|
 |
 |
 |
 |
|
Your recent article referred to the patchwork of federal and state laws and regulations regarding corporate obligations to provide information security appear to becoming together to provide ever expanding coverage of corporate activity. Could you tell us more about these recent developments? TOM SMEDINGHOFF: Basically if you survey the legal landscape and you look at the state laws, the federal laws and even international laws, there are literally hundreds and hundreds of different laws that focus on information security obligations but when you stand back and look at those from a distance there are basically three trends that emerge from those laws.
Given the high cost of containing information security breaches, financial institutions have invested lots of time and money into developing incident response programs. But how do they know if their program is working properly?
The line forms on the left, as state banking associations representing banks from three New England states have filed a class action lawsuit against TJX Companies Inc., in response to the company’s credit and debit card breach in which more than 45 million cards may have been compromised. More banks are expected to join the lawsuit.
The banking industry is one of the most highly regulated and closely supervised among those handling sensitive consumer information. Besides being subject to security breach disclosure laws at the state and federal levels, it must comply with industry-specific laws and regulations related to information security and privacy.
The revelation by TJX Companies, owner of T.J. Maxx and other retail brands, that at least 45.7 million credit and debit cards were compromised over several years highlights anew the risks associated with processing card transactions and the need to protect the information they contain.
The Gramm Leach Bliley Act may not appear to have anything to link it to the Voice Over IP technology being implemented in financial institutions, but IT departments and Information Security officers should look closely at how the new phone systems may be audited under GLBA regulations. GLBA audits would focus more on data privacy, and specifically under Section 501 Subtitle A that requires companies ensure the security and confidentiality of customer records and information. They also need to protect against any anticipated threats or hazards to the security and integrity of these records, and protect t against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
At your institution you’re considered the person who has thought of every possible security angle, and when it comes to locking down the systems, networks and Internet based offerings, you’re confident that you’ve met or exceeded everyone’s expectations for privacy, security. You’ve even heard rumors that your superior is happy. Hold on. Did you forget something? The biggest hole not plugged in your security is sitting in plain view, probably near your workstation, or at least it’s in a public area. The culprit is the institution’s copier. If you’re a larger institution, they’re on the network too.
Financial institutions can expect increased scrutiny on information security policies in 2007 as regulators devise new oversight standards. In December, the Public Company Accounting Oversight Board (PCAOB), which establishes rules for compliance with Sarbanes-Oxley, proposed a new standard for Sarbox section 404, which governs internal controls over financial reporting, including IT controls. Separately, the Payment Card Industry data security standard will require merchants and payment processors to implement stringent IT security procedures, such as additional firewalls and access controls.
The Gramm-Leach-Bliley Act (GLBA) contains a rule, known as the Safeguard Rule, under which the Federal Trade Commission and other federal agencies have established standards for financial institutions relating to administrative, technical, and physical safeguards for customer information. The objectives are to ensure the security and confidentiality of customer records and information, protect against threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to any customer. The rule requires financial institutions to develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards. As part of its program, each financial institution must designate an employee or employees to coordinate its information security program. They must identify internal and external risks to the security, confidentiality, and integrity of customer information and assess the adequacy of safeguards, assure that contractors or service providers are capable of maintaining appropriate safeguards for customer information, and adjust the information security program in light of developments that may materially affect the entity's safeguards.
Who knows? Maybe two and three–factor authentication will become a thing of the past and five–factor authentication will take its place. The same issue with encryption has been encountered over the years. With this example in mind, does it make sense for law to be involved in the technological details? I think not. The law should stay focused on making sure that “inappropriate access and unauthorized use” is not tolerated, and the technologists focuses on how to achieve these goals.
To the Board of Directors Federal Deposit Insurance Corporation: We reviewed information systems general controls[Footnote 1] in connection with our calendar year 2001 financial statement audits of the Federal Deposit Insurance Corporation’s (FDIC) Bank Insurance Fund, Savings Association Insurance Fund, and FSLIC (Federal Savings and Loan Insurance Corporation) Resolution Fund.[Footnote 2] Effective information system controls are essential to ensuring that financial information is adequately protected from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction. Such controls also affect the security and reliability of nonfinancial information, such as personnel and bank examination information maintained by FDIC. Our evaluation included a follow-up review of the information security weaknesses identified at FDIC in our financial statement audits for calendar year 2000.[Footnote 3]
This report summarizes weaknesses in information systems controls over FDIC’s computer systems. We are also issuing a report designated for “Limited Official Use Only,” which describes in more detail the computer security weaknesses identified and offers specific recommendations for correcting them.
Zeroing in on the vulnerabilities of application security
Omar Herrera While we are not analyzing the ethical nature of a hacker, we must still consider a hacker to be a person who maintains a superior level of technical knowledge and abilities. Therefore, by definition we must then accept that there are hackers with good intentions (gurus) and hackers with bad intentions (cyber criminals)
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
RSS Syndication