-
Ask the ISO: What Makes a Good Password?
Hey Chuck! Our auditor is telling us we need longer passwords. I’ve done some reading and asked around on this, and I’ve heard everything from 8 to 15 characters. How long should our passwords be? Ask a simple question, get… a different answer from every person you ask. Frustratingly enough, they all might be right.…
-
COMPLIANCEGURU.COM WEBSITE PRIVACY POLICY STATEMENT
Safe Systems is committed to maintaining the privacy of your personal information. The following discloses our information gathering and dissemination practices for this site. This policy applies strictly to interactions with the complianceguru.com website (wholly owned and operated by Safe Systems, Inc.), and does not apply to any other services provided by Safe Systems, Inc.…
-
Ask the ISO — How Can I Manage Email Risks?
Hey Chuck, a bank I used to work for had a bad scare recently – they got hit with ransomware!! Best they can tell, an email attachment was the culprit. That bank is very similar to my current bank, and I thought they had a solid Information Security program while I was there. As the…
-
Ask the Guru: Cybersecurity “Risk Appetite”
Hey Guru, I saw multiple references to the term “risk appetite” in the FFIEC Cybersecurity Assessment Tool. What exactly is risk appetite, and how can I address this in my institution? The just-released Management Handbook contains 10 new references to “risk appetite”, including a requirement that the Board has defined the institution’s risk appetite and its risk tolerance levels.…
-
FFIEC Issues Update to Business Continuity Guidance
The FFIEC just issued new BCP Guidance in the form of a 16-page addendum to the existing 2008 IT Handbook on Business Continuity Planning. It is titled “Appendix J: Strengthening the Resilience of Outsourced Technology Services”, and it has significant implications for both financial institutions and service providers, and across the entire business relationship…
-
Say What You Do…But Do What You Say
Feedback from recent regulatory examinations indicates a potentially troublesome trend: regulators are actually reading your policies. Traditionally, regulatory findings are concentrated in policy weaknesses. Either policies don’t exist (social media and mobile banking, for example), or they do exist but need “expansion”. (“Expansion” is a vague and often-used term in examination findings to indicate a…