Compliance and Privacy
Compliance and Privacy News
Essential Reading for Today's Business 15th November 2006

in this issue:
  • What are you doing against Internal Threats?
  • Data chief challenges US access to European Bank data
  • Korean Government to Mandate SSL Certificates
  • Jeff Richards's Demand Insights Blog
  • MiFID: "Implement on time or face legal action" - McCreevy
  • Most security professionals "unaware" of basic online security when shopping
  • Sarbanes-Oxley: Newfound Benefits
  • VeriSign Security Review - October 2006
  • Combating Online Banking Fraud - VeriSign APACS and Deloitte Touche
  • Switch on to Data Protection

    Dear Visitor,

    Many different thoughts this month, not least of which is how you protect yourself from internal threats. An interesting thought is how weird it is to tag a 'Mailbomber' and give him a curfew. Surely he wants to be indoors looking at a computer screen? Or is it Mikado-esque, making the punishment fit the crime?

    Swift remains in the news as does the inexorable onward march of MiFID, and, as MiFID stalks us, there are more benefits to be seen from SOX. Is this a real set of benefits, or are people newsmongering? Only you can judge. We're starting to wonder.

    We have a bizarre result from our own survey on the people who come here over their security awareness when shopping. 74% have never ever checked who provides the certificate behind an alleged secure site. That's just plain perverse. And this is an audience of security and compliance cognoscenti. Maybe everyone needs the UK Information Commissioner's free DVD on Data Protection!

    Whatever you do, if you are in the banking sector you should not miss the VeriSign, APACS & Deloitte Touche event "Combatting Banking Fraud". Remember that the run-up to Christmas is also when the fraudsters are busy.

    That's why we are pleased to bring you our sponsor VeriSign's Security Review. Also the very small article on Korea. Do you trade in Korea? Do you have a website in Korea? If you do, you need SSL, and, though it is easy enough to implement, you need to be prepared now.

    Peter Andrews

    What are you doing against Internal Threats?

    An example is the recent case of David Lennon launching an e-mail attack on his former employer, Domestic & General Group. Lennon caused chaos for Domestic & General by generating millions of hoax e-mails. The insurance company's router and mail server crashed and the cost was in the tens of thousands of pounds. This followed Lennon's dismissal from his part-time job.

    Although Lennon was sentenced to a 2-month curfew and electronic tagging, companies would be ill-advised to assume that this type of attack is their primary threat, dangerous as it was.

    Insider frauds are proliferating. For example, a bank manager in Scotland created £21 million in false loans over a five-year period.

    Data chief challenges US access to European Bank data

    Europe's head of data protection has challenged the European Central Bank on its practice of allowing the US secret service access to private bank-transfer data.

    The European Data Protection Supervisor, Peter Hustinx, has presented some preliminary observations on the study “The Interception of Bank Transfer Data from the Swift System by the US Secret Services”.

    "We have not concluded our investigation on ECB's role yet, but there are already some observations that I can share publicly," he said.

    "I basically challenge the fact that the ECB continued to allow confidential client banking data to pass to the US, although it had become aware of the systematic access by American authorities. Moreover, I cannot help feeling that the ECB should have at least felt morally obliged to inform European governments and authorities about this scheme."

    So begins an article in Computer Weekly.

    Korean Government to Mandate SSL Certificates

    Starting January 1, 2007, any business in Korea collecting personal information online or conducting e-commerce transactions will be required to run SSL certificates on the server side. Client certificates, used mainly for personal Internet banking and online purchases by individuals, are already mandated by the government and have been widely and almost ubiquitously adopted; server certificates, by contrast, have seen very little adoption, so this new legislation marks a major shift in Korean government policy to drive take-up of server certificates. With this legislation, the Korean Government expects online businesses in Korea to install 10,000 new certificates by the end of this year and an additional 40,000 during 2007.

    Jeff Richards's Demand Insights Blog

    Jeff Richards is a Vice President in VeriSign's Information Services group (VIS). VIS is a market leader in providing next-generation infrastructure and real-time information in the Internet, Media, Retail and Healthcare markets. Jeff is a serial technology entrepreneur and Silicon Valley transplant currently posting from Northern Virginia, USA.

    Prior to VeriSign, Jeff was President and CEO of R4 Global, an RFID industry leader acquired by VeriSign in May of 2005. Prior to R4, Jeff was a co-founder and executive at QuantumShift, an enterprise software and services provider in the telecommunications space. Prior to QuantumShift, Jeff was a management consultant with PricewaterhouseCoopers (now part of IBM).

