CUInfoSecurity.com - Information Security News, Regulations, & Education  


GLBA


 Tom Smedinghoff Podcast Transcript: Information Security Laws and Regulations Insights

Your recent article referred to the patchwork of federal and state laws and regulations regarding corporate obligations to provide information security, which appear to be coming together to provide ever-expanding coverage of corporate activity. Could you tell us more about these recent developments?

TOM SMEDINGHOFF: Basically, if you survey the legal landscape and you look at the state laws, the federal laws and even international laws, there are literally hundreds and hundreds of different laws that focus on information security obligations, but when you stand back and look at those from a distance there are basically three trends that emerge from those laws.



 Developing An Incident Response Program: Moving Beyond the Basics

Given the high cost of containing information security breaches, financial institutions have invested lots of time and money into developing incident response programs. But how do they know if their program is working properly? To assist financial institutions in this process, the Federal Deposit Insurance Corporation has published guidance on incident response program best practices—a how-to approach to keeping sensitive data from being accessed by unauthorized individuals.

Many financial institutions are finding it challenging to assemble an incident response program (IRP) that not only meets minimum requirements as prescribed by financial institution regulators, but also provides for an effective methodology to manage security incidents for the benefit of the financial institution and its customers.

Financial institutions are required to include incident response as part of their information security program. The federal financial institution regulatory agencies have issued interpretive guidance prescribing standard procedures that should be included in IRPs. In addition, at least 33 states have passed laws requiring that individuals be notified of a breach in the security of computerized personal information.



 Law Requires Information Security Programs to Be Risk-based

The financial services industry is one of the most highly regulated and closely supervised among those handling sensitive consumer information. Besides being subject to security breach disclosure laws at the state and federal levels, it must comply with industry-specific laws and regulations related to information security and privacy. As service-based businesses, financial institutions must provide customers with confidentiality or else risk losing their trust and their business. Protecting information is critical to maintaining trust. Because they generally don’t pass along losses associated with fraudulent transactions made on existing accounts to their customers, financial institutions incur significant losses from ID theft and account fraud. This is in addition to reputation damage and other costs incurred in responding to the security breach. The Gramm-Leach-Bliley Act requires financial institutions not only to limit the disclosure of customer information, but also to protect that information from unauthorized access and to notify customers about security breaches. Under the guidance issued by federal regulators, financial institutions must establish and maintain comprehensive information security programs to identify and assess the risks to customer information and then address those risks by adopting appropriate security measures.



 TJX Hacking Incident Shows Cracks In Payment Card Systems

The revelation by TJX Companies, owner of T.J. Maxx and other retail brands, that at least 45.7 million credit and debit cards were compromised over several years highlights anew the risks associated with processing card transactions and the need to protect the information they contain. The breach eclipses the previous disclosure of 40 million compromised payment card records by CardSystems in 2005. Intruders gained access to TJX’s computer systems beginning in 2005 and continuing until January 2007. Although debit card PINs weren’t compromised, unencrypted magnetic stripe data, also known as “track 2 data,” was stolen on transactions that occurred before September 2003, the company said.



 What's VoIP Got to Do with GLBA Data Privacy

The Gramm-Leach-Bliley Act may not appear to have anything to link it to the Voice over IP technology being implemented in financial institutions, but IT departments and information security officers should look closely at how the new phone systems may be audited under GLBA regulations. GLBA audits would focus more on data privacy, specifically on Section 501, Subtitle A, which requires companies to ensure the security and confidentiality of customer records and information. They also need to protect against any anticipated threats or hazards to the security and integrity of these records, and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.



 GLBA Compliance: Lock Down Your Copiers and Printers

At your institution you’re considered the person who has thought of every possible security angle, and when it comes to locking down the systems, networks and Internet-based offerings, you’re confident that you’ve met or exceeded everyone’s expectations for privacy and security. You’ve even heard rumors that your superior is happy.

Hold on. Did you forget something? The biggest unplugged hole in your security is sitting in plain view, probably near your workstation, or at least in a public area. The culprit is the institution’s copier. If you’re a larger institution, the copiers are on the network too.



 Financial Institutions Face Tight Compliance Requirements in 2007

Financial institutions can expect increased scrutiny on information security policies in 2007 as regulators devise new oversight standards.

In December, the Public Company Accounting Oversight Board (PCAOB), which establishes rules for compliance with Sarbanes-Oxley, proposed a new standard for Sarbox section 404, which governs internal controls over financial reporting, including IT controls. Separately, the Payment Card Industry data security standard will require merchants and payment processors to implement stringent IT security procedures, such as additional firewalls and access controls.



 Implementing Information Safeguards Under Gramm-Leach-Bliley

The Gramm-Leach-Bliley Act (GLBA) contains a rule, known as the Safeguard Rule, under which the Federal Trade Commission and other federal agencies have established standards for financial institutions relating to administrative, technical, and physical safeguards for customer information. The objectives are to ensure the security and confidentiality of customer records and information, protect against threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to any customer.

The rule requires financial institutions to develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards. As part of its program, each financial institution must designate an employee or employees to coordinate its information security program. They must identify internal and external risks to the security, confidentiality, and integrity of customer information and assess the adequacy of safeguards, assure that contractors or service providers are capable of maintaining appropriate safeguards for customer information, and adjust the information security program in light of developments that may materially affect the entity's safeguards.


 Impact of Information Security Trends on Credit Unions, Part 1: New Hacker's Objectives

Omar Herrera
September 1st 2005

While we are not analyzing the ethical nature of a hacker, we must still consider a hacker to be a person who maintains a superior level of technical knowledge and abilities. Therefore, by definition, we must accept that there are hackers with good intentions (gurus) and hackers with bad intentions (cyber criminals).



Copyright © 2007 CUInfoSecurity.com