My colleague and I recently delivered a webcast on the topic of internet banking authentication guidance, a topic that I've been spending a lot of time on lately. It was posted on the web for playback. Check it out!
Webcast: Brace Yourself: Updated FFIEC Internet Banking Authentication Guidance is Out
Presented by Dave Dyk and Paul Rainbow, with Moss Adams LLP
Presented October 20, 2011, 10:00 AM - 11:00 AM
http://www.mossadams.com/Industries/Financial-Services/Internet-Banking-Authentication
Internet banking risks are increasing, and the regulators have taken notice. Fraudulent online ACH and wire transactions have increased in frequency, and are causing a shift in the risk and regulatory landscape. The FFIEC issued an update to regulatory guidance from 2005, focusing on risk assessment, multi-layered controls, and the importance of relying on appropriate controls. Regulators will begin assessing compliance with this guidance in 2012, so now is the time to prepare.
Is your institution ready? Participate in our webcast, as we answer your questions about Internet Banking Authentication.
Wednesday, November 30, 2011
Monday, November 28, 2011
PSU MPA Alumni Newsletter
I recently wrote an article for my alma mater alumni newsletter on career opportunities after an MPA.
Tuesday, July 26, 2011
The Rise of Privacy as a Discipline
When I began my career, the discipline of Information Security was professionalizing, and the related discipline of Privacy was not yet on the map of most of my peers. Privacy, as a discipline, has largely been driven by attorneys and major corporations, and ignored by startups and mid-sized organizations. I think that is changing -- the IT audit and consulting practitioners like myself are being asked to become experts in the field of privacy, and there is a lot of action in terms of privacy legislation. Let's take a look at some of the action:
First, I expect that the various state data privacy and breach notification laws will be superseded by a federal law. While the federal law will almost certainly be less stringent than some of the state laws, it will likely add some enforcement mechanism, standardize practices for organizations operating across state lines, and raise the visibility of the regulatory requirements. I think these are all good things, and am looking forward to seeing what the final law looks like.
Second, we are seeing the federal government consider privacy explicitly in the NIST Special Publication 800 series security standards, which are used to drive FISMA compliance across the government. NIST just published a draft update to the SP 800-53 standard that includes a whole series of recommended baseline controls related to data privacy. I expect to see these drive quite a bit of activity among government agencies and contractors in coming years.
All things considered, I think that IT auditors and consultants like me are going to become practitioners of the disciplines of both privacy and security. What do you think?
Tuesday, June 7, 2011
Reasonable Security for Internet Banking
A closely watched case in Maine regarding the authentication security that is "reasonable" per UCC 4a for banks to provide to their customers is concluding in favor of the bank, at the expense of the customer who lost funds. I would love to do some analysis here on the blog, but why recreate what Brian Krebs and David Navetta have already documented so well?
Take a look at the story on the Krebs on Security blog here:
http://krebsonsecurity.com/2011/06/court-passwords-secret-questions-reasonable-ebanking-security
Friday, June 3, 2011
New WIB Article regarding Internet Banking Fraud
I have been working recently to put together quarterly newsletter articles on IT security and regulatory topics for the Western Independent Bankers association newsletter. Take a look at the published first quarter article, on a hot topic that I have been spending a lot of time on lately: the rise of account takeover and internet banking fraud. Enjoy!
http://bit.ly/Wib-IB-Fraud
Tuesday, May 3, 2011
Wednesday, April 20, 2011
Government 2.0 Transparency and the Long Tail
Recently, I have been contemplating a tough question, with a possibly disappointing result. Has the Internet made us better, or at least more informed, citizens? I would like to think so. However, the decline of trusted, mainstream newspaper reporting, coupled with the rampant rumors that circulate the internet like wildfire (despite the easy refutations from Snopes), has made me a bit of a cynic. I don't think that the internet, with its really long tail of information, really has made us better citizens.
But, a family friend asked me if I knew of any websites that helped promote government transparency. And, it turns out, that this is a bright spot. I have a few favorites, and I want to see if you do as well. Please take a look at these, and use the comments below to let me know if there are some of your favorites that I have missed.
Congress
These two sites are amazing. They present a wealth of useful information about congresspeople, votes, proposed bills, sponsorship, money flow, and nearly any other bit of information someone might be interested in. In addition, the sites make it easy to subscribe to RSS feeds or contribute via various wikis to enhance the data set for others.
