R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

Remote offsite and Onsite FFIEC IT Audits

July 9, 2023

Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.
FFIEC IT audits - I am performing FFIEC IT audits for banks and credit unions.  I am a former bank examiner with years of IT auditing experience.  Please contact R. Kinney Williams at examiner@yennik.com from your bank's email and I will send you information and fees.  All correspondence is confidential.


MISCELLANEOUS CYBERSECURITY NEWS:

CISA Eyes C-SCRM Training Resources, Information Hub - The Cybersecurity and Infrastructure Security Agency (CISA) plans to release a training program to help Federal agencies better understand and operationalize cyber supply chain risk management (C-SCRM), CISA’s C-SCRM Project Management Office Lead said today. https://www.meritalk.com/articles/cisa-eyes-c-scrm-training-resources-information-hub/

CISA issues updated cloud security resources for federal agencies - The agency says the new documentation will help government departments implement cloud cybersecurity best practices. https://fedscoop.com/cisa-issues-updated-cloud-security-resources-for-federal-agencies/

Here’s how to use cyber threat intelligence to augment incident response - Security pros use cyber threat intelligence (CTI) in a variety of ways, including to support and augment incident response (IR). https://www.scmagazine.com/perspective/incident-response/heres-how-to-use-cyber-threat-intelligence-to-augment-incident-response

CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:

‘A regional disaster’: Cyberattacks on health care facilities have ripple effects, study says - The authors of the study concluded that the hospital disruptions tied to a cyberattack “should be considered a regional disaster.” https://thehill.com/policy/cybersecurity/4071736-a-regional-disaster-cyberattacks-on-health-care-facilities-have-ripple-effects-study-says/

Siemens Energy, UCLA latest confirmed victims in MOVEit hack - A major energy provider in Europe, a top U.S. vendor for the electric sector and a branch of one of the largest universities in America are the latest entities to be swept up in the MOVEit hack. https://www.scmagazine.com/news/business-continuity/siemens-ucla-victims-moveit


WEB SITE COMPLIANCE - Fair Housing Act
   

   A financial institution that advertises on-line credit products that are subject to the Fair Housing Act must display the Equal Housing Lender logotype and legend or other permissible disclosure of its nondiscrimination policy if required by rules of the institution's regulator.
   
   Home Mortgage Disclosure Act (Regulation C)
   
   The regulations clarify that applications accepted through electronic media with a video component (the financial institution has the ability to see the applicant) must be treated as "in person" applications. Accordingly, information about these applicants' race or national origin and sex must be collected. An institution that accepts applications through electronic media without a video component, for example, the Internet or facsimile, may treat the applications as received by mail.



FFIEC IT SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet." 
    
    SECURITY MEASURES

    
    Firewalls  - Description, Configuration, and Placement 

    
    A firewall is a combination of hardware and software placed between two networks through which all traffic, regardless of direction, must pass. When employed properly, it is a primary security measure in governing access control and protecting the internal system from compromise. 
    
    The key to a firewall's ability to protect the network is its configuration and its location within the system. Firewall products do not afford adequate security protection as purchased. They must be set up, or configured, to permit or deny the appropriate traffic. To provide the most security, the underlying rule should be to deny all traffic unless expressly permitted. This requires system administrators to review and evaluate the need for every permitted activity, as well as who may need to use it. For example, to protect against Internet protocol (IP) spoofing, data arriving from an outside network that claims to originate from an internal computer should be denied access. Alternatively, particular systems could be denied access based on their IP address alone, regardless of where the request originates. Requests that pass these checks could then be evaluated based on what information was requested and where in the internal system it was requested from. For instance, incoming FTP requests may be permitted, but outgoing FTP requests denied.

    
    Often, there is a delicate balance between what is necessary to perform business operations and the need for security. Due to the intricate details of firewall programming, the configuration should be reassessed after every system change or software update. Even if the system or application base does not change, the threats to the system do. Evolving risks and threats should be routinely monitored and considered to ensure the firewall remains an adequate security measure. If the firewall system should ever fail, the default should deny all access rather than permit the information flow to continue. Ideally, firewalls should be installed at any point where a computer system comes into contact with another network. The firewall system should also include alerting mechanisms to identify and record successful and attempted attacks and intrusions. In addition, detection mechanisms and procedures should include the generation and routine review of security logs.
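The following is an added example, not FDIC or Yennik code, that implements the four controls the passage above calls for in a small first-match packet filter: deny-all-unless-expressly-permitted as the default, an anti-spoofing rule that drops external traffic claiming an internal source, the FDIC's own FTP example (inbound permitted, outbound denied), fail-closed behaviour when a rule cannot be evaluated, and a log entry for every decision so that denials can be routinely reviewed. The interface names `ext`/`int`, the 10.0.0.0/8 internal range, and the sample packets are assumptions constructed for the example.

```python
# Added example (not FDIC or Yennik code): a toy first-match packet filter that
# implements the guidance above: default deny, an anti-spoofing rule on the
# external interface, explicit per-direction FTP rules, fail-closed on error,
# and a log entry for every decision. Interface names, addresses and the
# 10.0.0.0/8 internal range are assumptions for the example.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed internal address space
EXT, INT = "ext", "int"                   # assumed interface names


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: str  # "permit" or "deny"


@dataclass
class Firewall:
    rules: List[Rule]
    log: List[str] = field(default_factory=list)

    def decide(self, pkt: Packet) -> str:
        """First matching rule wins; no match, or any error, means deny."""
        try:
            for rule in self.rules:
                if rule.match(pkt):
                    return self._record(rule.action, rule.name, pkt)
        except Exception as exc:
            # Fail closed: a rule that cannot be evaluated never lets traffic through.
            return self._record("deny", f"fail-closed ({type(exc).__name__})", pkt)
        return self._record("deny", "default-deny", pkt)

    def _record(self, action: str, reason: str, pkt: Packet) -> str:
        # Both permitted and denied traffic is logged for routine review.
        self.log.append(f"{action.upper():6} {reason:28} {pkt.iface} "
                        f"{pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport}")
        return action


def build_firewall() -> Firewall:
    return Firewall(rules=[
        # Anti-spoofing: traffic from outside claiming an internal source address.
        Rule("anti-spoof",
             lambda p: p.iface == EXT and ip_address(p.src) in INTERNAL_NET,
             "deny"),
        # The FDIC example: incoming FTP permitted, outgoing FTP denied.
        Rule("inbound-ftp",
             lambda p: p.iface == EXT and p.proto == "tcp" and p.dport == 21,
             "permit"),
        Rule("outbound-ftp",
             lambda p: p.iface == INT and p.proto == "tcp" and p.dport == 21,
             "deny"),
        # One expressly permitted outbound service; all else falls to default deny.
        Rule("outbound-https",
             lambda p: p.iface == INT and ip_address(p.src) in INTERNAL_NET
             and p.proto == "tcp" and p.dport == 443,
             "permit"),
    ])


# Constructed sample traffic (not captured data).
SAMPLE = {
    "spoofed-inbound": Packet(EXT, "10.1.2.3", "10.0.0.5", "tcp", 443),
    "inbound-ftp":     Packet(EXT, "203.0.113.7", "10.0.0.5", "tcp", 21),
    "outbound-ftp":    Packet(INT, "10.0.0.9", "198.51.100.4", "tcp", 21),
    "outbound-https":  Packet(INT, "10.0.0.9", "198.51.100.4", "tcp", 443),
    "inbound-dns":     Packet(EXT, "203.0.113.7", "10.0.0.5", "udp", 53),
    "malformed-src":   Packet(EXT, "not-an-address", "10.0.0.5", "tcp", 80),
}


def run_sample(fw: Optional[Firewall] = None) -> Dict[str, str]:
    fw = fw or build_firewall()
    return {name: fw.decide(pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    fw = build_firewall()
    for name, action in run_sample(fw).items():
        print(f"{name:16} {action}")
    print("\n".join(fw.log))
```

Rule order matters: the anti-spoofing rule sits first so that a spoofed internal source is rejected before any permit rule can match it, and the `malformed-src` packet shows why the error path must deny rather than skip the rule. The same structure (anti-spoof first, explicit permits, logged default deny) is what a production ruleset should reproduce, and the passage's point about reassessing after every change applies to the rule list here as much as to a vendor product.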



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
  
  Section II. Management Controls Chapter 5 - COMPUTER SECURITY POLICY
  
  5.2 Issue-Specific Policy
  
  Whereas program policy is intended to address the broad organization-wide computer security program, issue-specific policies are developed to focus on areas of current relevance and concern (and sometimes controversy) to an organization. Management may find it appropriate, for example, to issue a policy on how the organization will approach contingency planning (centralized vs. decentralized) or the use of a particular methodology for managing risk to systems. A policy could also be issued, for example, on the appropriate use of a cutting-edge technology (whose security vulnerabilities are still largely unknown) within the organization. Issue-specific policies may also be appropriate when new issues arise, such as when implementing a recently passed law requiring additional protection of particular information. Program policy is usually broad enough that it does not require much modification over time, whereas issue-specific policies are likely to require more frequent revision as changes in technology and related factors take place.
  
  In general, for issue-specific and system-specific policy, the issuer is a senior official; the more global, controversial, or resource-intensive, the more senior the issuer.
  
  5.2.1 Example Topics for Issue-Specific Policy
  
  Both new technologies and the appearance of new threats often require the creation of issue-specific policies.  There are many areas for which issue-specific policy may be appropriate. Two examples are explained below.
  
  Internet Access. Many organizations are looking at the Internet as a means for expanding their research opportunities and communications. Unquestionably, connecting to the Internet yields many benefits - and some disadvantages. Some issues an Internet access policy may address include who will have access, which types of systems may be connected to the network, what types of information may be transmitted via the network, requirements for user authentication for Internet-connected systems, and the use of firewalls and secure gateways.
  
  E-Mail Privacy. Users of computer e-mail systems have come to rely upon that service for informal communication with colleagues and others. However, since the system is typically owned by the employing organization, from time to time management may wish to monitor an employee's e-mail for various reasons (e.g., to be sure that it is used for business purposes only, or because the employee is suspected of distributing viruses, sending offensive e-mail, or disclosing organizational secrets). On the other hand, users may have an expectation of privacy, similar to that accorded U.S. mail. Policy in this area addresses what level of privacy will be accorded e-mail and the circumstances under which it may or may not be read.
  
  Other potential candidates for issue-specific policies include: approach to risk management and contingency planning, protection of confidential/proprietary information, unauthorized software, acquisition of software, doing computer work at home, bringing in disks from outside the workplace, access to other employees' files, encryption of files and e-mail, rights of privacy, responsibility for correctness of data, suspected malicious code, and physical emergencies.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.