FFIEC updates (finally) their Information Security IT Examination Handbook

Well, after ten years, the FFIEC has finally updated their Information Security IT Examination Handbook.

So probably some are wondering what this is and why should they care.  If you don't work in the financial industry, you may not be aware of all of this.

The FFIEC is the Federal Financial Institutions Examination Council, which is a government interagency body that sets down uniform principles, standards, and report forms regarding the examination of financial instituions.  The Council is make up of Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), the Consumer Financial Protection Bureau (CFPB), and the State Liaison Committee (SLC), which itself includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS).

So basically if you work for banks or credit unions, you have dealt with this.  If you do IT Security consulting in this realm, you have come across them.

Updates to the CIS Critical Security Controls

Hopefully most people are aware of the Critical Security Controls, which are too often called the "SANS Top 20" or the like, even tho SANS no longer manages them.  (they do offer a course and cert on them.)

SANS actually turned them over to a group called the Council on CyberSecurity in 2013, and put out at least version 5.0 of the controls.  The Council merged with the Center for Internet Security in 2015, who released version 6.0.  Properly they are the CIS Critical Security Controls, or CIS CSC.

With v6.0, they did some revamping and re-ordering the controls.

And CIS has continued to support the CSC.  They have released some new items!