information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- Cybersecurity job gap grows to 3 million, report - High pay, job
satisfaction and strong demand are still not enough reason to entice
people to enter the cybersecurity workforce as a new study shows the
workforce gap increasing to almost three million globally.
Anthem Pays OCR $16 Million in Record HIPAA Settlement Following
Largest U.S. Health Data Breach in History - Anthem, Inc. has agreed
to pay $16 million to the U.S. Department of Health and Human
Services, Office for Civil Rights (OCR) and take substantial
corrective action to settle potential violations of the Health
Insurance Portability and Accountability Act (HIPAA) Privacy and
Security Rules after a series of cyberattacks led to the largest
U.S. health data breach in history and exposed the electronic
protected health information of almost 79 million people.
Cybersecurity Preparedness Resource - As part of the FDIC's
Community Banking Initiative, the agency is adding to its
cybersecurity awareness resources for financial institutions. This
includes two new vignettes for the Cyber Challenge, which consists
of exercises that are intended to encourage discussions of
operational risk issues and the potential impact of information
technology disruptions on common banking functions.
Swedes inserting microchips under their skin - Thousands of Swedes
are possibly exchanging privacy for convenience by having microchips
the size of a grain of rice embedded under their skin so they can do
a variety of things – from accessing buildings and riding the rail
to obtaining etickets for events.
Six tips to stop phishing attacks - With phishing and email-related
attacks still among the top methods cybercriminals use to gain
access to their target’s system, Check Point has put together a
six-point plan to help spot and defeat these attacks.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Questions about the 2018 ERS OnLine Security Incident - On August
17, 2018, the Employees Retirement System of Texas (ERS) learned
about a security issue in our password-protected portal called ERS
OnLine. A now-corrected security flaw allowed certain ERS members
who logged in with their username and password, and used a specific
function to input search criteria, to view some member information
that was not theirs.
North Carolina water utility ONWASA taken down by ransomware - The
Onslow Water and Sewer Authority (ONWASA) in Jacksonville, N.C. was
hit with a ransomware attack over the weekend that has all but shut
down its computer operations.
ObamaCare portal breach compromises data of 75,000 patients - Threat
actors compromised the information of 75,000 patients after
breaching an ObamaCare (Affordable Care Act) enrollment portal last
Saudi investment conference website hacked, defaced - The website of
the Saudi Arabian investment conference, referred to as “Davos in
the Desert,” was hacked Monday and desecrated with anti-Saudi
messages and a “Photoshopped” image of Crown Prince preparing to
execute journalist Jamal Khashoggi, who was killed in the Saudi
consulate in Istanbul in early October.
Cathay Pacific data breach exposes PII of 9.4 million customers -
Cathay Pacific airline reported a data breach today that affected
9.4 million customers exposing a large range of personally
identifiable information and a limited amount of credit card data.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment Tools and
Practices or Information System Security."
To ensure the security of information systems and data, financial
institutions should have a sound information security program that
identifies, measures, monitors, and manages potential risk exposure.
Fundamental to an effective information security program is ongoing
risk assessment of threats and vulnerabilities surrounding networked
and/or Internet systems. Institutions should consider the various
measures available to support and enhance information security
programs. The appendix to this paper describes certain vulnerability
assessment tools and intrusion detection methods that can be useful
in preventing and identifying attempted external break-ins or
internal misuse of information systems. Institutions should also
consider plans for responding to an information security incident.
the top of the newsletter
FFIEC IT SECURITY -
our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (2 of 5)
System devices, programs, and data are system resources. Each
system resource may need to be accessed by other system resources
and individuals in order for work to be performed. Access beyond the
minimum required for work to be performed exposes the institution's
systems and information to a loss of confidentiality, integrity, and
availability. Accordingly, the goal of access rights administration
is to identify and restrict access to any particular system resource
to the minimum required for work to be performed. The financial
institution's security policy should address access rights to system
resources and how those rights are to be administered.
Management and information system administrators should critically
evaluate information system access privileges and establish access
controls to prevent unwarranted access. Access rights should be
based upon the needs of the applicable user or system resource to
carry out legitimate and approved activities on the financial
institution's information systems. Policies, procedures, and
criteria need to be established for both the granting of appropriate
access rights and for the purpose of establishing those legitimate
activities. Formal access rights administration for users consists
of four processes:
! An enrollment process to add new users to the system;
! An authorization process to add, delete, or modify authorized
user access to operating systems, applications, directories, files,
and specific types of information;
! An authentication process to identify the user during subsequent
! A monitoring process to oversee and manage the access rights
granted to each user on the system.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 18 - AUDIT TRAILS
Audit trails maintain a record of system activity both by system
and application processes and by user activity of systems and
applications. In conjunction with appropriate tools and procedures,
audit trails can assist in detecting security violations,
performance problems, and flaws in applications.
Audit trails may be used as either a support for regular system
operations or a kind of insurance policy or as both of these. As
insurance, audit trails are maintained but are not used unless
needed, such as after a system outage. As a support for operations,
audit trails are used to help system administrators ensure that the
system or resources have not been harmed by hackers, insiders, or
This chapter focuses on audit trails as a technical control, rather
than the process of security auditing, which is a review and
analysis of the security of a system. This chapter discusses the
benefits and objectives of audit trails, the types of audit trails,
and some common implementation issues.
The Difference Between Audit Trails and Auditing
An audit trail is a series of records of computer events,
about an operating system, an application, or user activities. A
computer system may have several audit trails, each devoted to a
particular type of activity.
Auditing is the review and analysis of management,
operational, and technical controls. The auditor can obtain valuable
information about activity on a computer system from the audit
trail. Audit trails improve the auditability of the computer system.
Auditing is discussed in the assurance chapter.