FFIEC information technology audits
As a former bank examiner
with over 40 years of IT audit experience, I will bring an examiner's perspective
to the FFIEC information technology audit for your bank in
Texas, New Mexico, Colorado, and Oklahoma.
Please email R. Kinney Williams at
examiner@yennik.com from your bank's domain and I will email you information
and fees.
FYI
- COVID19 Updates from the Fed: Board
of Governors, Recent Developments Federal Reserve Financial Services
www.federalreserve.gov/covid-19.htm
Fed report castigates U.S. ability to fend off a cyberattack,
suggests major reforms - The Cyberspace Solarium Commission issued a
182-page report stating that the United States is dangerously insecure
when it comes to defending itself from a cyberattack and offered a
litany of recommendations to shore up the nation's defenses.
https://www.scmagazine.com/home/security-news/government-and-defense/fed-report-castigates-u-s-ability-to-fend-off-a-cyberattack-suggests-major-reforms/
GAO - Science & Tech Spotlight - A 5G wireless network will move
data faster: potentially 20 times faster than 4G. But it isn’t just
for phones - it’s expected to facilitate tech that will transform
industries and maybe people’s lives.
https://www.gao.gov/products/GAO-20-421SP
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Illinois public health agency website taken down by hackers - The
website for a local Illinois health agency was taken down by a
cyberattack this week, creating difficulties in distributing
accurate information on the coronavirus outbreak.
https://thehill.com/policy/cybersecurity/487282-illinois-public-health-agencys-website-taken-down-by-hackers
Crafty Web Skimming Domain Spoofs “https” - Earlier today,
KrebsOnSecurity alerted the 10th largest food distributor in the
United States that one of its Web sites had been hacked and
retrofitted with code that steals credit card and login data.
https://krebsonsecurity.com/2020/03/crafty-web-skimming-domain-spoofs-https/
Eight million EU retail sales records exposed on AWS MongoDB - A
database hosted on Amazon Web Services holding eight million retail
sales records from the European Union was left exposed, compromising
customer personal and financial information.
https://www.scmagazine.com/home/security-news/8-million-eu-retail-sales-records-exposed-on-aws-mongodb/
WEB SITE COMPLIANCE -
Risk Management of Outsourced
Technology Services
Due Diligence in Selecting a Service Provider - Technical and
Industry Expertise
• Assess the service provider’s
experience and ability to provide the necessary services and
supporting technology for current and anticipated needs.
• Identify areas where the institution would have to supplement
the service provider’s expertise to fully manage risk.
• Evaluate the service provider’s use of third parties or
partners that would be used to support the outsourced
operations.
• Evaluate the experience of the service provider in providing
services in the anticipated operating environment.
• Consider whether additional systems, data conversions, and
work are necessary.
• Evaluate the service provider’s ability to respond to service
disruptions.
• Contact references and user groups to learn about the service
provider’s reputation and performance.
• Evaluate key service provider personnel that would be assigned
to support the institution.
• Perform on-site visits, where necessary, to better understand
how the service provider operates and supports its services.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
BUSINESS CONTINUITY CONSIDERATIONS
Events that trigger the implementation of a business continuity
plan may have significant security considerations. Depending on the
event, some or all of the elements of the security environment may
change. Different people may be involved in operations, at a
different physical location, using similar but different machines
and software which may communicate over different communications
lines. Depending on the event, different tradeoffs may exist between
availability, integrity, confidentiality, and accountability, with a
different appetite for risk on the part of management.
Business continuity plans should be reviewed as an integral part
of the security process. Risk assessments should consider the
changing risks that appear in business continuity scenarios and the
different security posture that may be established. Strategies
should consider the different risk environment and the degree of
risk mitigation necessary to protect the institution in the event
the continuity plans must be implemented. The implementation should
consider the training of appropriate personnel in their security
roles, and the implementation and updating of technologies and plans
for backup sites and communications networks. Testing these
security considerations should be integrated with the testing of
business continuity plan implementations.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls Chapter 5 - COMPUTER SECURITY
POLICY
5.1 Program Policy
A management official, normally the head of the organization or the
senior administration official, issues program policy to establish
(or restructure) the organization's computer security program and
its basic structure. This high-level policy defines the purpose of
the program and its scope within the organization; assigns
responsibilities (to the computer security organization) for direct
program implementation, as well as other responsibilities to related
offices (such as the Information Resources Management [IRM]
organization); and addresses compliance issues.
Program policy sets organizational strategic directions for
security and assigns resources for its implementation.
5.1.1 Basic Components of Program Policy
Components of program policy should address:
Purpose. Program policy normally includes a statement
describing why the program is being established. This may include
defining the goals of the program. Security-related needs, such as
integrity, availability, and confidentiality, can form the basis of
organizational goals established in policy. For instance, in an
organization responsible for maintaining large mission-critical
databases, reduction in errors, data loss, data corruption, and
recovery might be specifically stressed. In an organization
responsible for maintaining confidential personal data, however,
goals might emphasize stronger protection against unauthorized
disclosure.
Scope. Program policy should be clear as to which
resources (including facilities, hardware, software, information,
and personnel) the computer security program covers. In many cases,
the program will encompass all systems and organizational personnel,
but this is not always true. In some instances, it may be
appropriate for an organization's computer security program to be
more limited in scope.
Responsibilities. Once the computer security program is
established, its management is normally assigned to either a
newly-created or existing office.
Program policy establishes the security program and assigns program
management and supporting responsibilities.
The responsibilities of officials and offices throughout the
organization also need to be addressed, including line managers,
applications owners, users, and the data processing or IRM
organizations. This section of the policy statement, for example,
would distinguish between the responsibilities of computer services
providers and those of the managers of applications using the
provided services. The policy could also establish operational
security offices for major systems, particularly those at high risk
or most critical to organizational operations. It also can serve as
the basis for establishing employee accountability.
At the program level, responsibilities should be specifically
assigned to those organizational elements and officials responsible
for the implementation and continuity of the computer security
policy.
Compliance. Program policy typically will address two
compliance issues:
1) General compliance to ensure meeting the requirements to
establish a program and the responsibilities assigned therein to
various organizational components. Often an oversight office (e.g.,
the Inspector General) is assigned responsibility for monitoring
compliance, including how well the organization is implementing
management's priorities for the program.
2) The use of specified penalties and disciplinary actions. Since
the security policy is a high-level document, specific penalties for
various infractions are normally not detailed here; instead, the
policy may authorize the creation of compliance structures that
include violations and specific disciplinary action(s).
Those developing compliance policy should remember that violations
of policy can be unintentional on the part of employees. For
example, nonconformance can often be due to a lack of knowledge or
training.