supervision.
Risk management challenges
The Electronic Banking Group (EBG) noted that the fundamental
characteristics of e-banking (and e-commerce more generally) posed a
number of risk management challenges:
1) The speed of change
relating to technological and customer service innovation in
e-banking is unprecedented. Historically, new banking applications
were implemented over relatively long periods of time and only after
in-depth testing. Today, however, banks are experiencing competitive
pressure to roll out new business applications in very compressed
time frames - often only a few months from concept to production.
This competition intensifies the management challenge to ensure that
adequate strategic assessment, risk analysis and security reviews
are conducted prior to implementing new e-banking applications.
2) Web sites and associated retail and wholesale business applications
are typically integrated as much as possible with legacy computer
systems to allow more straight-through processing of electronic
transactions. Such straight-through automated processing reduces
opportunities for human error and fraud inherent in manual
processes, but it also increases dependence on sound systems design
and architecture as well as system interoperability and operational
3) E-banking increases banks'
dependence on information technology, thereby increasing the
technical complexity of many operational and security issues and
furthering a trend towards more partnerships, alliances and
outsourcing arrangements with third parties, many of whom are
unregulated. This development has been leading to the creation of
new business models involving banks and non-bank entities, such as
Internet service providers, telecommunication companies and other
4) The Internet is ubiquitous and global by nature. It is an open
network accessible from anywhere in the world by unknown parties,
with routing of messages through unknown locations and via fast
evolving wireless devices. Therefore, it significantly magnifies the
importance of security controls, customer authentication techniques,
data protection, audit trail procedures, and customer privacy
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Computer networks often extend connectivity far beyond the
financial institution and its data center. Networks provide system
access and connectivity between business units, affiliates, TSPs,
business partners, customers, and the public. This increased
connectivity requires additional controls to segregate and restrict
access between various groups and information users.
A typical approach to securing a large network involves dividing
the network into logical security domains. A logical security domain
is a distinct part of a network with security policies that differ
from other domains. The differences may be far broader than network
controls, encompassing personnel, host, and other issues.
Typical network controls that distinguish security domains include
access control software permissions, dedicated lines, filtering
routers, firewalls, remote-access servers, and virtual private
networks. This booklet will discuss additional access controls
within the applications and operating systems residing on the
network in other sections. Before selecting the appropriate
controls, financial institutions should map and configure the
network to identify and control all access control points. Network
configuration considerations could include the following actions:
! Identifying the various applications and user-groups accessed
via the network;
! Identifying all access points to the network including various
telecommunications channels (e.g., wireless, Ethernet, frame relay,
dedicated lines, remote dial-up access, extranets, Internet);
! Mapping the internal and external connectivity between various
! Defining minimum access requirements for network services (i.e.,
most often referenced as a network services access policy); and
! Determining the most appropriate network configuration to ensure
adequate security and performance.
With a clear understanding of network connectivity, the financial
institution can avoid introducing security vulnerabilities by
minimizing access to less-trusted domains and employing encryption
for less secure connections. Institutions can then determine the
most effective deployment of protocols, filtering routers,
firewalls, gateways, proxy servers, and/or physical isolation to
restrict access. Some applications and business processes may
require complete segregation from the corporate network (e.g., no
connectivity between corporate network and wire transfer system).
Others may restrict access by placing the services that must be
accessed by each zone in their own security domain, commonly called
a "demilitarized zone" (DMZ).
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology
Chapter 19 - CRYPTOGRAPHY
What Is an Electronic Signature?
An electronic signature is a cryptographic mechanism that
performs a similar function to a written signature. It is
used to verify the origin and contents of a message. For
example, a recipient of data (e.g., an e-mail message) can
verify who signed the data and that the data was not
modified after being signed. This also means that the
originator (e.g., sender of an e-mail message) cannot
falsely deny having signed the data.
Computer systems store and process increasing numbers of paper-based documents in
electronic form. Having documents in electronic form permits rapid
processing and transmission and improves overall efficiency.
However, approval of a paper document has traditionally been
indicated by a written signature. What is needed, therefore, is the
electronic equivalent of a written signature that can be recognized
as having the same legal status as a written signature. In addition
to the integrity protections discussed above, cryptography can
provide a means of linking a document with a particular person, as
is done with a written signature. Electronic signatures can use
either secret key or public key cryptography; however, public key
methods are generally easier to use.
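As an added illustration (not from the NIST handbook or this newsletter), the following Go program uses only the standard library to contrast the two approaches named above: an Ed25519 public-key signature that lets a recipient verify who signed and that the data is unmodified, beside an HMAC secret-key tag that checks integrity but cannot show a third party which of the key holders produced it. The message text and keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMessage carries what a recipient needs to check origin and integrity.
type SignedMessage struct {
	Msg    []byte            // the signed data
	Signer ed25519.PublicKey // who claims to have signed it
	Sig    []byte            // signature over Msg
}

// Sign makes a public-key signature; only the private-key holder can do this.
func Sign(priv ed25519.PrivateKey, msg []byte) SignedMessage {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedMessage{Msg: msg, Signer: pub, Sig: ed25519.Sign(priv, msg)}
}

// Verify is true only if Msg was signed by Signer and not altered since; and
// because nobody else holds the private key, the signer cannot deny signing.
func Verify(sm SignedMessage) bool {
	return ed25519.Verify(sm.Signer, sm.Msg, sm.Sig)
}

// MACTag is the secret-key alternative: an HMAC under a key both parties share.
// It proves integrity and that a key holder sent it, but the recipient could
// have made the same tag, so it cannot show a third party who signed.
func MACTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// MACVerify compares tags in constant time to avoid timing leaks.
func MACVerify(key, msg, tag []byte) bool {
	return hmac.Equal(MACTag(key, msg), tag)
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed example key
	sm := Sign(priv, []byte("Approve wire #12345 for USD 10,000")) // constructed
	fmt.Println("original verifies:", Verify(sm))
	sm.Msg = []byte("Approve wire #12345 for USD 90,000") // altered in transit
	fmt.Println("altered verifies:", Verify(sm))
}
```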
Cryptographic signatures provide extremely strong proof that a message has not
been altered and was signed by a specific key.
However, there are other mechanisms besides cryptographic-based
electronic signatures that perform a similar function. These
mechanisms provide some assurance of the origin of a message, some
verification of the message's integrity, or both.
- Examination of the
transmission path of a message. When messages are sent across a
network, such as the Internet, the message source and the
physical path of the message are recorded as a part of the
message. These can be examined electronically or manually to
help ascertain the origin of a message.
- Use of a
value-added network provider. If two or more parties are
communicating via a third party network, the network provider
may be able to provide assurance that messages originate from a
given source and have not been modified.
- Acknowledgment statements. The recipient of an electronic message may confirm
the message's origin and contents by sending back an