information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- FTC Offers Small Businesses Free Cybersecurity Resources -
Cybersecurity for Small Businesses campaign kicks off. The Federal
Trade Commission's (FTC) newly launched national initiative to
educate small business owners about cybersecurity threats and
defenses began with a "listening tour" last year.
City Pays $2K in Ransomware, Stirs ‘Never Pay’ Debate - Many
municipalities hit with ransomware don’t have much of a choice when
it comes to paying up, experts say.
Yahoo agrees to $50 million breach settlement, victims eligible for
compensation - Yahoo agreed to pay a $50 million settlement and
provide two years of credit monitoring services to 200 million
people whose information was compromised in the 2013-2014 breach.
1 billion reasons why compliance matters - The European Union’s
General Data Protection Regulation (GDPR) is starting to show its
teeth as regulators evaluate penalties for Facebook after a
high-profile security breach of user data.
Court orders Mirai developer to shell out $8.6 million in damages -
A federal court last Friday ordered one of the co-developers of the
Mirai IoT botnet to pay $8.6 million in restitution and serve six
months of home incarceration as punishment for using the malware to
launch DDoS attacks against Rutgers University, where he was
studying at the time.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Cathay Pacific data breach exposes PII of 9.4 million customers -
Cathay Pacific airline reported a data breach today that affected
9.4 million customers exposing a large range of personally
identifiable information and a limited amount of credit card data.
British Airways data breach victim list grows - British Airways
discovered an additional 185,000 customer payment cards had been
compromised while investigating an earlier data breach that affected
Data breach compromises 64,000 Tomorrowland festival attendees -
Threat actors managed to access the information of 64,000
Tomorrowland festival-goers who attended the 2014 event in Boom,
Federal employee infects gov’t network with Russian malware through
adult video websites - An employee at the U.S. Geological Survey
(USGS) infected his agency’s network with Russian malware delivered
via adult websites.
Eurostar customers forced to reset passwords after breach - Eurostar
is forcing all of its customers to reset their passwords following
an incident in which an unauthorized individual attempted to access
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the FDIC
paper "Risk Assessment Tools and Practices or Information System
INFORMATION SECURITY PROGRAM
A financial institution's board of directors and senior
management should be aware of information security issues and be
involved in developing an appropriate information security program.
A comprehensive information security policy should outline a
proactive and ongoing program incorporating three components:
Prevention measures include sound security policies,
well-designed system architecture, properly configured firewalls,
and strong authentication programs. This paper discusses two
additional prevention measures: vulnerability assessment tools and
penetration analyses. Vulnerability assessment tools generally
involve running scans on a system to proactively detect known
vulnerabilities such as security flaws and bugs in software and
hardware. These tools can also detect holes allowing unauthorized
access to a network, or insiders to misuse the system. Penetration
analysis involves an independent party (internal or external)
testing an institution's information system security to identify
(and possibly exploit) vulnerabilities in the system and surrounding
processes. Using vulnerability assessment tools and performing
regular penetration analyses will assist an institution in
determining what security weaknesses exist in its information
Detection measures involve analyzing available information
to determine if an information system has been compromised, misused,
or accessed by unauthorized individuals. Detection measures may be
enhanced by the use of intrusion detection systems (IDSs) that act
as a burglar alarm, alerting the bank or service provider to
potential external break-ins or internal misuse of the system(s)
Another key area involves preparing a response program to
handle suspected intrusions and system misuse once they are
detected. Institutions should have an effective incident response
program outlined in a security policy that prioritizes incidents,
discusses appropriate responses to incidents, and establishes
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (3 of 5)
The enrollment process establishes the user's
identity and anticipated business needs to information and systems.
New employees, IT outsourcing relationships, and contractors may
also be identified, and the business need for access determined
during the hiring or contracting process.
During enrollment and thereafter, an authorization process
determines user access rights. In certain circumstances the
assignment of access rights may be performed only after the manager
responsible for each accessed resource approves the assignment and
documents the approval. In other circumstances, the assignment of
rights may be established by the employee's role or group
membership, and managed by pre - established authorizations for that
group. Customers, on the other hand, may be granted access based on
their relationship with the institution.
Authorization for privileged access should be tightly controlled.
Privileged access refers to the ability to override system or
application controls. Good practices for controlling privileged
! Identifying each privilege associated with each system
! Implementing a process to allocate privileges and allocating
those privileges either on a need - to - use or an event - by -
event basis,! Documenting the granting and administrative limits on
! Finding alternate ways of achieving the business objectives,
! Assigning privileges to a unique user ID apart from the one used
for normal business use,
! Logging and auditing the use of privileged access,
! Reviewing privileged access rights at appropriate intervals and
regularly reviewing privilege access allocations, and
! Prohibiting shared privileged access by multiple users.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 18 - AUDIT TRAILS
8.1 Benefits and
Audit trails can provide a means to help accomplish several
security-related objectives, including individual accountability,
reconstruction of events, intrusion detection, and problem analysis.
An event is any action that happens on a computer system.
Examples include logging into a system, executing a program, and
opening a file.
18.1.1 Individual Accountability
Audit trails are a technical mechanism that help managers maintain
individual accountability. By advising users that they are
personally accountable for their actions, which are tracked by an
audit trail that logs user activities, managers can help promote
proper user behavior. Users are less likely to attempt to circumvent
security policy if they know that their actions will be recorded in
an audit log.
For example, audit trails can be used in concert with access
controls to identify and provide information about users suspected
of improper modification of data (e.g., introducing errors into a
database). An audit trail may record "before" and "after" versions
of records. (Depending upon the size of the file and the
capabilities of the audit logging tools, this may be very
resource-intensive.) Comparisons can then be made between the actual
changes made to records and what was expected. This can help
management determine if errors were made by the user, by the system
or application software, or by some other source.
Audit trails work in concert with logical access controls, which
restrict use of system resources. Granting users access to
particular resources usually means that they need that access to
accomplish their job. Authorized access, of course, can be misused,
which is where audit trail analysis is useful. While users cannot be
prevented from using resources to which they have legitimate access
authorization, audit trail analysis is used to examine their
actions. For example, consider a personnel office in which users
have access to those personnel records for which they are
Audit trails can reveal that an individual is printing far more
records than the average user, which could indicate the selling of
personal data. Another example may be an engineer who is using a
computer for the design of a new product. Audit trail analysis could
reveal that an outgoing modem was used extensively by the engineer
the week before quitting. This could be used to investigate whether
proprietary data files were sent to an unauthorized party.