Your recent article referred to the patchwork of federal and state laws and regulations regarding corporate obligations to provide information security, which appear to be coming together to provide ever-expanding coverage of corporate activity. Could you tell us more about these recent developments?

TOM SMEDINGHOFF: Basically, if you survey the legal landscape and you look at the state laws, the federal laws and even international laws, there are literally hundreds and hundreds of different laws that focus on information security obligations. But when you stand back and look at those from a distance, there are basically three trends that emerge from those laws.
It’s always sitting there like the 800-pound gorilla in the room: the upcoming IT audit at the institution. No one asks if it’s still there, because we all know it is. We’ve all gone through at least one IT audit; some of us successfully, others of us have been handed a list of recommendations from our auditors. One of the drivers behind an IT audit is the list of 114,000 new regulations (according to the OMB) passed in the U.S. since 1981, and these regulations include the Sarbanes-Oxley Act (SOX). SOX is more than just Section 404 documentation. From proper retention, retrieval and disposition of audit data, to corporate responsibility for financial reports, to real-time disclosure, SOX places a comprehensive compliance burden on a financial instit
Given the high cost of containing information security breaches, financial institutions have invested lots of time and money into developing incident response programs. But how do they know if their program is working properly?
Financial institutions can expect increased scrutiny on information security policies in 2007 as regulators devise new oversight standards. In December, the Public Company Accounting Oversight Board (PCAOB), which establishes rules for compliance with Sarbanes-Oxley, proposed a new standard for Sarbox section 404, which governs internal controls over financial reporting, including IT controls. Separately, the Payment Card Industry data security standard will require merchants and payment processors to implement stringent IT security procedures, such as additional firewalls and access controls.
The arms race against phishers, strengthening firewalls, FFIEC authentication deadline issues and the constantly evolving risk management model were among the many topics covered by the FINSEC 2006 conference speakers last week in New York. The security strategy, tools and techniques presentations in the two-day conference were led by eleven information security experts from national banks and financial firms. The most sought-after seat was in the FFIEC Authentication Guidance talk led by Diana Kelley, VP and Service Director at the Burton Group. It was standing room only within five minutes of the start, showing that many of the FINSEC 2006 attendees wanted to know how the authentication guidelines will apply to their institutions. The Tower Group has estimated that only 20 percent of institutions will have security systems implemented by the end of the year.
Marcia Wilson - BankInfoSecurity.com Editor

In the year 2005, there were over 53 million individuals affected by security breaches wherein their personal information was compromised. The ChoicePoint incident was considered one of the first highly publicized events where notification to the individuals affected was made. As the year closed, more than half the States’ Legislatures considered or approved bills to protect citizens’ personal information. Congress considered several bills that would make notification of a security breach mandatory nationwide. The cause of security breaches varies widely, from compromised passwords, to stolen laptops, to lost backup tapes, dishonest insiders, online exposure, hackers, and even inadvertent disclosures such as sending out an email containing social security numbers to a mass mailing list. The onus of protecting personal information sits squarely on the data owner’s head. What can banks do to make sure that employees do not participate, either willingly or unwillingly, in data disclosure?
By: Lila Buchalski, Editor, Bankinfosecurity.com

Today, if you Google the phrase “email retention,” 19.6 million matches are found. If nothing else, that means that this topic is surrounded by industry buzz. With all of the complex regulations that only include vague policies on email retention, it is hard to assess whether or not you will soon be thrown into the deep end. While following behind the pace car that signifies “industry best practice,” it is
Robert Childs - Search Security

Like many information security professionals, I spent the last year working with auditors to decipher the new world of compliance. The Sarbanes-Oxley Act has changed how auditors look at controls, in turn challenging IT and Finance departments to interpret the control requirements and implement compliant processes. We spent the better part of e
Mike Lamkin - 10.11.2005