information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- IRS commissioner looks for hiring authority to onboard IT talent
in weeks, not months - IRS Commissioner Chuck Rettig has urged
members of a House Appropriations subcommittee to give the agency
the authority to hire short-term cyber and IT talent more quickly
and pay them at a rate beyond the pay scale for career employees.
Study: 67 percent of hotel websites grant third parties access to
personal booking data, reservations - A study of more than 1,500
hotels in 54 countries found that 67 percent of their websites leak
booking reference codes to third-party partners, allowing them to
potentially access guests’ booking details and personal information.
Hackers publish info on FBI National Academy alum - Hackers posted
personal information on FBI, Secret Service and other federal
employees as well as police officers nicked from three websites
associated with the FBI National Academy (FBINAA).
Big Companies Thought Insurance Covered a Cyberattack. They May Be
Wrong. - Within days of a cyberattack, warehouses of the snack foods
company Mondelez International filled with a backlog of Oreo cookies
and Ritz crackers.
Cyber is among new USAF competitive career categories - The Air
Force is rolling out seven new competitive career categories for
officers that will include cyber, intelligence, and space as a way
to boost promotion, training and talent retention, the service
announced April 11.
North Dakota's IT department takes charge of cybersecurity for the
entire - North Dakota Gov. Doug Burgum signed a bill Friday making
his state’s Information Technology Department the first in the
country to manage cybersecurity operations across all of the state’s
public organizations, including local governments, schools, courts
and the state legislature.
European Commission: No evidence Kaspersky software is malicious -
The European Commission yesterday acknowledged in a public document
that it possesses no evidence to support the notion that software
from Russia-based Kaspersky Lab software is malicious.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Ransomware knocks Greenville, N.C. offline - Greenville, N.C., has
effectively been knocked offline by a ransomware attack with the
city IT department having shut down the majority of its servers to
limit the extent of the attack.
Massive SIM swap fraud leaves traditional 2FA users at risk - As
two-factor authentication becomes more popular, threat actors have
proven once again how this security feature can be exploited if not
VPN apps found insecurely storing session cookies - Researchers with
National Defense ISAC Remote Access Working Group discovered
multiple Virtual Private Networks (VPN) applications were insecurely
storing authentication and/or session cookies in memory logs and
How the city of Ottawa was stung by email fraud - The city of
Ottawa’s financial staff have been criticized by its auditor general
for failing to follow its money transfer rules after the
municipality’s treasurer was tricked into wiring over $100,000 in
what is known as a business email compromise scam.
Garfield County, Utah falls victim to ransomware, pays attackers -
Garfield County, Utah became the latest municipality to not only be
hit with a ransomware attack, but succumb to the attackers demand
and pay the ransom.
Microsoft web mail services breached after support agent’s
credentials are compromised - Hackers reportedly compromised a
Microsoft Corp. support agent’s credentials, allowing them to gain
unauthorized access to the company’s various web-based email
services, including Outlook, MSN and Hotmail, for at least three
months in 2019.
Microsoft Email Hack Shows the Lurking Danger of Customer Support -
On Friday night, Microsoft sent notification emails to an unknown
number of its individual email users—across Outlook, MSN, and
Hotmail—warning them about a data breach.
Student hacks online school government election - A student running
for class president of Berkley High School in California hacked into
the email accounts of his fellow students in order to swing the
school’s first ever online election his way.
Report: Ecuadorian websites besieged by cyberattacks following
Julian Assange’s arrest - Since Julian Assange’s arrest and removal
from London’s Ecuadorian embassy last week, the websites of
Ecuador’s public institutions have been subjected to roughly 40
million cyberattacks, Agence France-Presse reported yesterday.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Board and Management Oversight -
Principle 2: The Board of Directors and senior management should
review and approve the key aspects of the bank's security control
The Board of Directors and senior management should oversee
the development and continued maintenance of a security control
infrastructure that properly safeguards e-banking systems and data
from both internal and external threats. This should include
establishing appropriate authorization privileges, logical and
physical access controls, and adequate infrastructure security to
maintain appropriate boundaries and restrictions on both internal
and external user activities.
Safeguarding of bank assets is one of the Board's fiduciary duties
and one of senior management's fundamental responsibilities.
However, it is a challenging task in a rapidly evolving e-banking
environment because of the complex security risks associated with
operating over the public Internet network and using innovative
To ensure proper security controls for e-banking activities, the
Board and senior management need to ascertain whether the bank has a
comprehensive security process, including policies and procedures,
that addresses potential internal and external security threats both
in terms of incident prevention and response. Key elements of an
effective e-banking security process include:
1) Assignment of explicit management/staff responsibility for
overseeing the establishment and maintenance of corporate security
2) Sufficient physical controls to prevent unauthorized physical
access to the computing environment.
3) Sufficient logical controls and monitoring processes to prevent
unauthorized internal and external access to e-banking applications
4) Regular review and testing of security measures and controls,
including the continuous tracking of current industry security
developments and installation of appropriate software upgrades,
service packs and other required measures.
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
A firewall is a collection of components (computers, routers, and
software) that mediate access between different security domains.
All traffic between the security domains must pass through the
firewall, regardless of the direction of the flow. Since the
firewall serves as a choke point for traffic between security
domains, they are ideally situated to inspect and block traffic and
coordinate activities with network IDS systems.
Financial institutions have four primary firewall types from which
to choose: packet filtering, stateful inspection, proxy servers, and
application-level firewalls. Any product may have characteristics of
one or more firewall types. The selection of firewall type is
dependent on many characteristics of the security zone, such as the
amount of traffic, the sensitivity of the systems and data, and
applications. Over the next few weeks we will discussed the
different types of firewalls.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
illustrates how a hypothetical government agency (HGA) deals with
computer security issues in its operating environment. It follows
the evolution of HGA's initiation of an assessment of the threats to
its computer security system all the way through to HGA's
recommendations for mitigating those risks. In the real world, many
solutions exist for computer security problems. No single solution
can solve similar security problems in all environments. Likewise,
the solutions presented in this example may not be appropriate for
This example can be used to
help understand how security issues are examined, how
some potential solutions are analyzed, how their cost
and benefits are weighed, and ultimately how management
accepts responsibility for risks.
This case study is
provided for illustrative purposes only, and should not be construed
as guidance or specific recommendations to solving specific security
issues. Because a comprehensive example attempting to illustrate all
handbook topics would be inordinately long, this example necessarily
simplifies the issues presented and omits many details. For
instance, to highlight the similarities and differences among
controls in the different processing environments, it addresses some
of the major types of processing platforms linked together in a
distributed system: personal computers, local-area networks,
wide-area networks, and mainframes; it does not show how to secure
This section also
highlights the importance of management's acceptance of a particular
level of risk--this will, of course, vary from organization to
organization. It is management's prerogative to decide what level of
risk is appropriate, given operating and budget environments and
other applicable factors.