
With the bank failures of recent weeks, more pending
redundancies and a continuation of the downward slide, should we be
concerned about lax security? Is someone minding the store while
all this is going on or should we be doing something more when the
banks are going bust?
Be ever vigilant
With less "legal money" in circulation, temptations to access
"illegal money" are likely to increase - especially if the walls of
the institution you work in have become paper-thin, writes
Danny Dresner, security analyst at The National Computing
Centre. Correlate that with research into the human
vulnerabilities in information systems that shows that times of
turmoil increase the people side of risk: Houston, we have a
problem! Whatever greater security mergers and acquisitions (or
possibly nationalisations) are supposed to bring, they generate
enough uncertainty for measures to look after number one to kick
in. These may be data timebombs, as profitable information may be
hoarded in anticipation.
Breaching the human firewall
Even the most process-oriented institution hinges on the human
components that carry the information systems through their
lifecycles from conception to disposal. All that data on the hard
drive and the checks for what goes out: how many organisations rely
on the human firewall of last-minute caution?
How many organisations rely on threats of disciplinary action to
assure compliance with their acceptable use or data protection
policy? When your job - or even the whole institution - is going,
there's limited or no incentive to comply.
When IT-savvy users can pocket the database on a USB stick,
who's interested in pilfering the stationery? And never mind the
database. Financial institutions regularly handle identifying
documents - rich pickings to sell at the next dark market (the one
we don't know about).
Processes and regulation
Closures and redundancies will test the security systems. Good
practices such as the BS 7858 screening standard look at movement
in, through and out of the organisation, but what if it is the
controllers of the leaving process who are leaving?
Don't discard standards though. Perhaps pick them up for the
first time. BS 7858 was created to support security screening of
individuals employed in a security environment; with the personal
data sloshing around the banking systems, everyone works in a
security environment.
Technology
How well controlled will the disposition of the assets from
failed institutions be? Will the administrators take tight control
of collecting assets before staff leave? How up to date are your
inventories?
Conclusion
Make warnings about data compliance part of the notification
process, with the awareness that as soon as there are signs of the
going getting tough, the tough will be going about their exit
preparations, and for some this may well precede that. Forensics
has a part to play. What's your forensics policy?
Consider the role of third-party security services to assure
protection in good times and bad. This runs deeper than ISO/IEC
27001 certification. Security is like petrol prices: once
heightened, you never drop back as far as you were before.
Read more expert advice from the Computer Weekly Security Think
Tank.