information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- RiskSec preview: Angelo Longo, CISO at Resorts Casino Hotel -
We’ve all heard how IoT technologies have and will continue to cause
massive challenges to the execution and maintenance of security
controls for organizations.
A v-CISO’s Take on the 5 Issues Facing Cybersecurity - There’s a
quiet shift going on in the business community, one that has the
potential of tipping the scales against cyber criminals; and it has
nothing to do with AI, machine learning or any other shiny, new
Elizabeth Warren wants jail time for CEOs in Equifax-style breaches
- Should more CEOs go to jail after data breaches? Elizabeth Warren
thinks so. In 2017, criminals stole the personal data of about 143
million people from the credit rating system Equifax.
Motel 6 to pay $12M for sharing guest info with ICE - Motel 6 will
pay a $12 million settlement to Washington state after employees at
several of the chain’s locations shared information – without a
warrant – on 80,000 guests in the state with Immigration and Customs
Enforcement (ICE) over a two-year period.
Groups Offer Ideas for Improving Healthcare Cybersecurity - Several
industry groups have offered suggestions - ranging from better cyber
information sharing to new regulatory "safe harbors" for entities
complying with best practices - to Sen. Mark Warner, D-Va., in
response to his recent request for input on how the healthcare
sector can improve its cybersecurity posture.
Yahoo offers $117 million to settle 2016 data breach suit - Yahoo
has more than doubled its proposed data breach settlement payout to
$117.5 million after having a smaller amount rejected by a
California judge in January.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Pharma firm Bayer hit with WINNTI malware - The German drug
manufacturer Bayer reported it was hit with a cyberattack launched
from China that used WINNTI malware that resided on its network for
at least one year.
Chinese HR firms and recruiting agencies found to leak more than
half a billion resumes - Chinese companies were discovered leaking
more than half a billion resumes on the web via poorly secured
ElasticSearch and MongoDB databases.
Georgia Tech stung with 1.3 million-person data breach - Georgia
Tech is reporting that it suffered a data breach when a Georgia
Institute of Technology web app exposed the information on 1.3
million current and former students, student applicants along with
Nevada data center used to distribute Dridex, GandCrab malware right
under the FBI's nose - Scammers used data centers located in the
United States to launch nasty strains of malware against
English-speaking web users, according to Bromium research published
Phishing attacker gains access to Baystate Medical Center patient
records - Baystate Medical Center reportedly suffered a data breach
possibly impacting 12,000 patients.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Board and Management Oversight - Principle 1: The
Board of Directors and senior management should establish effective
management oversight over the risks associated with e-banking
activities, including the establishment of specific accountability,
policies and controls to manage these risks. (Part 2 of 2)
Finally, the Board and senior management should ensure that
its risk management processes for its e-banking activities are
integrated into the bank's overall risk management approach. The
bank's existing risk management policies and processes should be
evaluated to ensure that they are robust enough to cover the new
risks posed by current or planned e-banking activities. Additional
risk management oversight steps that the Board and senior management
should consider taking include:
1) Clearly establishing the banking organization's risk appetite
in relation to e-banking.
2) Establishing key delegations and reporting mechanisms,
including the necessary escalation procedures for incidents that
impact the bank's safety, soundness or reputation (e.g. networks
penetration, employee security infractions and any serious misuse of
3) Addressing any unique risk factors associated with ensuring the
security, integrity and availability of e-banking products and
services, and requiring that third parties to whom the banks has
outsourced key systems or applications take similar measures.
4) Ensuring that appropriate due diligence and risk analysis are
performed before the bank conducts cross-border e-banking
The Internet greatly facilitates a bank's ability to distribute
products and services over virtually unlimited geographic territory,
including across national borders. Such cross-border e-banking
activity, particularly if conducted without any existing licensed
physical presence in the "host country," potentially subjects banks
to increased legal, regulatory and country risk due to the
substantial differences that may exist between jurisdictions with
respect to bank licensing, supervision and customer protection
requirements. Because of the need to avoid inadvertent
non-compliance with a foreign country's laws or regulations, as well
as to manage relevant country risk factors, banks contemplating
cross-border e-banking operations need to fully explore these risks
before undertaking such operations and effectively manage them.
Depending on the scope and complexity of e-banking activities, the
scope and structure of risk management programs will vary across
banking organizations. Resources required to oversee e-banking
services should be commensurate with the transactional functionality
and criticality of systems, the vulnerability of networks and the
sensitivity of information being transmitted.
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Routing (Part 2 of 2)
Routers and switches are sometimes difficult to locate. Users may
install their own devices and create their own unauthorized subnets.
Any unrecognized or unauthorized network devices pose security
risks. Financial institutions should periodically audit network
equipment to ensure that only authorized and maintained equipment
resides on their network.
DNS hosts, routers and switches are computers with their own
operating system. If successfully attacked, they can allow traffic
to be monitored or redirected. Financial institutions must restrict,
log, and monitor administrative access to these devices. Remote
administration typically warrants an encrypted session, strong
authentication, and a secure client. The devices should also be
appropriately patched and hardened.
Packets are sent and received by devices using a network interface
card (NIC) for each network to which they connect. Internal
computers would typically have one NIC card for the corporate
network or a subnet. Firewalls, proxy servers, and gateway servers
are typically dual-homed with two NIC cards that allow them to
communicate securely both internally and externally while limiting
access to the internal network.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 19 - CRYPTOGRAPHY
19.5 Cost Considerations
Using cryptography to protect
information has both direct and indirect costs. Cost is determined
in part by product availability; a wide variety of products exist
for implementing cryptography in integrated circuits, add-on boards
or adapters, and stand-alone units.
19.5.1 Direct Costs
The direct costs of cryptography
- Acquiring or implementing the
cryptographic module and integrating it into the computer
system. The medium (i.e., hardware, software, firmware, or
combination) and various other issues such as level of security,
logical and physical configuration, and special processing
requirements will have an impact on cost.
- Managing the cryptography and,
in particular, managing the cryptographic keys, which includes
key generation, distribution, archiving, and disposition, as
well as security measures to protect the keys, as appropriate