BOL Conferences
#202611 - 07/09/04 03:54 PM Re: Pending FDIC IT Exam
Anonymous
Unregistered

I have provided supporting information to the poster of the original document. I will not publish this specific information in a public forum. There are a variety of professional codes of conduct and ethics to which I subscribe that prevent me from doing so.

If you recall, my original objection was that this document was posted containing identifiable and sensitive information (information that should have classified the document) about the Bank, its systems and processes. Properly sanitized (all specific Bank and vendor info removed), this document is OK for distribution.

However, I can say that the document by itself yields a moderate amount of intelligence about a number of facets of the Bank’s operations, that heretofore were unknown – that with the introduction of the original document are now known. Known by everyone who saw the original document or downloaded it – if it had not been revoked, the distribution would have been wider.

Using the information in the original document, combined with “other information” (validated vulnerabilities) known by me and others relating to the named service provider, their network designs, implementations, equipment and methods, vendors of that particular service provider – and their products, logical access policies, personnel safety and security practices, schedules of bank activities, etc – allows an individual possessing this information and drawing the correct conclusions the ability to identify and/or perform specific and targeted malicious acts (electronic / physical) against a bank and its employees that could result in a significant information breach or employee harm.

Just because other individuals don’t possess this “other information”, and hence can not draw the same conclusion, does not mean that substantial risk (especially risk in aggregate) does not exist or that this information should not be deemed sensitive and thus classified as such. In fact, relatively more risk exists after the document was posted, than before. I identified at least 1 high risk, system/vendor-based vulnerability that the Bank is now addressing with the proper service providers. This system/vendor-based vulnerability was not discovered by the Bank’s 3rd party IT audit performed by the local CPA firm, the recent OCC IT examination, or the service provider’s MDPS examinations.

Just because regulators examine service providers doesn’t mean that vulnerabilities within the service providers’ systems or their partners’ systems, or the intersection of these systems don’t exist - you would be foolish to believe otherwise.

I also do not appreciate the rudeness expressed by those who on one hand, profess to understand and practice sound risk management and its implications on the banking business model and on the other hand ask that a bank’s specific vulnerabilities be exposed in a public forum and then attempt to insult and chide someone for not posting it. You have missed the point.

Nonetheless, I have enjoyed this discourse.

-g

eBanking / Technology
#202612 - 07/09/04 05:30 PM Re: Pending FDIC IT Exam
Jay-Risk Offline
Gold Star
Joined: May 2004
Posts: 274
New England
Quote:

You have missed the point.

Anon,

There is only one point. It is that we have an anonymous poster who, wanting to save face, continues to cite as his defense some very general textbook-type issues which he maintains caused Jim Pankey, a registered poster, to expose Jim's institution to risk.

The other more important point, obviously overlooked and unaddressed by you, remains the fact that you continue to post anonymously. You seemingly fail to comprehend that in a thread where contributors offer opinions and suggestions regarding internal safeguards and mitigation methods, you, as an anonymous poster, are the risk. It doesn't matter to me if you are an examiner, which I doubted long ago, or worked for the CIA.

You have offered very general, high-level, textbook-type challenges to Jim's matrix which, mind you, was offered by Jim as a helpful hint as part of a general discussion. If there was real risk, something would have already happened...and nothing has happened. It is also noteworthy from Jim's post that your "analysis" was apparently not viewed as earthmoving, if you get my drift.

I don't care what your reason is for not registering, but don't cite textbook risks if you're not willing to abide by these same textbook dictums that also address anonymity. You can't argue basic textbook violations of information resource protection, claiming there is a major risk caused by Jim's posting his matrix, then at the same time feel you're being picked on and spoken to rudely because someone disagrees with your position, or because you won't register. The basic security tenet on any professional workplace thread dealing with sensitive security topics is that one does not discuss these issues, or solutions to same, with a poster who refuses to offer an identifier. Without registration, there is no ability to interact, such as through a PM. Your refusal to become a valid registered poster on this type of thread is a point that you refuse to address in your own posts, yet you harp unendingly on Jim's harmless matrix.

That is the point...the only point. And I have not missed it.

#202613 - 07/09/04 06:02 PM Re: Pending FDIC IT Exam
Paragon Offline
Diamond Poster
Paragon
Joined: Dec 2003
Posts: 2,164
Quote:

I also do not appreciate the rudeness expressed by those who on one hand, profess to understand and practice sound risk management and its implications on the banking business model and on the other hand ask that a bank’s specific vulnerabilities be exposed in a public forum and then attempt to insult and chide someone for not posting it. You have missed the point.

You have gone over the edge. THERE WAS NOTHING POSTED THAT COULD HAVE BEEN USED AGAINST THE INSTITUTION. You have not provided an example to back up your claim and it's far from rude to point that fact out. We are here to assist one another with this important task, not to avoid posting general information that may help. Now if someone starts posting passwords, that would worry me a lot, but that's not going to happen.

You display a "the sky is falling" attitude, so how can you possibly justify posting anything, even an opinion, in an open forum. You must know that we can track you down, correct? So, knowing simply how you think and what you think relating to these matters may hurt your institution (given the views you have expressed), correct? Given your view of these matters, should you be posting at all?

#202614 - 07/10/04 08:29 PM Re: Pending FDIC IT Exam
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
This has been an interesting discussion, to say the least. My intention is not to keep the banter going, but just to say that I appreciate each of your insights. In regards to -g, I have always found his/her insights very relevant and on target, and would prefer anonymous posts to no posts.
_________________________
My opinions are just that...my opinions.

#202615 - 07/13/04 05:11 PM Re: Pending FDIC IT Exam
Red Offline
Gold Star
Red
Joined: Dec 2002
Posts: 345
New England
Thank you for sharing this document. It was helpful to me.
_________________________
It's risky business, but someone has to do it.

#202616 - 08/05/04 10:07 PM Re: Pending FDIC IT Exam
Paragon Offline
Diamond Poster
Paragon
Joined: Dec 2003
Posts: 2,164
Quote:

Having just completed an OCC IT Audit and an external IT Audit I'm glad it's over for now.
::Removed Link::
Please feel free to ask me anything.

As if anyone really cares (except for me) - the subject (of this thread) IT exam (FDIC & State) is now complete - no exceptions.

Something that may be of interest: User Access Codes at the module level (e.g. DDA, SAV, Loans, etc.) are subject to examination, e.g. does the user require access? Access, of course, is not always equal, with some assigned maintenance/inquiry and some only inquiry - exam procedures go to that level, with 'liberal' access not supportable. Examination to this level surprised me, but that step is specifically included in the audit scope.

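As an added illustration of the module-level access review described in the post above (this is example code written for this page, not code from the thread, from any examiner's work program, or from any core-system vendor): reconcile each user's module access codes against what their job role is supposed to need and flag anything "liberal", i.e. maintenance where only inquiry is required, or access to a module the role does not need at all. The role matrix, the module names' levels, the CSV export layout and the user records are all constructed assumptions for the example.

```python
import csv
import io
from dataclasses import dataclass

# Ordering of access levels: a higher number is broader access.
LEVELS = {"none": 0, "inquiry": 1, "maintenance": 2}

# Hypothetical role-to-module entitlement matrix (an assumption for this
# example; the thread names the modules but not any bank's actual matrix).
ROLE_MATRIX = {
    "teller": {"DDA": "inquiry", "SAV": "inquiry"},
    "loan_officer": {"Loans": "maintenance", "DDA": "inquiry"},
    "operations": {"DDA": "maintenance", "SAV": "maintenance", "Loans": "inquiry"},
}

# Constructed sample of a core-system user access export (not real data).
SAMPLE_EXPORT = """\
user,role,access
jdoe,teller,DDA:inquiry;SAV:inquiry
msmith,teller,DDA:maintenance;SAV:inquiry;Loans:inquiry
rlee,loan_officer,Loans:maintenance;DDA:inquiry
pops,operations,DDA:maintenance;SAV:maintenance;Loans:inquiry
"""


@dataclass(frozen=True)
class Finding:
    user: str
    module: str
    granted: str   # level actually assigned on the system
    required: str  # level the role matrix says the job needs ("none" = no access)


def parse_grants(field):
    """Turn 'DDA:inquiry;SAV:maintenance' into {'DDA': 'inquiry', ...}."""
    grants = {}
    for item in field.split(";"):
        module, _, level = item.partition(":")
        if level not in LEVELS or level == "none":
            raise ValueError(f"unknown access level {level!r} for {module}")
        grants[module.strip()] = level
    return grants


def review_user(user, role, grants, matrix=ROLE_MATRIX):
    """Return one Finding per module where granted access exceeds the role's need."""
    if role not in matrix:
        raise ValueError(f"no entitlement matrix for role {role!r}")
    required = matrix[role]
    findings = []
    for module, level in grants.items():
        need = required.get(module, "none")  # module not in the role's list: no access needed
        if LEVELS[level] > LEVELS[need]:
            findings.append(Finding(user, module, level, need))
    return findings


def review_export(text, matrix=ROLE_MATRIX):
    """Review every user in a CSV export; return {user: [findings]} for users with excess access."""
    results = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = review_user(row["user"], row["role"], parse_grants(row["access"]), matrix)
        if findings:
            results[row["user"]] = findings
    return results


if __name__ == "__main__":
    for user, findings in review_export(SAMPLE_EXPORT).items():
        for f in findings:
            print(f"{user}: {f.module} granted={f.granted} required={f.required}")
```

On the constructed export only msmith is flagged: maintenance on DDA where a teller needs inquiry, and inquiry on Loans where a teller needs nothing. A role that is missing from the matrix is treated as an error rather than silently passed, since an unmapped role is exactly the case an examiner would ask about.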
#202617 - 08/06/04 01:00 PM Re: Pending FDIC IT Exam
Jay-Risk Offline
Gold Star
Joined: May 2004
Posts: 274
New England
Quote:

IT exam (FDIC & State) is now complete - no exceptions

Paragon,

Congratulations! Standalone IT examinations (versus having IT looked at in combination with safety and soundness exams) have become increasingly stressful and complex. You never really know what the actual focus will be until they arrive, and oftentimes everything you've prepared in response to the request letter is only a portion of the risk areas ultimately targeted during the onsite examination. Once again, great job!

#202618 - 08/06/04 03:09 PM Re: Pending FDIC IT Exam
Paragon Offline
Diamond Poster
Paragon
Joined: Dec 2003
Posts: 2,164
I appreciate your comments - it is interesting that the exam scope is known, but the focus - hot buttons - always change. My theory is that once any examiner detects an issue that issue is shared and becomes a hot button throughout the system. I just wish that there was a reliable way to share those hot button issues, as discovered, at the bank level.


Moderator:  Andy_Z