information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- Musical.ly�s $5.7M FTC fine largest yet under COPPA - Musical.ly,
the social networking app now known as TikTok, illegally gathered
and used children�s personal data, and must now pay a $5.7million
fine for violating the Children�s Online Privacy Protection Act
(COPPA), the Federal Trade Commission (FTC) said Wednesday.
Why the cyber fast track is stalled at DOD - The Pentagon is having
trouble bringing on cyber workers through the Cyber Excepted
Service, thanks to too few personnel and a backlogged and
complicated security clearance process.
TSA's pipeline security team has five employees - The Transportation
Security Administration division responsible for securing the
nation's 2.7 million miles of pipeline currently has just five
dedicated full-time employees, none with cybersecurity expertise,
according to a TSA official.
United Airlines CISO: To soar, security teams must focus on
business, not technology - Many corporate IT security organizations
are starting to realign their strategies by taking less of a
technology-focused approach and instead prioritizing what�s most
important from a global business perspective according to Emily
Heath, VP and CISO at United Airlines.
Sonic hit by $5 million suit over 2017 data breach - The drive-in
fast food chain Sonic is being sued by the American Airlines Federal
Credit Union for $5 million in an attempt to recoup money the credit
union lost due to Sonic�s data breach in 2017.
Vendor risk management - The SC Labs team this month took a deep
dive into vendor risk management (VRM) solutions. According to
Gartner, VRM is the process of ensuring that service providers and
IT suppliers don�t create an unacceptable potential for business
disruption or negative impact on business performance.
More than 1,500 feds applied for first Cyber Reskilling Academy
cohort - More than 1,500 federal employees applied to be part of the
first cohort of the Federal Cyber Reskilling Academy, a three-month
training program that will offer cybersecurity and technology
education to federal employees not currently working in IT
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Dow Jones database holding 2.4 million records of politically
exposed persons - A cybersecurity researcher found the Down Jones
Watchlist residing in an open Elasticsearch database containing 2.4
million records of politicians, criminals and national and
international sanction lists.
Rush University Medical Center data breach, 45,000 patients affected
- About 45,000 Rush University Medical Center patients had their
data exposed when a third-party employee mistakenly exposed a file
containing the data to an unauthorized individual.
More healthcare facilities affected by Wolverine Solutions Group
data breach come forward - Hundreds healthcare facilities and more
than one million patients had their information compromised when
their shared third-party vendor Wolverine Solutions Group (WSG)
suffered a ransomware attack in September 2018.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Risk management principles (Part 1 of 2)
Based on the early work of the Electronic Banking Group EBG,
the Committee concluded that, while traditional banking risk
management principles are applicable to e-banking activities, the
complex characteristics of the Internet delivery channel dictate
that the application of these principles must be tailored to fit
many online banking activities and their attendant risk management
challenges. To this end, the Committee believes that it is incumbent
upon the Boards of Directors and banks' senior management to take
steps to ensure that their institutions have reviewed and modified
where necessary their existing risk management policies and
processes to cover their current or planned e-banking activities.
Further, as the Committee believes that banks should adopt an
integrated risk management approach for all banking activities, it
is critical that the risk management oversight afforded e-banking
activities becomes an integral part of the banking institution's
overall risk management framework.
To facilitate these developments, the Committee asked the EBG to
identify the key risk management principles that would help banking
institutions expand their existing risk oversight policies and
processes to cover their e-banking activities and, in turn, promote
the safe and sound electronic delivery of banking products and
These Risk Management Principles for Electronic Banking, which are
identified in this Report, are not put forth as absolute
requirements or even "best practice" but rather as guidance to
promote safe and sound e-banking activities. The Committee believes
that setting detailed risk management requirements in the area of
e-banking might be counter-productive, if only because these would
be likely to become rapidly outdated by the speed of change related
to technological and product innovation. Therefore the principles
included in the present Report express supervisory expectations
related to the overall objective of banking supervision to ensure
safety and soundness in the financial system rather than stringent
The Committee is of the view that such supervisory expectations
should be tailored and adapted to the e-banking distribution channel
but not be fundamentally different to those applied to banking
activities delivered through other distribution channels.
Consequently, the principles presented below are largely derived and
adapted from supervisory principles that have already been expressed
by the Committee or national supervisors over a number of years. In
some areas, such as the management of outsourcing relationships,
security controls and legal and reputational risk management, the
characteristics and implications of the Internet distribution
channel introduce a need for more detailed principles than those
expressed to date.
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Protocols and Ports (Part 1 of 3)
Network communications rely on software protocols to ensure the
proper flow of information. A protocol is a set of rules that allows
communication between two points in a telecommunications connection.
Different types of networks use different protocols. The Internet
and most intranets and extranets, however, are based on the TCP/IP
layered model of protocols. That model has four layers, and
different protocols within each layer. The layers, from bottom to
top, are the network access layer, the Internet layer, the
host-to-host layer, and the application layer. Vulnerabilities and
corresponding attack strategies exist at each layer. This becomes an
important consideration in evaluating the necessary controls.
Hardware and software can use the protocols to restrict network
access. Likewise, attackers can use weaknesses in the protocols to
The primary TCP/IP protocols are the Internet protocol (IP) and
the transmission control protocol (TCP). IP is used to route
messages between devices on a network, and operates at the Internet
layer. TCP operates at the host-to-host layer, and provides a
connection-oriented, full - duplex, virtual circuit between hosts.
Different protocols support different services for the network. The
different services often introduce additional vulnerabilities. For
example, a third protocol, the user datagram protocol (UDP) is also
used at the host-to-host layer. Unlike TCP, UDP is not connection -
oriented, which makes it faster and a better protocol for supporting
broadcast and streaming services. Since UDP is not
connection-oriented, however, firewalls often do not effectively
filter it. To provide additional safeguards, it is often blocked
entirely from inbound traffic or additional controls are added to
verify and authenticate inbound UDP packets as coming from a trusted
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 19 - CRYPTOGRAPHY
188.8.131.52 Secret Key Electronic
An electronic signature can be
implemented using secret key message authentication codes (MACs).
For example, if two parties share a secret key, and one party
receives data with a MAC that is correctly verified using the shared
key, that party may assume that the other party signed the data.
This assumes, however, that the two parties trust each other. Thus,
through the use of a MAC, in addition to data integrity, a form of
electronic signature is obtained. Using additional controls, such as
key notarization and key attributes, it is possible to provide an
electronic signature even if the two parties do not trust each
Systems incorporating message authentication technology have been
approved for use by the federal government as a replacement for
written signatures on electronic documents.
184.108.40.206 Public Key Electronic
Another type of electronic signature
called a digital signature is implemented using public key
cryptography. Data is electronically signed by applying the
originator's private key to the data. (The exact mathematical
process for doing this is not important for this discussion.) To
increase the speed of the process, the private key is applied to a
shorter form of the data, called a "hash" or "message digest,"
rather than to the entire set of data. The resulting digital
signature can be stored or transmitted along with the data. The
signature can be verified by any party using the public key of the
signer. This feature is very useful, for example, when distributing
signed copies of virus-free software. Any recipient can verify that
the program remains virus-free. If the signature verifies properly,
then the verifier has confidence that the data was not modified
after being signed and that the owner of the public key was the
NIST has published standards for a
digital signature and a secure hash for use by the federal
government in FIPS 186, Digital Signature Standard and FIPS
180, Secure Hash Standard.