OCC’s “Audit Firm Rotation” letter dated October
12, 2016 states "There is no OCC guidance or directive to examiners
that would require or promote the termination of a third-party
relationship due to the length of the relationship."
You can find the complete letter at
- Is your web site compliant with the American Disability Act?
For the past 20 years, our web site audits have included the
guidelines of the ADA. Help reduce any liability, please
contact me for more information at
U.S. bank regulators propose enhanced cybersecurity risk management
plan - Three U.S. financial regulatory agencies on Wednesday
submitted their first draft of a joint proposal to impose enhanced
cybersecurity risk management standards on major banking
institutions and their suppliers.
What Skilled Cybersecurity Pros Want - For seasoned cybersecurity
professionals, motivation for sticking with their current jobs
doesn't mean big management promotions or higher salaries, a new
Center for Strategic and International Studies (CSIS) report finds.
Healthcare data breaches increase, but fewer records compromised -
The healthcare industry saw 37 data breaches take place in September
with about 250,000 patient records being compromised, but this was a
major decrease from the 8.8 million records breached in August.
Local authorities say data breaches are 'accidents waiting to
happen' - Local authorities hold sensitive and private information
about all of us that we wouldn't want getting into the hands of the
Only 39% of companies have a formal BYOD policy - More and more
workers today are bringing their personal devices such as laptops,
mobile phones and tablets to the office to use for work. While this
practice leads to greater productivity, it can pose a security risk.
Interior CDM effort 'immature,' says watchdog report - More than a
year after it projected having Continuous Diagnostics and Mitigation
Phase 1 protections in place, the Interior Department still has work
to do on its cybersecurity efforts, according to a partially
redacted report released by the agency's inspector general on Oct.
Mobile hacking firm Cellebrite's firmware made available to public
by reseller - Israeli mobile forensics firm Cellebrite, which works
closely with law enforcement, security and military agencies to
bypass security measures on locked phones, could have some of their
methods exposed after a reseller partner reportedly made the
company's firmware and software publicly available to download.
72% of UK internet users prefer to use mobile data over public Wi-Fi
- Security fears and complicated sign-up forms are hindering
internet users in the UK from using public Wi-Fi.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- 3.2M payment cards affected in massive Indian POS breach - One of
the biggest breaches in India has compromised as many as 3.2 million
payment cards as banks scramble to replace cards and request users
to change security codes.
Prosecutors say contractor stole 50TB of NSA data - The government
is preparing to charge the suspect under the Espionage Act. An NSA
contractor siphoned off dozens of hard drives' worth of data from
government computers over two decades, prosecutors will allege on
St. Jude Faces New Safety Charges From Muddy Waters Capital - St.
Jude Medical Inc. is facing new allegations from short-seller Muddy
Waters LLC that its pacemakers and defibrillators, life-saving
devices used by thousands of people worldwide, can be easily hacked
and turned against the patients relying on them.
Mirai botnets linked to massive DDoS attacks on Dyn DNS, Flashpoint
says - Mirai botnets like the ones recently used in distributed
denial of service (DDoS) attacks on a French internet service
provider and a well-known security researcher were at least partly
responsible for the waves of DDoS attacks against Dyn DNS that took
down Twitter, Spotify, Netflix, GitHub, Amazon and Reddit and other
DDoS attack Friday hits Twitter, Reddit, Spotify and others - The
East Coast was under siege on Friday morning from a large-scale
distributed denial of service (DDoS) attack that brought down more
than a dozen prominent websites, including Twitter, Spotify,
Netflix, GitHub, Amazon and Reddit. The initial attack was followed
later in the day by at least two more waves of attack.
Hacker 'drags and drops' 43.4 million Weebly user accounts in mega
breach - Web hosting service Weebly has confirmed a major data
breach, following a LeakedSource.com report stating that 43.4
million accounts were stolen from the company's main database in
February 2016. This number would effectively comprise Weebly's
entire 40 million-plus customer base.
U.S. vigilante hacker takes over Russian Foreign Ministry site - A
self-described patriotic American vigilante hacker named Jester
reportedly took over the Russian Ministry of Foreign Affairs website
on Friday in retaliation for alleged Russian cyberattacks on the
Hacked Cameras, DVRs Powered Today’s Massive Internet Outage - A
massive and sustained Internet attack that has caused outages and
network congestion today for a large number of Web sites was
launched with the help of hacked “Internet of Things” (IoT) devices,
such as CCTV video cameras and digital video recorders, new data
Silver Creek Fitness & Physical Therapy patient info compromised -
Silver Creek Fitness & Physical Therapy of California suffered a
data breach through a third-part contractor that exposed their
clients personally identifiable information to include Social
Security and Medicare numbers.
