The Information Security Media Group, Corp. (ISMG) today announced the launch of its two redesigned websites, www.BankInfoSecurity.com and www.CUInfoSecurity.com. The redesign offers easier navigation throughout the sites and access to even more information on topics, events and regulations that affect financial institutions.
Swart: There are a lot of issues that are gaining prominence in IT management today, and one of the most interesting seems to be IT governance. I was wondering if you could summarize IT governance and why it is getting so much attention lately.

Manley: Richard, IT governance helps make sure that companies have the right systems and software in place to accomplish corporate goals. It drives efficiency and effectiveness of controls in a consistent manner, essentially making sure that the IT department and the operations department are dancing the same dance. IT governance can help align the IT strategy with the business strategy. As a result, KPMG has observed that companies are having more effective conversations related to risk management and the financial investment needs they require to develop a specific operating capability that meets the needs of the business within the overall organizational structure. It’s getting a lot of attention right now because the marketplace environment has changed so significantly, and business models continue to evolve as a result of merger and acquisition activity, alliances and outsourcing. More than ever, companies need to take stock of what IT capabilities exist in the organization, how it operates, how it is controlled, and whether it needs to be monitored on an ongoing basis.
Deloitte & Touche Report Says ID Management, Regulatory Compliance are Top Concerns. Information security has risen to the “C-level” or board level and is seen as a critical issue at many financial institutions worldwide, according to a new global survey by Deloitte & Touche LLP. The currencies, cultures and compliance issues are unique in individual marketplaces, but many of the security challenges are truly global, says Mark Steinhoff, leader of the firm’s financial services industry security & privacy services practice, which has just released its 2007 Global Security Survey for Financial Services.
Steps to Take Against Phoned-in Threats. The recent “hostage” by phone scam that hit numerous retail stores and several banks in more than four states points to a question for other financial institutions that were not targeted. (See FBI notice: http://www.fbi.gov/pressrel/pressrel07/extortion_threats083007.htm.) What would your institution do in the event a caller phoned in a bomb threat and claimed to be ready to blow up the branch or office if money isn’t wired to an overseas account?
The management of electronic data used to be a “nice thing to do.” Nowadays, the proper archiving, retention, monitoring, filtering and encryption of electronic data isn’t an option but an imperative for financial institutions in order to comply with regulations and federal law, including the Federal Rules of Civil Procedure (FRCP).
According to Cynthia Jackson, a lawyer at Baker-McKenzie LLP, the need for a plan to manage electronic data means understanding the broad compliance issues, government mandates and e-discovery requirements a financial institution faces. Jackson is a recognized expert in global personnel-related initiatives.
Financial institutions receive email from a wide variety of sources, and like other companies, they’re facing unwanted solicitation emails that range from replica watches to penny stock offerings. Employees at financial institutions are also faced with the emails that make it past filters and into their inboxes.
The financial services industry is one of the most highly regulated and closely supervised among those handling sensitive consumer information. Besides being subject to security breach disclosure laws at the state and federal levels, it must comply with industry-specific laws and regulations related to information security and privacy.
As service-based businesses, financial institutions must provide customers with confidentiality or else risk losing their trust and their business. Protecting information is critical to maintaining trust. Because they generally don’t pass along losses from fraudulent transactions on existing accounts to their customers, financial institutions incur significant losses from ID theft and account fraud. This is in addition to reputation damage and other costs incurred in responding to a security breach.
The Gramm-Leach-Bliley Act requires financial institutions not only to limit the disclosure of customer information, but also to protect that information from unauthorized access and to notify customers about security breaches. Under the guidance issued by federal regulators, financial institutions must establish and maintain comprehensive information security programs to identify and assess the risks to customer information and then address those risks by adopting appropriate security measures.
Being an information security officer at a financial institution isn’t an easy job, but imagine being the first Chief Information Security Officer at your institution, and the first one, period. Steve Katz shared his thoughts on information security from his unique perspective of being just that—the first CISO of a major financial institution. What many of us take for granted in our programs was hewn out of thin air by Steve since the mid 1980s. Steve Katz is a true luminary among the information security community. Known as the world’s first chief information security officer, Katz is widely regarded as one of the discipline’s thought leaders. In addition to his role since 1985 as a senior security executive for J.P. Morgan, Citibank/Citigroup and most recently Merrill Lynch, he has been a force at both industry and government levels in raising the visibility and shaping the direction of the security industry.
