Tag: information security

  • Compliance Quick Bites – Tests vs. Exercises, and the Resiliency Factor

    Compliance Quick Bites – Tests vs. Exercises, and the Resiliency Factor

    One of several changes implemented in the 2019 FFIEC BCM Examination Handbook is a subtle but important differentiation between a BCMP “test” and an “exercise”. I discussed some of the more material changes here, but we’re starting to see examiner scrutiny into not just if, but exactly what and how you’re testing. According to the…

  • Can We Apply Similar Controls to Satisfy Both GLBA and GDPR?

    Can We Apply Similar Controls to Satisfy Both GLBA and GDPR?

    Hey Guru! Are the Gramm–Leach–Bliley Act (GLBA) and the General Data Protection Regulation (GDPR) similar enough to apply the same or equivalent set of layered controls? My understanding is that GDPR has placed a higher premium on the protection of a narrower definition of data. So, my question is more about whether FFIEC requirements for…

  • Critical Controls for Effective Cyber Defense – Converging Standards?

    Earlier this year the SANS Institute issued a document titled “Critical Controls for Effective Cyber Defense“.  Although not specific to financial institutions, it provides a useful prescriptive framework for any institution looking to defend their networks and systems from internal and external threats.  The document lists the top 20 controls institutions should use to prevent…

  • Risk Assessing iCloud (and other online backups) – UPDATE 2, DropBox

    Update 2 (8/2012) – Cloud-based storage vendor DropBox confirmed recently that a stolen employee password led to the theft of a “project document” that contained user e-mail addresses. Those addresses were then used to SPAM DropBox users.  The password itself was not stolen directly from the DropBox site, but from another site the employee used. …

  • Patch deployment – now or later? (with interactive poll!)

    We recently saw an examination finding that recommended that “Critical Patches be deployed within 24 hours of notice (of patch release)”.  This would seem to contradict the FFIEC guidance in the Information Security Handbook that states that the institution: “Apply the patch to an isolated test system and verify that the patch… (1) is compatible…

  • Risk Managing BYOD (bring your own device)

    Thanks in part to social media, users today often don’t differentiate between work and non-work activities, and they certainly don’t want to have to carry multiple work/non-work devices to keep them connected.    As a result, new multi-function, multi-purpose mobile devices are constantly being added to your secure financial institution network…and often in violation of your…