information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
IT network administrator job in the Houston area
you know of someone that would like to work as a network
administrator in a community bank, please contact me Kinney Williams
All inquires will be kept confidential.
- GAO report slams Department of Defense cybersecurity practices -
Securing the upcoming election against cyberattack or influence is
rightfully garnering a great deal of attention, but a recent General
Accounting Office (GAO) report indicates the United States is doing
a poor job building weapon systems resistant to cyberattack.
Alabama Gov. Kay Ivey announces state's first security operations
center - The state becomes one of about a dozen that have opened a
SOC, creating a "one-stop shop" for cybersecurity resources and
Augmented reality could help solve the cybersecurity talent gap -
The threat of increasing cyberattacks has driven up demand for
talented and experienced security professionals. By next year, PwC
predicts there will be 1.5 million unfilled job openings.
Weak passwords outlawed out West, California law aims to secure IoT
devices - California passed has just passed a law effectively
banning weak passwords and enforcing other security measures to more
effectively secure connected devices.
Remember that lost memory stick from Heathrow Airport? The
terrorist's wet dream? So does the ICO - Operator fined £120k by UK
data watchdog - Heathrow Airport Limited (HAL) has been fined
£120,000 by the UK's data watchdog for the loss of an unencrypted
USB memory stick reportedly containing airport security data.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- China inserts microchips into motherboards used by Apple, CIA,
Amazon - A microchip planted by China on Supermicro motherboards
used by organizations, including the CIA, the U.S. military, Amazon
and Apple, left sensitive information vulnerable to hacking and
underscores the importance of locking down the security of the
supply chain whose vast tentacles reach out to touch organizations
around the globe.
Burgerville discloses year-long data breach, courtesy of FIN7
cybergang - Add fast-casual restaurant chain Burgerville to the list
of retail and hospitality companies victimized by the Eastern
European cybercrime group FIN7.
DDoS Attacks Target Multiple Games including Final Fantasy XIV - A
set of DDoS attacks plagued a series of gaming publishers including
Final Fantasy XIVís creator Square Enix and Ubisoft, respectively.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Expedited Funds Availability Act (Regulation CC)
Generally, the rules pertaining to the duty of an institution to
make deposited funds available for withdrawal apply in the
electronic financial services environment. This includes rules on
fund availability schedules, disclosure of policy, and payment of
interest. Recently, the FRB published a commentary that clarifies
requirements for providing certain written notices or disclosures to
customers via electronic means. Specifically, the commentary to the
regulations states that a financial institution satisfies the
written exception hold notice requirement, and the commentary to the
regulations states that a financial institution satisfies the
general disclosure requirement by sending an electronic version that
displays the text and is in a form that the customer may keep.
However, the customer must agree to such means of delivery of
notices and disclosures. Information is considered to be in a form
that the customer may keep if, for example, it can be downloaded or
printed by the customer. To reduce compliance risk, financial
institutions should test their programs' ability to provide
disclosures in a form that can be downloaded or printed.
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY STRATEGY (2 of 2)
particular approach should consider: (1) policies, standards, and
procedures; (2) technology and architecture; (3) resource
dedication; (4) training; and (5) testing.
For example, an institution's management may be assessing the
proper strategic approach to intrusion detection for an Internet
environment. Two potential approaches were identified for
evaluation. The first approach uses a combination of network and
host intrusion detection sensors with a staffed monitoring center.
The second approach consists of daily access log review. The former
alternative is judged much more capable of detecting an attack in
time to minimize any damage to the institution and its data, albeit
at a much greater cost. The added cost is entirely appropriate when
customer data and institution processing capabilities are exposed to
an attack, such as in an Internet banking environment. The latter
approach may be appropriate when the primary risk is reputational
damage, such as when the only information being protected is an
information-only Web site, and the Web site is not connected to
other financial institution systems.
Strategies should consider the layering of controls. Excessive
reliance on a single control could create a false sense of
confidence. For example, a financial institution that depends solely
on a firewall can still be subject to numerous attack methodologies
that exploit authorized network traffic. Financial institutions
should design multiple layers of security controls and testing to
establish several lines of defense between the attacker and the
asset being attacked. To successfully attack the data, each layer
must be penetrated. With each penetration, the probability of
detecting the attacker increases.
Policies are the primary embodiment of strategy, guiding decisions
made by users, administrators, and managers, and informing those
individuals of their security responsibilities. Policies also
specify the mechanisms through which responsibilities can be met,
and provide guidance in acquiring, configuring, and auditing
information systems. Key actions that contribute to the success of a
security policy are:
1) Implementing through ordinary means, such as system
administration procedures and acceptable - use policies;
2) Enforcing policy through security tools and sanctions;
3) Delineating the areas of responsibility for users,
administrators, and managers;
4) Communicating in a clear, understandable manner to all
5) Obtaining employee certification that they have read and
understood the policy;
6) Providing flexibility to address changes in the environment;
7) Conducting annually a review and approval by the board of
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 17 - LOGICAL ACCESS CONTROL
of Access Controls
Logical access controls are closely related to many other controls.
Several of them have been discussed in the chapter.
Policy and Personnel. The most fundamental interdependencies
of logical access control are with policy and personnel. Logical
access controls are the technical implementation of system-specific
and organizational policy, which stipulates who should be able to
access what kinds of information, applications, and functions. These
decisions are normally based on the principles of separation of
duties and least privilege.
Audit Trails. As discussed earlier, logical access controls
can be difficult to implement correctly. Also, it is sometimes not
possible to make logical access control as precise, or fine-grained,
as would be ideal for an organization. In such situations, users may
either deliberately or inadvertently abuse their access. For
example, access controls cannot prevent a user from modifying data
the user is authorized to modify, even if the modification is
incorrect. Auditing provides a way to identify abuse of access
permissions. It also provides a means to review the actions of
system or security administrators.
Identification and Authentication. In most logical access
control scenarios, the identity of the user must be established
before an access control decision can be made. The access control
process then associates the permissible forms of accesses with that
identity. This means that access control can only be as effective as
the I&A process employed for the system.
Physical Access Control. Most systems can be compromised if
someone can physically access the machine (i.e., CPU or other major
components) by, for example, restarting the system with different
software. Logical access controls are, therefore, dependent on
physical access controls (with the exception of encryption, which
can depend solely on the strength of the algorithm and the secrecy
of the key).