Category: From the Field

  • FDIC changing annual IT report to Board?

    Based on recent examination findings, it would appear that the FDIC is changing what they expect to see in the annual information security report to the Board of Directors.  The requirement for the report is established in the FFIEC Information Security Handbook where it states that a written report to the board should describe the…

  • Bank Directors and Officers targeted in 2011

    The final numbers are in for 2011, and it was a record year for Director and Officer (D&O) lawsuits by the FDIC.  In 2011 alone, 264 defendants were named in FDIC lawsuits.  To put that in perspective, that’s more than twice the number sued in the previous 2 years combined.  Some of the most frequently…

  • Another incident management table-top training exercise

    I’ve mentioned before that financial institutions would be wise to use news reports of security incidents as “what if” table-top training exercises.  Here is another one that just occurred a couple of days ago: Test scenario: You receive a subpoena from a government agency requesting financial information on several customers.  The subpoena includes names and…

  • FDIC offers “Insight” on Mobile Banking

    Although not considered official supervisory guidance, the most recent FDIC Supervisory Insights newsletter offers an instructive early look into how the agency might examine this emerging electronic banking delivery method in the future.  (Before you tune out and decide to wait for the formal guidance, remember it was the Winter 2009 issue that first introduced…

  • Thankful for…Dodd-Frank?

    I made a similar post last year about this time, so I thought I would continue the “Thanks-giving” tradition here…and no, I haven’t completely lost my mind about Dodd-Frank.  Let me explain.  Over the past year I’ve had the opportunity to give several presentations to various groups on the impact of Dodd-Frank (DFA) on community…

  • Access Rights a frequent finding

    In reviewing recent audit and examination findings, the issue of access rights and permissions is coming up with increasing regularity.  Making sure that end-users have no more access rights than absolutely necessary to do their job is one of the best information security controls.  According to the FFIEC, formal access rights administration for users consists…