CUInfoSecurity.com - Information Security News, Regulations, & Education  


Sarbanes Oxley (SOX)


 Tom Smedinghoff Podcast Transcript: Information Security Laws and Regulations Insights

Your recent article referred to the patchwork of federal and state laws and regulations regarding corporate obligations to provide information security, which appear to be coming together to provide ever-expanding coverage of corporate activity. Could you tell us more about these recent developments?

TOM SMEDINGHOFF: Basically, if you survey the legal landscape and you look at the state laws, the federal laws and even international laws, there are literally hundreds and hundreds of different laws that focus on information security obligations, but when you stand back and look at those from a distance, there are basically three trends that emerge from those laws.



 Facing an IT Audit – How would your institution fare?

It’s always sitting there like the 800-pound gorilla in the room: the upcoming IT audit at the institution. No one asks if it’s still there, because we all know it is. We’ve all gone through at least one IT audit; some of us came through successfully, others were handed a list of recommendations by our auditors.

One of the drivers behind an IT audit is the list of 114,000 new regulations (according to the OMB) passed in the U.S. since 1981, among them the Sarbanes-Oxley Act (SOX). SOX is more than just Section 404 documentation. From proper retention, retrieval and disposition of audit data, to corporate responsibility for financial reports, to real-time disclosure, SOX places a comprehensive compliance burden on a financial instit



 Developing An Incident Response Program: Moving Beyond the Basics

Given the high cost of containing information security breaches, financial institutions have invested lots of time and money into developing incident response programs. But how do they know if their program is working properly? To assist financial institutions in this process, the Federal Deposit Insurance Corporation has published guidance on incident response program best practices—a how-to approach to keeping sensitive data from being accessed by unauthorized individuals.

Many financial institutions are finding it challenging to assemble an incident response program (IRP) that not only meets the minimum requirements prescribed by financial institution regulators, but also provides an effective methodology for managing security incidents for the benefit of the institution and its customers.

Financial institutions are required to include incident response as part of their information security program. The federal financial institution regulatory agencies have issued interpretive guidance prescribing standard procedures that should be included in IRPs. In addition, at least 33 states have passed laws requiring that individuals be notified of a breach in the security of computerized personal information.



 Financial Institutions Face Tight Compliance Requirements in 2007

Financial institutions can expect increased scrutiny on information security policies in 2007 as regulators devise new oversight standards.

In December, the Public Company Accounting Oversight Board (PCAOB), which sets the auditing standards used for Sarbanes-Oxley compliance, proposed a new standard for Section 404, which governs internal controls over financial reporting, including IT controls. Separately, the Payment Card Industry Data Security Standard (PCI DSS) will require merchants and payment processors to implement stringent IT security procedures, such as additional firewalls and access controls.



 Are your employees your biggest security concern?

Marcia Wilson- CUInfoSecurity.com Editor

In 2005, more than 53 million individuals were affected by security breaches in which their personal information was compromised. The ChoicePoint incident was considered one of the first highly publicized events in which the affected individuals were notified. As the year closed, more than half of the states’ legislatures had considered or approved bills to protect citizens’ personal information, and Congress considered several bills that would make notification of a security breach mandatory nationwide.

The causes of security breaches vary widely: compromised passwords, stolen laptops, lost backup tapes, dishonest insiders, online exposure, hackers, and even inadvertent disclosures such as sending an e-mail containing Social Security numbers to a mass mailing list. The onus of protecting personal information sits squarely on the data owner. What can financial institutions do to make sure that employees do not participate, willingly or unwillingly, in data disclosure?



 Does E-mail Retention Require Your Attention?

By: CUinfosecurity.com
September 9, 2005

Today, if you Google the phrase “email retention,” 19.6 million matches are found. If nothing else, that means the topic is surrounded by industry buzz. With all of the complex regulations that include only vague policies on email retention, it is hard to assess whether or not you will soon be thrown into the deep end. While following behind the pace car that signifies “industry best practice,” it is



 Passing a SOX audit: Lessons Learned From An Information Security Professional

Robert Childs - Search Security

Like many information security professionals, I spent the last year working with auditors to decipher the new world of compliance. The Sarbanes-Oxley Act has changed how auditors look at controls, in turn challenging IT and Finance departments to interpret the control requirements and implement compliant processes. We spent the better part of e



Copyright © 2007 CUInfoSecurity.com