Forum for Information Security

Assurance & Compliance - July 30, 2005 8:59 am

By the way, it's worth mentioning that the cost and effort of SOX compliance is driving many smaller businesses up the wall. See what a small community bank had to say about SOX:

http://www.sec.gov/news/press/4-497/rouchi031405.pdf

Not surprising really, when you consider that compliance costs run into millions of dollars and smaller companies JUST don’t have the internal resources, and external consultants are very expensive.

I don’t hear any comments from the consulting chaps.

They must be wishing that there’s a new SOX passed by Congress every year.

Comments?

RiOn

Assurance & Compliance - July 25, 2005 5:13 am

The news is out - the SEC, the regulator in charge of monitoring SOX compliance, has announced that small businesses (<75 Million USD market cap) have until July 2006 (instead of July 2005) to establish and implement internal controls (Section 404 of SOX refers to internal controls and is a key part of SOX).

RiOn

Information Security - July 22, 2005 10:27 am

After the recent security breach at Card Systems, an Atlanta-based payments processing service provider for Visa and Mastercard, there is a renewed focus on data security. 40 million cardholders’ details were exposed - thereby renewing concerns about the security and privacy programs of payments intermediaries like Visa, Mastercard and Amex. Although all three have their own separate standards for information security, the question is whether the policies are actually enforced or whether there are gaps.

In the Card Systems instance, Visa executives, in an attempt to deflect criticism, said that Card Systems was storing customer data after they had processed the transactions - a clear violation of Visa’s CISP (see below for more information on CISP).

We can expect that Visa (and the others - MC and Amex) are going to crack down on third party providers - by insisting on compliance statements and independent security audits at the minimum.

Watch this space for more details….

Visa Cardholder Information Security Program (CISP) “defines a standard for securing Visa cardholder data, wherever it is located. CISP compliance is required of all entities that store, process, or transmit Visa cardholder data.”

http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html

Despite the emphasis on secure transactions, the threat of identity theft of personal and sensitive information has escalated. To protect its customers and set precedence for data security, Visa established the Cardholder Information Security Program (CISP), which supports the Payment Card Industry (PCI) Data Security Standard outlining 12 security requirements for all members, merchants, and vendors who process, transmit, or store Visa cardholder data.

The question is and always was: Are Security Policies by themselves effective? Or do they need to be enforceable?

Do post your comments.

Rion

Information Security - July 13, 2005 5:27 am

This isn’t your father’s hacker

Here’s an article on how the nature of the hackers on the Internet is changing. Where it used to be that the majority of the hackers out there were talented programmers or script kiddies, nowadays the real hackers are working for organized crime and earning the big bucks.

There really hasn’t been much of a change to the nature of the Internet. Malware and hacking is following much the same pattern that the Internet did itself not too long ago. First, a few talented hacks got involved to explore what could be done. Then a larger audience began using what they’d developed. Then big business saw a possibility for profit and took over. The only difference is that it’s organized crime that’s seen the possible profit and organized the hackers.

In India, the cyber laws are still not foolproof enough to ensure information security. Hence, to tackle these new ORGANIZED cyber crimes, it’s necessary to look at the business implications and potential of the loopholes present in the network. Vulnerabilities should not be classified as high, medium or low just on the basis of historical data; technological advancements should also be considered before the classification.

Information Security - July 8, 2005 8:51 am

We know that companies operating out of London suffered huge losses because of yesterday’s terrorist attacks.

London, Madrid (Train Blasts), NY (9/11), Delhi (Attack on Parliament), Tokyo (Subway Gas Disaster)….

The message is quite clear.

No place is safe.

It’s becoming not just important, but critical that companies plan for disasters (natural and man-made) - and incorporate Business Continuity Plans into their business models.

Are companies able to restore systems in the shortest possible time? Are they able to handle personnel contingencies? Are they able to identify which key components need to be available and guarantee their integrity?

These, and many other questions, are answered in the first step of disaster recovery - Business Impact Assessment.

More on this. Watch this space.

RiOn

Assurance & Compliance - July 7, 2005 12:42 pm

No one wants to write security policies, but every company needs one. Right?

Here is an example of what to avoid:

The general process is that the person assigned will copy a policy from another company, change the names, and submit it for acceptance. The result is that no requirements were identified, no issues were properly addressed, and a solution that was specifically developed for another company has been used as a best hope of solving the current company’s requirements.

A robust IT security policy is key to any enterprise IT security program. If there are flaws and loopholes in the security policy, then these problems are likely to get compounded later.

Food for thought…

RiOn

Assurance & Compliance - 12:41 pm

Most US Banks use the SAS70 standard as a management and control review system to comply with regulatory stipulations. European Banks mainly go for the EU Data Directive (which covers security and privacy) and BS7799. Banks in Australia / NZ use the AS/NZS4444 (which is a derivative of BS7799). In India, we don’t have a security standard that banks must necessarily implement, nor do we have guidelines from the Reserve Bank or the Ministry of Finance.

Logically, tweaking a standard like the ISO17799 should work fine - depending on reporting and compliance requirements, additional controls should be specified and implemented. This is where the RBI or even an industry body can provide inputs which can be incorporated into a variant of the standard.

