Legal Opinion
Threats and Regulatory Responses
Global security threats have catapulted information security to a top priority for financial institutions and regulators. The exponential growth in use of the Internet has brought widespread public recognition of the need to apply professional standards to Information Security (IS) procedures. Until recently, compliance and internet security requirements focused on large enterprises and the security of their computers tied to the corporate network. But the law of computer security is equally applicable to individual computers outside of large enterprise networks. Recent developments show how individual machines expose their owners (including associated Brokers) to legal liability.
Computer crime is a serious challenge, and every computer crime study over the last 5 years confirms that it is getting worse. The speed with which computer viruses spread and the number of security weaknesses in our systems are both expanding exponentially. Hackers now look for access to computers through the computer's security software itself. The cost to business, in lost productivity, theft, embezzlement, and other categories, is out of control.
The Information Systems Audit and Control Association (ISACA) has developed guidance for management, who are directly (and personally) liable for information security. This framework will be used by accountants and auditors to evaluate your security.

The ISACA model provides an organization with:
  • A snapshot-in-time assessment tool, assisting the organization to identify the relative strengths of its information security management practices
  • A method for identifying gaps between its current security maturity level and its desired level
  • An Improvement Program for systematically improving the organization's information security management capabilities

The Gramm-Leach-Bliley Act ("GLBA")

Consistent with general negligence law, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect customer data. Under GLBA, the Federal Trade Commission has sanctioned small financial institutions. In one settlement with the FTC, the firm is required, every two years for the next decade, to hire an outside professional to conduct a security assessment; in addition, for 10 years the company must file security reports with the government, and the CEO must notify the FTC every time he changes jobs.

"GAISP" (Generally Accepted Information Security Principles)

Several organizations are currently involved with information security. "GAISP" (Generally Accepted Information Security Principles) are currently being developed by an international consortium under the leadership of the Information Systems Security Association "ISSA", with the majority of participants coming from the United States.

GAISP covers the 1) physical, 2) technical, and 3) administrative areas of information security, and encompasses both functional and detailed security principles. Information technology (IT) changes rapidly, and the GAISP rules are expected to evolve accordingly. These three areas have become the industry standard.

GAISP Version 3.0, section 3

  • Management shall ensure that policy, standards, baselines, procedures, and guidelines are developed and maintained to address all aspects of information security.
  • Management shall hold all parties accountable for access to and use of information. It must be possible to attribute the date, time, and responsibility for all significant events to an individual.
  • Management shall communicate the information security policy to all personnel, who are to be trained on standards, procedures, guidelines, and responsibilities.
  • Management shall consider and compensate for risks from the internal and external physical environment, including data storage, transmission, processing, and disposal.
  • Management shall provide the capability to respond to and resolve information security incidents and ensure that security is addressed at all stages of the system life cycle.
  • Management shall establish appropriate controls to balance access to information against the risk, and take steps to address legal, regulatory, and contractual requirements.
  • Management shall recognize the increasing use of computers, communication facilities, and the data and information that may be stored, processed, retrieved, or transmitted by them.


Sarbanes-Oxley (SOX)

The Sarbanes-Oxley Law of 2002 ("SOX") has been called the most significant new securities law since the Securities and Exchange Commission was created in 1934. SOX places responsibilities on officers and directors of public companies and imposes significant criminal penalties on CEOs, CFOs and others who violate various provisions of SOX.

Even corporations that are not public today, but hope to become public or be sold to a public company in the future, need to be operating the company in compliance with SOX, particularly the requirements for establishing and following detailed internal controls and disclosures of these controls. These requirements obligate companies to address their information security procedures and practices in a very public way.

Corporate governance that was first applied to public corporations has often been extended to private companies, sometimes through state regulations and other times through market forces. Auditors and insurance carriers have adopted similar standards for both public and non-public companies because they were viewed as best practices.

ISO-17799 - Emerging Code For Information Security Management

ISO 17799 is an emerging international standard for managing information security. It originated in Australia and Great Britain before being adopted by the International Standards Association, and it provides a world standard that identifies a "Code of Practice" for the management of information security.

ISO 17799 identifies 10 specific management practices and asserts that an organization's information is secure only to the extent that these practices are being systematically managed. Weakness in any single practice could negate the combined strength of the other nine.

Security Practices:
  1. Security Policies and Procedures
  2. Organizational Security
  3. Asset Classification and Control
  4. Compliance Steps
  5. Business Continuity Management
  6. Access Control
  7. Systems Protection, Development and Maintenance
  8. Personnel Security
  9. Communications and Operations Management
  10. Physical and Environmental Security

Homeland Security

As computer crime continues to rise, the legal and regulatory landscape continues to move towards more responsibility at the corporate and agent level. The Corporate Governance Task Force of the National Cyber Security Partnership, a public/private partnership working with the Department of Homeland Security, recently released a management framework challenging organizations to integrate effective information security governance (ISG) programs into their business processes. We are in the middle of:
  • Evolving legislative & regulatory rules for information holders
  • Evolving interpretation of contract and tort law
  • Evolving security practices and standards of professional responsibility
There is growing international agreement on the computer-related offenses covered by penal laws, reflected in the development of computer crime and data protection legislation in OECD member countries and in the work of other international bodies to combat computer-related crime.

Summary:

Typically, independent broker-dealers have concentrated their data protection efforts on their own primary network, implementing safeguards such as secure transaction platforms, firewalls, secure e-mail, and limitations on instant messaging. However, as personal computing technology has developed, there is an increasing tendency for affiliated independent advisors and their employees to use their personal computers to establish remote access with the independent broker-dealer's primary system and to engage in a substantial amount of work at remote locations.

Advisors themselves store and share large amounts of customer information, in both paper and electronic form. To comply with legal requirements and to effectively provide investment services, such widespread custodianship of customer information is inevitable. These remote locations from which advisors work, be they offices, homes, or client sites, present challenges to the physical security of the hardware and hard copy files that may encourage a relaxed attitude with respect to data protection.

As demonstrated by surveys and confirmed by experience and public reports, the daily practices of independent advisors simply do not comport to the standards explicitly laid down by the independent broker-dealers with which they are affiliated. Even as regulatory oversight and audit of data security increases, the compliance message from independent broker-dealers to their advisors is not generating consistent information management practices.

NASD issued a Notice to Members, entitled "Safeguarding Confidential Customer Information," which addressed independent broker-dealer obligations with respect to the use of laptops and other personal computers owned by registered representatives, problems posed by the availability of remote access by registered representatives to an independent broker-dealer's primary network, and potential security shortcomings of Wi-Fi networks used by registered representatives both at home and in publicly available "hotspots." To address these issues, NASD instructed its members that they should, at a minimum, consider the following steps:
  1. Review their policies and procedures to determine whether they adequately address the technology currently in use by employees;
  2. Determine whether they have taken "appropriate precautions" to protect confidential customer information, including a risk assessment and a written Information Security Plan;
  3. Review their employee training programs to determine whether they adequately address the protection of customer information, and
  4. Perform periodic audits to uncover vulnerabilities in their systems and to ensure that the systems are, indeed, protecting customer information.
Again, these steps are not intended as a safe harbor. Independent broker-dealers need to do everything in terms of data protection that every other business needs to do - and more, because of the special trust relationship and the financial data in their hands.
Advisor Security Inc. © 2006 All Rights Reserved