Articles

By: (CISA, CISSP)
Publication: The Kansas Banker, August 2018

One of the challenges community banks face in selecting an IT audit partner is the confidence they are comparing apples to apples when reviewing security-testing proposals. Not only do the definitions of terms vary, some audit firms sell an "IT Audit" that is nothing more than a GLBA regulatory compliance audit. Though confirming your Information Security Program meets your examiners' expectations is important, an audit without a thorough internal network assessment really is not an IT audit. Your technical controls like patch management, malware protection, user access controls, Internet content filtering, file access controls, etc. are where the rubber meets the road. If these controls are not functioning as intended, it becomes a moot point that you have them faithfully listed in your InfoSec Risk Assessment and Policies.



By: (Network+, CISA)
Publication: The Kansas Banker, July 2018

Several months ago, I stumbled across a comic that was a perfect representation of the battle institutions and IT departments face every day. It was a boxing ring, with a ring announcer introducing the participants in the corners of the ring. One corner contained firewalls, encryption, antivirus software, and other layers of data security while the opposing corner contained "Dave," a hapless user wearing a shirt emblazoned with the words "Human Error." This comic is both funny, because many of us know a "Dave," and disheartening, because no matter how much money and time are spent on network layout, configuration, and security, the harsh reality is it only takes one user on the other side of the mouse, clicking on the wrong item, to wreak havoc on your network. While incidents are still going to occur, they can be reduced with routine and thorough employee security awareness training.



By: (CISA, CISSP)
Publication: The Kansas Banker, April/May Issue

“The sky is falling.” This is how one security writer described the initial panic experienced by the IT world early this year. Two unprecedented vulnerabilities named Meltdown and Spectre were reported on January 3, 2018.

These two vulnerabilities were and are a big deal because they are hardware vulnerabilities affecting any device with a silicon chip. This includes microprocessors on workstations and servers, mobile phones, tablets, cloud services, and other platforms. There were several matters which made these vulnerabilities seem scarier than other vulnerabilities.

Technical Aspects of the Vulnerabilities



By: (Security+)
Publication: Nebraska Banker, March/April 2018

What is the Internet of Things (IoT)?

For the purposes of this article, you can think of the IoT as the global network of “things” that are connected to the internet. This includes the obvious things (e.g., smartphones, computers, wearables, etc.) and the less obvious (e.g., A.I. devices, office automation, coffeepots, smart TVs, etc.).

If you work in technology, you should be aware of the IoT, as it is certainly a trendy topic. As a trendy and often misunderstood arena, the IoT has not historically been discussed in-depth during security awareness training. This means that even if you are aware of the dangers presented by the IoT, your employees may not be as mindful.



By: (Security+, ISACA Cybersecurity Fundamentals)
Publication: The Kansas Banker, February 2018

You have probably heard this before now, but the greatest threat to an organization's information security is the people. Attackers are aware of the human element, and they create schemes to exploit us. The best way to combat this weakness is to train and test employees.

The goal of information security awareness training is to create a change in employee behavior and to create a security-minded culture inside your institution. A change in culture will not happen overnight, and it may take longer for some employees to make adjustments to their behavior, but it is possible.



By: (CISA, CISSP, CRISC)
Publication: The Nebraska Banker, Jan/Feb 2018

Over the past few years, as cybersecurity threats have risen, the need for financial institutions to designate an Information Security Officer (ISO) has increased.

What does this ISO role look like? In this article, we will examine what the Federal Financial Institutions Examination Council (FFIEC) handbooks say about an information security officer. For the purposes of this article, we will refer to the Chief Information Security Officer, Information Security Officer, and Corporate Information Security Officer similarly, and use the acronym "ISO" to encompass the collection of job titles.


What is an Information Security Officer?



By: (Security+)
Publication: The Community Banker, Winter 2017

The thought of reviewing a financial statement can be scary. While financial statements have similar elements, they are far from standardized and can be complicated to understand. Here are six tips to help simplify the scope of financial statement reviews.

Obtain Financial Statements

The first and easiest step in conducting a successful financial statement review is obtaining the financial statements.

Publicly Traded Companies are required to submit audited financial statements to the Securities and Exchange Commission (SEC) at least annually. The largest and most complex companies submit even more frequently. Often, these financial statements are published online and can be found with a quick web search. I find that searching “[Company Name] Financial Statements” or “[Company Name] Form 10-K” frequently turns up what I need.



By: (Network+, CISA)
Publication: The Kansas Banker, Oct/Nov 2017

From our desktops to our phones, we are a connected society. We check email, social networking sites, news sites, message boards, and a large variety of other websites on a daily basis without thinking about the security implications of having billions of devices connected to countless interconnected servers that are run by people we have never met through an Internet infrastructure that was created without security in mind. While this is scary enough to think of from a personal standpoint, it has even larger implications for businesses that store and transmit confidential company and customer data. There are, however, actions that can be taken to help mitigate some of the security concerns that go hand-in-hand with Internet browsing.



By: (Security+)
Publication: Nebraska Banker, Sept/Oct 2017

A SOC report is one of the most valuable due diligence documents you can obtain from your vendors. A SOC report describes a vendor's systems and indicates if those systems are designed to protect you, as a user. While the first step in obtaining a SOC report from your vendor is fairly simple, the second step involves reviewing the report, which requires a bit more effort.

This article will highlight the basics of reviewing a SOC report. SOC reports have fantastic structure. You can find most of the information you need in the brief Independent Service Auditor's Report section of the document.



By: (GCIH, GPEN, GWAPT)
Publication: The Community Banker, Fall 2017

Recently I took my five-year-old daughter to the doctor for a general wellness check-up and her dreaded kindergarten immunizations. They were the standard immunizations children receive at various points in life. When the nurse was finished, she mentioned that we both needed to get the flu vaccine in a couple of months. I began to think about the flu vaccine. Each fall we hear about it from media, doctors, and pharmacies. The Centers for Disease Control and Prevention website states that the seasonal influenza (flu) vaccine is designed to protect against the three or four influenza viruses research indicates are most likely to spread and cause illness among people during the upcoming flu season. Some years the flu vaccine is very effective since the prediction of flu viruses that would be circulating was right. However, other years the vaccine is not effective at all, resulting in flu outbreaks across the country.
