A critical software problem for banks

Written by

New Quocirca research (sponsored by on-demand software code security specialist, Veracode) underlines a problem faced by financial services organisations when it comes to security and compliance; they track getting on for twice as many critical software applications as other organisations.
This is not just an issue when it comes to ensuring that all the code of all their commercially acquired and in-house developed software code is secure (as a new Quocirca report to be published in early 2012 will discuss); it is also an issue when it comes to monitoring and restricting access to all those applications.
There is more for banks to worry about than their own employees. A previous Quocirca research report (The distributed business index, sponsored by network acceleration vendor Riverbed) showed that banks are more likely than other organisations to make their applications accessible to outsiders; namely contractors, partners, suppliers and customers.
Providing access to so many applications for such a broad range of users is of course a big security headache. However, it is also a compliance issue. The financial services industry is heavily regulated, with national, EU and global watch dogs keeping an eye on them. Compliance often means proving who has been doing what; some are specific about this. For example, PCI DSS V2.0 Requirement 8 states that organisations that handle payment card data should “assign a unique ID to each person with computer access” and “ensure that each individual is uniquely accountable for his or her actions”.
Achieving this requires a way to centrally manage identities and associate a single identity with all a user’s actions, whatever the systems and applications they are accessing. How these issues affect financial services organisation i is a subject of a webinar Quocirca is speaking at on Dec 7th in conjunction with Centrify (an identify management specialist).
To find out more and register for the webinar, click here.

What’s hot on Infosecurity Magazine?