- Obsession with regulatory compliance doesn't guarantee
good cybersecurity - Companies should spend less time
worrying about meeting the minimal requirements for cybersecurity
regulation compliance, and instead concentrate on how to protect
their most sensitive data and operations.
OCC's "Audit Firm Rotation" letter dated October
12, 2016 states "There is no OCC guidance or directive to examiners
that would require or promote the termination of a third-party
relationship due to the length of the relationship."
You can find the complete letter at
- Is your web site compliant with the American Disability Act?
For the past 20 years, our web site audits have included the
guidelines of the ADA. Help reduce any liability, please
contact me for more information at
Millennials changing the face of cybersecurity - It's official -
there are now more millennials than baby boomers and their influence
on information security is starting to have its impact, according to
a recent report.
FCC requires ISPs to get customer opt-in before sharing data - The
American Civil Liberties Union (ACLU) Thursday claimed a victory for
privacy after the Federal Communications Commission (FCC) voted to
require internet service providers to obtain opt-in permission from
customers to use or share their personal data.
Cyber Command's teams reach initial operating capability; Clapper
says it's time to separate them from NSA - The time has come to
split U.S. Cyber Command from the National Security Agency and
assign separate leaders to each organization, the nation's top
intelligence official said Tuesday.
OMB floats new rules of the road for IT modernization - The Obama
White House is offering new guidelines on how agencies should go
about modernizing legacy IT systems.
New approaches needed to combat next-gen threats - Conventional
approaches have not been successful in mitigating the security risks
facing enterprises, speakers told an audience Thursday evening at
the Rethink Cyber NYC event.
75% of healthcare industry hit with malware, report - The healthcare
vertical is at particular risk from ransomware. This is just one of
the findings of the "2016 Healthcare Industry Cybersecurity Report,"
a just released survey from SecurityScorecard, a security rating and
continuous risk monitoring platform.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Student discovers security flaw in Virgin Media recruitment system
- A student has discovered a security vulnerability in the software
which Virgin Media uses for recruitment and job applications.
Appointments on hold as (computer) virus wreaks havoc with NHS trust
systems - Major medical issues diverted to neighbouring hospitals -
An NHS trust shut down all of its IT systems today and has all but
ground to a halt in general after a virus compromised them on
Lost thumb drives bedevil U.S. banking agency - The drives contained
privacy information and their loss is "a major information security
incident" - A U.S. banking regulator says an employee downloaded a
large amount of data from its computer system a week before he
retired and is now unable to locate the thumb drives he stored it
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Risk management challenges
The Electronic Banking Group (EBG) noted that the fundamental
characteristics of e-banking (and e-commerce more generally) posed a
number of risk management challenges:
The speed of change
relating to technological and customer service innovation in
e-banking is unprecedented. Historically, new banking applications
were implemented over relatively long periods of time and only after
in-depth testing. Today, however, banks are experiencing competitive
pressure to roll out new business applications in very compressed
time frames - often only a few months from concept to production.
This competition intensifies the management challenge to ensure that
adequate strategic assessment, risk analysis and security reviews
are conducted prior to implementing new e-banking applications.
web sites and associated retail and wholesale business applications
are typically integrated as much as possible with legacy computer
systems to allow more straight-through processing of electronic
transactions. Such straight-through automated processing reduces
opportunities for human error and fraud inherent in manual
processes, but it also increases dependence on sound systems design
and architecture as well as system interoperability and operational
E-banking increases banks'
dependence on information technology, thereby increasing the
technical complexity of many operational and security issues and
furthering a trend towards more partnerships, alliances and
outsourcing arrangements with third parties, many of whom are
unregulated. This development has been leading to the creation of
new business models involving banks and non-bank entities, such as
Internet service providers, telecommunication companies and other
4) The Internet is ubiquitous and global by nature. It is an open
network accessible from anywhere in the world by unknown parties,
with routing of messages through unknown locations and via fast
evolving wireless devices. Therefore, it significantly magnifies the
importance of security controls, customer authentication techniques,
data protection, audit trail procedures, and customer privacy
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
Firewall Policy (Part 2 of 3)
Firewalls are an essential control for a financial institution with
an Internet connection and provide a means of protection against a
variety of attacks. Firewalls should not be relied upon, however, to
provide full protection from attacks. Institutions should complement
firewalls with strong security policies and a range of other
controls. In fact, firewalls are potentially vulnerable to attacks
! Spoofing trusted IP addresses;
! Denial of service by overloading the firewall with excessive
requests or malformed packets;
! Sniffing of data that is being transmitted outside the network;
! Hostile code embedded in legitimate HTTP, SMTP, or other traffic
that meets all firewall rules;
! Attacks on unpatched vulnerabilities in the firewall hardware or
! Attacks through flaws in the firewall design providing relatively
easy access to data or services residing on firewall or proxy
! Attacks against machines and communications used for remote
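Of the attacks listed above, spoofing of trusted IP addresses is the one an administrator can counter directly in the firewall's own rule base, with interface-aware ingress filtering: a source address from the internal range is only believable on the internal interface, and vice versa. The following Python model of that check is an added example, not text from the FFIEC booklet or this newsletter; the interface names, address blocks and sample packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: "inside" faces the bank LAN, "outside" faces the Internet.
INTERNAL_NETS = [ip_network("10.20.0.0/16"), ip_network("192.168.100.0/24")]
# Source ranges that should never arrive from the Internet at all.
BOGON_NETS = [ip_network("0.0.0.0/8"), ip_network("127.0.0.0/8"),
              ip_network("169.254.0.0/16"), ip_network("224.0.0.0/4")]

@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on
    src: str    # source address as text, as parsed off the wire
    dst: str

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def ingress_verdict(pkt):
    """Return ('ACCEPT' | 'DROP', reason) for one packet entering the firewall."""
    try:
        src = ip_address(pkt.src)
    except ValueError:
        return "DROP", "malformed source address"
    if _in_any(src, BOGON_NETS):
        return "DROP", "bogon source"
    src_internal = _in_any(src, INTERNAL_NETS)
    if pkt.iface == "outside" and src_internal:
        # An outside sender is claiming a trusted inside address.
        return "DROP", "spoofed internal source on outside interface"
    if pkt.iface == "inside" and not src_internal:
        # An inside host is spoofing or leaking a foreign source; dropping it
        # also keeps the institution from being a launch point for such traffic.
        return "DROP", "non-internal source on inside interface"
    return "ACCEPT", "passes anti-spoofing checks"

# Constructed sample traffic.
SAMPLE = [
    Packet("outside", "203.0.113.7", "10.20.1.5"),    # legitimate inbound
    Packet("outside", "10.20.1.9", "10.20.1.5"),      # claims a trusted inside address
    Packet("inside", "10.20.1.5", "203.0.113.7"),     # legitimate outbound
    Packet("inside", "198.51.100.4", "203.0.113.7"),  # inside host with foreign source
    Packet("outside", "127.0.0.1", "10.20.1.5"),      # bogon
    Packet("outside", "300.1.1.1", "10.20.1.5"),      # malformed address
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        verdict, reason = ingress_verdict(pkt)
        print(f"{verdict:6} {pkt.iface:7} {pkt.src:>13} -> {pkt.dst:<12} {reason}")
```

A production firewall also needs the complementary egress rule on the outside interface and should log every drop, since a spoofed internal source arriving from the Internet is a detection signal in its own right.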
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE
Computer systems and the environments in which they operate change
continually. In response to various events such as user complaints,
availability of new features and services, or the discovery of new
threats and vulnerabilities, system managers and users modify the
system and incorporate new features, new procedures, and software
The environment in which the system operates also changes.
Networking and interconnections tend to increase. A new user group
may be added, possibly external groups or anonymous groups. New
threats may emerge, such as increases in network intrusions or the
spread of personal computer viruses. If the system has a
configuration control board or other structure to manage technical
system changes, a security specialist can be assigned to the board
to make determinations about whether (and if so, how) changes will
Security should also be considered during system upgrades (and
other planned changes) and in determining the impact of unplanned
changes. When a change occurs or is planned, a determination is made
whether the change is major or minor. A major change, such as
reengineering the structure of the system, significantly affects the
system. Major changes often involve the purchase of new hardware,
software, or services or the development of new software modules.
An organization does not need to have a specific cutoff for
major-minor change decisions. A sliding scale between the two can be
implemented by using a combination of the following methods:
! Major change. A major change requires analysis to
determine security requirements. The process described above can be
used, although the analysis may focus only on the area(s) in which
the change has occurred or will occur. If the original analysis and
system changes have been documented throughout the life cycle, the
analysis will normally be much easier. Since these changes result in
significant system acquisitions, development work, or changes in
policy, the system should be reaccredited to ensure that the
residual risk is still acceptable.
! Minor change. Many of the changes made to a system do not
require the extensive analysis performed for major changes, but do
require some analysis. Each change can involve a limited risk
assessment that weighs the pros (benefits) and cons (costs) and that
can even be performed on-the-fly at meetings. Even if the analysis
is conducted informally, decisions should still be appropriately
documented. This process recognizes that even "small" decisions
should be risk-based.
Security change management helps develop new security requirements.
Periodic Reaccreditation
Periodically, it is useful to formally reexamine the security of a
system from a wider perspective. The analysis, which leads to
reaccreditation, should address such questions as: Is the security
still sufficient? Are major changes needed?
The reaccreditation should address high-level security and
management concerns as well as the implementation of the security.
It is not always necessary to perform a new risk assessment or
certification in conjunction with the re-accreditation, but the
activities support each other (and both need to be performed
periodically). The more extensive system changes have been, the more
extensive the analyses should be (e.g., a risk assessment or
re-certification). A risk assessment is likely to uncover security
concerns that result in system changes. After the system has been
changed, it may need testing (including certification). Management
then reaccredits the system for continued operation if the risk is
It is important to consider legal requirements for records
retention when disposing of computer systems. For federal systems,
system management officials should consult with their agency office
responsible for retaining and archiving federal records.