information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- House Approves DHS Authority to Address Supply Chain Risk, Bar
Contractors - The House of Representatives on Tuesday agreed by
voice vote to approve HR 6430, the Securing the Homeland Security
Supply Chain Act of 2018, which grants the Department of Homeland
Security (DHS) Secretary authority to exclude certain contractors
from doing business with the Federal government to address “urgent
national security interests” and curb supply chain risks.
How did Equifax, a consumer reporting agency, respond to that event?
Equifax said that it investigated factors that led to the breach and
tried to identify and notify people whose personal information was
When cybersecurity pros go bad, Silence cybergang makes noise with
$800,000 in ATM thefts - A low-profile cybergang appropriately named
Silence specializing in ATM bank theft and possibly comprised of two
former or current cybersecurity workers has so far stolen more than
$800,000 during a two-year-long crime spree.
Russian man extradited to U.S. for ‘massive’ financial hacking
campaign - A Russian man allegedly part of a series of hacks
targeting the financial industry and resulting in the theft of data
on more than 80 million people, has been extradited from the nation
of Georgia to the U.S., the Manhattan U.S. Attorney’s office said.
White House further restricts mobile devices in West Wing - he
proclivity of former White House aide Omarosa Manigault Newman to
record conversations with colleagues, including the president and
her firing in the Situation Room by Chief of Staff John Kelly, has
prompted the administration to further restrict staffers use of
mobile devices in the West Wing.
‘Pass’ words: Philadelphia Eagles are the NFL team most often
referenced in credentials - Proud Philadelphia Eagles fans might
want to think of a more secure way to honor their Super Bowl-winning
NFL franchise than using their team name as a user password.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Hackers steal data on 380,000 British Airways customers - British
Airways has resolved an August breach that resulted in data being
stolen from about 380,000 customers and the company is treating a
probe of the incident with some “urgency.”
Park by Phone data breach affects 5,000 customers - A data breach at
Cork City Park by Phone service in Ireland has affected more than
Veeam MongoDB left unsecured, 440 million records exposed - The
Swiss-based data company Veeam exposed more than 445 million records
when it used a misconfigured MongoDB hosted on Amazon Web Services
that did not require any password to access.
Canadian town bows to ransomware attack, will pay attackers - The
small Canadian town of Midland, Ontario plans to pay off the
malicious actors who shut down the municipalities compute system
with a ransomware attack on Sept. 1.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Fair Housing Act
A financial institution that advertises on-line credit products
that are subject to the Fair Housing Act must display the Equal
Housing Lender logotype and legend or other permissible disclosure
of its nondiscrimination policy if required by rules of the
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through
electronic media with a video component (the financial institution
has the ability to see the applicant) must be treated as "in person"
applications. Accordingly, information about these applicants' race
or national origin and sex must be collected. An institution that
accepts applications through electronic media without a video
component, for example, the Internet or facsimile, may treat the
applications as received by mail.
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
This phase ranks the risk (outcomes and probabilities)
presented by various scenarios produced in the analysis phase to
prioritize management's response. Management may decide that since
some risks do not meet the threshold set in their security
requirement, they will accept those risks and not proceed with a
mitigation strategy. Other risks may require immediate corrective
action. Still others may require mitigation, either fully or
partially, over time. Risks that warrant action are addressed in the
information security strategy.
In some borderline instances, or if planned controls cannot fully
mitigate the risk, management may need to review the risk assessment
and risk ranking with the board of directors or a delegated
committee. The board should then document its acceptance of the risk
or authorize other risk mitigation measures.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 17 - LOGICAL ACCESS CONTROL
External access controls are a means of controlling interactions
between the system and outside people, systems, and services.
External access controls use a wide variety of methods, often
including a separate physical device (e.g., a computer) that is
between the system being protected and a network.
188.8.131.52 Port Protection Devices
Fitted to a communications port of a host computer, a port
protection device (PPD) authorizes access to the port itself, prior
to and independent of the computer's own access control functions. A
PPD can be a separate device in the communications stream, or it may
be incorporated into a communications device (e.g., a modem). PPDs
typically require a separate authenticator, such as a password, in
order to access the communications port.
One of the most common PPDs is the dial-back modem. A typical
dial-back modem sequence follows: a user calls the dial-back modem
and enters a password. The modem hangs up on the user and performs a
table lookup for the password provided. If the password is found,
the modem places a return call to the user (at a previously
specified number) to initiate the session. The return call itself
also helps to protect against the use of lost or compromised
accounts. This is, however, not always the case. Malicious hackers
can use such advance functions as call forwarding to reroute calls.