November 16, 2010 6:07 PM
Posted by: David Schneier
Tags: Audit, bcp, compliance, general controls, GLBA, NCUA, regulatory, Regulatory Compliance, risk, risk assessment, Security
My practice recently wrapped up an engagement in which we conducted a tabletop test of a client's business continuity plan. As always with such exercises, it's interesting to find out how much distance exists between what's documented in an institution's policy/program and how business is...
November 2, 2010 2:33 PM
Posted by: David Schneier
Tags: assessment, Audit, controls, GLBA, NCUA, regulatory, Regulatory Compliance, risk assessment
I was in the midst of writing my weekly blog post focusing on threadbare thin compliance efforts when I was distracted by news of a potential terrorist incident. As you likely know by now, it appears that Al-Qaeda was either attempting to send explosive devices onto airplanes or was conducting a...
October 22, 2010 3:20 AM
Posted by: David Schneier
Tags: anti-malware, anti-virus, assessment, Audit, hack, HIPAA, regulations, regulatory, Regulatory Compliance, scanning, vulnerability
I read a blog post last week from my friend Ed Moyle in which he discussed a story about how a professor at the University of North Carolina-Chapel Hill was demoted because a server used in her research project was hacked. A committee had concluded that it was the professor's fault that the...
October 1, 2010 7:41 PM
Posted by: David Schneier
Tags: Audit, bank, banking, compliance, credit union, CU, FDIC, FFIEC, financial, financial institutions, personally identifiable information, regulations, regulatory, Regulatory Compliance, security, PII
Growing up I was a huge fan of the sitcom "The Odd Couple." Some of my favorite catch phrases have in some part been influenced by lines of dialogue that I memorized. One in particular serves as the best pure definition for a phenomenon I encounter frequently enough in my audit/compliance...
September 20, 2010 8:28 PM
Posted by: David Schneier
Tags: Audit, compliance, exam, examination, GLBA, HIPAA, NCUA, NERC, PCI, regulatory, Regulatory Compliance, risk, risk assessment, SOX
I stumbled upon an old nemesis of mine recently and the bad taste it left in my mouth continues to offend my senses.
In an industry where there are standards that define how standards should be written and websites dedicated to dissecting each standard so that everyone can understand what the...
August 25, 2010 4:07 PM
Posted by: David Schneier
Tags: Audit, business continuity, business continuity planning, compliance, FDIC, GLBA, NCUA, penetration test, penetration testing, regulatory, Regulatory Compliance, risk, risk assessment, Security, security awareness, social engineering, Vendor Management, vulnerability test
Summer at home officially ended this morning as my children returned to school. Beyond the fact that I consider it cruel and inhuman punishment to resume academic activities before Labor Day, it also serves as a wake-up call that we're well past mid-year on the traditional calendar and eyeing the...
August 16, 2010 2:43 PM
Posted by: David Schneier
Tags: Audit, bank, banking, cloud, cloud computing, credit union, FDIC, GLBA, merger, NCUA, NPPI, PII, regulatory, Regulatory Compliance, risk, risk assessment
Earlier this month, I blogged about my concerns regarding a drop-off in information security oversight by banking regulators. In this age of safety and soundness first, everything else is second, if at all. It's more than a week later and I'm not feeling any better about things; as a matter of...
August 2, 2010 9:29 PM
Posted by: David Schneier
Tags: Audit, bank, banking, bcp, CISO, compliance, compliance officer, FDIC, FIL, GLBA, information security, regulatory, Regulatory Compliance, Security, vulnerability test
We were watching a baseball game the other night when one of Microsoft's recent IE8 security commercials aired. It's the one where a fictitious bank is set up and people off the street, deceived by its appearance, wind up turning over boat loads of personally identifiable information (PII)...
June 14, 2010 6:57 AM
Posted by: David Schneier
Tags: Audit, compliance, governance, GRC, regulations, Regulatory Compliance, risk, risk assessment
I just had an article published in Information Security magazine on GRC titled "Demystifying governance, risk and compliance." It's a piece...