Channel Register

Banks need to learn to keep their own data safe

1 Feb 2008 07:02

Vaulting ambitions


In the face of recent events... 

By Jason Togneri
Posted Friday 1st February 2008 07:52 GMT
Unhappy

...the word "understatement" comes to mind. I would add "common sense" but I suspect that's pushing it.

I hesitate to comment... 

By Anonymous Coward
Posted Friday 1st February 2008 10:57 GMT
Alert

... because the last time I posted a comment on El Reg I got sacked but...

The author makes valid points about what ANY company needs to do to address information security.

"First they need to get their IT infrastructure in order. This requires strict asset management and auditing of activities – understanding what equipment is in place and who is using it. Second, software development processes need to be watertight, making sure applications are secure and that rogue developers are not building back doors.

On top of this processes need to be well defined. Who is authorised to do what and how should it be done?"

But all that grass-roots, in the trenches, boring technical work costs money and requires knowledgeable staff who know how all the systems inter-relate (knowledge which is increasingly difficult to obtain and retain in an outsourced world).

But increasingly "information security" is being transformed into "information risk management", which is the difference between "plugging the security holes" and "writing lots of risk assessments saying why we don't need to spend the money on boring technical stuff because we've done a risk assessment"...

The end results are as obvious as the SocGen debacle - they had an "award winning risk management framework" and still got stiffed for £3.7Bn... and now are vulnerable to takeover.

SANS and other IT security bodies publish the same top ten lists every year - firewalls, anti-virus, configuration management, monitoring, CIRT teams, patch management, server hardening, IP zoning, "least privilege" etc etc.

Until all this baseline stuff is done all the rest is just hot air.

Data Loss 

By Anonymous Coward
Posted Friday 1st February 2008 11:28 GMT
Stop

I am aware of one bank that has just been asked by an external company (developer) for a dump of live data to allow them to diagnose a problem with their application - since they can't repeat it in house.

The data in question was originally requested in the form of a standard DB dump on DLT with no encryption or anything. This DLT was then to be sent or couriered (they hadn't decided when I heard about it) every month.

Surprisingly enough 3 or 4 people started to actually process this request before someone said 'hold on, this is a joke' and discussions started as to whether customer data should really be sent out like that.

There is a policy within that bank to not send data out of the premises at all, let alone unencrypted, but because this was for bug fixing people ignored it...

Policy is not always the problem, interpretation sometimes is.

Fraud crimes will continue to grow until banks exploit ID KEY system 

By Anonymous Coward
Posted Friday 1st February 2008 14:39 GMT
Thumb Up

Fraud crimes will continue to grow until the government and banks exploit the ID KEY system described on website www.xwave.co.uk, which will make both signature and PIN systems reliable and foolproof.

Current signature and PIN systems are the root cause of the problem because fake documents have made the signature system unreliable while skimmers and pin-hole cameras have made the PIN system unreliable.

It is obvious that it is virtually impossible to stop fraudsters from obtaining our personal details, and hence the need to deter fraudsters from misusing these stolen details via use of the ID KEY system is a must.

The proposed ID KEY can be treated as a reliable international ID card because it will personalise signature and PIN number to only the right individuals.