Today we're speaking with Alan Paller of the SANS Institute. For those of you who don't know, SANS is the most trusted and, by far, the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system, the Internet Storm Center. Their website is www.sans.org. Alan is the director of research for the SANS Institute, and he's responsible for overseeing all research projects ranging from the SANS Step-by-Step Guides to the SANS Digest to the top 20 Internet Security Tricks. He's also the founder of the CIO Institute and earned his degrees in computer science and engineering from Cornell and MIT. Alan is the author of the EIS book Information Systems for Top Managers and How to Get the Best Presentation of your Life. In 2001, the President named Alan as one of the original members of the National Infrastructure Advisory Council; and in 2005, the Federal CIO Council chose him as its 2005 Azimuth Award winner, recognizing his vision and outstanding service to federal information technology.
Writing effective information security policy is more than just laying down a set of rules and procedures; it's a process unto itself, whose goal is to create a dynamic instrument that will protect a financial institution's most precious asset - information. Fortunately, resources exist to assist chief information security officers in formulating effective policy, such as Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, published in 2006 by the IT Governance Institute and available for free download at www.itgi.org.
Financial institutions can expect increased scrutiny on information security policies in 2007 as regulators devise new oversight standards. In December, the Public Company Accounting Oversight Board (PCAOB), which establishes rules for compliance with Sarbanes-Oxley, proposed a new standard for Sarbox section 404, which governs internal controls over financial reporting, including IT controls. Separately, the Payment Card Industry data security standard will require merchants and payment processors to implement stringent IT security procedures, such as additional firewalls and access controls.
Wish List from Financial Institutions to Our Customers. As the weather outside gets colder and the year draws to an end, we're thinking of what would be some of the things we'd like to give and receive as gifts during the holidays. While your personal list may be longer than this, here are the 12 things we wish all of our customers and employees would do - loosely based on "The Twelve Days of Christmas". Hum along if you don't sing.
If your financial institution is facing an IT regulatory exam soon, you'll want to be ready for it. Despite the best efforts of your team, will your institution be ready? CUInfoSecurity.com's webinar will prepare your team for this arduous task. In the meantime, we interviewed Susan Orr, an ex-federal examiner, who will lead the webinar, to illuminate your path to prepare for an IT regulatory exam.

CUIS: If you were to narrow down to the top items that institutions should focus on in preparing for an IT regulatory exam, what should the number one concern be?
Security and internal controls now begin in the board room. Two laws passed by Congress, the Gramm-Leach-Bliley Act of 1999 (GLBA) and the Sarbanes-Oxley Act of 2002 (SOX), have refocused the spotlight on a financial institution's board of directors. The role of a board member has grown in importance and complexity since the adoption of these two laws. GLBA re-emphasized the board's involvement in overseeing operations and implementing the appropriate policies, procedures, and controls to ensure the security, confidentiality and integrity of customers' financial information. Under GLBA a financial institution must develop a comprehensive written security program that encompasses administrative, technical, and physical controls. Board involvement is imperative in the development, implementation and maintenance of this program.
Financial institutions are subject to a slew of laws and regulations aimed at information security. There's Gramm-Leach-Bliley (privacy), Federal Financial Institutions Examination Council (authentication and online banking), and Payment Card Industry (card security). There's also California's and other states' data breach disclosure laws, and the Sarbanes-Oxley Act, which requires IT to test the effectiveness of controls over financial-reporting systems. And the European Union's privacy laws, etc. While these laws and regulations do a good job of defining the scope of information security and spelling out the role of information security in risk management, they have little to say about what constitutes effective information security or how to achieve it. Fortunately, the International Standards Organization has developed two standards that do precisely that, and by adhering to them financial institutions can go a long way toward satisfying regulatory compliance requirements.
