Sharpening Your Vendor Management Tools
Because financial institutions rely heavily on vendors to perform tasks involving confidential information, the FFIEC makes us responsible for governing the vendor process. An effective vendor management program will identify, measure, monitor, control, and escalate the risks associated with vendor relationships. Meanwhile, the tools we use to measure vendor risk are improving. The SAS70 is being replaced with the SSAE-16. Service Organizations Control (SOC) reports are internal control reports on the services provided by a service organization. SOC reports provide valuable information users need to assess & address the risks associated with an outsourced service. In addition, examiners are clarifying what is meant by a Critical Vendor, and the tools we use to manage the vendor due diligence process have improved.
WordPress Announces Security Incident
According to a post on WordPress’ blog, Automattic [which runs the WordPress blogs] had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
Hadaway to Speak at EPCOR Payments Conference
We are pleased to announce that Dan Hadaway has been selected as a remunerated speaker for two sessions at this year’s EPCOR Payment Conference. The EPCOR Payments Conference is the premier conference events for payments professionals from financial institutions throughout the central United States.
Gone Phishing!
Due to recent events (RSA’s SecurID breach), I thought it would be prudent to create a “phishing” awareness poster.
‘Tricked’ RSA Worker Opened Backdoor to APT Attack
According to an article posted by govinfosecurity.com, a well-crafted e-mail with the subject line “2011 Recruitment Plan” tricked an RSA employee to retrieve from a junk-mail folder and open a message containing a virus that led to a sophisticated attack on the company’s information systems, a top technologist at the security vendor says in a blog.
Actions in Response to RSA Cyber Intrusion
An Information Advisory has been issued by the National Security Agency concerning recommended actions for SecurID users in response to the RSA cyber intrusion.
Fraudulent Emails Claiming to be from NACHA
he Electronic Payments Association has received reports that individuals and/or companies continue to receive fraudulent emails that have the appearance of having been sent from NACHA. These emails vary in content and appear to be transmitted from email addresses associated with the NACHA domain (@ nacha.org). Some bear the name of fictitious NACHA employees and/or departments.
Another Fraudulent E-mail [From the FDIC]
The Federal Deposit Insurance Corporation (FDIC) has received numerous reports of a fraudulent e-mail that has the appearance of being sent from the FDIC.
The e-mail appears to be sent from “[email protected]” and includes a subject line that states: “About your business account.”
Protected: Mobile Banking Tools
There is no excerpt because this is a protected post.
Reorganization of FinCEN’s Bank Secrecy Act Regulations
The FDIC, in conjunction with the other federal banking agencies and the State Liaison Committee of the Federal Financial Institutions Examination Council, is issuing a statement regarding the revision of the Bank Secrecy Act (BSA) regulations effective March 1, 2011. The rule does not alter existing BSA regulatory obligations or impose new requirements. However, banks may need to revise existing policies, procedures, and software monitoring systems to reflect the new citations.