information technology audits
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
For more information go
On-site FFIEC IT Audits.
- Proper Disposal of Electronic Devices - Why is it important to
dispose of electronic devices safely? - In addition to effectively
securing sensitive information on electronic devices, it is
important to follow best practices for electronic device disposal.
Computers, smartphones, and cameras allow you to keep a great deal
of information at your fingertips, but when you dispose of, donate,
or recycle a device you may inadvertently disclose sensitive
information which could be exploited by cyber criminals.
FDIC Still Isn’t Protecting Its Sensitive Information, Audit Finds -
The agency isn’t patching vulnerabilities quickly enough or fixing
longstanding information security weaknesses.
Pinpointing risky employee behaviors enables IT leaders to reduce
risk - In the first half of 2018, more than 4.5 billion digital
records were compromised in data breaches, according to research
from Gemalto’s “2018: Data Privacy and New Regulations Take Center
Catching all Threats – Known, Unknown, and Unknown Unknown - Before
They Can Harm You - At a news briefing in 2002, when then U.S.
Secretary of Defense Donald Rumsfeld, famously broke down threats
into three categories of “knowability”: “Known knowns,” are the
threats we are fully aware of; “known unknowns,” are the things we
know we don’t know; and finally, the “unknown unknowns” – those
threats that we don’t even know we don’t know.
Chicago, Galloway Township (N.J.) schools hit with cyberattacks - A
pair of U.S. school districts were hit with two very different, but
still damaging, cyberattacks in the last week.
Dark web markets sell off victims’ account data for as little as a
buck - Having your online account hacked is bad enough, but learning
that your precious account details were sold for a little as $1 on
the dark web adds insult to injury.
Supreme Court rejects industry challenge of 2015 net neutrality
rules - But lawsuits over Pai's net neutrality repeal and California
law will continue. The US Supreme Court has declined to hear the
broadband industry's challenge of Obama-era net neutrality rules.
5 steps for securing connected medical devices - Patients expect
hospitals to be safe havens, but more and more we’re seeing that the
weakest and most critical assets in hospital networks are the very
instruments needed to save lives: medical devices. With the increase
in connected medical devices, the risk for malicious attacks is
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Radisson Member Rewards program breached - The Radisson Hotel
Group reported its Radisson Rewards program was hit with a data
breach sometime before October 1 exposing member’s personally
Aussie shipbuilder Austal hit with data breach - Australian
shipbuilder Austal Limited’s data management system was hit with a
data breach that exposed staff contact information, but the company
does not believe any sensitive defense data was involved.
FIFA readies for data breach reveal - Football’s governing body FIFA
is bracing for the release on Friday by a group of European media
outlets of a report containing the details of a data breach the
sports organization suffered in March 2018.
Mail mix up sends Michigan Medicine letters to the wrong people -
For the second time this year healthcare provider Michigan Medicine
is notifying patients that some of their personally identifiable
information may have been exposed, this time due to a mailing error.
Magecart infiltrates U.K. online retailer Kitronik payment system -
U.K. electronics retailer Kitronik has told customers the Magecart
gang managed to infiltrate the company’s payment system gaining
access to some of their information.
30 spies dead after Iran cracked CIA comms network with, er, Google
search - new claim - Uncle Sam's snoops got sloppy with online chat,
it seems - Iran apparently infiltrated the communications network of
CIA agents who allowed their secret websites, used to exchange
messages with informants, to be crawled by Google.
HSBC suffers data breach, customer banking info exposed - HSBC
confirmed today it suffered a data breach last month affecting about
one percent of its U.S. accounts and exposing an extensive amount of
Leaky MongoDB server exposes personal info on 700K Amex India
customers - An unsecured MongoDB server has exposed personal data on
689,272 American Express India customers.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the FDIC
paper "Risk Assessment Tools and Practices or Information System
A thorough and proactive risk assessment is the first step in
establishing a sound security program. This is the ongoing process
of evaluating threats and vulnerabilities, and establishing an
appropriate risk management program to mitigate potential monetary
losses and harm to an institution's reputation. Threats have the
potential to harm an institution, while vulnerabilities are
weaknesses that can be exploited.
The extent of the information security program should be
commensurate with the degree of risk associated with the
institution's systems, networks, and information assets. For
example, compared to an information-only Web site, institutions
offering transactional Internet banking activities are exposed to
greater risks. Further, real-time funds transfers generally pose
greater risks than delayed or batch-processed transactions because
the items are processed immediately. The extent to which an
institution contracts with third-party vendors will also affect the
nature of the risk assessment program.
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (4 of 5)
The access rights process programs the system to
allow the users only the access rights they were granted. Since
access rights do not automatically expire or update, periodic
updating and review of access rights on the system is necessary.
Updating should occur when an individual's business needs for system
use changes. Many job changes can result in an expansion or
reduction of access rights. Job events that would trigger a removal
of access rights include transfers, resignations, and terminations.
Institutions should take particular care to remove promptly the
access rights for users who have remote access privileges, and those
who administer the institution's systems.
Because updating may not always be accurate, periodic review of
user accounts is a good control to test whether the access right
removal processes are functioning, and whether users exist who
should have their rights rescinded or reduced. Financial
institutions should review access rights on a schedule commensurate
Access rights to new software and hardware present a unique
problem. Typically, hardware and software are installed with default
users, with at least one default user having full access rights.
Easily obtainable lists of popular software exist that identify the
default users and passwords, enabling anyone with access to the
system to obtain the default user's access. Default user accounts
should either be disabled, or the authentication to the account
should be changed. Additionally, access to these default accounts
should be monitored more closely than other accounts.
Sometimes software installs with a default account that allows
anonymous access. Anonymous access is appropriate, for instance,
where the general public accesses an informational web server.
Systems that allow access to or store sensitive information,
including customer information, should be protected against
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 18 - AUDIT TRAILS
18.1 Benefits and Objectives
18.1.2 Reconstruction of Events
Audit trails can also be used to reconstruct events after a problem
has occurred. Damage can be more easily assessed by reviewing audit
trails of system activity to pinpoint how, when, and why normal
operations ceased. Audit trail analysis can often distinguish
between operator-induced errors (during which the system may have
performed exactly as instructed) or system-created errors (e.g.,
arising from a poorly tested piece of replacement code). If, for
example, a system fails or the integrity of a file (either program
or data) is questioned, an analysis of the audit trail can
reconstruct the series of steps taken by the system, the users, and
the application. Knowledge of the conditions that existed at the
time of, for example, a system crash, can be useful in avoiding
future outages. Additionally, if a technical problem occurs (e.g.,
the corruption of a data file) audit trails can aid in the recovery
process (e.g., by using the record of changes made to reconstruct
18.1.3 Intrusion Detection
Intrusion detection refers to the process of identifying
attempts to penetrate a system and gain unauthorized access.
If audit trails have been designed and implemented to record
appropriate information, they can assist in intrusion detection.
Although normally thought of as a real-time effort, intrusions can
be detected in real time, by examining audit records as they are
created (or through the use of other kinds of warning
flags/notices), or after the fact (e.g., by examining audit records
in a batch process).
Real-time intrusion detection is primarily aimed at outsiders
attempting to gain unauthorized access to the system. It may also be
used to detect changes in the system's performance indicative of,
for example, a virus or worm attack. There may be difficulties in
implementing real-time auditing, including unacceptable system
After-the-fact identification may indicate that unauthorized access
was attempted (or was successful). Attention can then be given to
damage assessment or reviewing controls that were attacked.