UK finance sector: IT security testing 'becoming close to mandatory'

the next step

would be a mandatory certification for all those working in IT security in important sectors.

Followed after by a governing body to encourage continued compliance and knowledge sharing.

Followed by a regulatory body to punish anyone failing even after all these measures have been taken.

Followed by an exodus of talents in the industry because of over regulation and too high of an entry barrier with not enough pay.

Then we'll be the same as teachers, doctors and nurses and a growing list of profession that are being made to take responsbility a lot of the times for things completely outside of their control.

highly hypocritical given that Talktalk Dido is one of the Bank of England directors

How about making the people in charge responsible and accountable?

Until we see real punitive punishments of the people (and companies) that allow the kind of breaches that have taken place. When the heads of large companies can get away with statements like "I can't tell you which data, if any, was encrypted" then nothing will change.

All that happens is the responsibilities get pushed down the food chain as well as the blame.

Mixed feelings

I have mixed feelings about this. If there is a mandatory requirement then all that the banks will do will be the minimum to tick those boxes whilst lobbying hard to keep the framework as watered down as possible to save themselves money. It's not like they don't own the regulators.

Some sort of big penalty financial penalty if they screw up on security - a bit like the risk to profits that normal businesses that aren't bailed out by the government face if they screw up - would be a better incentive for them to be proactive instead of box tickers.

Had your customer database nicked? That's a big load of compensation to your customers. Better than "not our fault because we did the bare minimum to stay inside the rules".

Hold Steady

It appears that this failure at clap trap was not at the door of some simple sap in IT but at the level of process and system. It appears to have been yet another weak link in the chain. I hope I am safe, I left their clutches a long time ago, yet their rubbish processes apparently may have kept details on file for ex-customers who have long since left their clutches. This is a process level failure at corporate process and governance level, not IT staff level. If they ran such a sloppy ship then what else is broken at the same corporate level, if regulation is needed and it sorely appeared to be needed to weed out such weak links then regulation and mandatory audits should be the way forward. Regulation should only ever catch those in charge of process and design errors, not those who have no responsibilities for other than than their defined role.

Clap trap are part of the financial service chain, if they or anyone else does not like the heat give up and send the bag man round to collect cash on door steps.

Explain to me...

Why is that a bad thing? Especially in light of the TalkTalk fiasco?

IT Security... In Banks?

Well, allow me....

Some of our networks guys and server admins are genuinely brilliant. Some of their management aren't even that appaling. But, once you're in the building past the security guards downstairs, which is easy because they nod off around midnight when there's nobody around, then you can get by the around by sitting on a PC that some genius has forgotten to lock (I can see three from here), then you're in.

So now its just between you and the programmer for access to whatever data you need. Two guesses how well that works out? A FORMER employer has trade capture systems that broadcast sensitive data over the network to any subscribers... only you can add a subscriber without authentication or authorisation. That system was supposed to be inside one of the firms Chinese Walls.

They had password and creds laying about on the web servers & file system unencrypted, or checked into version control in plain text, and I've even seen them hard coded into source files. There were password that were unchanged in 10 years, for systems accounts, that are well known to anyone that ever worked in the team but now works elsewhere.

There's next to no encryption, very little proactive interrogation of logs, and poorly conceived policies that are badly implemented.

Security of IT in a bank? It doesn't exist. What does exist is a lot of people that don't understand security who believe the systems are secure. It's no better anywhere I've worked - they're all hopeless at it.

The only bank that is different is my current employer who are best in class and a pure joy to work for.

(Tell me when El Reg, tell me when you'll have HTTPfeckinS)

Like DUH !

This should be mandatory of any financial institution Ferchrissake.

Testing?

What makes anybody think they have time for testing? None of them even seem to have the resources to maintain uptime let alone testing?