- Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet, and the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing. Independent pen-testing is part of any financial institution's cybersecurity defense. To receive due diligence information, the agreement and cost-saving fees, please complete the information form at
All communication is kept strictly confidential.
- California Says Companies Should Embrace NSA-developed Data
Protections - The state of California has put companies on notice
that they should be following a basic set of 20 information security
controls developed by the U.S. government's top code breakers.
- German police can now use spyware to monitor suspects - Spyware can only be installed when lives are at risk or the nation is threatened. German police are now permitted to infect a suspect's computers and mobile devices with special trojan software to monitor communications made with the systems, the country's interior ministry has confirmed.
- Jersey man gets 30 months for sabotaging former employer's servers - The U.S. Department of Justice yesterday announced that a N.J. man was sentenced to 30 months in prison for sending malicious code to the software company that formerly employed him as an information
- Feds spank Asus with 20-year audit probe for router security blunder - One vendor down, who's next? Asus has settled its case with the US Federal Trade Commission (FTC) after hackers pwned nearly 13,000 home routers via an unpatched security flaw.
- UK citizens relaxed about government snooping, survey reports - A majority of the UK population believe the government should be able to monitor mass communications in the interests of national
- VA sets goal of eliminating cyber material weaknesses by 2017 - The Veterans Affairs Department has a plan to finally get rid of more than two dozen long-standing cybersecurity weaknesses throughout the next 18 months.
- EU adds detail to Privacy Shield agreement, prepares to give it force of law - The European Commission has detailed the steps businesses must take to comply with the Privacy Shield data protection agreement reached with U.S. authorities earlier this month, and published a draft of the order that will give it force of
- Here Comes the Post-Safe Harbor EU Privacy Crackdown - The U.S. and EU are putting the finishing touches on "Privacy Shield," the successor to their struck-down Safe Harbor data-transfer agreement, but it's not quite there yet. And in the meantime, companies still sending people's personal data from the EU to the U.S. under the Safe Harbor scheme are breaking the law.
- Hacking the Pentagon could earn you some cash - A pilot program
aims to help the US Defense Department beef up its networks by
finding any vulnerabilities that could be exploited. Think you could
hack your way into the Pentagon? A new competition will challenge
qualified security pros to do just that.
- Financial Institution Letters - FDIC Announces Webinar for National Consumer Protection Week 2016: Cybersecurity Resources for Financial Institution Customers - The FDIC's Division of Depositor and Consumer Protection and Division of Risk Management Supervision will host a free webinar on March 9, 2016, from 2:00 p.m. to 3:00 p.m., titled Cybersecurity Resources to Help Your Customers Protect Themselves.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- York Hospital breach compromises PII of 1,400 employees - York
Hospital in Maine reported a breach of employees' identifying
information. The hospital says patient information was not targeted.
- IRS now says 700K taxpayer accounts accessed - The Internal Revenue Service (IRS) has dramatically increased the number of citizens impacted by the May 2015 breach to 700,000 from the original 114,000
- Snapchat payroll data snagged in phishing scam - The personal information of a number of former and current Snapchat employees was compromised after an employee fell for a phishing scheme.
- Ransomware holds data hostage in two German hospitals - Two German hospitals have fallen victim to a ransomware attack that has left them unable to access their systems. It is thought the clean-up operation to remove all traces of the malware could take weeks.
- Financial system breached at UC Berkeley campus, exposing 80K records - The University of California, Berkeley, is in damage-control mode after discovering that cyberattackers recently breached a system containing the Social Security and bank account numbers of approximately 80,000 students, faculty members and
- Reinvented ransomware shifts from pwning PC to wrecking websites - 'CTB Locker' targets WordPress, offers live chat to help victims pay up - A new ransomware variant appears to be ripping through WordPress sites encrypting data and demanding a payment of half a bitcoin to
- Wendy's breach losses may exceed those of Target, Home Depot incidents - The financial loss to credit unions affected by the Wendy's data breach uncovered earlier this month appears to be on pace to surpass damages incurred from the high-profile Target and Home Depot breach incidents, according to a report from Krebs on
- Direct deposits rerouted after Illinois State University data
breach - An attacker compromised the accounts of 13 Illinois State
University (ISU) employees and diverted their direct-deposit payroll
payments to another account.
