- Our cybersecurity testing
meets the independent pen-test requirements outlined in
the FFIEC Information Security booklet as well as
the penetration study complies
with the FFIEC Cybersecurity Assessment Tool regarding
resilience testing. Independent
pen-testing is part of any financial institution's cybersecurity
defense. To receive due diligence information, agreement
and, cost saving fees, please complete the information form at
All communication is kept strictly confidential.
- Businesses are still scared of reporting cyberattacks to the
police - Report suggests organisations, be it because of
embarrassment or ignorance, aren't seeking help from the authorities
when they're victims of cybercrime.
Dwolla dwamned for destroywing defwences: $100k fine for insecurity
- Payment upstart encouraged people to send passport scans, SSNs in
plain email - Updated US payment processor Dwolla has been slapped
with a US$100,000 fine for wrongly claiming it was super secure.
Breach: Before and after - It may be a tired mantra for those
dealing with the prospect of data breaches – “It's not if, it's
when” – but it's no less true today.
UK firms at risk due to employees' lack of cyber-security awareness
- UK organisations are putting their reputation, customer trust and
competitive advantage at greater risk by failing to provide their
staff with effective cyber-security awareness and ability to defend
against cyber-attacks, according to a new report.
Dwolla to pay $100K fine after regulatory probe into deceptive
cybersecurity - In a move that signals regulators may be adopting a
new approach in dealing with the fast-growing financial technology
sector, the Consumer Financial Protection Bureau (CFPB) fined
Iowa-based digital payment platform Dwolla for allegedly making
false representations about the company's cybersecurity practices.
Home Depot creates $19.5M fund to settle breach class action suit -
Home Depot has created a $19.5 million fund to settle a class action
suit related to the 2014 breach that affected about 56 million of
the home improvement chain's customers.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Pirates, Ships, And A Hacked CMS: Inside Verizon's Breach
Investigations - Pirates used hacked information from a global
shipping company’s servers to target and capture cargo ships on the
high seas, and a water utility’s valves and ducts were hijacked:
these are some of the more dramatic scenarios representing cases
Verizon’s breach team investigated in the past year.
Cox investigates possible data breach: report - Cox Communications
is investigating a possible breach exposing the personal information
of 40,000 of its employees.
Pirates hack into shipping company's CMS for insights on cargo to
plunder - Real-life pirates—the swashbuckling kind, not digital
thieves—are hacking into the systems of shipping companies in order
to get a sneak preview of their cargo, allowing them to more
efficiently target and raid ships.
Seagate Phish Exposes All Employee W-2’s- Email scam artists last
week tricked an employee at data storage giant Seagate Technology
into giving away W-2 tax documents on all current and past
employees, KrebsOnSecurity has learned.
Stolen laptop exposes PII of over 200K Premier Healthcare patients -
Premier Healthcare, a Bloomington, Indiana-based healthcare
provider, suffered a data breach when a thief stole a laptop
containing patient information from the company's billing
Extended stay: Data-stealing malware hides on Rosen Hotels' payment
card network for over year - Guests who recently lodged at Rosen
Hotels & Resorts properties in theme-park destination Orlando, Fla.
must hope their data hasn't been taken for a wild ride, after the
hospitality company announced its properties have suffered a
long-undiscovered payment card data breach.
- Finland's foreign ministry hacked by Russian or Chinese spies
- Finland's foreign ministry computer network has been infiltrated
by spies, foreign minister Erkki Tuomioja has revealed to the media.
- Oncology clinic breached, patient data stolen - 21st Century
Oncology was asked by the Federal Bureau of Investigation to delay
notification of patients that there information had been taken when
a third-party gained unauthorized access to one of its databases,
the cancer clinic said in a Wednesday notification letter to
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Generally, Internet web sites are considered advertising by the
regulatory agencies. In some cases, the regulations contain special
rules for multiple-page advertisements. It is not yet clear what
would constitute a single "page" in the context of the Internet or
on-line text. Thus, institutions should carefully review their
on-line advertisements in an effort to minimize compliance risk.
In addition, Internet or other systems in which a credit
application can be made on-line may be considered "places of
business" under HUD's rules prescribing lobby notices. Thus,
institutions may want to consider including the "lobby notice,"
particularly in the case of interactive systems that accept
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY STRATEGY (1 of 2)
Action Summary - Financial institutions should develop a strategy
that defines control objectives and establishes an implementation
plan. The security strategy should include
1) Cost comparisons of different strategic approaches appropriate
to the institution's environment and complexity,
2) Layered controls that establish multiple control points between
threats and organization assets, and
3) Policies that guide officers and employees in implementing the
An information security strategy is a plan to mitigate risks while
complying with legal, statutory, contractual, and internally
developed requirements. Typical steps to building a strategy include
the definition of control objectives, the identification and
assessment of approaches to meet the objectives, the selection of
controls, the establishment of benchmarks and metrics, and the
preparation of implementation and testing plans.
The selection of controls is typically grounded in a cost
comparison of different strategic approaches to risk mitigation. The
cost comparison typically contrasts the costs of various approaches
with the perceived gains a financial institution could realize in
increased confidentiality, availability, or integrity of systems and
data. Those gains could include reduced financial losses, increased
customer confidence, positive audit findings, and regulatory
compliance. Any particular approach should consider: (1) policies,
standards, and procedures; (2) technology and architecture; (3)
resource dedication; (4) training; and (5) testing.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls Chapter 5 - COMPUTER SECURITY
5.3.2 Operational Security Rules
After management determines the security objectives, the rules for
operating a system can be laid out, for example, to define
authorized and unauthorized modification. Who (by job category,
organization placement, or name) can do what (e.g., modify, delete)
to which specific classes and records of data, and under what
The degree of specificity needed for operational security rules
varies greatly. The more detailed the rules are, up to a point, the
easier it is to know when one has been violated. It is also, up to a
point, easier to automate policy enforcement. However, overly
detailed rules may make the job of instructing a computer to
implement them difficult or computationally complex.
In addition to deciding the level of detail, management should
decide the degree of formality in documenting the system-specific
policy. Once again, the more formal the documentation, the easier it
is to enforce and to follow policy. On the other hand, policy at the
system level that is too detailed and formal can also be an
administrative burden. In general, good practice suggests a
reasonably detailed formal statement of the access privileges for a
system. Documenting access controls policy will make it
substantially easier to follow and to enforce. Another area that
normally requires a detailed and formal statement is the assignment
of security responsibilities. Other areas that should be addressed
are the rules for system usage and the consequences of
Policy decisions in other areas of computer security, such as those
described in this handbook, are often documented in the risk
analysis, accreditation statements, or procedural manuals. However,
any controversial, atypical, or uncommon policies will also need
formal statements. Atypical policies would include any areas where
the system policy is different from organizational policy or from
normal practice within the organization, either more or less
stringent. The documentation for a typical policy contains a
statement explaining the reason for deviation from the
organization's standard policy.
Sample Operational Security Rule:
Personnel clerks may update fields for weekly attendance, charges
to annual leave, employee addresses, and telephone numbers.
Personnel specialists may update salary information. No employees
may update their own records.