information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- National Cybersecurity Awareness Month kicks off - Everyone may
enjoy tricks or treats in October, but in order to cut down on the
tricks, at least of the cyber variety, this is also the start of the
15th annual National Cybersecurity Awareness Month.
Exposed! Open and misconfigured servers in the cloud - Tesla had
one. Robocent had one. Walmart had one. GoDaddy had one.
Misconfigured servers and databases in the cloud – exposing with
critical information – are trending on the internet.
White House touts release of National Cyber Strategy - Eager to
demonstrate a commitment to cybersecurity amidst criticisms over
vulnerable election infrastructure, the White House yesterday
unveiled its National Cyber Strategy.
Uber efforts to hide breach, delayed notification leads to $148M
fine, settlement - A yearlong delay in notifying its drivers that
their personal information was stolen by hackers will cost Uber $148
million, according to a settlement reached by the ride-sharing
service and all 50 states and the District of Columbia.
Do you know where your data is? - Protecting data on overseas cloud
servers and navigating aggressive regulation promise to keep tech
lawyers employed for years to come, if the EU’s quick succession of
Privacy Shield, GDPR and the forthcoming ePrivacy Regulation
provides any indication of what’s in store.
Secret Service warns banks of ATM ‘Wiretapping’ attacks - Just over
a month after the FBI began warning global banks to be on the
lookout for the “Unlimited” ATM Cashout Blitz attacks that could
drain the machines of all their holdings, the Secret Service is
warning financial institutions of a surge in ATM “Wiretapping”
SaaS application security architectures are broken - Throughout 2017
and 2018 cyberattackers have attacked and successfully breached a
wide variety of cloud infrastructure and software-as-a-service (SaaS)
Financial Conduct Authority fines Tesco Bank £16.4m over 2016
security breach - The Financial Conduct Authority (FCA) has slapped
a £16.4m fine on Tesco Bank for the security vulnerabilities that
led to millions of pounds being pilfered from thousands of
customers’ online accounts two years ago.
DOD has lost 4,000 civilian cyber workers in the past year - The
Defense Department lost thousands of civilian cyber workers in the
past year, mainly in IT management and computer science-related
positions, a senior defense official testified at a Sept. 26 Senate
Halt, who goes there? Identity access management - In the heady days
of the 1970s, no one passed through the doors of Studio 54 without
famously being vetted by the trendy club’s bouncers – and with good
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Port of San Diego investigating cyberattack - The Port of San
Diego is probing a cyberattack similar to the costly SamSam attack
that crippled systems and services in Atlanta earlier this year.
DDoS attacks against NATO likely DNS amplification or NTP
reflection, expert suggests - A distributed denial-of-service (DDoS)
attack carried out against various NATO websites on Sunday was
likely a Domain Name Server (DNS) amplification attack or a Network
Time Protocol (NTP) reflection attack – or possibly some combination
of both – according to a DDoS expert.
Facebook breach exposes info on 50M users - A breach at Facebook
that was uncovered Tuesday has exposed information on almost 50
million users, forcing 90 million users to log out of their accounts
to safeguard their data.
Chegg forces password reset on 40 million users - Educational
technology company Chegg is resetting the passwords for 40 million
of its users after news broke last week that the firm was breached
in April of this year.
Exploited server in SingHealth cyber attack did not get security
update for 14 months, COI finds - A server exploited by hackers to
ultimately reach SingHealth's critical system, leading to
Singapore's worst data breach in June, had not received the
necessary security software updates for more than a year.
Canada’s Recipe Unlimited hit with cyberattack forcing some
locations to close - The Canadian restaurant chains owned by Recipe
Unlimited were hit late last week with a cyberattack that has forced
some of its locations to temporarily close.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Disclosures/Notices (Part 2 of 2)
In those instances where an electronic form of communication is
permissible by regulation, to reduce compliance risk institutions
should ensure that the consumer has agreed to receive disclosures
and notices through electronic means. Additionally, institutions may
want to provide information to consumers about the ability to
discontinue receiving disclosures through electronic means, and to
implement procedures to carry out consumer requests to change the
method of delivery. Furthermore, financial institutions advertising
or selling non-deposit investment products through on-line systems,
like the Internet, should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY STRATEGY (1 of 2)
Action Summary - Financial institutions should develop a strategy
that defines control objectives and establishes an implementation
plan. The security strategy should include
1) Cost comparisons of different strategic approaches appropriate
to the institution's environment and complexity,
2) Layered controls that establish multiple control points
between threats and organization assets, and
3) Policies that guide officers and employees in implementing the
An information security strategy is a plan to mitigate risks while
complying with legal, statutory, contractual, and internally
developed requirements. Typical steps to building a strategy include
the definition of control objectives, the identification and
assessment of approaches to meet the objectives, the selection of
controls, the establishment of benchmarks and metrics, and the
preparation of implementation and testing plans.
The selection of controls is typically grounded in a cost
comparison of different strategic approaches to risk mitigation. The
cost comparison typically contrasts the costs of various approaches
with the perceived gains a financial institution could realize in
increased confidentiality, availability, or integrity of systems and
data. Those gains could include reduced financial losses, increased
customer confidence, positive audit findings, and regulatory
compliance. Any particular approach should consider: (1) policies,
standards, and procedures; (2) technology and architecture; (3)
resource dedication; (4) training; and (5) testing.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 17 - LOGICAL ACCESS CONTROL
of Access Controls
17.4.2 Decentralized Administration
In decentralized administration, access is directly controlled by
the owners or creators of the files, often the functional manager.
This keeps control in the hands of those most accountable for the
information, most familiar with it and its uses, and best able to
judge who needs what kind of access. This may lead, however, to a
lack of consistency among owners/creators as to procedures and
criteria for granting user accesses and capabilities. Also, when
requests are not processed centrally, it may be much more difficult
to form a systemwide composite view of all user accesses on the
system at any given time. Different application or data owners may
inadvertently implement combinations of accesses that introduce
conflicts of interest or that are in some other way not in the
organization's best interest. It may also be difficult to ensure
that all accesses are properly terminated when an employee transfers
internally or leaves an organization.
17.4.3 Hybrid Approach
A hybrid approach combines centralized and decentralized
administration. One typical arrangement is that central
administration is responsible for the broadest and most basic
accesses, and the owners/creators of files control types of accesses
or changes in users' abilities for the files under their control.
The main disadvantage to a hybrid approach is adequately defining
which accesses should be assignable locally and which should be
17.5 Coordinating Access Controls
It is vital that access controls protecting a system work together.
At a minimum, three basic types of access controls should be
considered: physical, operating system, and application. In general,
access controls within an application are the most specific.
However, for application access controls to be fully effective they
need to be supported by operating system access controls. Otherwise
access can be made to application resources without going through
the application. Operating system and application access controls
need to be supported by physical access controls.