- Personal details of 40K Cox employees show up on dark web - Personal details of 40,000 employees of Cox Communications, an ISP and cable provider, have shown up for sale on the dark web.
WEB SITE COMPLIANCE - Truth in Lending Act (Regulation Z)
The commentary to Regulation Z was amended recently to clarify that
periodic statements for open-end credit accounts may be provided
electronically, for example, via remote access devices. The
regulations state that financial institutions may permit customers
to call for their periodic statements, but may not require them to
do so. If the customer wishes to pick up the statement and the plan
has a grace period for payment without imposition of finance
charges, the statement, including a statement provided by electronic
means, must be made available in accordance with the "14-day rule,"
requiring mailing or delivery of the statement not later than 14
days before the end of the grace period.
Provisions pertaining to advertising of credit products should be
carefully applied to an on-line system to ensure compliance with the
regulation. Financial institutions advertising open-end or
closed-end credit products on-line have options. Financial
institutions should ensure that on-line advertising complies with
the regulations. For on-line advertisements that may be deemed to
contain more than a single page, financial institutions should
comply with the regulations, which describe the requirements for
FFIEC IT SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (2 of 2)
4) Accountable Activities - The responsibility for performing risk assessments should reside primarily with members of management in the best position to determine the scope of the assessment and the effectiveness of risk reduction techniques. For a mid-sized or large institution, that organization will likely be the business unit. The information security officer(s) are responsible for overseeing the performance of each risk assessment and the integration of the risk assessments into a cohesive whole. Senior management is accountable for abiding by the board of directors' guidance for risk acceptance and mitigation decisions.
5) Documentation - Documentation of the risk assessment process
and procedures assists in ensuring consistency and completeness, as
well as accountability. Documentation of the analysis and results
provides a useful starting point for subsequent assessments,
potentially reducing the effort required in those assessments.
Documentation of risks accepted and risk mitigation decisions is
fundamental to achieving accountability for risk decisions.
6) Enhanced Knowledge - Risk assessment increases management's
knowledge of the institution's mechanisms for storing, processing,
and communicating information, as well as the importance of those
mechanisms to the achievement of the institution's objectives.
Increased knowledge allows management to respond more rapidly to
changes in the environment. Those changes can range from new
technologies and threats to regulatory requirements.
7) Regular Updates - Risk assessments should be updated as new information affecting information security risks is identified (e.g., a new threat, vulnerability, adverse test result, hardware change, software change or configuration change). At least once a year, senior management should review the entire risk assessment to ensure relevant information is appropriately considered.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls Chapter 5 - COMPUTER SECURITY
5.3 System-Specific Policy
Program policy and issue-specific policy both address policy from a
broad level, usually encompassing the entire organization. However,
they do not provide sufficient information or direction, for
example, to be used in establishing an access control list or in
training users on what actions are permitted. System-specific policy
fills this need. It is much more focused, since it addresses only
Many security policy decisions may apply only at the system level
and may vary from system to system within the same organization.
While these decisions may appear to be too detailed to be policy,
they can be extremely important, with significant impacts on system
usage and security. These types of decisions can be made by a
management official, not by a technical system administrator. (The
impacts of these decisions, however, are often analyzed by technical
To develop a cohesive and comprehensive set of security policies,
officials may use a management process that derives security rules
from security goals. It is helpful to consider a two-level model for
system security policy: security objectives and operational security
rules, which together comprise the system-specific policy. Closely
linked and often difficult to distinguish, however, is the
implementation of the policy in technology.
System-specific security policy includes two components: security
objectives and operational security rules. It is often accompanied
by implementing procedures and guidelines.
5.3.1 Security Objectives
The first step in the management process is to define security objectives for the specific system. Although this process may start with an analysis of the need for integrity, availability, and confidentiality, it should not stop there. A security objective needs to be more specific; it should be concrete and well defined. It also should be stated so that it is clear that the objective is achievable. This process will also draw upon other applicable
Security objectives consist of a series of statements that describe
meaningful actions about explicit resources. These objectives should
be based on system functional or mission requirements, but should
state the security actions that support the requirements.
Development of system-specific policy will require management to
make trade-offs, since it is unlikely that all desired security
objectives will be able to be fully met. Management will face cost,
operational, technical, and other constraints.
Sample Security Objective: Only individuals in the
accounting and personnel departments are authorized to provide or
modify information used in payroll processing.