“Third-party providers are providing some information, but financial institutions are using their own resources to continue” seeking additional information on a broad array of security details, according to Faith Boettger, a senior consultant to BITS, the industry group behind the project.
The effort is aimed at making it easier on both sides: for the financial institutions that need the information, and for the service providers that are getting deluged with invariably disparate and often redundant requests. The new policy won’t just touch on what level of encryption providers put on data or what security protects databases that contain customer information, although those are two of the granular details it will touch on. The group is putting together a standardized questionnaire that will touch on service providers’ security policy, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, system development and maintenance, business continuity and regulatory issues.
Priscilla Rabbayres, a global regulatory executive in the financial services sector for IBM, told eWEEK that IBM considers the financial institutions’ efforts to be of “enormous importance,” particularly given the times. “If we look back even a year ago, this was an important issue, but it really came to life with the California legislation of 2003 [that required enterprises to inform customers of security breaches],” she said. “One service provider may look at one standard, another at another aspect,” she said.
http://www.eweek.com/article2/0,1759,1917900,00.asp?kc=EWRSS03119TX1K0000594