Author: Tom Hinkel

  • Ask the Guru: Vendor vs. Service Provider

    Hey Guru, I recently had an FDIC examiner tell me that we needed to make a better distinction between a vendor and a service provider. His point seemed to be that by lumping them together in our vendor management program we were “over-analyzing” them. He suggested that we should be focused instead only on those few…

  • Critical Controls for Effective Cyber Defense – Converging Standards?

    Earlier this year the SANS Institute issued a document titled “Critical Controls for Effective Cyber Defense”. Although not specific to financial institutions, it provides a useful prescriptive framework for any institution looking to defend its networks and systems from internal and external threats. The document lists the top 20 controls institutions should use to prevent…

  • Ask the Guru: Fedline in the lobby

    Hey Guru, I have a question about Fedline. Will regulators write us up for having Fedline on a PC in the lobby of the bank? Possibly; I have seen that. The issue is the extreme sensitivity of the data processed on that device, so if you want to leave it where it is, your response…

  • Incident Response in an Outsourced World

    UPDATE – On June 6th the FFIEC formed the Cybersecurity and Critical Infrastructure Working Group, designed to enhance communications between and among the FFIEC member agencies as well as other key financial industry committees and councils. The goal of this group will undoubtedly be to increase the defense and resiliency of financial institutions to cyber…

  • The Financial Institutions Examination Fairness and Reform Act – Redux

    This new bill (H.R. 1553), introduced on April 15th, is actually a word-for-word duplicate of H.R. 3461, which I wrote about here. The previous bill died in committee, but H.R. 1553 has a few more sponsors. Now, I know what you are thinking…that there is no such thing as “good” regulation. But bear with…

  • The Problem with PEN Tests

    This is a true story; the names have been changed to protect the guilty. Al Akazam (not his real name) is an IT consultant with a solid background in…