[ISN] UK banks ignore security audit findings
InfoSec News
isn at c4i.org
Fri May 20 01:11:41 EDT 2005
http://www.theregister.co.uk/2005/05/19/audit_ignoramuses/
By John Leyden
19th May 2005
Some UK corporates routinely ignore the findings of security audits
treating them solely as a necessary step to satisfy corporate
governance regulations, according to an experienced penetration
tester.
Tim Ecott, managing consultant at security integrator Integralis,
explained that banks and other financial institutions are told they
have to carry out a penetration test to comply with audits. In some
cases - perhaps five per cent - Ecott and his team discover the same
faults every time. "The findings of our reports are not followed up on
either by the firms themselves or their auditors. We're not talking
about critical security flaws but certainly about things that need
fixing and leave firms open to attack," he said.
"Some of our clients take our report to pieces and do every thing we
advise but with others, it's the same things over and over again.
Reports over a period of quarters could be copies of each other with
just a different date," Ecott told El Reg.
In some cases companies lack the resources to put things right; and
often getting new applications up on running is given priority,
leaving security concerns neglected, he said. "Firms need to think
about security at the beginning of projects rather than as an
afterthought. Security and business objectives need to be linked." ®
More information about the ISN
mailing list