information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- GAO report slams Department of Defense cybersecurity practices -
Securing the upcoming election against cyberattack or influence is
rightfully garnering a great deal of attention, but a recent General
Accounting Office (GAO) report indicates the United States is doing
a poor job building weapon systems resistant to cyberattack.
UK.gov teams up with Five Eyes chums to emit spotters' guide for
miscreants' hack tools - The UK's National Cyber Security Centre and
its western intel pals have today put out a report spotlighting the
most commonly wielded hacking utilities.
35 million voter records from 19 states found for sale on Dark Web -
ore than 35 million voter records have been found for sale in a Dark
Web forum containing information on voters from 19 states with
prices ranging from $150 to $12,500.
New York CISO: State committed to helping its local municipalities
bolster cyber defenses - There are 62 counties in New York State,
and nearly 1,000 cities and towns within them. Many lack adequate
resources to devote to cybersecurity, but New York is committed to
making sure these local municipalities are nevertheless protected
against digital threats, according to the stateís CISO Deborah
Snyder, speaking today at a conference.
Anthem to pay record $16M for 2015 data breach - Anthem will pay a
record $16 million to settle potential privacy violations stemming
from its massive data breach 2015 data breach which compromised the
data of nearly 80 million current and former patients.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Mail mix up sends Michigan Medicine letters to the wrong people -
For the second time this year healthcare provider Michigan Medicine
is notifying patients that some of their personally identifiable
information may have been exposed, this time due to a mailing error.
Icelandís largest phishing campaign imitated police - Iceland fell
victim to the largest phishing campaign to target the nation, a
complex scheme which involved impersonating law enforcement
Ransomware hits Madison County Idaho government - A ransomware
attack held hostage Madison County, Idahoís services, ranging from
the sanitation department to the county treasurerís office.
FitMetrix data exposed on unprotected Elasticsearch servers - A trio
of unprotected Elasticsearch servers hosted by Amazon Web Service
(AWS) left 113.5 million records of fitness tracking company
FitMetrix customers exposed, according to the security researcher
who discovered the databases.
BEC attack scams Texas school district out of $600,000 - The
Henderson, Texas school district was hit with a business email
compromise (BEC) attack resulting in a $600,000 loss for the
Pentagon data breach exposed 30,000 travel records - The U.S.
Department of Defense suffered a data breach through a third-party
vendor resulting in at least 30,000 service members and employees
having some of their personal and payment card information
North Carolina water utility ONWASA taken down by ransomware - The
Onslow Water and Sewer Authority (ONWASA) in Jacksonville, N.C. was
hit with a ransomware attack over the weekend that has all but shut
down its computer operations.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Over the next few weeks we will cover the FDIC's paper "Risk
Assessment Tools and Practices or Information System Security" dated
July 7, 1999. This is our first selection for your reading.
Whether financial institutions contract with third-party providers
for computer services such as Internet banking, or maintain computer
services in-house, bank management is responsible for ensuring that
systems and data are protected against risks associated with
emerging technologies and computer networks. If a bank is relying on
a third-party provider, management must generally understand the
provider's information security program to effectively evaluate the
security system's ability to protect bank and customer data.
The FDIC has previously issued guidance on information security
concerns such as data privacy and confidentiality, data integrity,
authentication, non-repudiation, and access control/system design.
This paper is designed to supplement Financial Institution Letter
131-97, "Security Risks Associated With the Internet," dated
December 18, 1997, and to complement the FDIC's safety and soundness
electronic banking examination procedures. Related guidance can be
found in the FFIEC Information Systems Examination Handbook.
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
The goal of logical and administrative access control is to
restrict access to system resources. Access should be provided only
to authorized individuals whose identity is established, and their
activities should be limited to the minimum required for business
purposes. Authorized individuals (users) may be employees, TSP
employees, vendors, contractors, customers, or visitors.
An effective control mechanism includes numerous controls to
safeguard and limit access to key information system assets. This
section addresses logical and administrative controls, including
access rights administration and authentication through network,
operating system, application, and remote access. A subsequent
section addresses physical security controls.
ACCESS RIGHTS ADMINISTRATION (1 of 5)
Action Summary - Financial institutions should have an effective
process to administer access rights. The process should include the
1) Assign users and system resources only the access required to
perform their required functions,
2) Update access rights based on personnel or system changes,
3) Periodically review users' access rights at an appropriate
frequency based on the risk to the application or system, and
4) Design appropriate acceptable-use policies and require users
to sign them.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 17 - LOGICAL ACCESS CONTROL
of Access Controls
17.7 Cost Considerations
Incorporating logical access controls into a computer system
involves the purchase or use of access control mechanisms, their
implementation, and changes in user behavior.
Direct Costs. Among the direct costs associated with the use
of logical access controls are the purchase and
support of hardware, operating systems, and applications that
provide the controls, and any add-on security packages. The most
significant personnel cost in relation to logical access control is
usually for administration (e.g., initially determining, assigning,
and keeping access rights up to date). Label-based access control is
available in a limited number of commercial products, but at greater
cost and with less variety of selection. Role-based systems are
becoming more available, but there are significant costs involved in
customizing these systems for a particular organization. Training
users to understand and use an access control system is another
Indirect Costs. The primary indirect cost associated with
introducing logical access controls into a computer system is the
effect on user productivity. There may be additional overhead
involved in having individual users properly determine (when under
their control) the protection attributes of information. Another
indirect cost that may arise results from users not being able to
immediately access information necessary to accomplish their jobs
because the permissions were incorrectly assigned (or have changed).
This situation is familiar to most organizations that put strong
emphasis on logical access controls.