http://www.independent.ie/business/irish/laptop-security-lapse-at-boi-shines-a-light-on-data-safety-1359869.html

By Sharon Lynch
independent.ie
April 26 2008

Losing one laptop can be attributed to plain bad luck, and two can be put down to carelessness, but three and four would set anybody's alarm bells ringing.

That was not the case at Bank of Ireland earlier this week, when it emerged that four laptops had been stolen from the institution's investment arm between June and October of last year. The bank said it was only told six weeks ago that three of its unencrypted laptops had been stolen from cars and another from the branch.

When it emerged that the laptops held the personal data of 10,000 customers, protected only by a password system, a number of questions were raised about the safety of customer information as well as the regulation of security systems.

Weak

Owen O'Connor of the Information Systems Security Association Ireland described the bank's IT security procedure as a "very weak" level of protection. "If a laptop is unencrypted, a moderately skilled IT person will be able to access all information on the files," he said.

The bank also admitted that it was the theft of personal data in the UK in recent times that triggered it to review its own security operations. Its head of retail operations, Richie Boucher, said it was felt at the time that the password system formed perfectly adequate protection. He added that the bank was now moving to encryption.

However, security standards have been available in the Irish market for a number of years. An international security standard, ISO 27001, which has been recommended by the Government as a data protection standard, was established three years ago.

ISO/IEC 27001, part of the growing 'ISO/IEC 27000 series' of ISO/IEC standards, is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). In a nutshell, it lists security control objectives and recommends a range of specific security controls. Apart from setting out policies and basic best practice for securing computer systems, the standard also deals with the physical security of premises, the screening and training of staff, and the establishment of a security structure.

None of the UK banks will deal with each other unless they have this standard in place, according to Certification Europe, which provides information, training, audit certification and inspection services in information security management. Only 30 large organisations have signed up to it in Ireland, but no banks.

A spokesperson for Bank of Ireland said it was aware of the ISO 27001 standard and expects to align itself with it in the near future. In this case, ISO 27001 would require someone to justify why encryption was not implemented on the BoI laptops in the first place.

Michael Brophy from Certification Europe said they had been "frustrated" this week because the laptop debate centred on whether or not the appropriate security was in place. "For three years, there has been an international standard that sets out what is best practice when it comes to information security," he said. "The whole debate about whether something is appropriate security or not is redundant. The question now is why organisations like Bank of Ireland don't have this standard," Mr Brophy said.

The business reason as to why the personal account information on 10,000 people needed to be regularly stored on laptops is questionable, he said. "Even if there was a valid business reason for putting that volume of sensitive data on something as insecure as a laptop, primary consideration would have to be technology controls like encryption to safeguard the sensitive information on it," he said.

Not one financial institution in Ireland has achieved the ISO 27001 standard, with the sole exception of Waterford Credit Union, which only got its certification last month. "If Waterford Credit Union can put in the resources and the time to get it, why aren't the major retailers on the street achieving it?" he said.

Mr Brophy added that similar data theft has occurred at other companies, but this has not been publicised due to the smaller profile of these organisations. "It simply comes down to the fact that they're not operating to best practice," he said. "They are not achieving simple international security standards. Maybe three or four years ago you could have had the excuse that they were not aware of it or did not know about it. Anybody worth their salt, who deals with IT, would know about this standard."

_______________________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss
This archive was generated by hypermail 2.1.3 : Mon Apr 28 2008 - 00:19:58 PDT