Tuesday, August 17, 2010

Congress Acknowledges Outdated Banking Laws

Event Summary

On October 22, the White House and Congress agreed to change outdated US banking laws. Until this agreement was reached, the White House had promised to veto the banking reform bill. Details of the compromise have reportedly not yet been disclosed. The new legislation aims to replace banking laws written during the Depression era with up-to-date Year 2000 era banking laws.

Currently, FDIC policy only "encourages" banks to perform information security audits. If a bank does decide to have an information security audit done, the independent security auditor is hired by the bank itself, which can create a conflict of interest. Also, today's banks are not qualified to judge which information technology consultants perform quality audits. A consulting house being a big, well-known name does not guarantee that it will perform an exhaustive, high-quality information security audit. Every consultancy that performs information security audits does them differently.

The FDIC reviews these optional audits and assigns what is called a URSIT rating to the financial institution. URSIT stands for Uniform Rating System Information Technology and is an indicator of how well a bank manages its internal information technology systems, including their security. Currently, the FDIC has no procedures for how to assign URSIT ratings, and URSIT ratings are only made available to the bank's board of directors.

Market Impact

The October 22nd announcement is a clear admission that today's banking laws do little to take internet banking and internet banking security into consideration.

When Stephen White, an information review examiner for the FDIC, was asked, "Due to all the security compromises on government systems, how can you expect the general public to have faith in the government's ability to monitor information security at banks?" he responded that today's URSIT ratings are meaningless without facts to support them.

Clearly, some banking reform and regulation is in dire need. An independent auditor, not paid by a bank's board of directors, should be auditing all FDIC-insured banks. The FDIC's information security audit should be standardized and presented to various private sector security forums for review.



SOURCE:
http://www.technologyevaluation.com/research/articles/congress-acknowledges-outdated-banking-laws-15248/