FFIEC
information technology audits
-
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's perspective
to the FFIEC information technology audit for your bank in
Texas, New Mexico, Colorado, and Oklahoma.
Please email R. Kinney Williams at
examiner@yennik.com from your bank's domain and I will email you information
and fees
FYI
- Five tips for managing remote workers during a pandemic - Is your
organization ready to securely support a wide range of remote
workers in the wake of a global pandemic?
https://www.scmagazine.com/home/opinion/executive-insight/five-tips-for-managing-remote-workers-during-a-pandemic/
Surveillance campaign against Libyans uses fake Johns Hopkins
COVID-19-tracking map - It�s not just opportunistic,
financially-motivated criminals who are seizing on the novel
coronavirus pandemic to conduct cyberattacks. Operators of spyware
are also exploiting the health crisis to boost their surveillance
efforts.
https://www.cyberscoop.com/covid-19-spyware-libya-lookout-johns-hopkins-map/
France warns of new ransomware gang targeting local governments -
CERT France says some local governments have been infected with a
new version of the Pysa (Mespinoza) ransomware.
https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/
NIST asks for public comments on new cybersecurity risk management
document - The National Institute of Standards and Technology is
asking for public comments on a new report that provides insight
into how organizations can integrate cybersecurity into enterprise
risk management.
https://www.fifthdomain.com/civilian/2020/03/20/nist-asks-for-public-comments-on-new-cybersecurity-risk-management-document/
https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8286-draft.pdf
Free cybersecurity tools coming online to protect WFH staffers -
Several cybersecurity firms are going the extra mile to help
customers set up a safe environment for their telecommuting
workforce.
https://www.scmagazine.com/home/security-news/news-archive/coronavirus/free-cybersecurity-tools-coming-online-to-protect-wfh-staffers/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Five billion records exposed in open �data breach database� - More
than five billion records were exposed after a Keepnet Labs
Elasticsearch �data breach database� housing a trove of security
incidents from the last seven years was left unprotected.
https://www.scmagazine.com/home/security-news/database-security/five-billion-records-exposed-in-open-data-breach-database/
Rogers� vendor leaves database open - A third-party service provider
to Rogers Communications left open a database used for marketing
purposes, exposing customer PII.
https://www.scmagazine.com/home/security-news/data-breach/rogers-vendor-leaves-database-open/
https://www.bleepingcomputer.com/news/security/rogers-data-breach-exposed-customer-info-in-unsecured-database/
Food Delivery Website in Germany Targeted by DDoS Attackers -
Malicious individuals targeted a food delivery website located in
Germany with a distributed denial-of-service (DDoS) attack.
https://www.tripwire.com/state-of-security/security-data-protection/food-delivery-website-in-germany-targeted-by-ddos-attackers/
Maze ransomware attackers extort vaccine testing facility - The
cybercriminal gang behind Maze ransomware has been extorting a
UK-based clinical research organization that�s been preparing to
play a potential role in testing vaccine candidates for the novel
coronavirus, despite assurances that they would not harm any health
care organizations during the COVID-19 crisis.
https://www.scmagazine.com/home/security-news/ransomware/maze-ransomware-attackers-extort-vaccine-testing-facility/
FSB contractor breach exposes secret cyber weapons program
leveraging IoT vulnerabilities - The hack of an FSB contractor has
exposed details of the Russian intelligence agency�s cyber weapons
program aimed at exploiting vulnerabilities in IoT devices.
https://www.scmagazine.com/home/security-news/fsb-contractor-breach-exposes-secret-cyber-weapons-program-leveraging-iot-vulnerabilities/
COVID-19 Vaccine Test Center Hit By Cyber Attack, Stolen Data Posted
Online - A medical facility on standby to help test any coronavirus
vaccine has been hit by a ransomware group that promised not to
target medical organizations.
https://www.forbes.com/sites/daveywinder/2020/03/23/covid-19-vaccine-test-center-hit-by-cyber-attack-stolen-data-posted-online/#156e1df18e55
South Carolina Fire Department Servers Disabled by Hacker- Staff at
the Bluffton Township Fire Department discovered they could not log
into their computers Sunday and alerted IT staff, who discovered
that records, files and email communications had been encrypted.
https://www.govtech.com/security/South-Carolina-Fire-Department-Servers-Disabled-by-Hacker.html
Security Breach Disrupts Fintech Firm Finastra - Finastra, a company
that provides a range of technology solutions to banks worldwide,
said today it was shutting down key systems in response to a
security breach discovered this morning.
https://krebsonsecurity.com/2020/03/security-breach-disrupts-fintech-firm-finastra/
Healthcare data breach: Medical device manufacturer discloses
phishing attack - A US-based manufacturer of medical devices for
diabetes patients has revealed that customer data was exposed during
a phishing attack that breached five employee email accounts in
January.
https://portswigger.net/daily-swig/healthcare-data-breach-medical-device-manufacturer-discloses-phishing-attack
FSB contractor breach exposes secret cyber weapons program
leveraging IoT vulnerabilities - The hack of an FSB contractor has
exposed details of the Russian intelligence agency�s cyber weapons
program aimed at exploiting vulnerabilities in IoT devices.
https://www.scmagazine.com/home/security-news/fsb-contractor-breach-exposes-secret-cyber-weapons-program-leveraging-iot-vulnerabilities/
Tupperware site hacked with credit card skimmer - Tupperware hasn�t
yet put a lid on a targeted cyberattack that uses a credit card
skimmer to collect customer payment information at checkout on the
tupperware[.]com site and some of its local sites.
https://www.scmagazine.com/home/security-news/tupperware-site-hacked-with-credit-card-skimmer/
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of Outsourced
Technology Services
Due Diligence in Selecting a Service Provider
Operations and Controls
� Determine adequacy of the
service provider�s standards, policies and procedures relating
to internal controls, facilities management (e.g., access
requirements, sharing of facilities, etc.), security (e.g.,
systems, data, equipment, etc.), privacy protections,
maintenance of records, business resumption contingency
planning, systems development and maintenance, and employee
background checks.
