Category: Uncategorized

Technology Under SEC rule 17a-4, instant messages must be archived and retrievable and can’t be edited or changed.

Hedge funds are shying away from using instant messaging to send orders to their brokers because there has been a lack of technology to create an audit trail. “If I did not have the ability to archive these messages, I probably would not use it,” says Angie Kim, chief financial officer of Core Fund Solutions, a San Francisco-based company that oversees four hedge funds. Even though the onus is on the brokers to archive instant messages, “There are still certain legal exposures” for the buy side, says Kim.

In fact, to limit their own exposure, prime brokers – which clear the hedge funds’ trades – don’t want hedge fund managers to use instant messaging, adds Kim. If there is a dispute over a trade, the buy-side firm has to be able to retrieve the instant message to resolve the matter. And, because IM platforms are not as secure or as reliable as most trading systems, prime brokers are concerned that a hedge fund could send them trades that an IM platform may fail to deliver. Since hedge funds tend to outsource many functions, such as operations and trading, to third-parties, they don’t want to spend money developing IT infrastructure in-house to capture and archive IM communications.

Core Fund Solutions uses one such solution, IMTrader, a combination light-weight blotter and instant-messaging platform developed by Boston-based Pivot Solutions that interfaces with compliance systems like IM Logic and Facetime. Additionally, order-management systems are expected to integrate instant messaging into their trading applications, too. “The two greatest advantages [to using a system such as IMTrader] are the ability to see trades [filled] on a real-time basis and the ability to streamline operations by downloading the blotter and uploading trades to the prime brokers,” says Kim, who uses IMTrader to monitor trading in real time between the hedge funds’ portfolio managers and their brokers. JNK Securities, an institutional brokerage firm that uses IMTrader, utilizes an order-management system from Tradeware Systems to translate messages into FIX. Since then, Pivot has tweaked the system, so “You can just add our name to your buddy list,” says Jack Weiselberg, president of JNK Securities.

But before Weiselberg implemented IMTrader, he had to make sure the data network was secure and that it met the compliance regulations that govern brokers’ activities.

More info: http://www.storagepipeline.com/news/19205462;jsessionid=ZLEIGG40253TOQSNDBCCKHY

The better approach is to take some risks, and focus on your core mission: doing business efficiently and aggressively in the competitive marketplace. One of the risks of doing business while connected to the Internet is that bad things will happen occasionally.

Your organization may be one of the unlucky few that suffers a loss of personally identifiable information such as customer names and credit card numbers. Even during the worst moments of the Blaster or Slammer attacks, the companies and government agencies with the best event management programs suffered little.

The 100th dollar you spend has less relative impact than the 1st. Therefore, it is not the size of your security budget that matters, but the effectiveness and efficiency of your security choices. It is very tempting to buy products or services because you are afraid of the next security vulnerability.

Success lies in not over-spending on security nor making the security architecture so complex and extensive that it cannot be managed efficiently.

More info: http://www.csoonline.com/analyst/report2306.html

Infrequent or inadequate patching exposes the organization to significant risk of corrupt systems and stolen information. This nature of software alarmed the federal regulators who in the fall of 2003 dictated that all financial institutions develop an adequate patch management program to reduce the risks posed by these flaws.

The federal regulators declared that a patch management program be part of the financial organization’s information security plan. They also stated that failure to maintain an adequate plan can adversely affect an institution’s overall IT examination rating. With the release of FDIC: FIL-43-2003 the FDIC identified these four steps to a compliant patch management program:

1. Development of appropriate organizational procedures.
Like all programs, a structure needs to be created to facilitate the patch management plan.
2. Monitoring software vulnerabilities and identifying corrective patch information.
Patch management is a pro-active pursuit.
3. Evaluating the impact of patches.
Once a patch has been identified the next step is to assess the impact of that patch on the environment.
4. Testing and installing software patches.
The next step is to test each patch prior to installation.
5. Report to the Board of Directors.
Section 501(b) of the Gramm-Leach-Bliley Act stipulates that institutions must perform periodic risk assessments and present the findings to the Board of Directors.

More info: [url=http://www.bankinfosecurity.com/?q=node/view/554]http://www.bankinfosecurity.com/?q=node/view/554[/url]

CISOs have spent the past few years perfecting digging moats around the corporate castle. Now, as they lift their heads out of the trenches, they find themselves living in the age of bomber planes and guided missiles.

The problems with perimeter-based security are neither new nor unclear. Corporate information systems increasingly rely on tools and processes that exist outside the protective embrace of the traditional firewall. Wireless, mobile, remote and ad hoc are the watchwords of today’s business, with employees, partners and customers often using two or three different devices—ranging from laptops to cell phones to kiosks at the local Internet caf

You need a solution that proactively builds security defenses before the damage is done—instead of reacting after it’s too late. According to the Carnegie Mellon University, more than 90 percent of all security breaches involve a software vulnerability caused by a missing patch that the IT department already knows about. That means most IT departments lack a methodology for rapidly deploying patches. The rest are ones that they did not know about and probably lacked the resource to investigate.

You need to get as close to 100% of your vulnerabilities covered as quickly as possible since one breach can be devastating and costly. Until operating system and application vendors start writing perfectly secure software, IT administrators will have to deal with the patch problem. But effective patch management is more than just plugging holes and hoping for the best. It’s an ongoing, systematic process that can benefit from automation. If your IT environment shows any of these early warning signs, you will have a problem:

FAIR USE NOTICE: This site contains excerpts from copyrighted material (along with links and attributions to full text original sources) the use of which has not been pre-authorized by the copyright owner. This material is made available to advance understanding of political, economic, scientific, social, art, media, and cultural issues. The ‘fair use’ of such copyrighted material is provided for under U.S. Copyright Law. In accordance with U.S. Code Title 17, Section 107, material on this site is distributed without profit to persons interested in such information for research and educational purposes. If you want to use copyrighted material from this site for purposes that go beyond ‘fair use’, you must obtain permission from the copyright owner.