World Bank Technology Risk Checklist

Thread: World Bank Technology Risk Checklist

  1. #1
    Senior Member
    Join Date
    Jan 2003

    World Bank Technology Risk Checklist

    Hey Hey,

    This is a few months old but it was just posted to a mailing list that I subscribe to and I haven't seen it here before, so I'll add it for those that are interested.

    Digital technology enables the world to become increasingly interconnected as an entire economy becomes reliant upon a single,
    network infrastructure. While this offers tremendous opportunities to many industries, including financial, telecommunications, health,
    and transportation, it can also be a cause for concern if security issues are improperly addressed, or even neglected altogether. Heinous
    crimes such as theft, fraud and extortion can occur in great magnitude within a matter of seconds. The new network-mediated economy
    paradoxically presents unparalleled opportunities for the creation of good outcomes or the perpetuation of bad ones.

    Trends in cyber crime reveal significant growth. Between 1999 and 2003 in the United States, attacks on computer servers increased by over
    530% to 137,000 incidents.1 This is partly attributable to vulnerabilities in software code, which have grown from a total of 500 in
    1995 to over 9000 in 2002 (CERT). Developing countries are also being targeted, even as leapfrog technology is implemented. Brazil
    has seen hacker attacks increase by at least 100% yearly since 2000.2 These growing numbers bear particular importance for the financial
    sector. The International Data Corporation ( reported that more than 57% of all hack attacks last year were initiated in
    the financial sector (source and year. The FBI has corroborated this statistic. Equally troubling, FINCEN's Suspicious Activity Reports
    for Computer Intrusions have shot up more than 500% over the past year.3 With the growing amount of financial data stored and
    transmitted online, the ease of computer intrusions adds to the severity of traditional crimes such as identity theft; to put this in
    perspective for the digital age, over USD$222 billion in losses were sustained by the global economy as a result of identity theft.4

    In an effort to mitigate these types of threat, the World Bank publication “Electronic Security: Risk Mitigation in the Financial
    Transactions” describes e-security processes and procedures. This is not just confined to the financial industry. As the network
    infrastructure spans across industry borders, so too, does the critical need for electronic security. As far back as 1995, the ISO/IEC
    13335, better known as the Guidelines for the Management of IT Security (GMITS), recognized that the Internet was a hostile
    environment that would require the use of proper e-security. ISO 17799 is the most widely utilized security standard for information
    systems. Because ISO 17799 was written with the 90's cyber-space environment in mind, it has become outdated and deficient given the growth in outsourcing, wireless usage, applications, blended threats and the organized and dynamic approach to hacking that various criminal
    syndicates have taken in recent years. This checklist aims to ask those questions that all too often have been ignored.
    The thirteen layers of e-security described in the World Bank publication cover both the hardware and software pertaining to network
    infrastructures. These 13 layers comprise a matrix, which manages the externalities associated with open architecture environments.
    1. Risk Management—A broad-based framework for managing assets and relevant risks to those assets.
    2. Policy Management- A program should control Bank policy and procedural guidelines vis-à-vis employee computer usage.
    3. Cyber-Intelligence- Experienced threat and technical intelligence analysis regarding threats, vulnerabilities, incidents, and countermeasures should provide timely and customized reporting to prevent a security incident before it occurs.
    4. Access Controls/Authentication—Establish the legitimacy of a node or user before allowing access to requested information. The first line of defense is access controls; these can be divided into passwords, tokens, biometrics, and public key infrastructure (PKI).
    5. Firewalls—Create a system or combination of systems that enforces a boundary between two or more networks.
    6. Active content filtering—At the browser level, it is prudent to filter all material that is not appropriate for the workplace or that is contrary to established workplace policies.
    7. Intrusion detection system (IDS)—This is a system dedicated to the detection of break-ins or break-in attempts, either manually or via software expert systems that operate on logs or other information available on the network. Approaches to monitoring vary widely, depending on the types of attacks that the system is expected to defend against, the origins of the attacks, the types of assets, and the level of concern for various types of threats.
    8. Virus scanners—Worms, Trojans, and viruses are methods for deploying an attack. Virus scanners hunt malicious code, but require frequent updating and monitoring.
    9. Encryption—Encryption algorithms are used to protect information while it is in transit or whenever it is exposed to theft of the storage device (e.g. removable backup media or notebook computer).
    10. Vulnerability testing—Vulnerability testing entails obtaining knowledge of vulnerabilities that exist on a computer system or network and using that knowledge to gain access to resources on the computer or network while bypassing normal authentication barriers.
    11. Systems administration—This should be complete with a list of administrative failures that typically exist within financial institutions and corporations and a list of best practices.
    12. Incident response plan (IRP)—This is the primary document used by a corporation to define how it will identify, respond to, correct, and recover from a computer security incident. The main necessity is to have an IRP and to test it periodically.
    13. Wireless Security—This section covers the risks associated with GSM, GPS and the 802.11 standards.
    Technology Risk Checklist - 31 Page PDF
    Technology Risk Checklist - 31 Page PDF

    It's a very interesting read and a handy checklist.

    If this has been posted before, I apologize, I couldn't find it... and, Mods, If you want to move it to another Forum... go for it.

    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
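Layer 7 of the checklist quoted above (intrusion detection) describes software that operates on logs to spot break-in attempts. The following is an added example, not part of the thread or of the World Bank document: a small log-driven detector that flags a burst of failed logins from one source and, more importantly for a responder, a later successful login from that same source. The log format, host name and IP addresses are constructed for the example and are not real data.

```python
"""Added example: minimal log-based detection of the kind the IDS layer describes.
Everything here (log format, host, addresses) is constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log, syslog-like, not captured from any real system.
SAMPLE_LOG = """\
2003-06-01T10:00:01 host1 sshd: Failed password for root from 192.0.2.10
2003-06-01T10:00:03 host1 sshd: Failed password for root from 192.0.2.10
2003-06-01T10:00:04 host1 sshd: Failed password for admin from 192.0.2.10
2003-06-01T10:00:05 host1 sshd: Accepted password for alice from 198.51.100.7
2003-06-01T10:00:06 host1 sshd: Failed password for root from 192.0.2.10
2003-06-01T10:00:07 host1 sshd: Failed password for root from 192.0.2.10
2003-06-01T10:00:08 host1 sshd: Accepted password for root from 192.0.2.10
2003-06-01T10:20:00 host1 sshd: Failed password for bob from 203.0.113.5
2003-06-01T10:25:00 host1 sshd: Failed password for bob from 203.0.113.5
"""

# Assumed line layout: "<iso timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return a list of alerts.

    A 'bruteforce' alert fires once per (source, host) pair when `threshold`
    failed logins fall inside any sliding window of `window_seconds`.
    A 'success_after_bruteforce' alert fires when that same source later logs
    in successfully, which is the event a responder most wants surfaced.
    """
    failures = defaultdict(deque)  # (src, host) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["src"], ev["host"])
        if ev["result"] == "Failed":
            recent = failures[key]
            recent.append(ev["ts"])
            # Discard failures that have aged out of the sliding window.
            while (ev["ts"] - recent[0]).total_seconds() > window_seconds:
                recent.popleft()
            if len(recent) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"type": "bruteforce", "src": ev["src"],
                               "host": ev["host"], "failures": len(recent),
                               "at": ev["ts"].isoformat()})
        elif ev["result"] == "Accepted" and key in alerted:
            alerts.append({"type": "success_after_bruteforce", "src": ev["src"],
                           "host": ev["host"], "user": ev["user"],
                           "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, 192.0.2.10 trips the threshold on its fifth failure and is then flagged again when its `root` login succeeds, while 203.0.113.5's two failures twenty-five minutes apart stay below both the count and the window and produce nothing. The window keeps a slow trickle of genuine typos from paging anyone; the post-burst success alert is what turns a noisy counter into something an incident response plan (layer 12) can act on.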

  2. #2
    Senior Member
    Join Date
    May 2003
    HTRegz.... Indeed a comprehensive checklist. The good thing is that although developed by the World Bank it is applicable to all industries.

    Great Find....
    ****** Any man who knows all the answers most likely misunderstood the questions *****
