- NIST as Enforcer? House Committee Passes Bill to Expand Agency's
Responsibilities - Republicans on the House Science Committee
forwarded legislation Wednesday that would vastly increase the
operational responsibilities of the government’s cybersecurity
standards agency and task that body with auditing other federal
agencies’ cyber protections.
FCC puts data security protections on hold - Chairman Ajit Pai
followed through on a promise to stop a new rule from taking effect,
one which would have required internet service providers to take
steps to protect consumer personal data.
Yahoo CEO forgoes bonus as 32M breach victims revealed - A recent
regulatory filing from Yahoo has revealed more victims of its 2014
breach. This time, it is not just users but Yahoo's senior
One million Yahoo and Gmail account passwords for sale on the dark
web - More than 1 million Yahoo and Gmail accounts – including
usernames, email addresses and plain text passwords – are reportedly
for sale on the dark web.
House Bill Would Give Companies Some Leeway to Hack Back - House
legislation floated Friday would give companies attacked by hackers
free rein to penetrate those hackers' networks so long as they don’t
destroy anything while they’re there.
Experts not surprised by CIA's leaked cyber weapons, but stunned
agency failed to protect them - Upon publishing a batch of documents
that exposed various cyber espionage tools allegedly used by the
CIA, WikiLeaks claimed that the anonymous source who supplied the
so-called Vault 7 materials wanted to spark discussion around the
use of cyber weapons.
You've Got Ransomware, Now What? - So, the unthinkable has happened:
your corporate server (or maybe just a few employees) has been
infected with ransomware. At least you're not alone.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- New malware attack shutters London hospital - A previously unseen
malware is being blamed for an attack on a London hospital that
forced the facility to shut down a segment of its systems for a few
days as a precautionary measure.
Here’s Why Amazon’s Cloud Suffered a Meltdown This Week - Apparently
all it takes to bring down the Internet isn't a virus or malware or
a well-organized, state-sponsored attack. A typo will do the trick.
Data on 3.2K patients exposed at Vanderbilt University Medical
Center - Two employees in the patient transport department of
Vanderbilt University Medical Center accessed patient data.
Major spam operation suffers data leak containing 1.4 billion
records - A spamming group called River City Media, led by the
well-known spammers Alvin Slocombe and Matt Ferrisi, has had its
database of 1.4 billion records leaked.
Data of 7.5M Georgia voters at risk - The FBI has been called in to
investigate the possibility of a breach at Kennesaw State
University's Center for Election Systems, the organization that
oversees the state of Georgia's election operations and voting
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Board and Management Oversight
- Principle 12: Banks
should take appropriate measures to ensure adherence to customer
privacy requirements applicable to the jurisdictions to which the
bank is providing e-banking products and services.
Maintaining a customer's information privacy is a key
responsibility for a bank. Misuse or unauthorized disclosure of
confidential customer data exposes a bank to both legal and
reputation risk. To meet these challenges concerning the
preservation of privacy of customer information, banks should make
reasonable endeavors to ensure that:
1) The bank's customer privacy policies and standards take
account of and comply with all privacy regulations and laws
applicable to the jurisdictions to which it is providing e-banking
products and services.
2) Customers are made aware of the bank's privacy policies and
relevant privacy issues concerning use of e-banking products and
3) Customers may decline (opt out) from permitting the bank to
share with a third party for cross-marketing purposes any
information about the customer's personal needs, interests,
financial position or banking activity.
4) Customer data are not used for purposes beyond which they are
specifically allowed or for purposes beyond which customers have
5) The bank's standards for customer data use must be met when
third parties have access to customer data through outsourcing
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE
Financial institution system development, acquisition, and
maintenance functions should incorporate agreed upon security
controls into software prior to development and implementation.
Management should integrate consideration of security controls into
each phase of the system development process. For the purposes of
this section, system development could include the internal
development of customized systems, the creation of database systems,
or the acquisition of third-party developed software. System
development could include long-term projects related to large
mainframe-based software projects with legacy source code or rapid
Web-based software projects using fourth-generation programming. In
all cases, institutions need to prioritize security controls
SOFTWARE DEVELOPMENT AND ACQUISITION
Financial institutions should develop security control requirements
for new systems, system revisions, or new system acquisitions.
Management will define the security control requirements based on
their risk assessment process evaluating the value of the
information at risk and the potential impact of unauthorized access
or damage. Based on the risks posed by the system, management may
use a defined methodology for determining security requirements,
such as ISO 15408, the Common Criteria. Management may also refer
to published, widely recognized industry standards as a baseline for
establishing their security requirements. A member of senior
management should document acceptance of the security requirements
for each new system or system acquisition, acceptance of tests
against the requirements, and approval for implementing in a
Development projects should consider automated controls for
incorporation into the application and the need to determine
supporting manual controls. Financial institutions can implement
appropriate security controls with greater cost effectiveness by
designing them into the original software rather than making
subsequent changes after implementation. When evaluating purchased
software, financial institutions should consider the availability of
products that have either been independently evaluated or received
security accreditation through financial institution or information
technology-related industry groups.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the National Institute of Standards and Technology
Section III. Operational Controls - Chapter 10
10.1.1 Groundbreaking -- Position Definition
Early in the process of defining a position, security issues should
be identified and dealt with. Once a position has been broadly
defined, the responsible supervisor should determine the type of
computer access needed for the position. There are two general
principles to apply when granting access: separation of duties
and least privilege.
Separation of duties refers to dividing roles and
responsibilities so that a single individual cannot subvert a
critical process. For example, in financial systems, no single
individual should normally be given authority to issue checks.
Rather, one person initiates a request for a payment and another
authorizes that same payment. In effect, checks and balances need to
be designed into both the process as well as the specific,
individual positions of personnel who will implement the process.
Ensuring that such duties are well defined is the responsibility of
Least privilege refers to the security objective of granting
users only those accesses they need to perform their official
duties. Data entry clerks, for example, may not have any need to run
analysis reports of their database. However, least privilege does
not mean that all users will have extremely little functional
access; some employees will have significant access if it is
required for their position. However, applying this principle may
limit the damage resulting from accidents, errors, or unauthorized
use of system resources. It is important to make certain that the
implementation of least privilege does not interfere with the
ability to have personnel substitute for each other without undue
delay. Without careful planning, access control can interfere with
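The two principles above are easiest to see enforced in code. The following is an added example, not text or code from the NIST handbook or from this newsletter: a small payment workflow in which roles carry only the permissions their duties need (least privilege), a payment must be initiated by one person and approved by another (separation of duties), and substitutes are handled by granting a role rather than a one-off permission. The role names, permission strings, usernames and payments are all constructed for illustration.

```python
"""Separation of duties and least privilege in a payment workflow.

Added example, not part of the NIST handbook or the newsletter. Role names,
permission strings, usernames and payment data are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Least privilege: each role carries only the permissions its duties need.
# A data-entry clerk can initiate a payment but cannot approve one or run
# analysis reports; a supervisor can approve but does not also initiate.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "data_entry_clerk": frozenset({"payment:initiate"}),
    "payment_supervisor": frozenset({"payment:approve"}),
    "analyst": frozenset({"report:run"}),
}

# Users are mapped to roles, not to individual permissions, so a substitute
# can cover a position by being granted the role (dave covers for bob)
# without a bespoke grant that nobody remembers to revoke.
USER_ROLES: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"data_entry_clerk"}),
    "bob": frozenset({"payment_supervisor"}),
    "dave": frozenset({"payment_supervisor"}),
    # carol is deliberately over-privileged: she holds both halves of the
    # payment process, which the periodic review below should flag.
    "carol": frozenset({"data_entry_clerk", "payment_supervisor"}),
}


class AuthorizationError(Exception):
    """Action is outside the caller's grant or violates separation of duties."""


def permissions_for(user: str) -> FrozenSet[str]:
    """Union of the permissions of every role the user holds (empty if unknown)."""
    granted = set()
    for role in USER_ROLES.get(user, frozenset()):
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(granted)


@dataclass
class Payment:
    payee: str
    amount_cents: int
    initiated_by: str
    approved_by: Optional[str] = None


def denial_reason(user: str, permission: str) -> Optional[str]:
    """Least-privilege check: None if allowed, otherwise a human-readable reason."""
    if permission not in permissions_for(user):
        return f"{user} lacks {permission}"
    return None


def approval_denial_reason(user: str, payment: Payment) -> Optional[str]:
    """Why `user` may not approve `payment`, or None if the approval is allowed."""
    reason = denial_reason(user, "payment:approve")
    if reason:
        return reason
    if payment.approved_by is not None:
        return "payment already approved"
    # Separation of duties: the initiator may never be the approver, even
    # when the same person happens to hold both roles.
    if user == payment.initiated_by:
        return f"{user} initiated this payment and may not also approve it"
    return None


def initiate_payment(user: str, payee: str, amount_cents: int) -> Payment:
    reason = denial_reason(user, "payment:initiate")
    if reason:
        raise AuthorizationError(reason)
    return Payment(payee, amount_cents, initiated_by=user)


def approve_payment(user: str, payment: Payment) -> Payment:
    reason = approval_denial_reason(user, payment)
    if reason:
        raise AuthorizationError(reason)
    payment.approved_by = user
    return payment


def over_privileged_users() -> List[str]:
    """Users whose combined roles let them both initiate and approve payments."""
    both = {"payment:initiate", "payment:approve"}
    return sorted(u for u in USER_ROLES if both <= permissions_for(u))


if __name__ == "__main__":
    p = initiate_payment("alice", "ACME Supplies", 125_000)
    print(approval_denial_reason("alice", p))  # alice lacks payment:approve
    approve_payment("bob", p)
    print(p)
    print("review role assignments for:", over_privileged_users())
```

Note that the separation-of-duties check is applied per payment, not per user: carol is allowed to hold both roles, but the moment she tries to approve a payment she herself initiated the request is refused, and over_privileged_users() gives the periodic access review a list of accounts whose role combination defeats the control on paper.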