Regulatory Reality:

information security


March 6, 2013  5:19 PM

Security Standards: What’s in a name?



Posted by: David Schneier
assess, assessment, assessments, Audit, auditor, audits, CISO, community bank, control, controls, credit union, credit unions, data security, framework, information security, information security office, infrastructure, ISO, risk assess, risk assessment, risk assessments, risk management, risk-based

I had an interesting phone call recently with someone in a CISO-type position.  They were looking for a consultant to help them keep a seat warm working with information security risk assessments and were hoping to find a resource with practical experience using the NIST 800-53 standard.  It was...

October 22, 2012  2:09 PM

Are banks unfairly scrutinized?



Posted by: David Schneier
ACH, assess, assessment, assessments, Audit, auditor, audits, banking, banks, business, CISA, CISO, community bank, compliance, credit unions, CU, exam, examination, examinations, examiner, examiners, exams, FFIEC, financial institutions, general controls, GLBA, identify theft, identity theft, information security, information security office, Information Technology General Controls, internal audit, internal controls, ITGC, NPPI, observations, oversight, personally identifiable informaiton, PII, privacy, risk assess, risk assessment, risk assessments, risk management, risk-based, risks

A few years back when I first cut over to working somewhat exclusively with financial institutions I memorized an elevator speech that still somewhat defines who I am and what I do professionally.  Part of the speech pointed out that my firm helped "banks and credit unions meet regulatory...


September 21, 2012  3:44 PM

Are self-assessments the right way to go?



Posted by: David Schneier
assess, assessment, assessments, Audit, bank, banking, CISO, CISSP, compliance, compliance officer, compliant, credit union, credit unions, CU, disaster, disaster recovery, DR, enterprise risk, enterprise risk management, ERM, exam, examination, examinations, examiner, examiners, exams, framework, governance, GRC, guidance, information security, information security office, infrastructure, ISO, oversight, policy, procedure, regulation, regulations, regulations audit, regulatory, regulatory guidance, risk assess, risk assessment, risk assessments, risk management, risk-based, risks, technology

About a decade ago a family member chastised me for having an auto repair shop do my oil changes for me.  She (yeah, you’re reading that right – “she”) pointed out how ridiculously easy it was to drain the old oil, replace it with the new stuff and check a wide variety of fluid levels,...


August 21, 2012  2:21 PM

Has PayPal lost its collective mind?



Posted by: David Schneier
checking account, checks, credit, credit card, cyber security, data security, hack, hacker, hackers, hacking, identify theft, identity management, identity theft, information security, NPPI, password, password theft, phish, phishing, PII, privacy, regulation, regulations

I'm not much of a shopper.  I decide what it is I need/want to buy, assess the market place to determine quality and price and once I have a generally strong sense for both make a decision and move forward.  My wife on the other hand loves the constant trolling, scouring and scouting of just...


July 29, 2012  6:39 PM

Credit Card Breaches: The times they need a changin’



Posted by: David Schneier
ATM, bank, banking, banks, breach, checking account, community bank, credit, credit card, cyber security, data security, evidence, financial institutions, hack, hacker, hackers, hacking, id theft, identity theft, information security, network, oversight, PCI, personally identifiable informaiton, PII, regulation, regulations, Security, security breach, theft

If my blogging about credit card breaches has a bit of a deja vu feel to it you're not crazy, I last touched on it less than six months ago.  Sadly I was handed a new update this week in the form of my bank card being cancelled from right out underneath me again.   For those of you keeping score...


July 6, 2012  3:18 AM

Risk: The core issue behind regulatory requirements



Posted by: David Schneier
assess, assessment, assessments, Audit, audits, bank, banking, banks, compliance, compliant, control, credit union, credit unions, CU, enterprise risk, enterprise risk management, ERM, exam, examination, examinations, examiner, exams, FDIC, Federal Reserve Bank, FFIEC, financial institutions, framework, FRB, general controls, GLBA, governance, GRC, guidance, information security, information security office, infrastructure, NCUA, PII, policy, procedure, regulation, regulations, regulations audit, risk assessment, risk assessments, Risk IT, risk management, risk rating, risk-based, risks, threats, vendor, Vendor Management, vendor risk, vendor risk assessment

There's a joke of sorts within my personal circle of family and friends regarding what it is that I do these days.  Ask me and I'll tell you that I'm a regulatory compliance expert who advises financial institutions on how to comply with the myriad rules and regulations governing information...


September 5, 2010  5:17 AM

Managing today’s privacy threats and security risks



Posted by: David Schneier
CISO, compliance, Facebook, GLBA, information security, ISO, LinkedIn, NCUA, PII, regulatory, Regulatory Compliance, Security, social network

A few months back, the big blinking light in the middle of the information security radar was a story about how someone had harvested all sorts of personal...

Bookmark and Share     0 Comments     RSS Feed     Email a friend


August 2, 2010  9:29 PM

Where’s the information security oversight?



Posted by: David Schneier
Audit, bank, banking, bcp, CISO, compliance, compliance officer, FDIC, FIL, GLBA, information security, regulatory, Regulatory Compliance, Security, vulnerability test

We were watching a baseball game the other night when one of Microsoft's recent IE8 security commercials aired.  It's the one where a fictitious bank is set up and people off the street, deceived by its appearance, wind up turning over boat loads of personally identifiable information (PII)...


June 25, 2010  4:08 PM

Security pros need to practice vigilance not avoidance



Posted by: David Schneier
controls, firewall, firewalls, hackers, hacking, information security, regulatory, Regulatory Compliance, Security, social network, web filters

A week or so ago, I received an invitation from a professional friend of mine to connect via Facebook.  He's someone whose brain I've picked time and again as he's one of the brightest information security people I've worked with but more importantly, he's also someone who I enjoy talking to, and...


June 17, 2010  3:36 PM

Should it be this easy to bypass network security?



Posted by: David Schneier
cyber security, firewall, information security, network, penetration test, penetration testing, Regulatory Compliance, vulnerability

A few weeks back, I went online to pay my cable bill.  There's a long story behind the struggles I've had in doing so since becoming a customer, but I'll save that for another time.   Part of the longer story, though, involves my bookmarking the sign-on page where I can access my account and make...


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: