Blog: Information Security Management

What We Learned from the FFIEC’s CAT FAQ

02 Nov

In October of this year the Federal Financial Institutions Examination Council (FFIEC) released a Frequently Asked Questions (FAQ) guide for the Cybersecurity Assessment Tool (CAT). Aside from forcing me to cram a large number of acronyms into the title of this article, what does the FAQ tell us? The most important question and response, to me, was whether or not institutions must use the tool. Since Day 1 the FFIEC has maintained the stance that the tool is voluntary. The direct response in the FAQ is “No. Use of the Assessment by institutions is voluntary. Institution management may choose to…

What came first, the chicken or the risk assessment?

20 Apr

If you compare regulatory guidance on cybersecurity risk assessment to the history of information security in the financial industry, there is a good bit of irony. According to pretty much every security standard or regulation that I know of, including the FFIEC’s, the risk assessment is supposed to dictate every aspect of the cybersecurity program, including the IT audit plan. As you may know, IT audits have been in full swing for many years, to the extent that ‘audit’ has become a four-letter word to many IT professionals in the industry. Risk assessment, however, has always been lingering just around the…

EMV Migration and PCI Compliance for Financial Institutions

20 Oct

As more cards move to EMV chips, it makes sense to wonder how this will impact the Payment Card Industry (PCI) Data Security Standard (DSS). A good example can be seen by looking at Europe: in a mature EMV environment the fraud migrated to card-not-present transactions, so the security controls outlined in the standard still apply. And if you think about how the data is used in a financial institution, the point of sale isn’t where financial institutions are involved. EMV provides stronger authentication for in-person transactions, but it doesn’t add protection within the financial institutions where cards are issued and…

Using NIST Cybersecurity Framework to Assess Vendor Security

Vendor due diligence is the process of ensuring that the use of external IT service providers and other vendors does not create unacceptable potential for business disruption or negative impact on business performance. To accomplish this, you need to know company details such as ownership specifics, company size, products offered, and headquarters location. You need to understand the company’s financial position, or more specifically, whether they are financially stable enough to fulfill their obligations for the foreseeable future. You need to know if the vendor will do what they promise. You also need to know how well the vendor is going to protect…

What to Expect in 2015 Audits - Part 2

If you are doing Cybersecurity at a financial institution, there are several key takeaways in NCUA Letter No. 15-CU-01, which was released earlier this year. The first major topic discussed in the letter is Cybersecurity, which includes six critical items:

• Encrypting sensitive data
• Developing a comprehensive information security policy
• Performing due diligence over third parties that handle credit union data
• Monitoring cybersecurity risk exposure
• Monitoring transactions
• Testing security measures

In this two-part blog series I will be looking closer at each…

What to Expect in 2015 Audits

If you handle Cybersecurity at a credit union, bank, or other financial institution, there are several key takeaways from NCUA Letter No. 15-CU-01, released earlier this year. The letter discusses where examiners will focus audit activities this year, and the first major topic is Cybersecurity, which includes six critical items:

• Encrypting sensitive data
• Developing a comprehensive information security policy
• Performing due diligence over third parties that handle credit union data
• Monitoring cybersecurity risk exposure
• Monitoring transactions
• Testing security measures

In…

How to Automate Your Yearly FDIC/NCUA Vendor Due Diligence

Every small bank and credit union, regardless of asset size, has to perform yearly due diligence research on each of its critical vendors. We know as IT security professionals, and you know as banking professionals, that there has to be a more scalable way to manage these relationships, share the information across the organization, and ensure that everyone is held to the same standard. What is Vendor Risk Management? It is the process of ensuring that the use of external service providers and other vendors does not create unacceptable potential for business disruption or negative impact…

The Value of a Virtual CISO

Pressing regulations, daily cyber attacks, complex IT systems, outsourced IT services, and the list goes on. Too much to do and too little time to make it happen. Unfortunately, this is the new normal for executives and managers responsible for Information Security. Cyber attackers and their desire to steal from your organization won’t be going away in the foreseeable future. Nor will regulations intended to protect consumers. Most IT Managers get saddled with the role of Chief Information Security Officer (CISO) because of their technical knowledge, but this creates a conflict of interest. IT people live to get packets from…

FDIC and NCUA Vendor Management Requirements

The NCUA and FDIC requirements for managing third-party relationships (a.k.a. vendors) are fairly straightforward. The problems with meeting compliance, and with protecting an institution, arise when dealing with multiple vendors for critical services: different financial reports, security audit reports, reputation factors, etc. The FDIC and NCUA both require banks and credit unions to:

• Evaluate the overall effectiveness of the third-party relationship and the consistency of the relationship with the financial institution’s strategic goals.
• Review any licensing or registrations to ensure the third party can legally perform its services.
• Evaluate the third party’s financial condition at least…

Introducing our new private Beta product Vendor Intelligence

Rivial has always built its brand by doing quality security work, specializing in Risk Assessments, Business Continuity, and Audits, and now we’d like to announce that a private Beta is underway for our new product, Vendor Intelligence. To provide some context as to why we are creating this product: there are regulatory, legal, and financial reasons to keep tabs on your critical vendors, suppliers, and service providers. Rivial Vendor Intelligence makes it easy to perform quality due diligence without having to do the research yourself. Get accurate, rich data about your vendors in user-friendly reports. Detailed reporting covers Engagement,…
