Sharpening Your Vendor Management Tools

Because financial institutions rely heavily on vendors to perform tasks involving confidential information, the FFIEC makes us responsible for governing the vendor process. An effective vendor management program will identify, measure, monitor, control, and escalate the risks associated with vendor relationships. Meanwhile, the tools we use to measure vendor risk are improving. The SAS70 is being replaced with the SSAE-16. Service Organizations Control (SOC) reports are internal control reports on the services provided by a service organization. SOC reports provide valuable information users need to assess & address the risks associated with an outsourced service. In addition, examiners are clarifying what is meant by a Critical Vendor, and the tools we use to manage the vendor due diligence process have improved.

WordPress Announces Security Incident

According to a post on WordPress’ blog, Automattic [which runs the WordPress blogs] had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.

Hadaway to Speak at EPCOR Payments Conference

We are pleased to announce that Dan Hadaway has been selected as a remunerated speaker for two sessions at this year’s EPCOR Payment Conference. The EPCOR Payments Conference is the premier conference events for payments professionals from financial institutions throughout the central United States.

Gone Phishing!

Due to recent events (RSA’s SecurID breach), I thought it would be prudent to create a “phishing” awareness poster.

‘Tricked’ RSA Worker Opened Backdoor to APT Attack

According to an article posted by govinfosecurity.com, a well-crafted e-mail with the subject line “2011 Recruitment Plan” tricked an RSA employee to retrieve from a junk-mail folder and open a message containing a virus that led to a sophisticated attack on the company’s information systems, a top technologist at the security vendor says in a blog.

Fraudulent Emails Claiming to be from NACHA

he Electronic Payments Association has received reports that individuals and/or companies continue to receive fraudulent emails that have the appearance of having been sent from NACHA. These emails vary in content and appear to be transmitted from email addresses associated with the NACHA domain (@ nacha.org). Some bear the name of fictitious NACHA employees and/or departments.

Another Fraudulent E-mail [From the FDIC]

The Federal Deposit Insurance Corporation (FDIC) has received numerous reports of a fraudulent e-mail that has the appearance of being sent from the FDIC.

The e-mail appears to be sent from “[email protected]” and includes a subject line that states: “About your business account.”

Reorganization of FinCEN’s Bank Secrecy Act Regulations

The FDIC, in conjunction with the other federal banking agencies and the State Liaison Committee of the Federal Financial Institutions Examination Council, is issuing a statement regarding the revision of the Bank Secrecy Act (BSA) regulations effective March 1, 2011. The rule does not alter existing BSA regulatory obligations or impose new requirements. However, banks may need to revise existing policies, procedures, and software monitoring systems to reflect the new citations.