Blog: Security and Compliance

In September 2016, the Federal Financial Institutions Examination Council (FFIEC) released an updated Information Security Booklet as part of the IT Examination Handbook. Among other contemporary concepts, the FFIEC placed increased emphasis on the role of Information Security Officers (ISOs) in financial institutions. In section I.B, Responsibility and Accountability (page 5), the FFIEC lists six key qualities of the ISO role. Here are the six qualities and a brief interpretation of how each can be applied in your organization.

1. Sufficient Authority

Each ISO should have sufficient authority to perform their assigned tasks. While the ISO ultimately reports to the board or senior management, they must also be a trusted employee (or group of employees) authorized to make organization-altering decisions on their own. In short, your ISO should be someone you can, and will, trust.

2. Stature within the Organization

Each ISO should have stature within the organization to perform their assigned tasks. In addition to being a trustworthy part of the organization, the ISO should also be a respected part of the organization. The role of the ISO is a position that should be held with esteem. This is a tone that is set from the top. If the board and senior management respect the role of the ISO, the organization's employees will respect it, as well.

3. Knowledge

Each ISO should have the knowledge to perform their assigned tasks. The ISO is tasked with oversight of the information security program. This is a broad scope that requires knowledge of the physical, technical, and administrative functions of the organization. If no single employee has sufficient knowledge to make decisions in each of these areas, it may be wise to appoint multiple individuals to fill the organization's ISO role as a committee.

4. Background

Each ISO should have the background to perform their assigned tasks. As with knowledge, the ISO should have a history in information security. An employee can be trustworthy, respected, and knowledgeable about information security, yet lack a foundation of experience. Information security is an ever-changing field, and appointing an ISO who has no experience in it is a risk to the organization's information security.

5. Training

Each ISO should have continued training to perform their assigned tasks. Since the field is ever-changing, it should not be assumed that the ISO already has all the training required to perform their duties. As the threat environment changes, as new controls are implemented, and as the industry advances, the board and senior management should expect the ISO, or members of the ISO team, to further their education through training.

6. Independence

Each ISO should have independence to perform their assigned tasks. It is best to avoid conflicts of interest when selecting an ISO. For example, while knowledge of information technology (IT) is important, the ISO should not be the person responsible for implementing the organization's IT function. For community financial institutions this is not always practical, so if your organization finds independence difficult, it may be beneficial to appoint individuals from various departments to fill the ISO role as a committee.

In Summary…

While the FFIEC may not be very prescriptive when it comes to appointing an ISO, by ensuring your organization's ISO is trustworthy, respectable, knowledgeable, experienced, interested in learning, and independent of other functions in the organization, your organization can lay the foundation for an effective information security program.

On September 9th, 2016, the Federal Financial Institutions Examination Council (FFIEC) released a revised Information Security Booklet. This booklet is one of eleven booklets that make up the FFIEC Information Technology Examination Handbook (FFIEC IT Handbook). The IT Handbook is designed to provide information and reference material to financial institutions and examiners. The Information Security Booklet specifically “provides guidance to examiners and addresses factors necessary to assess the level of security risks to a financial institution’s information systems.”

To learn more about the new FFIEC Information Security Booklet, join us for a webinar on October 11th at 2:00pm CDT.

To see other webinars offered by CoNetrix, visit our webinars page.

About the FFIEC: The FFIEC was established in 1979 per Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978. The FFIEC is comprised of the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), the State Liaison Committee (SLC), and the Consumer Financial Protection Bureau (CFPB).

Here are two links to articles discussing NIST's move to discourage the use of SMS for multi-factor authentication. The NIST special publication itself says:

“If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”

https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/

https://www.engadget.com/2016/07/29/sms-two-factor-authentication-isn-t-being-banned/
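The two SHALL clauses in the quoted text are implementable rules, so here is an added example (not code from NIST or from the original post) of an out-of-band SMS verifier that enforces them. Everything beyond the quote is an assumption of this example: the carrier-type lookup is a constructed in-memory table standing in for a real number-type lookup service, the subscriber numbers are made up, and "two-factor authentication at the time of the change" is modelled as a valid TOTP code (RFC 6238, built on RFC 4226 HOTP).

```python
"""Out-of-band (OOB) SMS verifier enforcing the two SHALL rules quoted above.
Added example; not code from NIST, CoNetrix or the original post.

Assumptions not taken from the page: CARRIER_LOOKUP is a constructed stand-in
for a real carrier/number-type lookup service, and the second factor required
for a number change is a TOTP code (RFC 6238 over RFC 4226 HOTP, 30 s step)."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Constructed sample lookup: E.164 number -> line type (stand-in for a lookup service).
CARRIER_LOOKUP = {
    "+15555550100": "mobile",
    "+15555550101": "voip",      # software-based number: must be refused for SMS OOB
    "+15555550102": "landline",  # cannot receive SMS at all
    "+15555550103": "mobile",
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, unix_time // step, digits)


class OobSmsVerifier:
    """Holds one subscriber's pre-registered number and TOTP secret."""

    def __init__(self, totp_secret: bytes, lookup=CARRIER_LOOKUP):
        self.totp_secret = totp_secret
        self.lookup = lookup
        self.phone: Optional[str] = None  # pre-registered telephone number, set at enrolment

    def is_mobile(self, number: str) -> bool:
        # Rule 1: the number SHALL belong to a mobile network, not a VoIP/software
        # service. Numbers the lookup does not know fail closed.
        return self.lookup.get(number) == "mobile"

    def verify_totp(self, code: str, unix_time: int) -> bool:
        """Accept the current step and one step either side, with constant-time compares."""
        return any(
            hmac.compare_digest(totp(self.totp_secret, unix_time + drift * 30), code)
            for drift in (-1, 0, 1)
        )

    def register_number(self, number: str) -> bool:
        """Initial enrolment of a number (only allowed while none is registered)."""
        if self.phone is not None or not self.is_mobile(number):
            return False
        self.phone = number
        return True

    def change_number(self, new_number: str, totp_code: str, unix_time: int) -> bool:
        # Rule 2: changing the pre-registered number SHALL NOT be possible without
        # two-factor authentication at the time of the change.
        if self.phone is None or not self.verify_totp(totp_code, unix_time):
            return False
        if not self.is_mobile(new_number):
            return False
        self.phone = new_number
        return True

    def issue_oob_code(self) -> Optional[str]:
        """Generate the one-time code to send by SMS; refuse unless the number is still mobile."""
        if self.phone is None or not self.is_mobile(self.phone):
            return None  # re-checked at send time: a number can be ported to VoIP after enrolment
        return f"{secrets.randbelow(10 ** 6):06d}"


if __name__ == "__main__":
    v = OobSmsVerifier(b"12345678901234567890")
    print(v.register_number("+15555550101"))  # VoIP number is refused
    print(v.register_number("+15555550100"))  # mobile number is accepted
    now = 1_400_000_000
    print(v.change_number("+15555550103", totp(v.totp_secret, now), now))  # allowed with a valid TOTP
```

The lookup is re-run at send time as well as at enrolment because a number that was mobile when registered can later be ported to a VoIP provider; the quoted rule applies to the number "being used", not only to the one on file.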

During preparation for a meeting with a bank customer, I searched for their name to investigate any new Internet presence not previously documented. I found an unofficial Facebook page containing postings from May 2012 related to someone “checking in” at the bank’s location. At that time, if no Facebook page existed and someone checked in, Facebook would create an “Unofficial Page” to act as a container for the associated comments.

Further research indicated this was a common Facebook practice at the time but is no longer done; pages that were created this way, however, continue to exist. When I shared this information with the bank, they had no knowledge of the Facebook page.

There is potential reputational risk here: if someone posts negative comments, the institution has no way to remove them, because it has no administrative access to the page.

Information on "claiming" these pages is located at https://www.facebook.com/help/community/question/?id=649876991815701

Today the FFIEC released a Cybersecurity Assessment Tool to help financial institutions identify their risks and assess their cybersecurity preparedness. The assessment tool is designed to provide a repeatable and measurable process for banks and credit unions to measure their cybersecurity preparedness over time.

The FFIEC tool consists of PDF documents: an Overview for Chief Executive Officers and Boards of Directors, a User's Guide, an Inherent Risk Profile, a Cybersecurity Maturity assessment, and Additional Resources.

CoNetrix is working on a free online, interactive tool to assist banks and credit unions in completing the new FFIEC cybersecurity assessment. This easy-to-use SaaS application will allow financial institutions to answer the questions provided in the FFIEC documents, view and analyze inherent risk and cybersecurity maturity, and run various reports. To learn more about the new Tandem Cybersecurity tool, visit https://conetrix.com/cybersecurity.

Yesterday, during a webinar titled "Cybersecurity - The Basics", the NCUA provided information on a new Fraud and Cyber Security Initiative grant of up to $7,500 for low-income designated (LID) credit unions. The grant, which must be applied for by June 30, 2015, is designed to help LID credit unions build and enhance their cyber security to protect member information.

To assist credit unions with their information and cyber security needs, CoNetrix has created a webpage with information about the grant, including a few bundled offerings centered on cyber security. Additionally, CoNetrix is sponsoring several free webinars about the grant and our offerings. You can register for the webinars and learn more at www.conetrix.com/ncuagrant/

Today the Federal Financial Institutions Examination Council (FFIEC) issued an update to the FFIEC IT Handbook, BCP Booklet. The update includes a new appendix entitled Strengthening the Resilience of Outsourced Technology Services. The appendix highlights and expands on the BCP Booklet in four specific areas: third-party management, third-party capacity, testing with third-party technology service providers, and cyber resilience. To learn more, visit https://www.ffiec.gov/press/pr020615.htm

On December 3rd, the Texas Bankers Association (TBA), Independent Bankers Association of Texas (IBAT), and SWACHA hosted a cybersecurity event for banking executives, board members, and senior management called “Executive Leadership of Cybersecurity (ELOC)”. At the conference, the Financial Services Information Sharing and Analysis Center (FS-ISAC) announced the availability of a free threat information sharing appliance that financial institutions can use to enter, store, and share threat information. The appliance is called Soltra Edge, and its website says it “takes large amounts of complex threat information across communities, people and devices and analyzes, prioritizes, and routes it to users in real-time.”

Here is some initial information:

  • The appliance is a free download distributed as a virtual machine. It runs CentOS and is accessed via a web interface. Setup appears fairly simple, especially for a customer already running VMware. The database stores information using Structured Threat Information eXpression (STIX), and information can be shared by setting up feeds using the Trusted Automated eXchange of Indicator Information (TAXII) protocol.
  • Making use of the appliance is not as easy as the setup. It is a brand new product that is trying to gain acceptance, so it is still under development and does not yet have all the features its developers eventually intend.
    • The appliance is distributed with an empty database. The financial institution can load threat information through the web interface (manual data entry), import from a CSV file, import from a STIX file, or import from a TAXII feed.
    • Initially, most community financial institutions will likely want to receive threat information from a TAXII feed rather than enter and store/share their own. Each TAXII feed must be set up individually. Here are the ones we know about so far:
      • FS-ISAC has one available, with a couple of caveats: 1) the financial institution will probably need to join FS-ISAC (for pricing information, visit https://www.fsisac.com/join), and 2) the last post on the Soltra forum indicated that this feed needs to be upgraded in order to work with Edge v2.
      • There is a free feed at hailataxii.com, but it is not yet clear who is providing the information or how useful it is.
    • So far, reporting seems very basic. Queries can be entered manually in the web interface, but that was the only reporting feature shown during a Soltra webinar. The Soltra forums have some discussion about integrating the appliance with security information and event management (SIEM) systems such as Splunk, but that is still in development. Also, many community financial institutions do not currently have a SIEM system installed.
    • There are plans to import threat data directly from firewalls, IPS/IDS, etc., but that is also under development, and reporting on that information would still be an issue.
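Since the appliance stores and imports STIX, and the list above notes that reporting and SIEM integration are not there yet, here is an added example (not code from Soltra, FS-ISAC or the original post) of what sits underneath those features: a small parser that reads a STIX 1.x package into plain indicators and runs them over log lines. The package, the indicator values and the log lines are constructed samples; the namespace URIs are the public STIX 1.1 / CybOX 2.1 ones, and only Address and DomainName objects are handled.

```python
"""Parse a STIX 1.x package (the XML format Soltra Edge imports) into plain
indicators and run them over a few log lines. Added example, not code from
Soltra, FS-ISAC or the original post. The package and the log lines are
constructed samples; namespace URIs are those of the STIX 1.1 / CybOX 2.1 schemas."""
import re
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]

# Constructed STIX 1.1.1 package: one IP watchlist (two values) and one domain watchlist.
SAMPLE_STIX = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-1" version="1.1.1">
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-1">
      <indicator:Title>C2 addresses</indicator:Title>
      <indicator:Type>IP Watchlist</indicator:Type>
      <indicator:Observable>
        <cybox:Object>
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value apply_condition="ANY">198.51.100.23##comma##203.0.113.9</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-2">
      <indicator:Title>Phishing domain</indicator:Title>
      <indicator:Type>Domain Watchlist</indicator:Type>
      <indicator:Observable>
        <cybox:Object>
          <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
            <DomainNameObj:Value>bad-updates.example</DomainNameObj:Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

# Constructed log lines (firewall, DNS, proxy) to check against the indicators.
SAMPLE_LOGS = [
    "2014-12-04T10:01:02Z fw allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2014-12-04T10:01:05Z dns query example.internal A",
    "2014-12-04T10:02:11Z proxy GET http://bad-updates.example/login.php",
    "2014-12-04T10:03:00Z fw allow src=10.0.0.7 dst=203.0.113.9 dport=80",
]


def _values(elem):
    """CybOX packs several values into one field separated by the ##comma## delimiter."""
    return [v.strip() for v in (elem.text or "").split("##comma##") if v.strip()]


def parse_indicators(xml_text):
    """Return a list of {id, title, type, kind, value} dicts, one per atomic value."""
    out = []
    for ind in ET.fromstring(xml_text).iterfind(".//stix:Indicator", NS):
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        itype = ind.findtext("indicator:Type", default="", namespaces=NS)
        for props in ind.iterfind(".//cybox:Properties", NS):
            xsi_type = props.get(XSI_TYPE, "")  # concrete CybOX object type
            if xsi_type.endswith("AddressObjectType"):
                kind, nodes = "address", props.findall("AddressObj:Address_Value", NS)
            elif xsi_type.endswith("DomainNameObjectType"):
                kind, nodes = "domain", props.findall("DomainNameObj:Value", NS)
            else:
                continue  # object types this example does not handle (files, URLs, ...)
            for node in nodes:
                for value in _values(node):
                    out.append({"id": ind.get("id"), "title": title, "type": itype,
                                "kind": kind, "value": value})
    return out


def match_logs(indicators, lines):
    """Return (line_no, matched_value, indicator_title) for every log line that hits."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for ind in indicators:
            if ind["kind"] == "address":  # whole address only, not part of a longer one
                pattern = r"(?<![\d.])" + re.escape(ind["value"]) + r"(?![\d.])"
            else:                         # the domain itself or any of its subdomains
                pattern = r"(?<![\w-])" + re.escape(ind["value"]) + r"(?![\w-])"
            if re.search(pattern, line, re.IGNORECASE):
                hits.append((line_no, ind["value"], ind["title"]))
    return hits


if __name__ == "__main__":
    for hit in match_logs(parse_indicators(SAMPLE_STIX), SAMPLE_LOGS):
        print("line %d matched %s (%s)" % hit)
```

The word-boundary lookarounds matter more than they look: a naive substring search would flag 198.51.100.230 for the 198.51.100.23 indicator and notbad-updates.example for the domain, which is exactly the kind of false positive that makes a raw watchlist feed unusable without a SIEM.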

On October 6, 2014, ISACA launched the Cybersecurity Fundamentals Certificate. The Cybersecurity Fundamentals Certificate is aligned with the Skills Framework for the Information Age (SFIA) and the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. It tests for foundational cybersecurity knowledge in five areas:

  1. Cybersecurity concepts
  2. Cybersecurity architecture principles
  3. Cybersecurity of networks, systems, applications and data
  4. The security implications of emerging technology
  5. Incident response

To see ISACA's press release visit http://www.isaca.org/About-ISACA/Press-room/News-Releases/2014/Pages/ISACA-Launches-New-Cybersecurity-Certificate.aspx