Transparency Through Data
Across all levels of government in recent years, a technocrat-driven trend (and I use technocrat as a very positive term here, considering myself to be one) to provide transparency and utility has sprung up by providing raw public data in easy-to-consume formats (such as RSS feeds, downloadable files, GIS datasets, etc.). Some good examples are:
- Data.Gov – This federal site is sponsored by President Obama’s CIO, Vivek Kundra. I have been very impressed with Mr. Kundra, both for his efforts here, as well as his push to embrace cloud computing, risk and cost management of large IT spending, and consideration of IT from an “enterprise” perspective across the government. This site in particular is a cool repository for a wide variety of government data sets that can be accessed by anyone.
- data.oregon.gov – Oregon got a late start to the game, but I think that given our budget limitations and reluctance to spend much on enterprise IT, we have put together a decent set of tools.
- civicapps.org – This is probably the site that feels closest to home for me (because it is), and that has really directly benefited my life. It is exciting because it was put together by a consortium of public bodies in the area, including the City of Portland, TriMet, Metro, the County, and others. And, it was coupled with a community contest to develop apps and tools using the data. Several really great apps were developed. Back in 2002-2005, I worked for the City of Portland in an IT position where I supported some underlying infrastructure for PortlandMaps. I was very proud to have been associated with that site, which really was ahead of its time. I think that the CivicApps site, too, is showing how Portland is a trendsetter in this area (and obviously we have followed the lead of some other cities as well).
Each of these sites can feed community-developed applications or other websites. Government may not be the best entity to develop great apps with interfaces that benefit the public, but they have the data. So getting the data loaded onto sites like these helps bridge that gap, and is inexpensive and easy to do also!
Transparency Data Sets here in Oregon
- Oregon Transparency Site – Built by the same team at Oregon Department of Administrative Services that rolled out the data repository, the transparency site is an example of what states are doing to try and provide repositories for financial data that can be easily searched. But, as OSPIRG notes, this site doesn’t include the state’s quasi-public entities, which is a big reason we scored a “B” instead of an “A” in a recent annual report on the subject.
- Oregon Capitol News GovDocs – Many mainstream media outlets have made it a practice to make public records requests for salary and spending data, and to post that data in a searchable format. Here in Oregon, we have a nice central repository for salary, contract, and related data sets from some of the largest public agencies. (* Note - Funded partly by the libertarian-leaning Cascade Policy Institute, but a good resource nonetheless).
- Oregon Center for Public Progress – Maybe they aren’t on the cutting edge of technology, but I’ve been impressed by the analysis of OCPP, a think tank focused on state policy issues (especially tax policy). Although nonpartisan, they might lean slightly to the left; but they use real facts, which is why they earn a mention here along with other great transparency resources.
Other eGovernment Trends
- Non-emergency online police reporting – Like my home town of Gresham, many cities are allowing non-emergency police reports to be filed online. This allows citizens to receive a police report number, and provide the right information to police in a quick and accurate way. This encourages reporting of minor crime, like vandalism or property theft, that might otherwise go unreported. And it is efficient, saving time for officers on the street. Citizens love it.
- Service requests & apps – In my 'spare time', I serve as the president of my homeowners association. Because of that, I am frequently noticing minor city code violations in our city neighborhoods (overgrown grass, graffiti, litter, abandoned cars, etc.). The Ask Gresham site is a good example of a general-purpose City service request system. It allows citizens to easily submit code compliance complaints, requests for various city services (I recently reported a pedestrian traffic light out), or to just ask a question. Systems like this can be rolled out easily so long as there is a human "traffic manager" to take the requests and ensure that each is routed appropriately. It also allows users to log into the site to determine if a request has been acted on or closed. Some larger cities, like Portland, are rolling out services like this in the format of a smartphone app. This has the benefit of allowing citizens to easily attach locations via GPS, and to attach photos.
- During the economic downturn that dramatically impacted city planning and building departments, many have helped to mitigate the fiscal problems by becoming more efficient through the use of electronic plan review. These systems allow for electronic submission of plans in a variety of formats, and then streamline the review process. They provide efficiency for the government, and for developers, and are very popular services.
Concluding
Looking at the political drivel that gets passed around the internet without basis in fact, it is easy to conclude that the internet has not made us better citizens. But, I think that there is an aspect to the internet that allows those of us who are engaged to take advantage of the ‘long tail’ to access public data and services more efficiently. This is a very positive trend, and something we should all actively be pushing for.