BankInfoSecurity.com - Banking Information Security News, Regulations, & Education  

 

Vendor Management


 Black Hat USA 2007 Briefing

Over 3,700 security professionals gathered in Las Vegas early this month to preview the latest threats and to see firsthand what new attacks and compromises are coming. This year’s conference was substantially bigger than last year’s and included significant representation from vendors and the legitimate white hat security community. Unfortunately, the news from Black Hat is not good for banking and finance executives.


Numerous experts demonstrated attacks that could be launched without creating malicious script. Many features of commonly used protocols, when used in creative ways, can expose users and companies to significant vulnerabilities. One of the more interesting presentations was by Bryan Sullivan and Billy Hoffman of SPI Dynamics on the vulnerabilities of AJAX applications. Many banks and other financial organizations are adopting AJAX to give their users a richer web experience.





 Vendor Management: Working out Contract Issues

No matter who the vendor is, or how long they’ve supplied their service or item to your institution, you need a written contract. Even the company that supplies your bottled water needs a simple form contract.



 Making Your Vendor Management Program Work

They’re doing work for you, and are handling data that would be considered sensitive by your regulators.



 Identity Access Management Systems Need to Focus on Greatest Risks

Manual processes leave financial institutions open to insider threats, according to a new study by the Ponemon Institute, which found that nearly 60 percent of U.S. businesses and government agencies report they don't have the information or the technology to deal with insider threats to their network.

“For the financial services industry there are some important implications in terms of account takeover, authentication credential and a very big risk of a harmful event if someone gains control of part of a financial institution’s network,” said Larry Ponemon, President of the Ponemon Institute.



 Core Banking Vendor Study Results Show Small Bank Trends

The small bank market depends on its leading vendors for its latest technologies, including remote capture, and fraud and security applications, according to a report completed last month.

In the new report, Evaluating the Vendors of Small Banks' Core Banking Systems, Aite Group evaluated and compared the small-bank core systems, cross-selling strategies, and successes of eight of the leading technology providers in the U.S. small-bank market.





 Financial Institutions Face Tight Compliance Requirements in 2007

Financial institutions can expect increased scrutiny on information security policies in 2007 as regulators devise new oversight standards.

In December, the Public Company Accounting Oversight Board (PCAOB), which establishes rules for compliance with Sarbanes-Oxley, proposed a new standard for Sarbox section 404, which governs internal controls over financial reporting, including IT controls. Separately, the Payment Card Industry data security standard will require merchants and payment processors to implement stringent IT security procedures, such as additional firewalls and access controls.



 Top 10 Most Popular Information Security Articles

The results are in, and BankInfoSecurity.com would like to present the Top 10 financial information security articles on this website from 2006. All articles have been posted since January, and include any articles through the last week in July.

Not surprisingly, the number one article referred to actual financial services workers being fooled by a harmless, yet planned CD scam. This can only underline the importance many banks and financial institutions put on educating employees as a starting point to a strong information security program. Rounding off the top 10 are two articles related to phishing, a trend which indicates the problem will continue to be a nuisance to any institution offering online money account access.



 EMC Deal Aimed at Securing Stored Data - Acquisition of RSA is Intended to Handle the Encryption of Tape and Disk Storage

EMC Corp.'s recent acquisition of RSA Inc. underscores the convergence of information security and storage. EMC, which sells large storage systems for use in corporate data centers, bought RSA - a manufacturer of encryption software and devices - to provide it with identity and access management technologies and encryption and key management software, which will help EMC deliver information lifecycle management.

RSA manufactures password tokens that companies can give to customers and employees in order to securely authenticate users; Bank of America employs these tokens in its SiteKey system for securing online access to banking applications.



 Contract Management Market Poised for Consolidation

The contract management software market is moving toward a merger and acquisition spree. Choosing the right vendor can be a risky proposition. This does not mean organizations should delay a contract management purchase. Instead, it means decision makers should carefully weigh the pros and cons of purchasing an Oracle or SAP module versus a best-of-breed solution.

Base Requirements

In order to obtain the business benefits from contract management software, the application must have the following functionality:
- Central searchable contract repository.
- Contract templates.
- Redlining and version control with check-in/check-out capability.
- Integration with Microsoft Word.
- Basic reporting capabilities.



 Software Reduces Contract Lifecycle Management Costs

Contracts perform a critical role in determining the value of a business relationship. For organizations managing large volumes of contracts, contract management software can help improve relationships with vendors and customers, decrease inflated costs, and ensure compliance.

Contract Lifecycle Management (CLM)

CLM is a systematic process for the creation, execution, compliance, and analysis of corporate contracts for the purpose of reducing costs, maximizing operational efficiency, and minimizing risk. More specifically, CLM includes:

Creation. Negotiate, edit, and finalize contract terms. Ensure proper terms, clauses, and controls.

Activation. Establish central contract repository and clause library. Integrate contract data with core business systems.

Compliance. Proactively track compliance with pricing, service, and regulatory requirements at the point of intersection.

Analysis. Assess contract performance and risk during active life and at end of term.

Info-Tech believes that an enterprise can optimize CLM with customers and suppliers by implementing a contract management application.






Copyright © 2007 BankInfoSecurity.com