- Our cybersecurity testing meets
the independent pen-test requirements outlined in the FFIEC Information Security booklet. Independent pen-testing is part of any financial institution's cybersecurity defense.
To receive due diligence information, agreement and cost-saving fees,
please complete the information form at
https://yennik.com/forms-vista-info/external_vista_info_form.htm. All communication is kept strictly confidential.
- White House Details Draft Contractor Data Breach Rules - Agencies
could have a template for data breach contract clauses as early as
this fall, according to a detailed draft policy.
- VW Has Spent Two Years Trying to Hide a Big Security Flaw - Got a
VW, Fiat, Audi, Ferrari, Porsche or Maserati? Then you might want to
check the model.
- Chip Card ATM ‘Shimmer’ Found in Mexico - Fraud experts in Mexico
have discovered an unusual ATM skimming device that can be inserted
into the mouth of the cash machine’s card acceptance slot and used
to read data directly off of chip-enabled credit or debit cards.
- FAA: software upgrade, not ERAM, likely caused flight
cancellations, delays - A software upgrade to Federal Aviation
Administration (FAA) radar operations in Virginia, not the
long-delayed and much-anticipated En Route Automation Modernization
(ERAM) system, likely caused the problems that compelled the agency
to issue a flight restriction in the busy corridor and forced
airlines to cancel hundreds of flights.
- Hackers might have stolen IRS data on more than 300,000 households
- More taxpayers than originally thought had personal information
stolen in a hack that used a surprisingly simple method.
- Cyber threats could put lives at risk, Q2 2015 report explores -
Trend Micro's Q2 2015 threat report hit on several issues in the
security space, including those that pose an actual physical threat
to the public, a string of powerful attacks on government entities
and an increase in attacks by lone wolf operators.
- China arrests 15,000 during cybercrime sweep - The Chinese
Ministry of Public Security (MPS) arrested 15,000 people for
cybercrimes as part of a long-term operation dubbed “Cleaning the
Internet,” Reuters reported.
- Hackers post Ashley Madison's customer details online - Last month
the website Ashley Madison was hacked, and now the names, addresses,
phone numbers, encrypted passwords and credit card transaction
details of around 32 million of its 37 million registered customers
appear to have been posted on the dark web.
- Target settles with Visa following 2013 breach - Following a data
breach of Target's computer systems during the 2013 holiday shopping
season that affected 40 million card accounts and the personally
identifiable information (PII) of as many as 70 million people, the
Minneapolis-based mass retailer agreed on Tuesday to a settlement
with card issuer Visa.
- Outsourcing IT security continues to grow, study finds - Spending
on the outsourcing of IT functions is rising at a rate that is in
step with IT operational budgets as a whole, according to a new
report, "IT Outsourcing Statistics 2015/16," from an IT research firm.
- Contractor that vetted Snowden settles with government for $30M -
The investigative services provider and government contractor that
vetted Edward Snowden agreed to a $30 million settlement with the
U.S. government on Wednesday.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- University of Virginia announces breach, says attack came from
China - The University of Virginia announced Friday that attackers
originating from China illegally accessed portions of its
information technology systems, but that no personal information
appears to have been affected.
- Illinois Department of Corrections data breach hits more than
1,000 employees - The Illinois Department of Corrections (IDOC) is
notifying more than 1,000 employees that their personal information
was included in a response to a civilian Freedom of Information Act
- Tremco staffer loses laptop, contained data on thousands of
employees - Ohio-based manufacturer Tremco is notifying
approximately 3,700 employees that a human resources employee left a
company-issued laptop containing personal information on an
airplane, and that the laptop has not yet been recovered.
- Credit card data possibly compromised for 93K Web.com customers -
Web.com, which provides solutions to help small businesses succeed
online, is notifying approximately 93,000 customers that their
personal information – including some credit card data – may have
been compromised in a breach.
- Colorado's OIT notifies 3,000 residents of data breach -
Colorado's Office of Information Technology (OIT) is notifying more
than 3,000 residents that a technical error resulted in letters
containing their personal information being mailed to the wrong
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
The institution should generally include in the contract the types
of audit reports the institution is entitled to receive (e.g.,
financial, internal control and security reviews). The contract can
specify audit frequency, cost to the institution associated with the
audits if any, as well as the rights of the institution and its
agencies to obtain the results of the audits in a timely manner. The
contract may also specify rights to obtain documentation regarding
the resolution of audit-disclosed deficiencies and to inspect the
processing facilities and
operating practices of the service provider. Management should
consider, based upon the risk assessment phase, the degree to which
independent internal audits completed by service provider audit
staff can be used and the need for external audits and reviews
(e.g., SAS 70 Type I and II reviews). (AICPA Statement of Auditing
Standards 70 “Reports of Processing of Transactions by Service
Organizations,” known as SAS 70 Reports, are one commonly used form
of external review. Type I SAS 70 reports review the service
provider’s policies and procedures. Type II SAS 70 reports provide
tests of actual controls against policies and procedures. SAS 70 has
since been superseded by SSAE 16: the equivalent reports are SOC 1
Type I and Type II, and a SOC 2 report covers security, availability
and confidentiality controls directly, so a contract written today
should name the SOC report type and the review period it expects.)
For services involving access to open networks, such as
Internet-related services, special attention should be paid to
security. The institution may wish to include contract terms
requiring periodic audits to be performed by an independent party
with sufficient expertise. These audits may include penetration
testing, intrusion detection, and firewall configuration. The
institution should receive sufficiently detailed reports on the
findings of these ongoing audits to adequately assess security
without compromising the service provider’s security. It can be
beneficial to both the service provider and the institution to
contract for such ongoing tests on a coordinated basis given the
number of institutions that may contract with the service provider
and the importance of the test results to the institution.
Contractual terms should discuss the frequency and type of reports
the institution will receive (e.g., performance reports, control
audits, financial statements, security, and business resumption
testing reports). Guidelines and fees for obtaining custom reports
should also be discussed.
FFIEC IT SECURITY
We continue the series from the FDIC "Security Risks Associated with the
System Architecture and Design
Measures to address access control and system security start with
the appropriate system architecture. Ideally, if an Internet
connection is to be provided from within the institution, or a Web
site established, the connection should be entirely separate from
the core processing system. If the Web site is placed on its own
server, there is no direct connection to the internal computer
system. However, appropriate firewall technology may be necessary to
protect Web servers and/or internal systems.
Placing a "screening router" between the firewall and other servers
provides an added measure of protection, because requests could be
segregated and routed to a particular server (such as a financial
information server or a public information server). However, some
systems may be considered so critical, they should be completely
isolated from all other systems or networks. Security can also be
enhanced by sending electronic transmissions from external sources
to a machine that is not connected to the main operating system.
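The architecture described above, restated as a policy that can be checked before it is deployed. This is an added illustration, not text or code from the FDIC paper or the newsletter: the zone names (internet, dmz, core), the interface naming scheme eth-<zone>, and the port numbers 443, 8443 and 22 are assumptions chosen for the example. The web site sits on its own segment (the DMZ), nothing from the Internet can reach core processing, and the only DMZ-to-core path is a single, explicitly listed port. The policy is evaluated default-deny, checked for rules that would breach that intent, and rendered as an nftables forward chain.

```python
"""Default-deny segmentation between the Internet, a web-server DMZ and the
core processing network, expressed as a checkable policy and rendered as an
nftables ruleset.  Added illustration; zone names, interface names and port
numbers are assumptions, not taken from the FDIC text."""
from dataclasses import dataclass
from typing import List

INTERNET, DMZ, CORE = "internet", "dmz", "core"  # assumed zone names
WEB_PORT = 443    # public HTTPS terminates on the DMZ web server
APP_PORT = 8443   # the single port the DMZ may use to reach the core gateway
ADMIN_PORT = 22   # SSH from the core side into the DMZ, never the reverse


@dataclass(frozen=True)
class Rule:
    src: str       # originating zone
    dst: str       # destination zone
    port: int      # TCP destination port
    comment: str = ""


# The recommended architecture: the web site lives on its own segment and the
# only path into core processing is a narrow, explicitly listed one.
POLICY: List[Rule] = [
    Rule(INTERNET, DMZ, WEB_PORT, "public web traffic stops in the DMZ"),
    Rule(DMZ, CORE, APP_PORT, "web tier reaches only the application gateway"),
    Rule(CORE, DMZ, ADMIN_PORT, "administration of the web server from inside"),
]


def allowed(policy: List[Rule], src: str, dst: str, port: int) -> bool:
    """Default deny: a new flow passes only when an explicit rule matches it."""
    return any(r.src == src and r.dst == dst and r.port == port for r in policy)


def isolation_violations(policy: List[Rule]) -> List[Rule]:
    """Rules that break the design intent: anything into the core other than
    the DMZ reaching the application gateway port."""
    return [
        r for r in policy
        if r.dst == CORE and not (r.src == DMZ and r.port == APP_PORT)
    ]


def to_nftables(policy: List[Rule]) -> str:
    """Render the policy as an nftables forward chain.  Each zone is assumed to
    be its own interface named eth-<zone>; the chain's default verdict is drop."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in policy:
        lines.append(
            f'    iifname "eth-{r.src}" oifname "eth-{r.dst}" tcp dport {r.port} '
            f'ct state new accept comment "{r.comment}"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows, the kind a screening device would see.
    probes = [(INTERNET, DMZ, WEB_PORT), (INTERNET, CORE, WEB_PORT),
              (DMZ, CORE, APP_PORT), (DMZ, CORE, ADMIN_PORT)]
    for src, dst, port in probes:
        verdict = "accept" if allowed(POLICY, src, dst, port) else "drop"
        print(f"{src:>8} -> {dst:<5} :{port:<5} {verdict}")
    print(to_nftables(POLICY))

    # A "temporary" convenience rule added later punches a hole straight into
    # the core; the check catches it before the ruleset is loaded.
    weakened = POLICY + [Rule(INTERNET, CORE, 3389, "remote desktop for vendor")]
    for bad in isolation_violations(weakened):
        print("VIOLATION:", bad)
```

Run `isolation_violations` in change control against every proposed ruleset: the value of the separate segment is lost the moment one rule lets an external source, or the web tier on an unexpected port, talk to core processing directly.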
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
Mitigating Vulnerabilities Related to the Continuity of Operations
recommended that COG (the Computer Operations Group of HGA, the
Hypothetical Government Agency) institute a program of periodic
internal training and awareness sessions for COG personnel having
contingency plan responsibilities. The assessment urged that COG undertake a
rehearsal during the next three months in which selected parts of
the plan would be exercised. The rehearsal should include attempting
to initiate some aspect of processing activities at one of the
designated alternative sites. HGA's management agreed that
additional contingency plan training was needed for COG personnel
and committed itself to its first plan rehearsal within three
After a short
investigation, HGA divisions owning applications that depend on the
WAN concluded that WAN outages, although inconvenient, would not
have a major impact on HGA. This is because the few time-sensitive
applications that required WAN-based communication with the
mainframe were originally designed to work with magnetic tape
instead of the WAN, and could still operate in that mode; hence
courier-delivered magnetic tapes could be used as an alternative
input medium in case of a WAN outage. The divisions responsible for
contingency planning for these applications agreed to incorporate
into their contingency plans both descriptions of these procedures
and other improvements.
With respect to
mainframe outages, HGA determined that it could not easily make
arrangements for a suitable alternative site. HGA also obtained and
examined a copy of the mainframe facility's own contingency plan.
After detailed study, including review by an outside consultant, HGA
concluded that the plan had major deficiencies and posed significant
risks because of HGA's reliance on it for payroll and other
services. This was brought to the attention of the Director of HGA,
who, in a formal memorandum to the head of the mainframe's owning
agency, called for (1) a high-level interagency review of the plan
by all agencies that rely on the mainframe, and (2) corrective
action to remedy any deficiencies found.
HGA's management agreed
to improve adherence to its virus-prevention procedures. It agreed
(from the point of view of the entire agency) that information
stored on PC hard disks is frequently lost. It estimated, however,
that the labor hours lost as a result would amount to less than a
person year--which HGA management does not consider to be
unacceptable. After reviewing options for reducing this risk, HGA
concluded that it would be cheaper to accept the associated loss
than to commit significant resources in an attempt to avoid it. COG
volunteered, however, to set up an automated program on the LAN
server that e-mails backup reminders to all PC users once each
quarter. In addition, COG agreed to provide regular backup services
for about 5 percent of HGA's PCs; these will be chosen by HGA's
management based on the information stored on their hard disks.