FFIEC information technology audits - As a former bank examiner with over 40 years of IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma. For more information go to On-site FFIEC IT Audits.
FYI - Cybersecurity job gap grows to 3 million, report - High pay, job
satisfaction and strong demand are still not enough reason to entice
people to enter the cybersecurity workforce as a new study shows the
workforce gap increasing to almost three million globally.
https://www.scmagazine.com/home/security-news/cybersecurity-job-gap-grows-to-3-million-report/
Anthem Pays OCR $16 Million in Record HIPAA Settlement Following
Largest U.S. Health Data Breach in History - Anthem, Inc. has agreed
to pay $16 million to the U.S. Department of Health and Human
Services, Office for Civil Rights (OCR) and take substantial
corrective action to settle potential violations of the Health
Insurance Portability and Accountability Act (HIPAA) Privacy and
Security Rules after a series of cyberattacks led to the largest
U.S. health data breach in history and exposed the electronic
protected health information of almost 79 million people.
https://www.hhs.gov/about/news/2018/10/15/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-health-data-breach-history.html
Cybersecurity Preparedness Resource - As part of the FDIC's
Community Banking Initiative, the agency is adding to its
cybersecurity awareness resources for financial institutions. This
includes two new vignettes for the Cyber Challenge, which consists
of exercises that are intended to encourage discussions of
operational risk issues and the potential impact of information
technology disruptions on common banking functions.
https://www.fdic.gov/news/news/financial/2018/fil18063.html
Swedes inserting microchips under their skin - Thousands of Swedes
are possibly exchanging privacy for convenience by having microchips
the size of a grain of rice embedded under their skin so they can do
a variety of things – from accessing buildings and riding the rail
to obtaining etickets for events.
https://www.scmagazine.com/home/security-news/swedes-inserting-microchips-under-their-skin/
Six tips to stop phishing attacks - With phishing and email-related
attacks still among the top methods cybercriminals use to gain
access to their target’s system, Check Point has put together a
six-point plan to help spot and defeat these attacks.
https://www.scmagazine.com/home/security-news/sc-security-ops-center/six-tips-to-stop-phisherman/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Questions about the 2018 ERS OnLine Security Incident - On August
17, 2018, the Employees Retirement System of Texas (ERS) learned
about a security issue in our password-protected portal called ERS
OnLine. A now-corrected security flaw allowed certain ERS members
who logged in with their username and password, and used a specific
function to input search criteria, to view some member information
that was not theirs.
https://www.ers.texas.gov/Statement-and-Frequently-Asked-Questions-about-the-2018-ERS-OnLine-Security-Incident
North Carolina water utility ONWASA taken down by ransomware - The
Onslow Water and Sewer Authority (ONWASA) in Jacksonville, N.C. was
hit with a ransomware attack over the weekend that has all but shut
down its computer operations.
https://www.scmagazine.com/home/security-news/north-carolina-water-utility-onwasa-taken-down-by-ransomware/
ObamaCare portal breach compromises data of 75,000 patients - Threat
actors compromised the information of 75,000 patients after
breaching an ObamaCare (Affordable Care Act) enrollment portal last
month.
https://www.scmagazine.com/home/security-news/obamacare-portal-breach-compromises-data-of-75000-patients/
Saudi investment conference website hacked, defaced - The website of
the Saudi Arabian investment conference, referred to as "Davos in
the Desert," was hacked Monday and defaced with anti-Saudi
messages and a "Photoshopped" image of the Crown Prince preparing to
execute journalist Jamal Khashoggi, who was killed in the Saudi
consulate in Istanbul in early October.
https://www.scmagazine.com/home/security-news/saudi-investment-conference-website-hacked-defaced/
Cathay Pacific data breach exposes PII of 9.4 million customers -
Cathay Pacific airline reported a data breach today that affected
9.4 million customers exposing a large range of personally
identifiable information and a limited amount of credit card data.
https://www.scmagazine.com/home/security-news/cathay-pacific-data-breach-exposes-pii-of-9-4-million-customers/
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment Tools and
Practices for Information System Security."
To ensure the security of information systems and data, financial
institutions should have a sound information security program that
identifies, measures, monitors, and manages potential risk exposure.
Fundamental to an effective information security program is ongoing
risk assessment of threats and vulnerabilities surrounding networked
and/or Internet systems. Institutions should consider the various
measures available to support and enhance information security
programs. The appendix to this paper describes certain vulnerability
assessment tools and intrusion detection methods that can be useful
in preventing and identifying attempted external break-ins or
internal misuse of information systems. Institutions should also
consider plans for responding to an information security incident.
FFIEC IT SECURITY -
We continue
our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (2 of 5)
System devices, programs, and data are system resources. Each
system resource may need to be accessed by other system resources
and individuals in order for work to be performed. Access beyond the
minimum required for work to be performed exposes the institution's
systems and information to a loss of confidentiality, integrity, and
availability. Accordingly, the goal of access rights administration
is to identify and restrict access to any particular system resource
to the minimum required for work to be performed. The financial
institution's security policy should address access rights to system
resources and how those rights are to be administered.
Management and information system administrators should critically
evaluate information system access privileges and establish access
controls to prevent unwarranted access. Access rights should be
based upon the needs of the applicable user or system resource to
carry out legitimate and approved activities on the financial
institution's information systems. Policies, procedures, and
criteria need to be established for both the granting of appropriate
access rights and for the purpose of establishing those legitimate
activities. Formal access rights administration for users consists
of four processes:
! An enrollment process to add new users to the system;
! An authorization process to add, delete, or modify authorized
user access to operating systems, applications, directories, files,
and specific types of information;
! An authentication process to identify the user during subsequent
activities; and
! A monitoring process to oversee and manage the access rights
granted to each user on the system.
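The four processes above, worked through in code. This is an added illustration and not part of the FFIEC booklet; the role names, "resource:action" entitlement strings, user names and the simulated day counter are all assumed for the example. Rights flow only from approved roles, every authorization change records an approver, and the monitoring step is a user access review that flags two classic findings: rights held outside the user's approved roles, and accounts that have not authenticated in a long time.

```python
"""Access rights administration: enrollment, authorization,
authentication and monitoring, with a least-privilege review.

Added example; role names, entitlements and users are assumed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Entitlements approved for each role ("resource:action").  Assumed
# names; a real institution takes these from its access policy.
ROLE_RIGHTS = {
    "teller": {"core:read_account", "core:post_deposit"},
    "lender": {"core:read_account", "loans:originate"},
    "sysadmin": {"os:shell", "os:manage_users"},
}
PBKDF2_ROUNDS = 200_000


@dataclass
class User:
    uid: str
    salt: bytes
    pw_hash: bytes
    roles: set = field(default_factory=set)
    rights: set = field(default_factory=set)
    enabled: bool = True
    last_login_day: Optional[int] = None  # simulated day counter


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _role_rights(roles) -> set:
    # set().union() with no arguments returns an empty set
    return set().union(*(ROLE_RIGHTS[r] for r in roles))


class AccessAdmin:
    def __init__(self):
        self.users = {}
        self.changes = []  # (process, uid, detail): record of admin actions

    # 1. Enrollment: create the identity and its credential, with no rights.
    def enroll(self, uid, password):
        if uid in self.users:
            raise ValueError(f"{uid} already enrolled")
        salt = os.urandom(16)
        self.users[uid] = User(uid, salt, _hash_pw(password, salt))
        self.changes.append(("enroll", uid, ""))

    # 2. Authorization: rights come from approved roles; each change
    #    names its approver.
    def assign_role(self, uid, role, approver):
        if role not in ROLE_RIGHTS:
            raise ValueError(f"unknown role {role}")
        u = self.users[uid]
        u.roles.add(role)
        u.rights |= ROLE_RIGHTS[role]
        self.changes.append(("authorize", uid, f"+role {role} by {approver}"))

    def revoke_role(self, uid, role, approver):
        u = self.users[uid]
        u.roles.discard(role)
        # Recompute from the remaining roles so nothing is left behind;
        # any direct grant must be re-approved.
        u.rights = _role_rights(u.roles)
        self.changes.append(("authorize", uid, f"-role {role} by {approver}"))

    def grant_direct(self, uid, right, approver):
        """Ad-hoc grant outside any role: permitted, but the review flags it."""
        self.users[uid].rights.add(right)
        self.changes.append(("authorize", uid, f"+right {right} by {approver}"))

    def disable(self, uid, approver):
        u = self.users[uid]
        u.enabled = False
        u.rights.clear()
        self.changes.append(("authorize", uid, f"disabled by {approver}"))

    # 3. Authentication: identify the user on each subsequent activity.
    def authenticate(self, uid, password, day):
        u = self.users.get(uid)
        if u is None or not u.enabled:
            return False
        if not hmac.compare_digest(_hash_pw(password, u.salt), u.pw_hash):
            return False
        u.last_login_day = day
        return True

    def check_access(self, uid, right):
        u = self.users[uid]
        return u.enabled and right in u.rights

    # 4. Monitoring: periodic review of rights held versus rights approved.
    def review(self, today, dormant_days=90):
        findings = []
        for u in self.users.values():
            if not u.enabled:
                continue
            for r in sorted(u.rights - _role_rights(u.roles)):
                findings.append((u.uid, "right outside approved roles", r))
            if u.last_login_day is None:
                findings.append((u.uid, "dormant account", "never logged in"))
            elif today - u.last_login_day > dormant_days:
                findings.append((u.uid, "dormant account",
                                 f"last login day {u.last_login_day}"))
        return findings
```

The review deliberately reports, rather than blocks, the direct grant: an examiner wants to see that exceptions are visible and approved, and that each one traces back to a named approver in the change record.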
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 18 - AUDIT TRAILS
Audit trails maintain a record of system activity both by system
and application processes and by user activity of systems and
applications. In conjunction with appropriate tools and procedures,
audit trails can assist in detecting security violations,
performance problems, and flaws in applications.
Audit trails may be used as either a support for regular system
operations or a kind of insurance policy or as both of these. As
insurance, audit trails are maintained but are not used unless
needed, such as after a system outage. As a support for operations,
audit trails are used to help system administrators ensure that the
system or resources have not been harmed by hackers, insiders, or
technical problems.
This chapter focuses on audit trails as a technical control, rather
than the process of security auditing, which is a review and
analysis of the security of a system. This chapter discusses the
benefits and objectives of audit trails, the types of audit trails,
and some common implementation issues.
The Difference Between Audit Trails and Auditing
An audit trail is a series of records of computer events,
about an operating system, an application, or user activities. A
computer system may have several audit trails, each devoted to a
particular type of activity.
Auditing is the review and analysis of management,
operational, and technical controls. The auditor can obtain valuable
information about activity on a computer system from the audit
trail. Audit trails improve the auditability of the computer system.
Auditing is discussed in the assurance chapter.
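An audit trail as a technical control, worked through in code. This is an added example and not from the NIST Handbook; the record fields, event names and sample events are constructed. Each record covers one of the three activity types named above (system, application, user) and carries the hash of its predecessor, so a record that is edited or removed after the fact is detectable. That integrity chaining goes beyond what this excerpt states; it is what makes the "insurance policy" use of the trail trustworthy after an incident. The analysis pass shows the "support for operations" use: it reads the trail and flags one security violation pattern, a burst of failed logins followed by a success.

```python
"""Hash-chained audit trail with a verification pass and one detection.

Added example; record layout and sample events are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64


def _digest(prev_hash, body):
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditTrail:
    def __init__(self):
        self.records = []  # each record links to its predecessor by hash

    def append(self, ts, source, subject, event, outcome, **detail):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {"seq": len(self.records), "ts": ts, "source": source,
                  "subject": subject, "event": event, "outcome": outcome,
                  "detail": detail, "prev": prev}
        record["hash"] = _digest(prev, record)
        self.records.append(record)
        return record["hash"]

    def verify(self):
        """Recompute every hash in order; return (ok, first_bad_seq)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if (rec["prev"] != prev or rec["seq"] != i
                    or _digest(prev, body) != rec["hash"]):
                return False, i
            prev = rec["hash"]
        return True, None


def failed_login_bursts(records, threshold=3, window=300):
    """Flag subjects with >= threshold failed logins inside `window`
    seconds that are then followed by a successful login."""
    findings = []
    recent_fails = {}
    for rec in records:
        if rec["event"] != "login":
            continue
        subj = rec["subject"]
        if rec["outcome"] == "failure":
            q = recent_fails.setdefault(subj, [])
            q.append(rec["ts"])
            recent_fails[subj] = [t for t in q if rec["ts"] - t <= window]
        elif rec["outcome"] == "success":
            n = len(recent_fails.get(subj, []))
            if n >= threshold:
                findings.append((subj, rec["ts"], n))
            recent_fails[subj] = []
    return findings


def build_sample_trail():
    """Constructed events: system, application and user activity."""
    t = AuditTrail()
    t.append(100, "os", "system", "boot", "success")
    t.append(120, "app:teller", "alice", "login", "success", ip="10.0.0.5")
    t.append(130, "app:teller", "alice", "read_account", "success", acct="1001")
    for ts in (200, 230, 260, 290):
        t.append(ts, "app:teller", "bob", "login", "failure", ip="10.0.0.9")
    t.append(310, "app:teller", "bob", "login", "success", ip="10.0.0.9")
    t.append(400, "os", "root", "modify_config", "success", file="/etc/pam.d/sshd")
    return t


def tamper_demo():
    """Rewrite a past failed login as a success; verification must fail there."""
    t = build_sample_trail()
    t.records[4]["outcome"] = "success"
    return t.verify()
```

The chain only proves that the trail has not been altered since it was written; a host that is fully compromised can still forge new records, which is why production trails are shipped off-host or written to append-only storage as soon as they are generated.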