News Updates by Bradley Martin

Wednesday, March 18, 2015

FFIEC Cybersecurity Priorities for 2015

The FFIEC issued a press release on March 17, 2015, announcing its Cybersecurity Priorities for 2015.

This, combined with the new Appendix J, should have all our teams focused on security issues and technology service providers for this year and the years to come.

Happy St. Patrick’s Day!  

http://www.ffiec.gov/press/pr031715.htm


FFIEC Focuses on Cybersecurity, Will Debut Self-Assessment Tool

The Federal Financial Institutions Examination Council (FFIEC) today provided an overview of its cybersecurity priorities for the remainder of 2015.

The priorities include seven workstreams that stem from last year’s pilot assessment of cybersecurity readiness at more than 500 financial institutions. The planned work includes the development and issuance of a self-assessment tool that financial institutions can use to evaluate their readiness to identify, mitigate and respond to cyber threats. The FFIEC also will enhance their incident analysis, crisis management, training, and policy development and expand their focus on technology service providers’ cybersecurity preparedness. Additionally, the FFIEC will continue to improve its collaboration with other agencies and communicate on the importance of cybersecurity awareness and best practices among financial industry participants and regulators.

Work is underway in the following workstreams:

• Cybersecurity Self-Assessment Tool—The FFIEC plans to issue a self-assessment tool this year to assist institutions in evaluating their inherent cybersecurity risk and their risk management capabilities.

• Incident Analysis—FFIEC members will enhance their processes for gathering, analyzing, and sharing information with each other during cyber incidents.

• Crisis Management—The FFIEC will align, update, and test emergency protocols to respond to system-wide cyber incidents in coordination with public-private partnerships.

• Training—The FFIEC will develop training programs for the staff of its members on evolving cyber threats and vulnerabilities.

• Policy Development—The FFIEC will update and supplement its Information Technology Examination Handbook to reflect rapidly evolving cyber threats and vulnerabilities with a focus on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and incident management and resilience.

• Technology Service Provider Strategy—The FFIEC’s members will expand their focus on technology service providers’ ability to respond to growing cyber threats and vulnerabilities.

• Collaboration with Law Enforcement and Intelligence Agencies—The FFIEC will build upon existing relationships with law enforcement and intelligence agencies to share information on the growing cybersecurity threats and response techniques.

The FFIEC has published several resources to help financial institutions improve their cybersecurity, including additional information regarding the cybersecurity assessment conducted in 2014. They are available on the FFIEC website at http://www.ffiec.gov/cybersecurity.htm.


Friday, February 6, 2015

Financial Regulators Release New Appendix to Business Continuity Planning Booklet Appendix J: Strengthening the Resilience of Outsourced Technology Services

The Federal Financial Institutions Examination Council (FFIEC) members today issued a revised Business Continuity Planning Booklet (BCP Booklet), which is part of the FFIEC Information Technology Examination Handbook (IT Handbook). The update consists of the addition of a new appendix, entitled Strengthening the Resilience of Outsourced Technology Services.

The BCP Booklet contains guidance to assist examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services. The booklet also was designed to provide guidance to financial institutions about the implementation of their business continuity planning processes.

The appendix highlights that a financial institution’s reliance on third-party service providers to perform or support critical operations does not relieve a financial institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner. An effective third-party management program should provide the framework for financial institution management to identify, measure, monitor, and mitigate the risks associated with outsourcing. Specifically, a financial institution should ensure that its third-party service providers do not negatively affect its ability to appropriately recover IT systems and return critical functions to normal operations in a timely manner. The appendix highlights and strengthens the BCP Booklet in four specific areas:

• Third-Party Management
• Third-Party Capacity
• Testing with Third-Party Technology Service Providers
• Cyber Resilience

The IT Handbook is a collaborative effort of the Information Technology Subcommittee of the FFIEC’s Task Force on Supervision. The Information Technology Subcommittee promotes uniform and effective information on technology-related policies and supervisory programs for financial institutions and their service providers. The IT Handbook is available online at http://ithandbook.ffiec.gov/


Thursday, January 29, 2015

Cyber resilience: a financial stability perspective (Bank of England)

"Expect the cyber threat to be ever-present, ever-evolving and networks to be penetrated" - read this speech from the Bank of England, Cyber resilience: a financial stability perspective:


http://www.bankofengland.co.uk/publications/Documents/speeches/2015/speech792.pdf


Wednesday, April 23, 2014

Thomas J. Curry April 16, 2014 OCC Remarks

http://www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-59.pdf

The speech can be found at the link above.

What most thought was going to be a speech on Cybersecurity and the perils of the cloud and use of the Internet, actually turned into a larger concern regarding Third Party Risk Management. 

In summary:

Curry points out that banks' use of third-party technologies is ever increasing and interconnected, and the concern is managing the risk associated with interconnected services and their dependencies. In other words, a single vendor may not be considered critical on its own, but its connections to other applications and the level of dependence may actually add to the risk.

FIs' level of dependence on third parties is an area of deep concern, with Curry pointing out that the OCC has taken “serious enforcement actions” against “some of our large institutions” for mismanagement of third-party relationships.


Thursday, April 10, 2014

FFIEC and Heartbleed 

The FFIEC issued a press release today regarding the Heartbleed vulnerability in OpenSSL.

The vulnerability has been in the wild for 2 years, since the release of OpenSSL 1.0.1 beta, and is patched in 1.0.1g.

http://www.ffiec.gov/press/pr041014.htm

The OpenSSL Security Advisory was issued on April 7, 2014.

https://www.openssl.org/news/secadv_20140407.txt 

And the Tor Project summed it up with its blog post...

Ars Technica's Dan Goodin has a well-written article out on 4/8/2014 giving us more information on the defect. Check out Dan's article here...

History:

• v0.9.8 / July 5, 2005
• v1.0.0 / March 29, 2010
• v1.0.1 / March 14, 2012
    Successor of 1.0.0h
    Supports TLS v1.2
    SRP support
    TLS "Heartbeat", RFC 6520 / February 2012: TLS is based on reliable protocols, but there is not necessarily a feature available to keep the connection alive without continuous data transfer. The Heartbeat Extension as described in this document overcomes these limitations. The user can use the new HeartbeatRequest message, which has to be answered by the peer with a HeartbeatResponse immediately.
• v1.0.1g - Now available
• v1.0.2 - in beta release, coming soon.
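The Heartbeat extension from RFC 6520 listed in the history above is the message format Heartbleed abused: a receiver that trusts the payload_length field and echoes that many bytes back sends memory beyond the message it actually received. The following is an added example and is not code from this page, from the FFIEC, or from the OpenSSL project. It is a small C parser for the RFC 6520 HeartbeatMessage that applies the check RFC 6520 requires (a message whose payload_length is too large for the record must be discarded silently), paired with a response builder that copies only bytes the parser has verified. The function names, the heartbeat_msg struct and the sample messages in main() are constructed for illustration.

```c
/* Added example (not from the page, the FFIEC or OpenSSL): parsing a TLS
 * HeartbeatMessage (RFC 6520) with the payload-length check a receiver must
 * perform before echoing the payload. Names and sample bytes are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST     1   /* heartbeat_request  (RFC 6520, section 3) */
#define HB_RESPONSE    2   /* heartbeat_response */
#define HB_HEADER_LEN  3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PADDING 16  /* RFC 6520: padding_length MUST be at least 16 */

typedef struct {
    uint8_t type;
    uint16_t payload_length;
    const uint8_t *payload;   /* points into the caller's record buffer */
} heartbeat_msg;

/* Parse one HeartbeatMessage carried in a record of rec_len bytes.
 * Returns 0 on success, -1 if the message must be silently discarded.
 * The essential check: the *claimed* payload_length, plus header and
 * minimum padding, must fit inside the bytes actually received. Copying
 * payload_length bytes without this check is the memory-disclosure defect
 * that OpenSSL 1.0.1g fixed. */
int parse_heartbeat(const uint8_t *rec, size_t rec_len, heartbeat_msg *out)
{
    if (rec == NULL || out == NULL)
        return -1;
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                       /* cannot hold even header + padding */

    uint8_t type = rec[0];
    if (type != HB_REQUEST && type != HB_RESPONSE)
        return -1;

    uint16_t plen = (uint16_t)(((uint16_t)rec[1] << 8) | rec[2]);

    /* payload_length is peer-controlled; never let it exceed the record. */
    if ((size_t)HB_HEADER_LEN + plen + HB_MIN_PADDING > rec_len)
        return -1;

    out->type = type;
    out->payload_length = plen;
    out->payload = rec + HB_HEADER_LEN;
    return 0;
}

/* Build the HeartbeatResponse that echoes a parsed request's payload.
 * Returns bytes written, or 0 if the message is not a heartbeat_request or
 * the output buffer is too small. Only parser-verified bytes are copied. */
size_t build_heartbeat_response(const heartbeat_msg *req,
                                uint8_t *out, size_t out_cap)
{
    if (req == NULL || req->type != HB_REQUEST)
        return 0;
    size_t needed = (size_t)HB_HEADER_LEN + req->payload_length + HB_MIN_PADDING;
    if (needed > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(req->payload_length >> 8);
    out[2] = (uint8_t)(req->payload_length & 0xff);
    memcpy(out + HB_HEADER_LEN, req->payload, req->payload_length);
    /* Padding contents are ignored by the peer; zero-fill rather than
     * sending whatever the buffer held before. */
    memset(out + HB_HEADER_LEN + req->payload_length, 0, HB_MIN_PADDING);
    return needed;
}

int main(void)
{
    /* Constructed sample: well-formed request, 4-byte payload "ping",
     * 16 zero bytes of padding (23 bytes total). */
    uint8_t good[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    /* Same 23-byte record, but payload_length claims 65535 bytes. */
    uint8_t bad[23];
    memcpy(bad, good, sizeof bad);
    bad[1] = 0xff;
    bad[2] = 0xff;

    heartbeat_msg m;
    uint8_t resp[64];

    if (parse_heartbeat(good, sizeof good, &m) == 0) {
        size_t n = build_heartbeat_response(&m, resp, sizeof resp);
        printf("well-formed request: payload_length=%u, response=%zu bytes\n",
               m.payload_length, n);
    }
    if (parse_heartbeat(bad, sizeof bad, &m) != 0)
        printf("oversized payload_length rejected: message discarded\n");
    return 0;
}
```

The parser never reads past rec_len, and the response builder takes its length from the struct the parser filled in rather than from the raw bytes, so a request whose length field exceeds the record is dropped before any copy happens.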