Earlier this year the SANS Institute issued a document titled “Critical Controls for Effective Cyber Defense“. Although not specific to financial institutions, it provides a useful prescriptive framework for any institution looking to defend their networks and systems from internal and external threats. The document lists the top 20 controls institutions should use to prevent […]
Risk Assessing iCloud (and other online backups) – UPDATE 2, DropBox
Update 2 (8/2012) – Cloud-based storage vendor DropBox confirmed recently that a stolen employee password led to the theft of a “project document” that contained user e-mail addresses. Those addresses were then used to SPAM DropBox users. The password itself was not stolen directly from the DropBox site, but from another site the employee used. […]
Patch deployment – now or later? (with interactive poll!)
We recently saw an examination finding that recommended that “Critical Patches be deployed within 24 hours of notice (of patch release)”. This would seem to contradict the FFIEC guidance in the Information Security Handbook that states that the institution: “Apply the patch to an isolated test system and verify that the patch… (1) is compatible […]
Risk Managing BYOD (bring your own device)
Thanks in part to social media, users today often don’t differentiate between work and non-work activities, and they certainly don’t want to have to carry multiple work/non-work devices to keep them connected. As a result, new multi-function, multi-purpose mobile devices are constantly being added to your secure financial institution network…and often in violation of your […]
FDIC changing annual IT report to Board?
Based on recent examination findings, it would appear that the FDIC is changing what they expect to see in the annual information security report to the Board of Directors. The requirement for the report is established in the FFIEC Information Security Handbook where it states that a written report to the board should describe the […]
The “Security Breach” and your Incident Response Program
Last week Wells Fargo said that some of their customers in South Carolina and Florida received portions of other customers’ bank statements in the mail as the result of a printer error. Essentially a printer malfunction caused some printed statements to contain a portion of another customer’s statement to be appended to the bottom. A […]
Risk Assessing Internet Banking – Two Different Approaches
One of the big “must do” take-aways from the updated FFIEC Authentication Guidance was the requirement for all institutions to conduct risk assessments. Not just prior to implementing electronic banking services, but periodically throughout the relationship if certain factors change, such as: changes in the internal and external threat environment, including those discussed in the […]
Audits vs. Examinations
As I speak with those in financial institutions responsible for responding to audit and examination requests, I find that there is considerable confusion over the differences between the two. And some of this confusion is understandable…there is certainly some overlap between them, but there are also considerable differences in the nature and scope of each […]
Top 5 Compliance Trends for 2011 – Part 5
As I write this, the only case to go to trial of a Bank suing the Merchant over account takeover losses is awaiting the jury’s decision. The result may redefine the liability, and by definition the roles and responsibilities, of both the financial institution and the merchant when it comes to securing electronic transactions. It […]
Dodd-Frank and regulatory compliance
In an excellent article by Lori Moore of ATTUS Technologies, she states that there are multiple reasons why bank examiners may be ramping up scrutiny: “Examiners who may already be on the defensive in regard to criticism about their actions prior to the fall 2008. Examiners who now have the Dodd-Frank Act on their side, […]