BankInfoSecurity.com - Banking Information Security News, Regulations, & Education  


Management Guidelines


 BankInfoSecurity.com and CUInfoSecurity.com Now Offer More Features, Easier Navigation, New Look

The Information Security Media Group, Corp.(ISMG) today announced the launch of its two redesigned websites, www.BankInfoSecurity.com and www.CUInfoSecurity.com. The redesign offers easier navigation throughout the sites and access to even more information on topics, events and regulations that affect financial institutions.

> Read entire article (log in required - registration is free) TOP


 Transcript of KPMG's Dan Manley on IT and Security Governance

Swart: There are a lot of issues that are gaining prominence in IT management today, and one of the most interesting seems to be IT governance. I was wondering if you could summarize IT governance and why it is getting so much attention lately.

Manley: Richard, IT governance helps make sure that companies have the right systems and software in place to accomplish corporate goals. It drives efficiency and effectiveness of controls in a consistent manner, essentially making sure that the IT department and the operations department are dancing the same dance. IT governance can help align the IT strategy with the business strategy. As a result, KPMG has observed that companies are having more effective conversations related to risk management and the financial investment needs they require to develop a specific operating capability that meets the needs of the business within the overall organizational structure. It’s getting a lot of attention right now because the marketplace environment has changed so significantly, and business models continue to evolve as a result of merger and acquisition activity, alliances and outsourcing. More than ever, companies need to take stock of what IT capabilities exist in the organization, how it operates, how it is controlled, and whether it needs to be monitored on an ongoing basis.



 Survey Says: Global Markets Face Similar Security Challenges

Deloitte & Touche Report Says ID Management, Regulatory Compliance are Top Concerns

Information security has risen to the “C-level” or board level and is seen as a critical issue at many financial institutions worldwide, according to a new global survey by Deloitte & Touche LLP.

The currencies, cultures and compliance issues are unique in individual marketplaces, but many of the security challenges are truly global, says Mark Steinhoff, leader of the firm’s financial services industry’s security & privacy services practice, which has just released its 2007 Global Security Survey for Financial Services.





 When A Criminal Calls

Steps to Take Against Phoned-in Threats

The recent “hostage” by phone scam that hit numerous retail stores and several banks in more than four states points to a question for other financial institutions that were not targeted. (See FBI notice: http://www.fbi.gov/pressrel/pressrel07/extortion_threats083007.htm).

What would your institution do in the event a caller phoned in a bomb threat and claimed to be ready to blow up the branch or office if money isn’t wired to an overseas account?





 Plan To Manage Electronic Data Now

The management of electronic data used to be a “nice thing to do.” Nowadays, the proper archiving, retention, monitoring, filtering and encryption of electronic data is no longer optional but imperative for financial institutions that must comply with regulations and federal law, including the Federal Rules of Civil Procedure (FRCP).

According to Cynthia Jackson, a lawyer at Baker-McKenzie LLP, the need for a plan to manage electronic data means understanding the broad compliance issues, government mandates and e-discovery requirements a financial institution faces. Jackson is a recognized expert in global personnel-related initiatives.





 Two Banking Associations Announce Merger Plans

The American Bankers Association and America’s Community Bankers, two of the nation’s banking associations for banks of all charter types and sizes, announced that their respective boards have approved pursuing a merger. The associations said they intend to finalize the merger in the latter part of 2007.



 Financial Institutions: Fight Back Against Unwanted Email

Financial institutions receive email from a wide variety of sources, and like other companies they’re facing the unwanted solicitation emails that range from replica watches to penny stock offerings. The employees at financial institutions are also faced with these emails that make it past filters and into their inboxes.



 The OCC on Bank Director Education

Common sense is something all bank directors are expected to possess; bank directors with years of experience seem to be brimming with it. But if you’re a new, or relatively new, appointee to a board of directors at a bank,



 FDIC’s Identity Theft Supervisory Letter – What Banks Need to Do

When it comes to compliance with the FDIC’s recent Supervisory Letter on Identity Theft, financial institutions need to “beef up” their consumer education programs, along with looking more closely at their existing risk assessment programs to mitigate current and potential areas of vulnerabilities.



 Law Requires Information Security Programs to Be Risk-based

The banking industry is one of the most highly regulated and closely supervised among those handling sensitive consumer information. Besides being subject to security breach disclosure laws at the state and federal levels, it must comply with industry-specific laws and regulations related to information security and privacy.



 Richard Swart Podcast Transcript on Information Security Education Programs

ALAN ZAPANTA(ISMG): Now, recently, you have been conducting some compelling research regarding the skill level that the information security industry demands and the current curriculum that many colleges ascribe to. Could you please give us a brief overview?

RICHARD SWART: Yes. I did this research in cooperation with the Center for Systems Security and Information Assurance, which is a consortium of about 120 universities mostly on the East Coast. And what we realized was a gap between the expectations of industry in terms of the skill levels that recent graduates should have and the type of training that universities were providing. So we did a parallel set of surveys where we were able to ask specific questions to both industry leaders and to professors to gauge how they were preparing students to enter the information security field and to try to identify where there was a mismatch between what the professors were doing and what the industry needed.



 BankInfoSecurity.com Establishes Advisory Board

Knowing what’s important to banking professionals is key to providing the information and news coverage needed in the financial services industry. Having a “finger on the pulse” is the best way to describe the formation of BankInfoSecurity.com’s inaugural Advisory Board.

The new members of BankInfoSecurity.com’s Advisory Board are from every region of the country, and represent a wide range of asset sizes of national banks, community banks and savings and loan institutions. “Knowing what your peers are thinking, and how they’re approaching a certain issue, helps you find what works at your bank,” said Linda McGlasson, Managing Editor of BankInfoSecurity.com.



 What's VoIP Got to Do with GLBA Data Privacy

The Gramm-Leach-Bliley Act may not appear to have anything to link it to the Voice over IP technology being implemented in financial institutions, but IT departments and information security officers should look closely at how the new phone systems may be audited under GLBA regulations. GLBA audits would focus more on data privacy, specifically under Section 501 of Title V, Subtitle A, which requires companies to ensure the security and confidentiality of customer records and information. They also need to protect against any anticipated threats or hazards to the security and integrity of these records, and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer. A VoIP deployment brings call recordings, voicemail and call-detail records onto the same IP network as other customer data, so those stores and the paths to them fall within the same scope.



 Run Your Information Security Program Like A Business - Insights from World’s First CISO – Steve Katz

Being an information security officer at a financial institution isn’t an easy job, but imagine being the first Chief Information Security Officer at your institution, and the first one, period. Steve Katz shared his thoughts on information security from his unique perspective of being just that—the first CISO of a major financial institution. What many of us take for granted in our programs was hewn out of thin air by Steve since the mid 1980s.

Steve Katz is a true luminary among the information security community. Known as the world’s first chief information security officer, Katz is widely regarded as one of the discipline’s thought leaders. In addition to his role since 1985 as a senior security executive for J.P. Morgan, Citibank/Citigroup and most recently Merrill Lynch, he has been a force at both industry and government levels in raising the visibility and shaping the direction of the security industry.



 BankInfoSecurity.com Interviews Alan Paller

Today we're speaking with Alan Paller of the SANS Institute. For those of you who don't know, SANS is the most trusted and, by far, the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system, the Internet Storm Center. Their website is www.sans.org.

Alan is the director of research for the SANS Institute, and he's responsible for overseeing all research projects ranging from the SANS Step-by-Step Guides to the SANS Digest to the Top 20 Internet Security Tricks. He's also the founder of the CIO Institute and earned his degrees in computer science and engineering from Cornell and MIT. Alan is the author of the EIS book Information Systems for Top Managers and How to Get the Best Presentation of your Life. In 2001, the President named Alan as one of the original members of the National Infrastructure Advisory Council; and in 2005, the Federal CIO Council chose him as its 2005 Azimuth Award winner, recognizing his vision and outstanding service to federal information technology.



 Writing Effective Information Security Policies

Writing effective information security policy is more than just laying down a set of rules and procedures; it's a process unto itself, whose goal is to create a dynamic instrument that will protect a financial institution's most precious asset - information.

Fortunately, resources exist to assist chief information security officers in formulating effective policy, such as Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, published in 2006 by the IT Governance Institute and available for free download at www.itgi.org.



 Financial Institutions Face Tight Compliance Requirements in 2007

Financial institutions can expect increased scrutiny on information security policies in 2007 as regulators devise new oversight standards.

In December, the Public Company Accounting Oversight Board (PCAOB), which establishes rules for compliance with Sarbanes-Oxley, proposed a new standard for Sarbox section 404, which governs internal controls over financial reporting, including IT controls. Separately, the Payment Card Industry data security standard will require merchants and payment processors to implement stringent IT security procedures, such as additional firewalls and access controls.



 The Twelve Days of Secure Banking

Wish List from Financial Institutions to Our Customers

As the weather outside gets colder and the year draws to an end, we're thinking of what would be some of the things we'd like to give and receive as gifts during the holidays. While your personal list may be longer than this, here's the 12 things we wish all of our customers and employees would do - loosely based on "The Twelve Days of Christmas". Hum along if you don't sing.



 Common Pitfalls and Mistakes in Preparing for an IT Regulatory Exam

If your financial institution is facing an IT regulatory exam soon, you'll want to be ready for it. Despite the best efforts of your team, will your institution be ready? BankInfoSecurity.com's webinar will prepare your team for this arduous task. In the meantime, we interviewed Susan Orr, an ex-FDIC examiner, who will lead the webinar, to illuminate your path to prepare for an IT regulatory exam.

BIS: If you were to narrow down to the top items that institutions should focus on in preparing for an IT regulatory exam, what should the number one concern be?



 The Challenging Role of a Director

Security and internal controls now begin in the board room. Two laws have been passed by Congress, the Gramm-Leach-Bliley Act of 1999 (GLBA) and the Sarbanes Oxley Act of 2002 (SOX), which have refocused the spotlight on a financial institution's board of directors. The role of a board member has grown in importance and complexity since the adoption of these two laws. GLBA re-emphasized the board's involvement in overseeing operations and implementing the appropriate policies, procedures, and controls to ensure the security, confidentiality and integrity to customer's financial information. Under GLBA a financial institution must develop a comprehensive written security program that encompasses administrative, technical, and physical controls. Board involvement is imperative in the development, implementation and maintenance of this program.



 ISO 17799 and 27001: Setting the Standards for Information Security

Financial institutions are subject to a slew of laws and regulations aimed at information security. There's Gramm-Leach-Bliley (privacy), Federal Financial Institutions Examination Council (authentication and online banking), and Payment Card Industry (card security). There's also California's and other states' data breach disclosure laws, and the Sarbanes-Oxley Act, which requires IT to test the effectiveness of controls over financial-reporting systems. And the European Union's privacy laws, etc.

While these laws and regulations do a good job of defining the scope of information security and spelling out the role of information security in risk management, they have little to say about what constitutes effective information security or how to achieve it. Fortunately, the International Organization for Standardization (ISO) has developed two standards that do precisely that: ISO 17799, a code of practice listing controls, and ISO 27001, the specification against which an information security management system can be certified. By adhering to them, banks can go a long way toward satisfying regulatory compliance requirements.





 Top 10 Most Popular Information Security Articles

The results are in, and BankInfoSecurity.com would like to present the Top 10 financial information security articles on this website from 2006. All articles have been posted since January, and include any articles through the last week in July.

Not surprisingly, the number one article described actual financial services workers being fooled by a harmless but planned CD scam. This only underlines the importance many banks and financial institutions place on educating employees as the starting point of a strong information security program. Rounding out the top 10 are two articles related to phishing, a trend which indicates the problem will continue to be a nuisance to any institution offering online account access.



 Chief Security Officers Reveal Business Continuity, Resiliency and Disaster Recovery the Top Security Business Concern in 2006

The CSO Magazine Security Sensor, a bi-annual survey of 420 chief security officers (CSOs) and senior security executives conducted by IDG's CSO magazine, reveals business resiliency and disaster recovery as the top-ranking priority for security chiefs in 2006, up from the third most important priority in 2004. Conversely, educating employees about security policies slipped from the top priority in 2003 to the third most important priority in 2006. Yet while business preservation and disaster recovery top the list of business priorities, the money isn't on the table: the top factor driving security investment in 2006 is regulation and compliance (43%), with only 5% of respondents ranking risk of financial loss as a top priority and a mere 3% investing due to security concerns about the threat of terrorism and war.

"It's very likely that the fallout from Hurricane Katrina and the latest upheaval in U.S. Port security matters have driven home the importance of contingency planning for the nation's CSOs," says Derek Slater, editor of CSO magazine. "However, CSOs' short-term fiscal priorities reflect an immediate need to comply with government and industry mandates such as Sarbanes-Oxley. While CSOs recognize the strong need to plan for business continuity, they don't seem able to secure the money to take necessary steps at this time, and that's a big risk."



 Are You Big Brother?

There are many unpleasant tasks in life and work. Monitoring employee behavior is one of those unpleasant tasks. Management has to take a strong role in ensuring that liability does not come the company's way, i.e., risk management. New regulations hold management responsible for employee behavior that can expose the company to monetary loss, criminal charges and civil lawsuits. The buck stops here.

Most of us don't want to be Big Brother. We don't like the idea of "spying" on our employees. We don't like the taste of infringing on someone's privacy because we value our own. However, what you don't know will hurt you and may hurt you in a court of law. Fortunately technology has made our job a lot easier.



 Security Audit Findings Spurring Organizational Change

The demands of new regulations, including the Sarbanes-Oxley Act, Gramm-Leach-Bliley, the Patriot Act, and disclosure statutes for security breaches, are forcing banks to implement stringent information security measures. The auditing of information technology, once a rather staid component of an auditing firm's practice, has gone gangbusters with the explosion of legislation and the publicity surrounding hacking incidents and losses of customer data.

Banks today must be prepared to undergo top-to-bottom audits aimed at finding chinks in their information security architectures, and then go about remediating deficiencies. Where should they look?

Before a bank can interpret and act upon the findings of an audit, it must understand the audit's scope. According to the Information Systems Audit and Control Association (ISACA), a security audit breaks down into seven categories: systems understanding, security management, security administration, system configuration, access controls, file and directory protection, and reporting and auditing.



 Guide for Developing Security Plans for Federal Information Systems

This publication is not from one of the Federal or State Banking Agencies, but given our extremely diverse audience, this will be of interest to organizations and individuals responsible for developing and maintaining security plans and programs.

The objective of system security planning is to improve protection of information system resources. All federal systems have some level of sensitivity and require protection as part of good management practice. The protection of a system must be documented in a system security plan. The completion of system security plans is a requirement of the Office of Management and Budget (OMB) Circular A-130, "Management of Federal Information Resources," Appendix III, "Security of Federal Automated Information Resources," and of Title III of the E-Government Act, the Federal Information Security Management Act (FISMA).

The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system owner, and the senior agency information security officer (SAISO). Additional information may be included in the basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable.



 Part II: Personnel Profiles for Information Security Positions in Banks

Determining if a candidate possesses the skills necessary to fill an information security position effectively before hiring him/her is not a trivial task. There are many methods one can use to gauge the effectiveness of a candidate's background.

It is important to note that for some positions it might be very difficult to find a perfect candidate (sometimes even finding a single candidate might be quite difficult). Banks should realize that they need to be somewhat flexible, and should define minimum thresholds that keep the hiring process cost-effective. Training less experienced candidates may be a viable option when the cost and time needed to fulfil all requirements are flexible.



 Part 1: Personnel Profiles for Information Security Positions in Banks

Omar Herrera

Information security personnel in Banks

Banks have specific requirements for the experience and abilities of their information security personnel. However, it is becoming harder for qualified professionals to satisfy requirements from these institutions.

While information security personnel can be trained in specialized areas of information security, they still need to have relevant general information security background and a minimum number of years of experience in the industry.





 Stanford CU On Board With Strong Authentication

Andrew Miller - BankInfoSecurity.com Editor

In October, the Federal Financial Institutions Examination Council (FFIEC) issued guidance for authentication in the Internet banking environment.

Financial institutions are expected to achieve compliance by year-end 2006. The guidance states: "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."



 Reviewing Equipment System Logs - Do I have to?

Pete Boergermann - BankInfoSecurity.com Contributor

Gone are the days when we could just throw a hub on a closet shelf, run a few network cables, connect some PCs and a server to it and have a network. Logs? What logs? Why would we want to look at them? Times have changed, and most devices connected to your network have logging capabilities. These devices can produce large amounts of valuable data, but it can be overwhelming to manage. A new industry that creates technology to manage security event logs is just starting up. As this technology matures, we may end up with products that can correlate the data between devices and alert us to events on a global, multi-device level. Maybe these new products will be able to learn and adapt to new event information, possibly make assessments based on trends, then send only the alerts that need to be acted upon. Now that securing our networks is so important, we should be asking questions like: “What do we log, and why?” “How often do we need to look at it, and who should review it?” Then reality hits and these comments come to mind: “I really have other things I need to do.” “Reviewing them is boring and time consuming.” “I will get to them tomorrow.”
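The cross-device correlation the column wishes for is not magic; even a small script can do the first step. The following is an added example, not code from the column or from any product it mentions. It assumes a simplified syslog-style line layout ("timestamp device message") and uses constructed sample lines from three hypothetical devices (fw-edge, core-sw, vpn-gw); real devices use their own formats and would need their own parsers. It raises one medium alert when a single source IP fails authentication four times within a minute across at least two devices, and a high alert if that source then logs in successfully, while leaving isolated failures unreported.

```python
"""Multi-device log correlation: alert once, and only when it matters.

Added example (not from the original column). Assumes a simplified
syslog-style line layout: "<ISO timestamp> <device> <message>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from three hypothetical devices (not real logs).
SAMPLE_LOGS = """\
2007-09-04T09:00:01 fw-edge sshd: Failed password for admin from 203.0.113.7
2007-09-04T09:00:05 core-sw login: authentication failure for admin from 203.0.113.7
2007-09-04T09:00:09 fw-edge sshd: Failed password for admin from 203.0.113.7
2007-09-04T09:00:12 vpn-gw auth: login failed user=admin src=203.0.113.7
2007-09-04T09:00:15 core-sw login: authentication failure for admin from 203.0.113.7
2007-09-04T09:01:30 fw-edge sshd: Accepted password for admin from 203.0.113.7
2007-09-04T09:05:00 vpn-gw auth: login failed user=jsmith src=198.51.100.4
2007-09-04T09:40:00 core-sw login: authentication failure for jsmith from 198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Each device words its messages differently; normalise them to fail/success.
FAIL_MARKERS = ("Failed password", "authentication failure", "login failed")
SUCCESS_MARKERS = ("Accepted password",)


def parse_line(line):
    """Return {'ts', 'device', 'src', 'kind'} for an auth event, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    device, msg = m.group(2), m.group(3)
    ip = IP_RE.search(msg)
    if not ip:
        return None
    if any(k in msg for k in FAIL_MARKERS):
        kind = "fail"
    elif any(k in msg for k in SUCCESS_MARKERS):
        kind = "success"
    else:
        return None  # not an authentication event; nothing to correlate
    return {"ts": ts, "device": device, "src": ip.group(1), "kind": kind}


def correlate(lines, threshold=4, window=timedelta(seconds=60), min_devices=2):
    """Alert per source IP on (a) >= threshold failures within `window`
    spread over >= min_devices devices, and (b) a success that follows
    such a burst within five windows. Isolated failures never alert."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent_fails = defaultdict(list)   # src -> [(ts, device), ...]
    burst_at = {}                      # src -> time the burst alert fired
    alerts = []
    for e in events:
        src, now = e["src"], e["ts"]
        # sliding window: drop failures older than `window`
        recent_fails[src] = [(t, d) for t, d in recent_fails[src] if now - t <= window]
        if e["kind"] == "fail":
            recent_fails[src].append((now, e["device"]))
            devices = sorted({d for _, d in recent_fails[src]})
            if (len(recent_fails[src]) >= threshold
                    and len(devices) >= min_devices
                    and src not in burst_at):
                burst_at[src] = now  # alert once per burst, not per line
                alerts.append({"ts": now, "src": src, "severity": "medium",
                               "reason": "distributed brute force",
                               "failures": len(recent_fails[src]),
                               "devices": devices})
        elif src in burst_at and now - burst_at[src] <= 5 * window:
            # a burst followed by a success: the account may be compromised
            alerts.append({"ts": now, "src": src, "severity": "high",
                           "reason": "success after failure burst",
                           "device": e["device"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS.splitlines()):
        print(a["ts"].isoformat(), a["severity"].upper(), a["src"], a["reason"])
```

Run against the constructed sample, the script emits two alerts for 203.0.113.7 (the burst across three devices, then the successful login eighty seconds later) and nothing for 198.51.100.4, whose two failures are 35 minutes apart. The thresholds are the tuning knobs a reviewer actually argues about; the per-device parsing is the part that does not scale without a product behind it.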




 Emerging Technology Tradeoffs

You have all heard the horror stories of companies that implemented a technology before it was robust enough to support real operations. However, for every Hershey Foods or Value America story, there are dozens of companies like Capital One, Fidelity, State Street and other industry giants that were able to take advantage of advanced IT technology to leapfrog their companies into the forefront of their respective industries.





 Financially Sophisticated Board Members Aren't Necessarily Good for the Company

Wharton

Boards of directors were heavily blamed by many for not nipping the Enron, WorldCom and other corporate scandals in the bud. Depending on who was doing the criticizing, directors were at wo



 Banks Face Added Risks in a Tough New Regulatory Arena

Wharton

Bankers Trust was an aggressive and entrepreneurial commercial bank that developed some of the basic risk management tools now used throughout the banking industry. (It merged with Deutsche Bank in 199



 Web Site Modifications


by Mary Beth Guard, BOL Guru
Brought to you by Bankersonline.com


Question: We are in the process of changing the vendor for our Internet banking service. As a result, the look and feel of that part of our Web site will change. Any advice about customer impact?



 Internet Banking and Corporate Accounts


by Mary Beth Guard, BOL Guru
Brought to you by BankersOnline.com


Question: What are the best practices when offering internet banking to CORPORATE accounts? And further, if individuals on these corporate accounts also hold consumer accounts with us, can we allow th



 Impact of Information Security Trends on Banks, Part 1: New Hacker's Objectives

Omar Herrera
September 1st 2005

While we are not analyzing the ethical nature of a hacker, we must still consider a hacker to be a person with a superior level of technical knowledge and ability. Therefore, by definition, we must accept that there are hackers with good intentions (gurus) and hackers with bad intentions (cyber criminals).





 Does E-mail Retention Require Your Attention?

By: Lila Buchalski, Editor, Bankinfosecurity.com
September 9, 2005

Today, if you Google the phrase “email retention,” 19.6 million matches are found. If nothing else, that means this topic is surrounded by industry buzz. With all of the complex regulations that include only vague policies on email retention, it is hard to assess whether or not you will soon be thrown into the deep end. While following behind the pace car that signifies “industry best practice,” it is





 Passing a SOX audit: Lessons Learned From An Information Security Professional

Robert Childs - Search Security

Like many information security professionals, I spent the last year working with auditors to decipher the new world of compliance. The Sarbanes-Oxley Act has changed how auditors look at controls, in turn challenging IT and Finance departments to interpret the control requirements and implement compliant processes. We spent the better part of e



 ID Thief Finds Holes in Bank Security


Most banks are surprisingly vulnerable to identity theft, according to a hired gun who makes his living by penetrating their security systems.

With over 100 successful heists to his credit, Jim Stickley is one of the most successful bank robbers of all time. But he’s not after the cash. He’s after something more valuable — identity. Most bank robbers only get away with a few thousand dollars; Stickley gets away with information worth millions.



 Electronic Banking

Description:  Final Rule  
The OCC has issued a final rule governing national banks’ ability to conduct business using electronic technologies.  The regulation was published in the Federal Register on May 17 and, except for one provision, is effective on June 17.  The exception is a provision containing certain disclosure requirements for national banks that have co-branded Web sites or other shared electronic space. 

Among the most significant changes, the final ru



 Meeting the PCI Data Security Standard requirements mitigates threats


Diana Kelley - SearchSecurity.com  

What you will learn from this tip: How using five security best practices gets you closer to compliance with the PCI Data Security Standard and helps mitigate common threats to e-business.

The media has been abuzz with a series of reports of retailers such as DSW (Designer Shoe Warehouse) and Polo Ralph Lauren suffering disturbing losses of credit card information.



 Impact of Information Security Trends on Banks, Part 3

Omar Herrera

If we analyze the impact of certain types of security incidents (e.g. system intrusion, fraud, denial of service, leak of confidential information) on several types of industries, we will see that the impact is higher on banks and financial institutions than on any other kind of organization.

If you study the security issues surrounding information technology dependency, you will see that this is one b



 A Tale of Two Systems

George Capehart

In a previous column we talked about some of the characteristics of Web services systems that have implications for Information Security and identified some of the kinds of security problems that arise in systems that are implemented in this paradigm. One of the sets of problems that was mentioned was Emergent Risks. In this article, we will talk a little more about them and give examples from two different ki



 Federal Banking Agencies Request Comment on Suggested Domestic Risk-Based Capital Modifications

The four federal banking agencies--the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision--today published an interagency advance notice of proposed rulemaking (ANPR) regarding potential revisions to the existing risk-based capital framework.



 Spyware Costs Companies $130,000 Each Month

New data shows that on average, businesses are spending an eye-popping amount of money every month in IT resources to fight the spyware plague.

FaceTime Communications, an IT security provider, surveyed more than 1,000 IT managers and end users.  The key finding: spyware and other unsanctioned downloads are resulting in average monthly costs of $130,000.

The survey also found that spyware incursions appear to be growing at a rate twice that of computer virus incidents.  Much of



 A SOX army of one: How to spearhead compliance efforts

Mike Lamkin - 10.11.2005
SearchSecurity.com

While many of you have undergone the rigors of meeting compliance requirements for Sarbanes-Oxley, some of you are new to the role, or are associated with companies that are just going public and have not previously been subject to this legislation. For those of you lucky enough to have drawn the assignment, the task may seem quite daunting. However, there are a few step


 Security solutions for e-banking and e-commerce with credit/debit cards - Part 1: Analyzing the Security Issues

Omar A. Herrera Reyna – CISA, CISSP
(omar.herrera@oissg.org)
November 2005

Introduction
With all sorts of attacks against e-banking and e-commerce systems targeting primarily customers, securing transactions has become increasingly difficult for banks and online stores.

Credit and debit cards are widely used for shopping online. However, their use for e-banking (e.g. payments, money tra



 Practice List For Information Security Management

Practice 1: Recognize Information Resources as Essential Organizational Assets That Must Be Protected

"Information technology is an integral and critical ingredient for the successful functioning of major U.S. companies." -- Deloitte & Touche LLP Survey of American Business Leaders, November 1996
 
The organizations we studied recognized that information and information systems were critical assets essential to supporting their operations that must be prote



 Financial Systems and Internal Controls

October 27 - GAO recognizes the importance of strong financial systems and internal controls to ensure our accountability, integrity, and reliability. To achieve a high level of quality, management maintains a quality control program and seeks advice and evaluation from both internal and external sources.

GAO is committed to fulfilling the internal control objectives of 31 U.S.C. 3512, formerly the Federal Managers’ Financial Integrity Act (FMFIA). Alth



 NIST's Generally Accepted Principles and Practices for Securing Information Technology Systems

To provide a common understanding of what is needed and expected in information technology security programs, NIST developed and published Generally Accepted Principles and Practices for Securing Information Technology Systems (Special Pub 800-14) in September 1996. Its eight principles are listed below.

1. Computer Security Supports the Mission of the Organization

2. Computer Security Is an Integral Element of Sound Management

3. Computer Security Should Be Cost-Effe



 Using Secret Questions

To help verify a user's identity in the case of a lost password, many Web applications use secret questions. By answering a pre-selected question, a user can demonstrate some personal knowledge of the account owner. A classic example is asking to provide a mother's maiden name.

Answering secret questions requires some knowledge of the user account, but secret questions break all the rules for strong passwords and have some significant weaknesses:

- An attacker can somet



 Security awareness training: How to educate employees about spyware

We all know the threats posed by spyware to enterprise networks: user ID and password theft, financial loss, productivity drain, intellectual property theft. Security practitioners have two defenses at their disposal: the human and the technical. While the technology for combating spyware is improving, antivirus vendors have only recently started adding functionality to target it. That means the best defense is the human one – employees and end users. They can help in the battle against spywar






Copyright © 2007 BankInfoSecurity.com