Posts Tagged ‘Vendor Management’

Hardening Procedures

April 8, 2009

As an IT audit and penetration testing firm, one of the key areas we see as deficient in most organizations is system hardening, specifically pre-deployment hardening procedures. These procedures provide guidelines for securing computer systems prior to installation for official business use. It is sometimes difficult to determine why organizations may not have hardening procedures.

Why are Operating Systems and other Software full of Security Holes?

January 22, 2009

It’s been a bit more than ten years now since the security industry began calling attention to buggy software development practices. And despite the security industry’s best efforts, most software development companies continue to produce code with security flaws.

Are you “at the mercy of your service provider”?

January 2, 2009

We received an email today from a credit union examiner in the eastern United States. We had the privilege of providing him a week of IT training earlier in the year through our relationship with NASCUS. He wrote, “So many of these small to medium size shops are at the mercy of the service provider and therefore rely on them for everything… what kind of detail should a vendor provide to the credit union about IT controls?”