- Is your web site compliant with the American Disability Act?
For the past 20 years, our web site audits have included the
guidelines of the ADA. Help reduce any liability, please
contact me for more information at
Agencies issue advanced notice of proposed rulemaking on enhanced
cyber risk management standards - The three federal banking
regulatory agencies today approved an advance notice of proposed
rulemaking (ANPR) inviting comment on a set of potential enhanced
cybersecurity risk-management and resilience standards that would
apply to large and interconnected entities under their supervision.
Lawmakers question DOJ's appeal of Microsoft Irish data case - Four
U.S. lawmakers are questioning a Department of Justice decision to
appeal a July court decision quashing a search warrant that would
have required Microsoft to disclose contents of emails stored on a
server in Ireland.
Enterprises need a culture of cybersecurity, says PCI Security
Standards Council - Building a culture of cybersecurity within
enterprises is essential in today's fast-paced world of online
transactions, according to a blog post on the website of the PCI
Security Standards Council.
European ATM cyberattacks up 28%, those using dynamite up 30% - The
increasing security provided by EMV, or chip cards, may be
compelling European criminals to eschew the use of malware in favor
of explosives to steal money from ATMs.
Cybersecurity spending to exceed $100B worldwide by 2020 -
nternational Data Corp. (IDC) is forecasting a major uptick in
worldwide revenues for companies that produce cybersecurity-related
hardware, software and services by 2020.
Open source products could greatly increase digital risks - Security
teams need to focus on keeping their open source libraries up to
date after a recent study found that nearly 97 percent of Java
applications assessed in the study contained at least one component
with a known vulnerability.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Personal info on more than 58 million people spills onto the web
from data slurp biz - Modern Business Solutions keeping quiet - A
US-based data aggregator that trades people's personal information
with the automotive industry and real estate companies has seemingly
spilled the private information of more than 58 million people
Nearly 6,000 online stores hit by hackers - Thousands of retailers
have been hit by credit card detail stealing malware. They way the
hackers got in? unpatched software flaws.
UK Banks not reporting cyber-attacks - Reuters has reported that UK
banks, some of the largest in the world, are not sharing information
under reporting attacks by a long way.
Texas school district's student data potentially compromised -
Names, birthdates, social security numbers/state ID numbers, email
addresses and zip codes from SunGard students K-12 who attended
school in the district during the 2013-2014 school year.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Legal and Reputational Risk Management
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with high customer expectations for constant and
rapid availability and potentially high transaction demand. The bank
must have the ability to deliver e-banking services to all end-users
and be able to maintain such availability in all circumstances.
Effective incident response mechanisms are also critical to minimize
operational, legal and reputational risks arising from unexpected
events, including internal and external attacks, that may affect the
provision of e-banking systems and services. To meet customers'
expectations, banks should therefore have effective capacity,
business continuity and contingency planning. Banks should also
develop appropriate incident response plans, including communication
strategies, that ensure business continuity, control reputation risk
and limit liability associated with disruptions in their e-banking
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Firewall Services and Configuration
Firewalls may provide some additional services:
! Network address translation (NAT) - NAT readdresses outbound
packets to mask the internal IP addresses of the network. Untrusted
networks see a different host IP address from the actual internal
address. NAT allows an institution to hide the topology and address
schemes of its trusted network from untrusted networks.
! Dynamic host configuration protocol (DHCP) - DHCP assigns IP
addresses to machines that will be subject to the security controls
of the firewall.
! Virtual Private Network (VPN) gateways - A VPN gateway provides
an encrypted tunnel between a remote external gateway and the
internal network. Placing VPN capability on the firewall and the
remote gateway protects information from disclosure between the
gateways but not from the gateway to the terminating machines.
Placement on the firewall, however, allows the firewall to inspect
the traffic and perform access control, logging, and malicious code
One common firewall implementation in financial institutions
hosting Internet applications is a DMZ, which is a neutral Internet
accessible zone typically separated by two firewalls. One firewall
is between the institution's private network and the DMZ and then
another firewall is between the DMZ and the outside public network.
The DMZ constitutes one logical security domain, the outside public
network is another security domain, and the institution's internal
network may be composed of one or more additional logical security
domains. An adequate and effectively managed firewall can ensure
that an institution's computer systems are not directly accessible
to any on the Internet.
Financial institutions have a variety of firewall options from
which to choose depending on the extent of Internet access and the
complexity of their network. Considerations include the ease of
firewall administration, degree of firewall monitoring support
through automated logging and log analysis, and the capability to
provide alerts for abnormal activity.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE
System security accreditation is the formal authorization by the
accrediting (management) official for system operation and an
explicit acceptance of risk. It is usually supported by a review of
the system, including its management, operational, and technical
controls. This review may include a detailed technical evaluation
(such as a Federal Information Processing Standard 102
certification, particularly for complex, critical, or high-risk
systems), security evaluation, risk assessment, audit, or other such
review. If the life cycle process is being used to manage a project
(such as a system upgrade), it is important to recognize that the
accreditation is for the entire system, not just for the new
The best way to view computer security accreditation is as a form
of quality control. It forces managers and technical staff to work
together to find the best fit for security, given technical
constraints, operational constraints, and mission requirements. The
accreditation process obliges managers to make critical decisions
regarding the adequacy of security safeguards. A decision based on
reliable information about the effectiveness of technical and
non-technical safeguards and the residual risk is more likely to be
a sound decision.
After deciding on the acceptability of security safeguards and
residual risks, the accrediting official should issue a formal
accreditation statement. While most flaws in system security are not
severe enough to remove an operational system from service or to
prevent a new system from becoming operational, the flaws may
require some restrictions on operation (e.g., limitations on dial-in
access or electronic connections to other organizations). In some
cases, an interim accreditation may be granted, allowing the system
to operate requiring review at the end of the interim period,
presumably after security upgrades have been made.
Sample Accreditation Statement
In accordance with (Organization Directive), I hereby issue an
accreditation for (name of system). This accreditation is my formal
declaration that a satisfactory level of operational security is
present and that the system can operate under reasonable risk. This
accreditation is valid for three years. The system will be
re-evaluated annually to determine if changes have occurred
affecting its security.