- Lawmakers Back Down from Pushing NIST into Cyber Auditing Role -
House Science Committee lawmakers have pared back a controversial
bill that would have tasked the government’s cyber standards agency
with auditing federal agencies’ cyber protections.
Hilton to pay $700,000 over credit card data breaches - Hilton
Worldwide Holdings Inc agreed to pay $700,000 and bolster security
to resolve probes into two
data breaches that exposed more than 363,000 credit card numbers,
the attorneys general of New York and Vermont announced on Tuesday.
Third-party contractor may have deactivated Trump's Twitter account
- The person that deactivated President Donald Trump's Twitter
account briefly Thursday, originally pegged by the company as human
error by an employee, reportedly was instead a third-party
Texas National Guard spent $373,000 on stingray equipment - The
Texas National Guard last year spent more than $373,000 to install
two of its DRT 1301C “portable receiver systems” in two RC-26
Americans worry about cybercrime more than they worry about car
theft - American's are worrying more about becoming cybercrime
victims far more so than becoming victims of conventional crimes.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Another misconfigured Amazon S3 server leaks data of 50,000
Australian employees - Another misconfigured Amazon server has
resulted in the exposure of personal data - this time on 50,000
Australian employees that were left unsecure by a third-party
Malaysia investigating reported leak of 46 million mobile users'
data - Malaysia is investigating an alleged attempt to sell the data
of more than 46 million mobile phone subscribers online, in what
appears to be one of the largest leaks of customer data in Asia.
Trump signs Cyber Crime Fighting Act to train up local and state law
enforcement - With a flourish of President Donald Trump's pen
Thursday, state and local law enforcement got the tools and training
needed to fight cybercrime as the Strengthening State and Local
Cyber Crime Fighting Act of 2017 became law.
Asian content distributor Crunchyroll blames DNS hijack for
malicious redirection - Asian entertainment website Crunchyroll.com
is blaming a DNS hijack attack after site visitors in the early
morning of Nov. 4 were redirected to a malicious website designed to
infect them with malware.
Estonia suspends national 760,000 ID cards found prone to encryption
vulnerability - Estonia on Friday blocked the certificates of
760,000 national ID cards in response to a cryptographic
vulnerability that researchers have discovered is even more
dangerous than originally reported.
Hundreds of school websites redirected pro-ISIS web page - Pro-ISIS
hackers hijacked the websites of roughly 800 U.S. schools and
educational districts on Monday, after compromising their web
hosting provider, various news outlets have reported.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider
Some of the factors that institutions should consider when
performing due diligence in selecting a service provider are
categorized and listed below. Institutions should review the service
provider’s due diligence process for any of its significant
supporting agents (i.e., subcontractors, support vendors, and other
parties). Depending on the services being outsourced and the level
of in-house expertise, institutions should consider whether to hire
or consult with qualified independent sources. These sources include
consultants, user groups, and trade associations that are familiar
with products and services offered by third parties. Ultimately, the
depth of due diligence will vary depending on the scope and
importance of the outsourced services as well as the risk to the
institution from these services.
the top of the newsletter
FFIEC IT SECURITY -
We conclude our series on the FFIEC
interagency Information Security Booklet.
MONITORING AND UPDATING
Financial institutions should evaluate the information gathered to
determine the extent of any required adjustments to the various
components of their security program. The institution will need to
consider the scope, impact, and urgency of any new threat. Depending
on the new threat or vulnerability, the institution will need to
reassess the risk and make changes to its security process (e.g.,
the security strategy, the controls implementation, or the security
Institution management confronts routine security issues and events
on a regular basis. In many cases, the issues are relatively
isolated and may be addressed through an informal or targeted risk
assessment embedded within an existing security control process. For
example, the institution might assess the risk of a new operating
system vulnerability before testing and installing the patch. More
systemic events like mergers, acquisitions, new systems, or system
conversions, however, would warrant a more extensive security risk
assessment. Regardless of the scope, the potential impact and the
urgency of the risk exposure will dictate when and how controls are
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 13 -
AWARENESS, TRAINING, AND EDUCATION
Security education is more in-depth than security training and is
targeted for security professionals and those whose jobs require
expertise in security.
Techniques. Security education is normally outside the scope of
most organization awareness and training programs. It is more
appropriately a part of employee career development. Security
education is obtained through college or graduate classes or through
specialized training programs. Because of this, most computer
security programs focus primarily on awareness and training, as does
the remainder of this chapter.
An effective computer security awareness and training (CSAT)
program requires proper planning, implementation, maintenance, and
periodic evaluation. The following seven steps constitute one
approach for developing a CSAT program.
Step 1: Identify Program Scope, Goals, and Objectives.
Step 2: Identify Training Staff.
Step 3: Identify Target Audiences.
Step 4: Motivate Management and Employees.
Step 5: Administer the Program.
Step 6: Maintain the Program.
Step 7: Evaluate the Program.