information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- Fiserv Flaw Exposed Customer Data at Hundreds of Banks - Fiserv,
Inc., a major provider of technology services to financial
institutions, just fixed a glaring weakness in its Web platform that
exposed personal and financial details of countless customers across
hundreds of bank Web sites, KrebsOnSecurity has learned.
How to stop falling behind on cybersecurity training - Today's
fast-paced digital world means the number of cyberthreats are
multiplying by the minute and organizations' IT environments are in
a constant state of flux.
Census Bureau Must Fix 3,100 Cyber Vulnerabilities Before 2020 Count
- The preparation for the 2020 Census is laboring under constricted
timelines, unfixed cyber vulnerabilities and ballooning IT costs,
according to a Government Accountability Office report released
Carbanak/Cobalt/FIN7 Group Targets Russian, Romanian Banks in New
Attacks - Latest campaign by the hard-to-kill cybercrime group hides
malicious code behind legitimate files, Windows processes.
Calif. Senate approves net neutrality rules, sends bill to governor
- Governor has until September 30 to sign net neutrality bill into
law. The California Senate today voted to approve the toughest
state-level net neutrality bill in the US, one day after the
California Assembly took the same action.
Premera Blue Cross accused of destroying evidence in data breach
lawsuit - Class-action lawsuit plaintiffs claim US health insurer
Premera Blue Cross intentionally destroyed evidence despite ongoing
Department officials also weren’t tracking who used the system or if
they were sharing passwords. The State Department’s consular
division isn’t sufficiently protecting the data on a computer system
it uses to analyze whether people seeking U.S. visas are being
forthright about who they are and where they’ve traveled, according
to an audit released Tuesday.
GAO - Urgent Actions Are Needed to Address Cybersecurity Challenges
Facing the Nation.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Missouri state Democrat mishap ends in University of Missouri
phishing attempt - A Missouri State Democratic Party email seeking
interns helped jumpstart a phishing attempt after the email
accidentally ended up in the inboxes of most faculty, staff and
student inboxes at the University of Missouri.
Cisco Data Center Network Manager flaw allows unauthorized access to
sensitive information - A vulnerability in Cisco's Data Center
Network Manager could allow a remote attacker to gain access to
Air Canada mobile app breach potentially impacts about 20,000
profiles - Air Canada yesterday warned customers of "unusual login
behavior" on its mobile app between Aug. 22 and 24, during which
time a portion of its account profiles may have been accessed in
Chinese hotel chain warns of massive customer data theft - 130
million could be impacted by Huazhu Group hack - China’s largest
hotel chain is investigating an apparent data theft that is said to
involve as many as half a billion pieces of information.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
"Member FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some extent an
advertisement. Accordingly, bank web site home pages should contain
the official advertising statement unless the advertisement is
subject to exceptions such as advertisements for loans, securities,
trust services and/or radio or television advertisements that do not
exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement. Conversely, subsidiary web pages
that relate to loans do not require the official advertising
the top of the newsletter
FFIEC IT SECURITY -
Electronic Fund Transfer
Act, Regulation E (Part 2 of 2)
Federal Reserve Board Official Staff Commentary (OSC) also clarifies
that terminal receipts are unnecessary for transfers initiated
on-line. Specifically, OSC regulations provides that, because the
term "electronic terminal" excludes a telephone operated by a
consumer, financial institutions need not provide a terminal receipt
when a consumer initiates a transfer by a means analogous in
function to a telephone, such as by a personal computer or a
Additionally, the regulations clarifies that a written
authorization for preauthorized transfers from a consumer's account
includes an electronic authorization that is not signed, but
similarly authenticated by the consumer, such as through the use of
a security code. According to the OSC, an example of a consumer's
authorization that is not in the form of a signed writing but is,
instead, "similarly authenticated" is a consumer's authorization via
a home banking system. To satisfy the regulatory requirements, the
institution must have some means to identify the consumer (such as a
security code) and make a paper copy of the authorization available
(automatically or upon request). The text of the electronic
authorization must be displayed on a computer screen or other visual
display that enables the consumer to read the communication from the
Only the consumer may authorize the transfer and not, for example,
a third-party merchant on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 17 - LOGICAL ACCESS CONTROL
126.96.36.199 Security Labels
A security label is a designation assigned to a resource (such as a
file). Labels can be used for a variety of purposes, including
controlling access, specifying protective measures, or indicating
additional handling instructions. In many implementations, once this
designator has been set, it cannot be changed (except perhaps under
carefully controlled conditions that are subject to auditing).
When used for access control, labels are also assigned to user
sessions. Users are permitted to initiate sessions with specific
labels only. For example, a file bearing the label "Organization
Proprietary Information" would not be accessible (readable) except
during user sessions with the corresponding label. Moreover, only a
restricted set of users would be able to initiate such sessions. The
labels of the session and those of the files accessed during the
session are used, in turn, to label output from the session. This
ensures that information is uniformly protected throughout its life
on the system.
Data Categorization - One tool that is used to increase the
ease of security labeling is categorizing data by similar protection
requirements. For example, a label could be developed for
"organization proprietary data." This label would mark information
that can be disclosed only to the organization's employees. Another
label, "public data" could be used to mark information that is
available to anyone.
Labels are a very strong form of acacias control; however, they are
often inflexible and can be expensive to administer. Unlike
permission bits or access control lists, labels cannot ordinarily be
changed. Since labels are permanently linked to specific
information, data cannot be disclosed by a user copying information
and changing the access to that file so that the information is more
accessible than the original owner intended. By removing users'
ability to arbitrarily designate the accessibility of files they
own, opportunities for certain kinds of human errors and malicious
software problems are eliminated. In the example above, it would not
be possible to copy Organization Proprietary Information into a file
with a different label. This prevents inappropriate disclosure, but
can interfere with legitimate extraction of some information.
Labels are well suited for consistently and uniformly enforcing
access restrictions, although their administration and inflexibility
can be a significant deterrent to their use.
For systems with stringent security requirements (such as those
processing national security information), labels may be useful in