|
Information Security News
mailing list archives
UK banks ignore security audit findings
From: InfoSec News <isn () c4i org>
Date: Fri, 20 May 2005 00:11:41 -0500 (CDT)
http://www.theregister.co.uk/2005/05/19/audit_ignoramuses/
By John Leyden
19th May 2005
Some UK corporates routinely ignore the findings of security audits
treating them solely as a necessary step to satisfy corporate
governance regulations, according to an experienced penetration
tester.
Tim Ecott, managing consultant at security integrator Integralis,
explained that banks and other financial institutions are told they
have to carry out a penetration test to comply with audits. In some
cases - perhaps five per cent - Ecott and his team discover the same
faults every time. "The findings of our reports are not followed up on
either by the firms themselves or their auditors. We're not talking
about critical security flaws but certainly about things that need
fixing and leave firms open to attack," he said.
"Some of our clients take our report to pieces and do every thing we
advise but with others, it's the same things over and over again.
Reports over a period of quarters could be copies of each other with
just a different date," Ecott told El Reg.
In some cases companies lack the resources to put things right; and
often getting new applications up on running is given priority,
leaving security concerns neglected, he said. "Firms need to think
about security at the beginning of projects rather than as an
afterthought. Security and business objectives need to be linked." ®
_________________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org
 By Date 
By Thread
Current thread:
- UK banks ignore security audit findings InfoSec News (May 20)
|
Intro