    "My blog will focus on new technologies and trends in our markets, as well as general commentary on interesting happenings in the technology space. I hope it also has a bit of a personal touch. In the supply chain business, we are focused heavily on the retail, consumer goods, and pharmaceutical industries, and demand is a big theme (consumer demand focus) as opposed to supply (manufacturing and production focus)."

    MiFID: "Implement on time or face legal action" - McCreevy

    Speaking at a dinner this week hosted by the Financial Times, EU Internal Market Commissioner Charlie McCreevy warned member states that they are likely to face legal action if they are not ready to introduce the Markets in Financial Instruments Directive (MiFID) on time.

    The directive needs to be implemented by the end of January 2007, and will come into force in November of that year.

    MiFID aims to create a single market for financial products and providers and allow greater competition between different institutions with regard to the provision of certain investment products.

    Most security professionals "unaware" of basic online security when shopping

    In our long-running survey on user security awareness when shopping, which we opened in June 2006 and closed after four months, the results showed a sad lack, even in a security-aware readership, of knowledge of basic aspects of online self-protection.

    The current results are astounding. They show a cavalier disregard for even the most basic security precautions when buying online. And this is by educated users!

    Sarbanes-Oxley: Newfound Benefits

    So says Theodore F. di Stefano in the E-Commerce Times on 27 October 2006, where he starts his article thus:

    Small to medium-sized companies were forced to both develop and document their financial and IT processes much earlier in their business maturity than they would otherwise have. In the past, little attention was paid by these companies to process documentation and controls. SOX created the imperative to develop controls because of its rigorous focus on operational performance.

    The press has been replete with complaints from companies that have to comply with Sarbanes-Oxley (SOX). Some of the criticisms were based upon the outsized cost of compliance. Other criticisms revolved around the difficulty and intricacy of compliance, especially to Section 404, Management Assessment of Internal Controls.

    The complaints, it seems to me, have reached a crescendo and now seem to be dissipating. Out of the turmoil and confusion relating to SOX compliance, it seems that some people are beginning to see real benefits to the act - benefits that could actually enhance the bottom line of a business.

    VeriSign Security Review - October 2006

    In October, Symantec Corp. and VeriSign, Inc. announced plans to deliver security solutions to combat the growing threat of consumer identity theft and fraud on the Internet. Symantec plans to offer support for the VeriSign Identity Protection (VIP) Authentication Service, which allows consumers to utilize one-time passwords to protect their online identity. The VIP Authentication Service is enhanced by the VIP Shared Authentication Network, which enables consumers to use one credential across multiple member websites. In addition, the two companies intend to jointly market combined identity and security solutions to financial institutions, online retailers, and end users.

    In this issue:

    Hot Topics

    • VeriSign Introduces the First Fully-managed Service to Collect, Analyze, Store, and Alert on Logs. Leverage log data for broader compliance and more comprehensive security, at a lower cost than traditional solutions.
    • Take Charge of Compliance with VeriSign Solutions and Services. How many information security regulations apply to your business? What would it take to comply with them all?
    • Intelligent Infrastructure Enables and Protects Your Business. In today's challenging heterogeneous environments, VeriSign enables and protects digital interactions: billions of them a day.

    Monthly Threat Summary

    • Microsoft Corp. released 10 bulletins on Tuesday, Oct. 10, covering 26 vulnerabilities, at least one of which impacts the Windows operating system and is rated as "Critical."

    Combating Online Banking Fraud - VeriSign APACS and Deloitte Touche

    Just a few hours out of your day could save you weeks of planning and research and possibly much more. This free seminar is a fantastic opportunity for you to discuss reducing online fraud with industry leaders and your peers. Find out how you can take both strategic decisions and immediate tactical steps to reduce online fraud.

    VeriSign provides its clients, including a large number of leading financial institutions, with advice and strong practical solutions to fight online fraud. They look forward to sharing their working knowledge and insight with you at their upcoming free seminar in London on the 27th November, where they will present the latest services and developments, including the VIP Network and VeriSign Fraud Detection Services.

    Alongside VeriSign are key speakers from APACS and Deloitte Touche. If you are concerned in any way about online banking fraud, this is an unmissable event.

    Switch on to Data Protection

    The UK Information Commissioner has produced a free DVD for UK businesses that still need to get up to speed with the Data Protection Act. Learn what's in it and how to get your copy.

    Readers should note that references to VeriSign's sponsorship are historical. That sponsorship ended on 28 February 2007, and is simply included here for context and historical purposes. VeriSign is not formally associated with this site in any manner, and has asked us to emphasise this point.