Frequently Asked Questions to Supplement - OCC Bulletin 2013-29 -
The Office of the Comptroller of the Currency (OCC) is issuing
frequently asked questions (FAQ) to supplement OCC Bulletin 2013-29,
“Third-Party Relationships: Risk Management Guidance,” issued
October 30, 2013.
The Behavioral Economics of Why Executives Underinvest in
Cybersecurity - Determining the ROI for any cybersecurity
investment, from staff training to AI-enabled authentication
managers, can best be described as an enigma shrouded in mystery.
Cybercriminals switch from automated attacks methods to targeting
humans - It would seem people are their own worst enemy when it
comes to protecting their data and cybercriminals have fully taken
advantage of this fact.
Quantum-powered random numbers could provide key to better
cryptography - True randomness is impossible to achieve with
conventional hardware, and some applications are terrible at it, but
are our current random number generators 'good enough' and is it
worth using quantum technology to achieve better randomness?
Memory-based attacks on printers on the rise, says HP - Increase in
use of printers as an attack vector for hackers: recommended that
purchasing decisions include security considerations, not just
Crying wolf: Combatting cybersecurity alert fatigue - Not only must
security pros contend with ever-increasing attacks to their
networks, they also must finagle the tool sets guarding their
systems to make certain settings are as they should be, reports Greg
Government System Integrators Where Cybersecurity Ninjas Most Want
To Work - Using a metric identified in the 2016 Center for Strategic
and International Studies (CSIS) report Recruiting and Retaining
Cyber Ninjas, we identified 57 large government IT system
integrators that have built teams of cyber ninjas at rates ahead of
their peers and eight of those firms that have had remarkable
success in recruiting and retaining ninjas.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- China-based Apple contractors caught selling customer data -
Authorities in China have unmasked a massive underground market
where Apple contractors were selling user data of Apple's Chinese
Al Jazeera sites being hacked, FBI assisting in investigation - An
FBI team is onsite in Qatar following "systematic and continual
hacking attempts" on the websites and other digital platforms of the
Al Jazeera Media Network.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series
regarding FDIC Supervisory Insights regarding
Programs. (4 of 12)
Assessing security incidents and identifying the unauthorized
access to or misuse of customer information essentially involve
organizing and developing a documented risk assessment process for
determining the nature and scope of the security event. The goal is
to efficiently determine the scope and magnitude of the security
incident and identify whether customer information has been
Containing and controlling the security incident involves
preventing any further access to or misuse of customer information
or customer information systems. As there are a variety of potential
threats to customer information, organizations should anticipate the
ones that are more likely to occur and develop response and
containment procedures commensurate with the likelihood of and the
potential damage from such threats. An institution's information
security risk assessment can be useful in identifying some of these
potential threats. The containment procedures developed should focus
on responding to and minimizing potential damage from the threats
identified. Not every incident can be anticipated, but institutions
should at least develop containment procedures for reasonably
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
SERVICE PROVIDER OVERSIGHT - SAS 70 REPORTS
Frequently TSPs or user groups will contract with an accounting
firm to report on security using Statement on Auditing Standards 70
(SAS 70), an auditing standard developed by the American Institute
of Certified Public Accountants. SAS 70 focuses on controls and
control objectives. It allows for two types of reports. A SAS 70
Type I report gives the service provider's description of controls
at a specific point in time, and an auditor's report. The auditor's
report will provide an opinion on whether the control description
fairly presents the relevant aspects of the controls, and whether
the controls were suitably designed for their purpose.
A SAS 70 Type II report expands upon a Type I report by addressing
whether the controls were functioning. It provides a description of
the auditor's tests of the controls. It also provides an expanded
auditor's report that addresses whether the controls that were
tested were operating with sufficient effectiveness to provide
reasonable, but not absolute, assurance that the control objectives
were achieved during the specified period.
Financial institutions should carefully evaluate the scope and
findings of any SAS 70 report. The report may be based on different
security requirements than those established by the institution. It
may not provide a thorough test of security controls unless
requested by the TSP or augmented with additional coverage.
Additionally, the report may not address the effectiveness of the
security process in continually mitigating changing risks.
Therefore, financial institutions may require additional reports to
oversee the security program of the service provider.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.2 Step 2: Identifying the Resources That Support Critical
Support Critical Functions:
! Human Resources
! Processing Capability
! Computer-Based Services
! Data and Applications
! Physical Infrastructure
! Documents and Papers
People are perhaps an organization's most obvious resource. Some
functions require the effort of specific individuals, some require
specialized expertise, and some only require individuals who can be
trained to perform a specific task. Within the information
technology field, human resources include both operators (such as
technicians or system programmers) and users (such as data entry
clerks or information analysts).
11.2.2 Processing Capability
Contingency Planning Teams - To understand what resources
are needed from each of the six resource categories and to
understand how the resources support critical functions, it is often
necessary to establish a contingency planning team. A typical team
contains representatives from various organizational elements, and
is often headed by a contingency planning coordinator. It has
representatives from the following three groups:
1) business-oriented groups , such as representatives from
2) facilities management; and
3) technology management.
Various other groups are called on as needed including financial
management, personnel, training, safety, computer security, physical
security, and public affairs.
Traditionally contingency planning has focused on processing power
(i.e., if the data center is down, how can applications dependent on
it continue to be processed?). Although the need for data center
backup remains vital, today's other processing alternatives are also
important. Local area networks (LANs), minicomputers, workstations,
and personal computers in all forms of centralized and distributed
processing may be performing critical tasks.
Please don't hesitate to email me (firstname.lastname@example.org)
if you have any questions.
Have a great week,
CFE, CISM, CGEIT, CRISC
IT Security Auditor
Our cybersecurity pen-test firewall audit
meets the independent diagnostic test
requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with
Bliley Act 501(b).
a hacker's perspective, which will help
your IT staff identify real-world weaknesses.
There is no charge if you are not satisfied with our service.
For more information, please call R. Kinney Williams at 806-798-7119, send
an email to
email@example.com, or visit
Information Systems Audit and Control Association
Society of Financial Examiners
Association of Credit Union Internal Auditors
The Institute of Internal Auditors