More on establishing a security standard for use by Indian Banks later.

Post your comments online.

RiOn

Information Security - July 4, 2005 9:16 am

Just while we were on the topic of financial institutions and security breaches, VISA and MASTERCARD disclosed recently that up to 40 million subscribers may have had their details ‘exposed’ by hackers who got into Card Systems Inc (an Atlanta, GA-based transactions processing company) through open back doors. CardSystems tried initially to ‘hush’ it up, VISA and MASTERCARD got mad, and the rest is, well, take a guess…

In this instance, it all came down to one individual with unauthorized access.

There you have it - one person can cause everything to come undone. In my opinion, it’s practically next to impossible to stop the one individual who’s capable and has done his homework from getting into systems - but it is certainly possible these days, with our know-how, to come up with an effective ALERT and RESPONSE mechanism. It’s not much good to shrug and say ‘but I didn’t know much about it…’

CNN’s take on the episode: http://money.cnn.com/2005/06/17/news/master_card/

Goes to show - even if you have strict Security Standards, like Visa and Mastercard already do, it’s one thing implementing security in your own backyard and another to get a supplier / partner to implement and enforce the same high standards.

This is actually a big deal. The media from Moscow to Medina had a field day - and the companies didn’t quite know where to hide. And PR people are scrambling to stop the bloodletting.

More later. Although I would place a safe bet on Card Systems being flooded with class action lawsuits and probably having to seek Chapter 11 sometime this year because of the compensation amounts, contract termination fees etc., which are all very likely to hit them.

Let me know what you think of it all,

RiOn

Information Security - 8:50 am

The issue of identity theft is now the biggest official cybercrime segment, report watchdogs and security agencies.

Here’s the latest: http://deseretnews.com/dn/view/0,1249,600145529,00.html

Would you believe it? Employees at Bank of America and Wachovia (two of the largest banks in the US) stole tens of thousands of client records and offered them for sale to third parties - in clear violation of the institutions’ codes of conduct and security policies. Bank Am spends 250 Million USD each year on security, and employs hundreds of people whose sole job is to ensure information security.

Many banks today already have internal systems and controls in place which are set up on a ‘need to know’ basis - i.e. information that an employee sees has a direct relation with his / her job function, and only that information is disclosed. Additionally, there are strict background checks and induction training programs which iterate and emphasise security policies, employee codes of conduct, etc.

But do they work?

Are bank procedures reliable?

Can we rely on banks (or for that matter anyone) to put in place ‘adequate’ safeguards to protect our personal information?

We already have an answer to the question above… Can we trust banks to be honest and sincere when it comes to disclosure, especially of security breaches and other events which may affect their business? I.e. banks don’t like bad news, and if there’s something they like even less, it’s to be the bearer of ill tidings.

Which brings us to Compliance, one of the focus areas for this discussion forum. The Office of the Comptroller of the Currency (OCC) has legislation in place which forces banks to disclose security breaches and to take corrective steps, etc. Just to give some teeth to the legislation, one of the penalties listed is ‘loss of license’… says it all, doesn’t it?

Bottom Line: Privacy of Information is going to be a BIG BIG thing if it isn’t already.

If you’ve got any feedback / comments - just go ahead, post ‘em!

Rion

Assurance & Compliance - 8:32 am

Sometimes there just seem to be too many standards, and organizations either have to rely on intuition or the advice of their ‘consultant’ to go with one or the other. My guess is that on an operational level, most companies see compliance with standards or a quality system as a distraction, at best. Some probably view adopting a standard as a better way to market themselves and gain credibility. In my mind, some recent security breaches in the BPO industry have prompted industry watchers to question whether companies are really serious about implementing the security policies and processes (which they already have or are in planning mode). Most have heard that a well known financial services BPO was in the news because of an employee-coordinated fraud that resulted in financial losses to several US-based customers of its principal, a leading bank. What many people don’t know is that this BPO was the first in the industry here to attain BS7799 certification. A couple of questions come to my mind - was this certification relevant to the needs of the business? If so, then were there problems with the implementation that led to such a blatant security breach… If not, then why was it adopted in the first place - if it couldn’t prevent such lapses? Again, another BPO was recently dragged into the public eye when one of its employees allegedly sold thousands of client records to a third party media outfit in a sting operation. The company backtracked, the employee was fired - but are there any safeguards in place to prevent other records being stolen, or for that matter, other companies getting their ‘fingers burnt’?

I don’t think so. Nasscom is making some noises, the PM’s office is ‘outraged’ and has since chaired a meeting with Government and industry representatives to ‘ensure that this doesn’t happen again’…

But how? There will be resistance from many if mandatory policies (which require systems and support) are forced down the industry’s palate. And again, there is the question of which policies are applicable, and how does one go about creating a basic Universal Set of Policies for the Outsourcing industry and then move forward to customizing the policies where applicable?

Existing standards like BS7799, COPC, etc. can and should, of course, be referred to when policies are defined and designed for a specific industry sector - but there are dangers to adopting one standard as a whole, because there may well be a few ‘blanks’ and ‘gaps’ - areas it does not address in terms of coverage.

That, my friends, is the interesting question.

Have a good one,

Rion