technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma. For more information go
On-site FFIEC IT Audits.
- Lawmakers pass stringent California Consumer Privacy Act - After a
rush to get legislation done so a ballot measure slated for the
November election could be pulled by today's withdrawal deadline,
the California State Assembly Thursday passed the California
Consumer Privacy Act of 2018.
Equifax agrees to cybersecurity regulations set forth by 8 U.S.
States - Equifax agreed to a number of security measures put in
place by financial regulators in eight states in response to the
breach that compromised the personal information of more than 147
Women are the future? - There's no doubt that the women's movement,
however you define it, has had a positive effect on the plight of
women in security.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Exactis breach exposes 340M records, may compel GDPR-like reg in
U.S. - An exposed database at data broker Exactis exposed nearly 340
million records amounting to around two terabytes of information.
Spam and eggs: Red Hen restaurant's website apparently injected with
SEO spam links - The website for the restaurant that recently
refused to host White House Press Secretary Sarah Huckabee Sanders
was found unknowingly hosting hidden code linking to ads for Viagra
and other pharmaceuticals.
Ticketmaster Breach Exposes Supply Chain Risks - Ticketmaster is the
latest online vendor to report a breach that is the result of a
third-party widget. Event ticket retailer Ticketmaster publicly
disclosed a data breach at its United Kingdom division on June 27
that involved a subset of its global customer base.
Tread carefully: Adidas U.S. retail website breached - Several
million online retail customers of German shoe and apparel
manufacturer Adidas may have had their personal information
compromised in a data breach involving an unauthorized third party.
Facebook quizzes may have exposed 120 million users personal
information - Facebook's data privacy woes continue to grow as a
security researcher uncovered the social media's popular "tests“ not
only told users which Disney princess they were, but also exposed
the private data of about 120 million people who took the test.
File-Wiping Malware Placed Inside Gentoo Linux Code After GitHub
Account Hack - An unknown hacker has temporarily taken control over
the GitHub account of the Gentoo Linux organization and embedded
malicious code inside the operating system's distributions that
would delete user files.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Generally, Internet web sites are considered advertising by the
regulatory agencies. In some cases, the regulations contain special
rules for multiple-page advertisements. It is not yet clear what
would constitute a single "page" in the context of the Internet or
on-line text. Thus, institutions should carefully review their
on-line advertisements in an effort to minimize compliance risk.
In addition, Internet or other systems in which a credit
application can be made on-line may be considered "places of
business" under HUD's rules prescribing lobby notices. Thus,
institutions may want to consider including the "lobby notice,"
particularly in the case of interactive systems that accept
the top of the newsletter
FFIEC IT SECURITY -
This completes our
review of the OCC Bulletin about Infrastructure Threats and
Intrusion Risks. This week we review Information Sharing.
Information sharing among reliable and reputable experts can help
institutions reduce the risk of information system intrusions. The
OCC encourages management to participate in information-sharing
mechanisms as part of an effort to detect and respond to intrusions
and vulnerabilities. Mechanisms for information sharing are being
developed by many different organizations, each with a different
mission and operation. In addition, many vendors offer information
sharing and analysis services. Three organizations that are
primarily involved with the federal government's national
information security initiatives are the Financial Services
Information Sharing and Analysis Center (FS/ISAC), the Federal
Bureau of Investigation (FBI), and Carnegie Mellon University's
The FS/ISAC was formed in response to Presidential Decision
Directive 63: Critical Infrastructure Protection (May 22, 1998),
which encourages the banking, finance, and other industries to
establish information-sharing efforts in conjunction with the
federal government. The FS/ISAC allows financial services entities
to report incidents anonymously. In turn, the FS/ISAC rapidly
distributes information about attacks to the FS/ISAC members. Banks
can contact FS/ISAC by telephone at (888) 660-0134, e-mail at
firstname.lastname@example.org or their Web site at http://www.fsisac.com.
The FBI operates the National Information Protection Center
Infraguard outreach effort. Since Infraguard supports law
enforcement efforts, Infraguard members submit two versions of an
incident report. One complete version is used by law enforcement and
contains information that identifies the reporting member. The other
version does not contain that identifying information, and is
distributed to other Infraguard members. Banks can contact the FBI
by contacting local FBI field offices or via e-mail at
CERT/CC is part of a federally funded research and development
center at Carnegie Mellon University that helps organizations
identify vulnerabilities and recover from intrusions. It provides
up-to-date information on specific attacks (including viruses and
denial of service) and collates and shares information with other
organizations. CERT/CC does not require membership to report
problems. Banks can contact CERT/CC by phone at (412) 268-7090 or
e-mail at email@example.com.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 17 - LOGICAL ACCESS CONTROL
On many multiuser
systems, requirements for using (and prohibitions against the use
of) various computer resources vary considerably. Typically, for
example, some information must be accessible to all users, some may
be needed by several groups or departments, and some should be
accessed by only a few individuals. While it is obvious that users
must have access to the information they need to do their jobs, it
may also be required to deny access to non-job-related information.
It may also be important to control the kind of access that is
afforded (e.g., the ability for the average user to execute, but not
change, system programs). These types of access restrictions enforce
policy and help ensure that unauthorized actions are not taken.
Logical access controls provide a technical means of controlling
what information users can utilize, the programs they can run, and
the modifications they can make.
Access is the ability to do something with a computer
resource (e.g., use, change, or view). Access control is the means
by which the ability is explicitly enabled or restricted in some way
(usually through physical and system-based controls). Computer-based
access controls are called logical access controls. Logical access
controls can prescribe not only who or what (e.g., in the case of a
process) is to have access to a specific system resource but also
the type of access that is permitted. These controls may be built
into the operating system, may be incorporated into applications
programs or major utilities (e.g., database management systems or
communications systems), or may be implemented through add-on
security packages. Logical access controls may be implemented
internally to the computer system being protected or may be
implemented in external devices.
The term access is often confused with authorization and
! Access is the ability to do something with a computer resource.
This usually refers to a technical ability (e.g., read, create,
modify, or delete a file, execute a program, or use an external
! Authorization is the permission to use a computer resource.
Permission is granted, directly or indirectly, by the application or
! Authentication is proving (to some reasonable degree) that users
are who they claim to be.
Logical access controls can help protect:
! operating systems and other system software from unauthorized
modification or manipulation (and thereby help ensure the system's
integrity and availability);
! the integrity and availability of information by restricting the
number of users and processes with access; and
! confidential information from being disclosed to unauthorized