The CSO Magazine Security Sensor, a bi-annual survey of 420 chief security officers (CSOs) and senior security executives conducted by IDG's CSO magazine, reveals business resiliency and disaster recovery as the top-ranking priority for security chiefs in 2006 - up from the third most important priority in 2004. Conversely, educating employees about security policies slipped from the top priority in 2003 to the third most important priority in 2006. Yet while business preservation and disaster recovery top the list of business priorities, the money isn't on the table: the top factor driving security investment in 2006 is regulation and compliance (43%), with only 5% of respondents ranking risk of financial loss as a top priority and a mere 3% investing due to security concerns about the threat of terrorism and war. "It's very likely that the fallout from Hurricane Katrina and the latest upheaval in U.S. port security matters have driven home the importance of contingency planning for the nation's CSOs," says Derek Slater, editor of CSO magazine. "However, CSOs' short-term fiscal priorities reflect an immediate need to comply with government and industry mandates such as Sarbanes-Oxley. While CSOs recognize the strong need to plan for business continuity, they don't seem able to secure the money to take necessary steps at this time, and that's a big risk."
There are many unpleasant tasks in life and work. Monitoring employee behavior is one of those unpleasant tasks. Management has to take a strong role in ensuring that liability does not come the company's way, i.e., risk management. New regulations hold management responsible for employee behavior that can expose the company to monetary loss, criminal charges, and civil lawsuits. The buck stops here. Most of us don't want to be Big Brother. We don't like the idea of "spying" on our employees. We don't like the taste of infringing on someone's privacy because we value our own. However, what you don't know will hurt you and may hurt you in a court of law. Fortunately, technology has made our job a lot easier.
The demands of new regulations, including the Sarbanes-Oxley Act, Gramm-Leach-Bliley, the Patriot Act, and disclosure statutes for security breaches, are forcing financial institutions to implement stringent information security measures. The auditing of information technology - once a rather staid component of an auditing firm's practice - has gone gangbusters with the explosion of legislation and the publicity surrounding hacking incidents and losses of customer data. Financial institutions today must be prepared to undergo top-to-bottom audits aimed at finding chinks in their information security architectures, and then go about remediating deficiencies. Where should they look? Before an institution can interpret and act upon the findings of an audit, it must understand the audit's scope. According to the Information Systems and Control Association, a security audit is broken down into seven categories: systems understanding, security management, security administration, system configuration, access controls, file & directory protection, and reporting & auditing.
Determining whether a candidate possesses the skills necessary to fill an information security position effectively, before hiring him or her, is not a trivial task. There are many methods one can use to gauge the effectiveness of a candidate's background. It is important to note that for some positions it might be very difficult to find a perfect candidate (sometimes even finding a single candidate might be quite difficult). Financial institutions should realize that they need to be somewhat flexible, and define minimum thresholds that keep the hiring process cost-effective. Training less experienced candidates may be a viable option when the cost and time to fulfill all requirements are flexible.
Omar Herrera - Information Security Personnel in Financial Institutions. Financial institutions have specific requirements for the experience and abilities of their information security personnel. However, it is becoming harder for qualified professionals to satisfy the requirements of these institutions. While information security personnel can be trained in specialized areas of information security, they still need to have a relevant general information security background and a minimum number of years of experience in the industry.
Andrew Miller - CUInfoSecurity.com Editor. In October, the Federal Financial Institutions Examination Council (FFIEC) issued guidance for authentication in the Internet banking environment. Financial institutions are expected to achieve compliance by year-end 2006. The guidance states: "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."
Pete Boergermann - CUInfoSecurity.com Contributor. Gone are the days when we could just throw a hub on a closet shelf, run a few network cables, connect some PCs and a server to it and have a network. Logs? What logs? Why would we want to look at them? Times have changed, and most devices connected to your network have logging capabilities. These devices can produce large amounts of valuable data, but it can be overwhelming to manage. A new industry that creates technology to manage security event logs is just starting up. As this technology matures, we may end up with products that can correlate the data between devices and alert us to events on a global multi-device level. Maybe these new products will be able to learn and adapt to new event information, possibly make assessments based on trends, then send only the alerts that need to be acted upon. Now that securing our networks is so important, we should be asking questions like: “What do we log, and why?” “How often do we need to look at it, and who should review the logs?” Then reality hits and these comments come to mind: “I really have other things I need to do.” “Reviewing them is boring and time consuming.” “I will get to them tomorrow.”
