- Is your web site compliant with the American Disability Act?
For the past 20 years, our bank web site audits have covered the
ADA guidelines. Help reduce any liability, please
contact me for more information at
FYI - The FDIC and
the OCC do not have a requirement that financial institutions
change third-party vendors on a periodic basis. Any such
decision is a management decision not a regulatory decision.
OCC To Consider Fintech Charter Applications, Seeks Comment -
Comptroller of the Currency Thomas J. Curry today announced that the
Office of the Comptroller of the Currency would move forward with
considering applications from financial technology companies to
become special purpose national banks.
Banking malware allows bad guys to lock, reset phone passwords -
Cybercriminals have updated a two-year old banking app scam that
grabs control of a victim's smartphone, locks them out and then
drains their bank account while the person struggles to regain
control of their device.
Back to basics.....Why cybersecurity must start over before it can
move forward - Cybersecurity as a field is only 20 years old. With
that, it's not surprising that the current state of maturity is not
where we, as professionals, expect it to be.
Mastercard and Visa push EMV liability deadline to 2020 for
automated fuel pumps - Citing technological and regulatory
challenges, Mastercard and Visa have postponed their liability
deadlines for merchants to employ EMV chip card technology at
automated fuel pumps, from October 2017 to October 2020.
'Fatal' flaws found in medical implant software - Security flaws
found in 10 different types of medical implants could have "fatal"
consequences, warn researchers.
Russia accuses hostile foreign powers of plot to undermine its banks
- Russia has accused unnamed foreign spies of launching a concerted
effort to undermine its domestic banking system.
Insurers grapple with cyber-attacks that spill over into physical
damage - AS HACKERS wreak havoc with depressing regularity, the
insurance industry finds itself forced to contemplate a whole new
set of risks.
White House Plans to Retire Outdated Cyber Regulations - White House
cyber officials have identified 63 different policy directives,
regulations or other requirements they plan to retire, the
government’s chief information security officer said Wednesday.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Erasmus University breach wider than first announced - Rotterdam,
Netherlands-based Erasmus University announced a breach a few weeks
ago, but at that time it was believed not much more than student
names, addresses and logins were stolen. However, yesterday further
details were announced.
Misconfigured drive exposes locations of explosives used by oil
industry - Oil company Allied-Horizontal Wireline Services (AHWS)
are reported to have misconfigured a storage device, which has
resulted in the leak of the locations where it stores the explosives
Japan's Shiheido cosmetics firm hit with breach - A Japanese press
agency reported that stolen data includes customers' names and
addresses, as well as financial data – including credit card
information – of as many as 56,000 customers.
Ransomware blamed for cyber attack which forced hospitals to cancel
operations and shut down systems - An NHS hospital trust which was
forced to shut down systems and cancel operations as a result of a
cyberattack has revealed that a ransomware infection was the source
of the problem.
Russian central bank, private banks lose $31 mln in cyber attacks -
Hackers stole more than 2 billion rubles ($31 million) from
correspondent accounts at the Russian central bank and from accounts
in commercial banks, the bank said on Friday, the latest example of
an escalation of cyber attacks on financial institutions around the
DailyMotion breached, 85 million accounts made off with - One of the
internet's foremost video hosting platforms has been breached and
hackers have made off with tens of millions of account details.
Ohio's Henry County hit with ransomware, 17,000 residents affected -
Ohio's Henry County was hit with a ransomware attack on Oct. 31 with
more than 17,000 voting records might have been compromised.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Board and Management Oversight - Principle 1: The
Board of Directors and senior management should establish effective
management oversight over the risks associated with e-banking
activities, including the establishment of specific accountability,
policies and controls to manage these risks. (Part 1 of 2)
Vigilant management oversight is essential for the provision of
effective internal controls over e-banking activities. In addition
to the specific characteristics of the Internet distribution channel
discussed in the Introduction, the following aspects of e-banking
may pose considerable challenge to traditional risk management
1) Major elements of the delivery channel (the Internet and related
technologies) are outside of the bank's direct control.
2) The Internet facilitates delivery of services across multiple
national jurisdictions, including those not currently served by the
institution through physical locations.
3) The complexity of issues that are associated with e-banking and
that involve highly technical language and concepts are in many
cases outside the traditional experience of the Board and senior
In light of the unique characteristics of e-banking, new e-banking
projects that may have a significant impact on the bank's risk
profile and strategy should be reviewed by the Board of Directors
and senior management and undergo appropriate strategic and
cost/reward analysis. Without adequate up-front strategic review and
ongoing performance to plan assessments, banks are at risk of
underestimating the cost and/or overestimating the payback of their
In addition, the Board and senior management should ensure that the
bank does not enter into new e-banking businesses or adopt new
technologies unless it has the necessary expertise to provide
competent risk management oversight. Management and staff expertise
should be commensurate with the technical nature and complexity of
the bank's e-banking applications and underlying technologies.
