information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- Pentagon reveals a Do Not Buy software list as a cybersecurity
measure - The U.S. Department of Defense has instructed its
procurers and contractors to stop buying software that may have
Chinese or Russian connections to help defend these institutions
against a possible cyberattack.
Reddit Got Hacked Thanks to a Woefully Insecure Two-Factor Setup -
Reddit said in a blog post Wednesday that a hacker broke into the
company's systems in June and gained access to a variety of data,
including user emails, source code, internal files, and “all Reddit
data from 2007 and before.”
U.S. Congress passes bill forcing tech companies to disclose foreign
software probes - The U.S. Congress is sending President Donald
Trump legislation that would force technology companies to disclose
if they allowed countries like China and Russia to examine the inner
workings of software sold to the U.S. military.
U.S. Treasury calls for national data breach notification and
increased data protections - The U.S. Treasury is calling for
sweeping changes in fin-tech consumer protections, including an
increased control given to consumers over their data and a national
data breach notification standard.
Atlanta ransomware recovery cost now at $17 million, reports say -
The cost to rebuild Atlanta's computer network after it was hit with
a SamSam ransomware attack in March continues to climb with a new
report now placing the tab at $17 million, almost six times the
DOE to vet grid's ability to reboot after a cyberattack - The
Department of Energy is planning an unprecedented, "hands-on" test
of the grid's ability to bounce back from a blackout caused by
hackers, E&E News has learned.
Spam still the most common cyber crime technique, according to
recent research - With spam emails being around for more than 40
years, cybercriminals have always found new ways to us them to catch
victims out, having gauged “click rates rising from 13.4% in the
second half of 2017 to 14.2% in 2018.”
DOD cracks down on geolocation devices and services - Defense
Department personnel can no longer use geolocation features on any
device -- personal or government issued -- in areas used for
military operations, according to a DOD policy memo released Aug. 6.
Cybercriminals waste no time breaking into experimental honeypot
designed to look like ICS environment - A research honeypot set up
to look like an electric company's power transmission substation
network was compromised by a dark web hacker within two days of it
going online -- yet another sign that industrial control systems are
increasingly becoming targets of not just nation-states, but also
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Phishing attack compromised the data of 1.4 million UnityPoint
Health patients - UnityPoint Health in Des Moines, Iowa, is warning
patients of a data breach that could impact 1.4 million patients.
Salesforce API error left data accessible - An error involving in a
Salesforce marketing cloud API could have allowed third parties to
access data or for data to be corrupted.
Third-party misconfiguration exposes TCM Bank consumer data - A
third-party website misconfiguration resulted in the exposure of
sensitive data by credit card issuer TCM Bank leaked applicant data
for 16 months.
Taiwanese Semiconductor product knocked offline due to malware - The
Taiwan Semiconductor Manufacturing Co. (TSMC) had several factories
knocked offline late last week due to a cyberattack.
MongoDB database exposes more than 2 million Mexican patients - A
MongoDB database containing the health care information of more than
2 million patients in Mexico was left exposed, revealing sensitive
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the consumer's
deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An Interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for
a new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
The Federal Reserve Board Official Staff Commentary (OSC) also
clarifies that terminal receipts are unnecessary for transfers
initiated online. Specifically, OSC regulations provides that,
because the term "electronic terminal" excludes a telephone operated
by a consumer, financial institutions need not provide a terminal
receipt when a consumer initiates a transfer by a means analogous in
function to a telephone, such as by a personal computer or a
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
Action Summary -Financial institutions must maintain an
ongoing information security risk assessment program that
1) Gathers data regarding the information and technology assets
of the organization, threats to those assets, vulnerabilities,
existing security controls and processes, and the current security
standards and requirements;
2) Analyzes the probability and impact associated with the known
threats and vulnerabilities to its assets; and
3) Prioritizes the risks present due to threats and
vulnerabilities to determine the appropriate level of training,
controls, and testing necessary for effective mitigation.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 17 - LOGICAL ACCESS CONTROL
17.2 Policy: The Impetus for Access Controls
Logical access controls are a technical means of implementing
policy decisions. Policy is made by a management official
responsible for a particular system, application, subsystem, or
group of systems. The development of an access control policy may
not be an easy endeavor. It requires balancing the often-competing
interests of security, operational requirements, and
user-friendliness. In addition, technical constraints have to be
This chapter discusses issues relating to the technical
implementation of logical access controls - not the actual policy
decisions as to who should have what type of access. These decisions
are typically included in system-specific policy.
Once these policy decisions have been made, they will be
implemented (or enforced) through logical access controls. In doing
so, it is important to realize that the capabilities of various
types of technical mechanisms (for logical access control) vary
A few simple examples of specific policy issues are provided below;
it is important to recognize, however, that comprehensive
system-specific policy is significantly more complex.
1. The director of an organization's personnel office could decide
that all clerks can update all files, to increase the efficiency of
the office. Or the director could decide that clerks can only view
and update specific files, to help prevent information browsing.
2. In a disbursing office, a single individual is usually
prohibited from both requesting and authorizing that a particular
payment be made. This is a policy decision taken to reduce the
likelihood of embezzlement and fraud.
3. Decisions may also be made regarding access to the system
itself. In the government, for example, the senior information
resources management official may decide that agency systems that
process information protected by the Privacy Act may not be used to
process public-access database applications.
17.3 Technical Implementation Mechanisms
Many mechanisms have been developed to provide internal and
external access controls, and they vary significantly in terms of
precision, sophistication, and cost. These methods are not mutually
exclusive and are often employed in combination. Managers need to
analyze their organization's protection requirements to select the
most appropriate, cost-effective logical access controls.