You have all heard the horror stories of companies that have implemented a technology before it was robust enough to support real operations. However, for every Hershey Foods or Value America story, there are dozens of companies like Capital One, Fidelity, State Street and other industry giants that were able to take advantage of advanced IT technology to leapfrog their companies into the forefront of their respective industries.
Zeroing in on the vulnerabilities of application security
Omar Herrera - While we are not analyzing the ethical nature of a hacker, we must still consider a hacker to be a person who maintains a superior level of technical knowledge and abilities. Therefore, by definition we must then accept that there are hackers with good intentions (gurus) and hackers with bad intentions (cyber criminals).
By: CUinfosecurity.com - Today, if you Google the phrase “email retention,” 19.6 million matches are found. If nothing else, that means that this topic is surrounded by industry buzz. With all of the complex regulations that include only vague policies on email retention, it is hard to assess whether or not you will soon be thrown into the deep end. While following behind the pace car that signifies “industry best practice,” it is
Robert Childs - Search Security. Like many information security professionals, I spent the last year working with auditors to decipher the new world of compliance. The Sarbanes-Oxley Act has changed how auditors look at controls, in turn challenging IT and Finance departments to interpret the control requirements and implement compliant processes. We spent the better part of e
Most financial institutions are surprisingly vulnerable to identity theft, according to a hired gun who makes his living by penetrating their security systems.
What you will learn from this tip: How using five security best practices gets you closer to compliance with the PCI Data Security Standard and helps mitigate common threats to e-business. The media has been abuzz with a series of reports from vendors such as DSW (Designer Shoe Warehouse) and Polo Ralph Lauren regarding disturbing losses of credit card information.
If we analyze the impact of certain types of security incidents (e.g. system intrusion, fraud, denial of service, leak of confidential information) on several types of industries, we will see that the impact will be higher on financial institutions than any other organization. If you study the security issues surrounding information technology dependency, you will see that this is one b
Omar A. Herrera Reyna – CISA, CISSP. Introduction: There is widespread use of credit and debit cards for shopping online. However, their use for e-banking (e.g. payments, money tra
Practice 1: Recognize Information Resources as Essential Organizational Assets That Must Be Protected "Information technology is an integral and critical ingredient for the successful functioning of major U.S. companies." -- Deloitte & Touche LLP Survey of American Business Leaders, November 1996
October 27 - GAO recognizes the importance of strong financial systems and internal controls to ensure our accountability, integrity, and reliability. To achieve a high level of quality, management maintains a quality control program and seeks advice and evaluation from both internal and external sources. GAO is committed to fulfilling the internal control objectives of 31 U.S.C. 3512, formerly the Federal Managers’ Financial Integrity Act (FMFIA). Alth
To provide a common understanding of what is needed and expected in information technology security programs, NIST developed and published Generally Accepted Principles and Practices for Securing Information Technology Systems (Special Pub 800-14) in September 1996. Its eight principles are listed below.

1. Computer Security Supports the Mission of the Organization
2. Computer Security Is an Integral Element of Sound Management
3. Computer Security Should Be Cost-Effe
To help verify a user's identity in the case of a lost password, many Web applications use secret questions. By answering a pre-selected question, a user can demonstrate some personal knowledge of the account owner. A classic example is asking to provide a mother's maiden name.
We all know the threats posed by spyware to enterprise networks: user ID and password theft, financial loss, productivity drain, intellectual property theft. Security practitioners have two defenses at their disposal: the human and the technical. While the technology for combating spyware is improving, antivirus vendors have only recently started adding functionality to target it. That means the best defense is the human one – employees and end users. They can help in the battle against spywar
ALAN ZAPANTA (ISMG): Now, recently, you have been conducting some compelling research regarding the skill level that the information security industry demands and the current curriculum that many colleges ascribe to. Could you please give us a brief overview?

RICHARD SWART: Yes. I did this research in cooperation with the Center for Systems Security and Information Assurance, which is a consortium of about 120 universities mostly on the East Coast. And what we realized was a gap between the expectations of industry in terms of the skill levels that recent graduates should have and the type of training that universities were providing. So we did a parallel set of surveys where we were able to ask specific questions to both industry leaders and to professors to gauge how they were preparing students to enter the information security field and to try to identify where there was a mismatch between what the professors were doing and what the industry needed.