� Determine if the service provider provides sufficient security
precautions, including, when appropriate, firewalls, encryption,
and customer identity authentication, to protect institution
resources as well as detect and respond to intrusions.
� Review audit reports of the service provider to determine
whether the audit scope, internal controls, and security
safeguards are adequate.
� Evaluate whether the institution will have complete and timely
access to its information maintained by the provider.
� Evaluate the service provider�s knowledge of regulations that
are relevant to the services they are providing. (e.g.,
Regulation E, privacy and other consumer protection regulations,
Bank Secrecy Act, etc.).
� Assess the adequacy of the service provider�s insurance
coverage including fidelity, fire, liability, data losses from
errors and omissions, and protection of documents in transit.
Financial Condition
� Analyze the service provider�s
most recent audited financial statements and annual report as
well as other indicators (e.g., publicly traded bond ratings),
if available.
� Consider factors such as how long the service provider has
been in business and the service provider�s market share for a
given service and how it has fluctuated.
� Consider the significance of the institution�s proposed
contract on the service provider�s financial condition.
� Evaluate technological expenditures. Is the service provider�s
level of investment in technology consistent with supporting the
institution�s activities? Does the service provider have the
financial resources to invest in and support the required
technology?
Return to
the top of the newsletter
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
INSURANCE (Part 1 of 2)
Financial institutions have used insurance coverage as an
effective method to transfer risks from themselves to insurance
carriers. Insurance coverage is increasingly available to cover
risks from security breaches or denial of service attacks. For
example, several insurance companies offer e - commerce insurance
packages that can reimburse financial institutions for losses from
fraud, privacy breaches, system downtime, or incident response. When
evaluating the need for insurance to cover information security
threats, financial institutions should understand the following
points:
! Insurance is not a substitute for an effective security program.
! Traditional fidelity bond coverage may not protect from losses
related to security intrusions.
! Availability, cost, and covered risks vary by insurance company.
! Availability of new insurance products creates a more dynamic
environment for these factors.
! Insurance cannot adequately cover the reputation and compliance
risk related to customer relationships and privacy.
! Insurance companies typically require companies to certify that
certain security practices are in place.
Return to the top of
the newsletter
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Section II. Management Controls Chapter 5 - COMPUTER SECURITY
POLICY
5.2 Issue-Specific Policy
Whereas program policy is intended to address the broad
organization-wide computer security program, issue-specific policies
are developed to focus on areas of current relevance and concern
(and sometimes controversy) to an organization. Management may find
it appropriate, for example, to issue a policy on how the
organization will approach contingency planning (centralized vs.
decentralized) or the use of a particular methodology for managing
risk to systems. A policy could also be issued, for example, on the
appropriate use of a cutting-edge technology (whose security
vulnerabilities are still largely unknown) within the organization.
Issue-specific policies may also be appropriate when new issues
arise, such as when implementing a recently passed law requiring
additional protection of particular information. Program policy is
usually broad enough that it does not require much modification over
time, whereas issue-specific policies are likely to require more
frequent revision as changes in technology and related factors take
place.
In general, for issue-specific and system-specific policy, the
issuer is a senior official; the more global, controversial, or
resource-intensive, the more senior the issuer.
5.2.1 Example Topics for Issue-Specific Policy
Both new technologies and the appearance of new threats often
require the creation of issue-specific policies. There are many
areas for which issue-specific policy may be appropriate. Two
examples are explained below.
Internet Access. Many organizations are looking at the
Internet as a means for expanding their research opportunities and
communications. Unquestionably, connecting to the Internet yields
many benefits - and some disadvantages. Some issues an Internet
access policy may address include who will have access, which types
of systems may be connected to the network, what types of
information may be transmitted via the network, requirements for
user authentication for Internet-connected systems, and the use of
firewalls and secure gateways.
E-Mail Privacy. Users of computer e-mail systems have come
to rely upon that service for informal communication with colleagues
and others. However, since the system is typically owned by the
employing organization, from time-to-time, management may wish to
monitor the employee's e-mail for various reasons (e.g., to be sure
that it is used for business purposes only or if they are suspected
of distributing viruses, sending offensive e-mail, or disclosing
organizational secrets.) On the other hand, users may have an
expectation of privacy, similar to that accorded U.S. mail. Policy
in this area addresses what level of privacy will be accorded e-mail
and the circumstances under which it may or may not be read.
Other potential candidates for issue-specific policies include:
approach to risk management and contingency planning, protection of
confidential/proprietary information, unauthorized software,
acquisition of software, doing computer work at home, bringing in
disks from outside the workplace, access to other employees' files,
encryption of files and e-mail, rights of privacy, responsibility
for correctness of data, suspected malicious code, and physical
emergencies. |