[ISN] Laptop security lapse at BoI shines a light on data safety

From: InfoSec News (alerts@private)
Date: Mon Apr 28 2008 - 00:10:31 PDT


http://www.independent.ie/business/irish/laptop-security-lapse-at-boi-shines-a-light-on-data-safety-1359869.html

By Sharon Lynch
independent.ie
April 26 2008

LOSING one laptop can be put down to plain bad luck, and two to 
carelessness; three and four, however, would set anybody's alarm bells 
ringing.

But that was apparently not the case at Bank of Ireland, where it 
emerged earlier this week that four laptops had been stolen from the 
institution's investment arm between June and October of last year.

The bank said it was only told six weeks ago that three of the 
unencrypted laptops had been stolen from cars and the fourth from a 
branch.

And when it emerged that the laptops held the personal data of 10,000 
customers, protected only by a password, questions were raised about 
the safety of customer information and about how security systems are 
regulated.


Weak

Owen O'Connor at Information Systems Security Association Ireland 
described the bank's IT security procedure as a "very weak" level of 
protection. "If a laptop is unencrypted, a moderately skilled IT person 
will be able to access all information on the files," he said.

The bank also admitted that it was recent thefts of personal data in 
the UK that prompted it to review its own security operations.

Its head of retail operations, Richie Boucher, said it was felt at the 
time that the password system provided perfectly adequate protection, 
and added that the bank was now moving to encryption. Security 
standards, however, have been available in the Irish market for a 
number of years.
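The distinction the article draws between a password and encryption is 
the one worth checking for across a laptop fleet: a login password 
gates the operating system, not the disk, so whoever pulls the drive or 
boots another OS reads the files directly unless the filesystem sits on 
an encrypted volume. The check below is an added example, not taken 
from the article or from Bank of Ireland; it audits a Linux laptop's 
block-device layout and reports every mounted filesystem that is not 
layered, directly or through LVM, on a dm-crypt volume. It assumes the 
key/value output of `lsblk -P -o KNAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` 
(values without spaces), and the sample input is constructed to mimic a 
LUKS-on-LVM system with a second, unencrypted data disk.

```shell
#!/bin/sh
# Added example: report mounted filesystems that are NOT backed by a
# dm-crypt device. Reads lines in the format produced by
#   lsblk -P -o KNAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME
# on stdin and prints "<kernel name> <mountpoint>" for each unencrypted
# mount. Assumes values contain no spaces (one KEY="value" per field).
unencrypted_mounts() {
  awk '
  {
    # Parse KEY="value" fields into kv[KEY] = value.
    split("", kv)
    for (i = 1; i <= NF; i++) {
      eq = index($i, "=")
      kv[substr($i, 1, eq - 1)] = substr($i, eq + 2, length($i) - eq - 2)
    }
    type[kv["KNAME"]]   = kv["TYPE"]     # disk, part, crypt, lvm, ...
    parent[kv["KNAME"]] = kv["PKNAME"]   # parent kernel device, "" for a disk
    if (kv["MOUNTPOINT"] != "") mount[kv["KNAME"]] = kv["MOUNTPOINT"]
  }
  END {
    # A mount is encrypted if any ancestor in the device stack is TYPE=crypt.
    for (n in mount) {
      enc = 0
      for (d = n; d != ""; d = parent[d])
        if (type[d] == "crypt") { enc = 1; break }
      if (!enc) print n, mount[n]
    }
  }' | sort
}

# Constructed sample (not real output): / lives on LVM over LUKS and is
# fine; /boot/efi and the second disk's /data are unencrypted.
SAMPLE='KNAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
KNAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
KNAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
KNAME="dm-0" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda2"
KNAME="dm-1" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="dm-0"
KNAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
KNAME="sdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data" PKNAME="sdb"'

# On a real machine:
#   lsblk -P -o KNAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME | unencrypted_mounts
printf '%s\n' "$SAMPLE" | unencrypted_mounts
```

Any line of output is a finding. An EFI system partition such as 
/boot/efi is expected to be outside the encrypted volume, so a fleet 
check would exempt it explicitly rather than silently; everything 
else that appears, like the /data disk above, is exactly the "password 
only" situation the article describes.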

An international security standard, ISO 27001, which the Government 
has recommended as a data protection standard, was established three 
years ago.

ISO/IEC 27001, part of the growing 'ISO/IEC 27000 series' of standards, 
is an information security management system (ISMS) standard published 
in October 2005 by the International Organization for Standardization 
(ISO) and the International Electrotechnical Commission (IEC).

In a nutshell, it lists security control objectives and recommends a 
range of specific security controls. Apart from setting out policies 
and basic best practice for securing computer systems, the standard 
also deals with the physical security of premises, the screening and 
training of staff, and the establishment of a security structure.

According to Certification Europe, which provides information, 
training, audit, certification and inspection services in information 
security management, none of the UK banks will deal with each other 
unless they have this standard in place. Only 30 large organisations in 
Ireland have signed up to it, and no banks.

A spokesperson for Bank of Ireland said it was aware of the ISO 27001 
standard and expected to align itself with it in the near future. Under 
ISO 27001, someone would have had to justify, in the bank's risk 
assessment and statement of applicability, why encryption was not 
implemented on the BoI laptops in the first place.

Michael Brophy from Certification Europe said they had been 
"frustrated" this week because the laptop debate had centred on whether 
or not the appropriate security was in place. "For three years, there 
has been an international standard that sets out what is best practice 
when it comes to information security," he said.

"The whole debate about whether something is appropriate security or not 
is redundant. The question now is why organisations like Bank of Ireland 
don't have this standard," Mr Brophy said.

Whether there was any business reason for the personal account 
information of 10,000 people to be routinely stored on laptops is 
questionable, he said.

"Even if there was a valid business reason for putting that volume of 
sensitive data on something as insecure as a laptop, primary 
consideration would have to be technology controls like encryption to 
safeguard the sensitive information on it," he said.

No financial institution in Ireland has achieved ISO 27001 
certification, with the sole exception of Waterford Credit Union, which 
was certified only last month.

"If Waterford Credit Union can put in the resources and the time to get 
it, why aren't the major retailers on the street achieving it?" he said.

Mr Brophy added that similar data thefts have occurred at other 
companies but have not been publicised because of those organisations' 
lower profile.

"It simply comes down to the fact that they're not operating to best 
practice," he said.

"They are not achieving simple international security standards.

"Maybe three or four years ago you could have had the excuse that they 
were not aware of it or did not know about it. Anybody worth their salt, 
who deals with IT, would know about this standard."


_______________________________________________      
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss



This archive was generated by hypermail 2.1.3 : Mon Apr 28 2008 - 00:19:58 PDT