ISACA Says US Banks can Stem Intrusions, Despite Surge in 2007 Figures

The number of US financial institutions that have experienced a sizeable increase in unauthorised intrusions and bank account losses has increased

(20.03.08) - ISACA, formerly the Information Systems Audit and Control Association, says that the number of suspicious and unauthorised intrusion accesses to bank computer systems can be reduced if the banks boost security staff levels and improve governance over outsourcing.

"According to the Washington Post, the number of US financial institutions that have experienced a sizeable increase in unauthorised intrusions and bank account losses has increased, and the cost to the banks per incident has soared," said Lynn Lawton, CISA, FCA, FIIA, PIIA, FBCS CITP, international president of ISACA and the IT Governance Institute (ITGI).

Lawton says that, although the Washington Post news story is based on a closed Federal Deposit Insurance Corporation report, the general trend of online bank account attacks and successful intrusions is clearly on an upward trend, judging from news reports over the last year in the US and in Europe.

"An additional concern, according to the IT Governance Institute's IT Governance Global Status Report for 2008, which has also just been released, suggests that IT staffing levels are an increasing worry for institution managers, as is their reliance on external outsourcing," Lawton said.

"Based on this data, if banks are to reduce the number of intrusions on their systems, and so regain the customer trust lost in recent years, they need to implement improved IT governance based on frameworks such as COBIT, which includes consideration of resourcing, training, control automation and monitoring internal and external performance and controls," Lawton added.

According to Lawton, even though the Financial Sector is ahead of the rest in implementation of IT Governance, the survey demonstrates that there are still over 25% of Financial Sector respondents not yet doing anything about it.

"Good governance has been shown to have a positive effect on share value, and the positive effect on customer confidence that will accrue in the process should help to attract and retain business, too," Lawton said.

Securing information is a key component of compliance with Sarbanes-Oxley in the USA and Basel II in Europe. The IT Governance Institute (ITGI) is well known for its excellent work in aiding the financial service sector with independent guidance on compliance and has recently released new guidance titled IT Control Objectives for Basel II: The Importance of Governance and Risk Management for Compliance.

Developed by individuals from a range of financial services organizations and other banking advisors, IT Control Objectives for Basel II follows the format and intent of ITGI’s popular IT Control Objectives for Sarbanes-Oxley publication. The book provides unambiguous guidance to operational and information stakeholders - including risk managers, IT practitioners, banking regulators, financial services experts and internal/external auditors - regarding operational and information risk management and its application to the Basel II Capital Accord framework.

Additionally, IT Control Objectives for Basel II:

· Maps Basel II principles for operational risk against IT risk

· Highlights the need for operational and information risk management and IT controls from the perspective of bankers and financial experts

· Offers cross-references with COBIT 4.1 processes

· Provides a framework for managing information risk in the context of the Basel II Capital Accord. By applying this framework, financial service organizations are able to apply recognized practices and controls to their IT environment.

· Outlines steps toward convergence

(ISACA: ITGI: ra)