Unencrypted pager messaging exposes critical infrastructure data -
Workers at industrial complexes, some operating critical
infrastructure, are endangering confidential data, and perhaps the
public's physical safety, by using unencrypted pager messaging on
Baystate Health hit with phishing attack, patient records vulnerable
- Baystate Health, of Springfield, Mass., reported that several
employees last week responded to a phishing email compromising
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Banking organizations have been delivering electronic services to
consumers and businesses remotely for years. Electronic funds
transfer, including small payments and corporate cash management
systems, as well as publicly accessible automated machines for
currency withdrawal and retail account management, are global
fixtures. However, the increased world-wide acceptance of the
Internet as a delivery channel for banking products and services
provides new business opportunities for banks as well as service
benefits for their customers.
Continuing technological innovation and competition among existing
banking organizations and new market entrants has allowed for a much
wider array of electronic banking products and services for retail
and wholesale banking customers. These include traditional
activities such as accessing financial information, obtaining loans
and opening deposit accounts, as well as relatively new products and
services such as electronic bill payment services, personalized
financial "portals," account aggregation and business-to-business
market places and exchanges.
Notwithstanding the significant benefits of technological
innovation, the rapid development of e-banking capabilities carries
risks as well as benefits and it is important that these risks are
recognized and managed by banking institutions in a prudent manner.
These developments led the Basel Committee on Banking Supervision to
conduct a preliminary study of the risk management implications of
e-banking and e-money in 1998. This early study demonstrated a clear
need for more work in the area of e-banking risk management and that
mission was entrusted to a working group comprised of bank
supervisors and central banks, the Electronic Banking Group (EBG),
which was formed in November 1999.
The Basel Committee released the EBG's Report on risk management
and supervisory issues arising from e-banking developments in
October 2000. This Report inventoried and assessed the major risks
associated with e-banking, namely strategic risk, reputational risk,
operational risk (including security and legal risks), and credit,
market, and liquidity risks. The EBG concluded that e-banking
activities did not raise risks that were not already identified by
the previous work of the Basel Committee. However, it noted that
e-banking increase and modifies some of these traditional risks,
thereby influencing the overall risk profile of banking. In
particular, strategic risk, operational risk, and reputational risk
are certainly heightened by the rapid introduction and underlying
technological complexity of e-banking activities.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Firewall Policy (Part 1 of 3)
A firewall policy states management's expectations for how the
firewall should function and is a component of the overall security
policy. It should establish rules for traffic coming into and going
out of the security domain and how the firewall will be managed and
updated. Therefore, it is a type of security policy for the
firewall, and forms the basis for the firewall rules. The firewall
selection and the firewall policy should stem from the ongoing
security risk assessment process. Accordingly, management needs to
update the firewall policy as the institution's security needs and
the risks change. At a minimum, the policy should address:
! Firewall topology and architecture,
! Type of firewall(s) being utilized,
! Physical placement of the firewall components,
! Monitoring firewall traffic,
! Permissible traffic (generally based on the premise that all
traffic not expressly allowed is denied, detailing which
applications can traverse the firewall and under what exact
circumstances such activities can take place),
! Firewall updating,
! Coordination with intrusion detection and response mechanisms,
! Responsibility for monitoring and enforcing the firewall policy,
! Protocols and applications permitted,
! Regular auditing of a firewall's configuration and testing of the
firewall's effectiveness, and
! Contingency planning.
Financial institutions should also appropriately train and manage
their staffs to ensure the firewall policy is implemented properly.
Alternatively, institutions can outsource the firewall management,
while ensuring that the outsourcer complies with the institution's
specific firewall policy.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE
8.4.4 Operation and
Many security activities take place during the operational phase of
a system's life. In general these fall into three areas: (1)
security operations and administration; (2) operational assurance;
and (3) periodic re-analysis of the security.
22.214.171.124 Security Operations and Administration
Operation of a system involves many security activities discussed
throughout this handbook. Performing backups, holding training
classes, managing cryptographic keys, keeping up with user
administration and access privileges, and updating security software
are some examples.
126.96.36.199 Operational Assurance
Security is never perfect when a system is implemented. In
addition, system users and operators discover new ways to
intentionally or unintentionally bypass or subvert security. Changes
in the system or the environment can create new vulnerabilities.
Strict adherence to procedures is rare over time, and procedures
become outdated. Thinking risk is minimal, users may tend to bypass
security measures and procedures.
During the operational phase of a system life cycle, major and
minor changes will occur. Operational assurance is one way of
becoming aware of these changes whether they are new vulnerabilities
(or old vulnerabilities that have not been corrected), system
changes, or environmental changes. Operational assurance is the
process of reviewing an operational system to see that security
controls, both automated and manual, are functioning correctly and
To maintain operational assurance, organizations use two basic
methods: system audits and monitoring. These terms are used loosely
within the computer security community and often overlap. A system
audit is a one-time or periodic event to evaluate security.
Monitoring refers to an ongoing activity that examines either the
system or the users. In general, the more "real-time" an activity
is, the more it falls into the category of monitoring.
Operational assurance examines whether a system is operated
according to its current security requirements. This includes both
the actions of people who operate or use the system and the
functioning of technical controls.