This is a few months old but it was just posted to a mailing list that I subscribe to and I haven't seen it here before, so I'll add it for those that are interested.
Digital technology enables the world to become increasingly interconnected as an entire economy becomes reliant upon a single network infrastructure. While this offers tremendous opportunities to many industries, including financial, telecommunications, health, and transportation, it can also be a cause for concern if security issues are improperly addressed, or even neglected altogether. Heinous crimes such as theft, fraud and extortion can occur in great magnitude within a matter of seconds. The new network-mediated economy paradoxically presents unparalleled opportunities for the creation of good outcomes or the perpetuation of bad ones.
Trends in cyber crime reveal significant growth. Between 1999 and 2003 in the United States, attacks on computer servers increased by over 530% to 137,000 incidents.[1] This is partly attributable to vulnerabilities in software code, which have grown from a total of 500 in 1995 to over 9000 in 2002 (CERT). Developing countries are also being targeted, even as leapfrog technology is implemented. Brazil has seen hacker attacks increase by at least 100% yearly since 2000.[2] These growing numbers bear particular importance for the financial sector. The International Data Corporation (www.idc.com) reported that more than 57% of all hack attacks last year were initiated in the financial sector (source and year). The FBI has corroborated this statistic. Equally troubling, FINCEN's Suspicious Activity Reports for Computer Intrusions have shot up more than 500% over the past year.[3] With the growing amount of financial data stored and transmitted online, the ease of computer intrusions adds to the severity of traditional crimes such as identity theft; to put this in perspective for the digital age, over US$222 billion in losses were sustained by the global economy as a result of identity theft.[4]
In an effort to mitigate these types of threats, the World Bank publication "Electronic Security: Risk Mitigation in the Financial Transactions" describes e-security processes and procedures. This is not just confined to the financial industry. As the network infrastructure spans across industry borders, so too does the critical need for electronic security. As far back as 1995, ISO/IEC 13335, better known as the Guidelines for the Management of IT Security (GMITS), recognized that the Internet was a hostile environment that would require the use of proper e-security. ISO 17799 is the most widely utilized security standard for information systems. Because ISO 17799 was written with the 1990s cyberspace environment in mind, it has become outdated and deficient given the growth in outsourcing, wireless usage, applications, blended threats and the organized and dynamic approach to hacking that various criminal syndicates have taken in recent years. This checklist aims to ask those questions that all too often have been ignored.

Technology Risk Checklist - 31 Page PDF

The thirteen layers of e-security described in the World Bank publication cover both the hardware and software pertaining to network infrastructures. These 13 layers comprise a matrix which manages the externalities associated with open architecture environments.
1. Risk Management - A broad-based framework for managing assets and the relevant risks to those assets.
2. Policy Management - A program should control Bank policy and procedural guidelines vis-à-vis employee computer usage.
3. Cyber-Intelligence - Experienced threat and technical intelligence analysis regarding threats, vulnerabilities, incidents, and countermeasures should provide timely and customized reporting to prevent a security incident before it occurs.
4. Access Controls/Authentication - Establish the legitimacy of a node or user before allowing access to requested information. The first line of defense is access controls; these can be divided into passwords, tokens, biometrics, and public key infrastructure (PKI).
5. Firewalls - Create a system or combination of systems that enforces a boundary between two or more networks.
6. Active content filtering - At the browser level, it is prudent to filter all material that is not appropriate for the workplace or that is contrary to established workplace policies.
7. Intrusion detection system (IDS) - This is a system dedicated to the detection of break-ins or break-in attempts, either manually or via software expert systems that operate on logs or other information available on the network. Approaches to monitoring vary widely, depending on the types of attacks that the system is expected to defend against, the origins of the attacks, the types of assets, and the level of concern for various types of threats.
8. Virus scanners - Worms, Trojans, and viruses are methods for deploying an attack. Virus scanners hunt malicious code, but require frequent updating and monitoring.
9. Encryption - Encryption algorithms are used to protect information while it is in transit or whenever it is exposed to theft of the storage device (e.g. removable backup media or a notebook computer).
10. Vulnerability testing - Vulnerability testing entails obtaining knowledge of vulnerabilities that exist on a computer system or network and using that knowledge to gain access to resources on the computer or network while bypassing normal authentication barriers.
11. Systems administration - This should be complete with a list of administrative failures that typically exist within financial institutions and corporations and a list of best practices.
12. Incident response plan (IRP) - This is the primary document used by a corporation to define how it will identify, respond to, correct, and recover from a computer security incident. The main necessity is to have an IRP and to test it periodically.
13. Wireless Security - This section covers the risks associated with GSM, GPS and the 802.11 standards.
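To make layer 7 a bit more concrete, here is a small Python script I've added as an illustration (it is not from the World Bank checklist or the PDF): a "software operating on logs" rule of the kind the item describes. It parses sshd-style auth-log lines and raises an alert when one source address accumulates five failed logins inside a sixty-second window, while counting lines it could not parse so a log-format change does not silently blind the rule. The log format, the host name, the addresses, the assumed year, the threshold and the window are all my own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth-log lines (sshd-style syslog format). The host name,
# addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
Mar 12 10:00:01 bankhost sshd[2311]: Failed password for invalid user admin from 198.51.100.23 port 4410 ssh2
Mar 12 10:00:03 bankhost sshd[2312]: Failed password for root from 198.51.100.23 port 4411 ssh2
Mar 12 10:00:04 bankhost sshd[2313]: Failed password for root from 198.51.100.23 port 4412 ssh2
Mar 12 10:00:06 bankhost sshd[2314]: Failed password for oracle from 198.51.100.23 port 4413 ssh2
Mar 12 10:00:07 bankhost sshd[2315]: Failed password for root from 198.51.100.23 port 4414 ssh2
Mar 12 10:00:09 bankhost sshd[2316]: Accepted password for jsmith from 192.0.2.10 port 51002 ssh2
Mar 12 10:05:00 bankhost sshd[2320]: Failed password for jsmith from 192.0.2.10 port 51003 ssh2
Mar 12 10:05:30 bankhost sshd[2321]: Accepted password for jsmith from 192.0.2.10 port 51004 ssh2
Mar 12 10:06:00 bankhost sshd[2322]: Connection closed by 192.0.2.10 port 51004
"""

# Matches only the login-outcome lines; anything else is counted as unparsed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_line(line, year=2004):
    """Turn one log line into an event dict, or None if it is not a login line.
    Syslog timestamps carry no year, so one is assumed (parameter)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window rule: alert once per source IP whose failed logins reach
    `threshold` within `window`. A slow trickle of failures spread over hours
    does not fire; a burst does. Also returns how many lines were not parsed,
    so a log-format change is visible instead of silently blinding the rule."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts, alerted, unparsed = [], set(), 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        if ev["result"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({"ip": ev["ip"], "failures": len(q),
                           "first": q[0], "last": ev["ts"]})
    return {"alerts": alerts, "unparsed": unparsed}

if __name__ == "__main__":
    report = detect_bruteforce(SAMPLE_LOG)
    for a in report["alerts"]:
        print(f"ALERT {a['ip']}: {a['failures']} failed logins between "
              f"{a['first'].time()} and {a['last'].time()}")
    print(f"{report['unparsed']} line(s) not parsed")
```

Run it as-is and it flags the burst from 198.51.100.23 while leaving jsmith's single typo alone; the threshold and window are exactly the knobs the item has in mind when it says monitoring approaches vary with the assets and the level of concern, and the unparsed count is the thing to graph so that the detector's silence can be told apart from a format change.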
It's a very interesting read and a handy checklist.
If this has been posted before, I apologize, I couldn't find it... and, Mods, if you want to move it to another forum... go for it.