Adequate expertise is essential regardless of whether the bank's
e-banking systems and services are managed in-house or outsourced to
third parties. Senior management oversight processes should operate
on a dynamic basis in order to effectively intervene and correct any
material e-banking systems problems or security breaches that may
occur. The increased reputational risk associated with e-banking
necessitates vigilant monitoring of systems operability and customer
satisfaction as well as appropriate incident reporting to the Board
and senior management.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION - APPLICATION
2 of 2)
Institution management should consider a number of issues regarding
application-access control. Many of these issues could also apply to
oversight of operating system access:
! Implementing a robust authentication method consistent with the
criticality and sensitivity of the application. Historically, the
majority of applications have relied solely on user IDs and
passwords, but increasingly applications are using other forms of
authentication. Multi-factor authentication, such as token and PKI-based
systems coupled with a robust enrollment process, can reduce the
potential for unauthorized access.
! Maintaining consistent processes for assigning new user access,
changing existing user access, and promptly removing access to
! Communicating and enforcing the responsibilities of programmers
(including TSPs and vendors), security administrators, and business
line owners for maintaining effective application-access control.
Business line managers are responsible for the security and privacy
of the information within their units. They are in the best position
to judge the legitimate access needs of their area and should be
held accountable for doing so. However, they require support in the
form of adequate security capabilities provided by the programmers
or vendor and adequate direction and support from security
! Monitoring existing access rights to applications to help ensure
that users have the minimum access required for the current business
need. Typically, business application owners must assume
responsibility for determining the access rights assigned to their
staff within the bounds of the AUP. Regardless of the process for
assigning access, business application owners should periodically
review and approve the application access assigned to their staff.
! Setting time-of-day or terminal limitations for some applications
or for the more sensitive functions within an application. The
nature of some applications requires limiting the location and
number of workstations with access. These restrictions can support
the implementation of tighter physical access controls.
! Logging access and events.
! Easing the administrative burden of managing access rights by
utilizing software that supports group profiles. Some financial
institutions manage access rights individually and it often leads to
inappropriate access levels. By grouping employees with similar
a common access profile (e.g., tellers, loan operations, etc.),
business application owners and security administrators can better
assign and oversee access rights. For example, a teller performing a
two-week rotation as a proof operator does not need year-round
access to perform both jobs. With group profiles, security
administrators can quickly reassign the employee from a teller
profile to a proof operator profile. Note that group profiles are
used only to manage access rights; accountability for system use is
maintained through individuals being assigned their own unique
identifiers and authenticators.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 9 - Assurance
9.1.2 Selecting Assurance Methods
The accrediting official makes the final decision about how much and
what types of assurance are needed for a system. For this decision
to be informed, it is derived from a review of security, such as a
risk assessment or other study (e.g., certification), as deemed
appropriate by the accrediting official. The accrediting
official needs to be in a position to analyze the pros and cons of
the cost of assurance, the cost of controls, and the risks to the
organization. At the end of the accreditation process, the
accrediting official will be the one to accept the remaining risk.
Thus, the selection of assurance methods should be coordinated with
the accrediting official.
In selecting assurance methods, the need for assurance should be
weighed against its cost. Assurance can be quite expensive,
especially if extensive testing is done. Each method has strengths
and weaknesses in terms of cost and what kind of assurance is
actually being delivered. A combination of methods can often provide
greater assurance, since no method is foolproof, and can be less
costly than extensive testing.
The accrediting official is not the only arbiter of assurance. Other
officials who use the system should also be consulted. (For example,
a Production Manager who relies on a Supply System should provide
input to the Supply Manager.) In addition, there may be constraints
outside the accrediting official's control that also affect the
selection of methods. For instance, some of the methods may unduly
restrict competition in acquisitions of federal information
processing resources or may be contrary to the organization's
privacy policies. Certain assurance methods may be required by
organizational policy or directive.
9.2 Planning and Assurance
Assurance planning should begin during the planning phase of the
system life cycle, either for new systems or a system upgrades.
Planning for assurance when planning for other system requirements
makes sense. If a system is going to need extensive testing, it
should be built to facilitate such testing.
Planning for assurance helps a manager make decisions about what
kind of assurance will be cost-effective. If a manager waits until a
system is built or bought to consider assurance, the number of ways
to obtain assurance may be much smaller than if the manager had
planned for it earlier, and the remaining assurance options may be