
Friday, May 18, 2012

Protecting Your Organisation’s Intellectual Property – Part 2

By Jeff Schmidt, Executive Global Head of Business Continuity, Security & Governance, BT Global Services

Part 2 of a 2 part blog

It is somewhat hubristic to believe we can prevent end-users (permitted users) from finding ways to gain access to corporate data from their own devices. In part, this can be attributed to the demise of the eight-hour working day. We recognise that business requirements can surface at any time of the day, any day of the week. More and more frequently, companies expect their employees to be available “anytime, anywhere” to handle business needs, and those employees aren’t always in a position to grab their corporate computer and review a critical email or document. We need to be mindful that the enthusiasm for today’s end-user devices is driven by the ease of accessing corporate data from them, and by the simplicity of carrying fewer devices with more power.

Hence, the education of the end-users regarding security issues is essential. No matter how good your policies are, the weakest link is not always a malicious user but often a well-intended user who takes the wrong route.

Build the right security policies, be flexible and work to provide the right blend of enablement so you have control over the critical assets of the business without stifling productivity. In many cases, a user who is not educated on process and policy, in the spirit of trying to do the right thing, ends up exposing the company.

It doesn’t take a lot to explain why policies are in place and why they are important. Go beyond just stating, “this is our policy.” Instead, explain to employees why the policies are in place to ensure corporate data is protected. You can’t please everyone all the time, but when someone understands the rationale behind the policies, they’ll more likely stay clear of actions that could potentially harm the company and its assets.

As you develop and implement best practices to secure network access, don’t forget the telecom side and the old “bricks and mortar” components of the business. Many companies are so focused on protecting their networks that they forget the more traditional “telephony” side of the business (phones, faxes and modems) presents as much risk. And with the proliferation today of electronic gadgets, be mindful of refreshing (and reminding employees about) policies governing the protection of hard copies of documents and information, including hard copy plans, budgets, and paper notes taken during meetings. All too often, it’s these hard copy items that are mistakenly left behind in the seat pocket on an airplane or in a taxi or bus or hotel room.

And finally, it’s critical that you test your security processes on a regular, on-going basis. Find ways to monitor the environment to ensure that the right behaviours are taking place — and re-educate your employees continuously. Apply the right metrics to the business’s risk appetite and match that against the governance, risk and compliance aspects.

Use that data in your board level discussions to effectively raise hot spots and where focus needs to be placed. Such facts are the most valuable resource to ensuring security policies are continuously kept current within today’s business environment.

In summary:

- Starting with the right agreement from a business perspective is key to obtaining appropriate funding and executive support for successful security policies
- Define your risk appetite and ensure you classify your data appropriately
- Having good policies in place enables you to drive best practices and know that as you make changes, they are applied in unison across the business
- Educate. Explain policy so you can achieve buy-in, measure expectations and continue to educate — “tools are fool proof, fools are not tool proof”
- Test your business practices, inspect what you expect on a regular basis and adjust to meet the changing landscape
- Look beyond the current issues to ensure you have the entire risk environment in focus.

 

###

Jeff Schmidt, Executive Global Head of Business Continuity, Security & Governance at BT Global Services, is responsible for every aspect of the security-related products and services BT offers its clients — from overall business strategy, through market research and solution design to delivery and support. Previously, he managed the security side of BT’s business in the Western United States where he had full profit-and-loss responsibility for the sales and delivery of networks, managed security services, consulting services and security software. Jeff has more than 25 years of experience in leadership positions in the information technology business, including positions with Home Savings of America (now a part of JPMorgan Chase), Lucent, the California State Automobile Association (AAA), Paramount Pictures, and InCode Telecom Group (which has since become part of Ericsson). He joined BT when it acquired INS in 2007.

Wednesday, May 16, 2012

Protecting Your Organisation’s Intellectual Property – Part 1

By Jeff Schmidt, Executive Global Head of Business Continuity, Security & Governance, BT Global Services

Part 1 of a 2 part blog

In today’s business marketplace, with the need for “anywhere, anytime” access to information, most companies are mindful of the inherent security issues – threats of attacks, individual devices connecting to the corporate network, data leakage, and other forms of malicious activity.

With the “de-perimeterising” of the corporate network, more end-user devices in the workplace and the proliferation of physical and virtual storage (Google, Dropbox, iDisk, etc.) — how do you keep your business “secrets” and proprietary data contained and secure within the corporate “vault”?

If you add into the mix the physical span and reach of the corporate entity from local to regional and global geographies — security challenges become even more significant and complex. So where do you begin to ensure your corporate information is secure?

The key is to start with a few simple concepts. Implementing successful strategies to secure intellectual property isn’t about swallowing the elephant, but rather taking bites out of it, one step at a time.

First, do you understand your risk appetite and how that applies to the crown jewels of your business? More importantly, are you aligned from an executive position within the company? If you are, then the starting point is to define the most critical information to protect — and what is non-critical data. For example, are there certain areas of your business that require more security and confidentiality than others?

Start by defining the right structure, policy and processes and then apply that information to the use case scenarios within your organisation.

Apply best practices in how data is treated across the business, including external entities that you may use to support your business. In simple terms, having good IT practice in how you communicate, store and move data is essential — not only within the enterprise, but as it extends to those you do business with as well.

Next — address the security issues relating to access by end-user devices, a concept that’s expected to continue to mature. As we see the proliferation of end-user devices, both personal and professional, we must be able to apply the right security framework to their use while creating translucent processes that are user aware but don’t necessarily require user intervention.

Keep checking for the second part of Jeff’s blog later this week

 

Wednesday, May 9, 2012

For many of today’s businesses security is like an egg…

By Chris Pickles, Head of Industry Initiatives, Global Banking & Financial Markets, BT

… hard on the outside but soft on the inside.

Organisations tend to focus on keeping threats out, but once their external defences have been breached the perpetrators can access pretty much anything they want.

Compare this with the way financial institutions secure data while it’s on the move: the operating principles are hugely different.

In such organisations even relatively low-volume activities like payments processing and post-trade securities processing get heavyweight security applied to them, and communications are expected to be encrypted and tamper-proof with non-repudiable proof of delivery.

At the other end of the scale, high-volume activities such as pre-trade market data delivery and trading activities tend to have almost no security applied to them.

The approach is one of prioritisation.

In a business world of finite resources, it’s not possible to protect everything, so it’s important to make sure that you focus on securing data and traffic that is particularly sensitive.

In a recent interview in “Wall Street & Technology”, Lou Steinberg, CTO of TD Ameritrade, said:

“Knowing my favourite flavour of ice cream is not the same as knowing my Social Security number, and so different levels of protection get assigned to different levels of information. If you try to protect everything, you protect nothing. What we’d rather do is classify our information and assign our best controls — our best protective measure — against the most important, most sensitive data.”

Protecting information when it moves outside your organisation is vital, but there are now an increasing number of ways for outsiders to penetrate a company’s internal systems.

Protecting those systems is now the big issue for IT departments.

The risks are extended still further with the rise of BYOD. 

Protecting information from intruders looking to breach your external defences is a more critical issue than many IT people imagine, and it’s time to put some thought into how to do it.

Friday, May 4, 2012

Security: BYOD and securing the cloud in the workplace

By Philip Hoyer, director of strategic solutions, ActivIdentity

As the number of non-enterprise-owned mobile-based devices increases in the workplace, the ever-present issue of security raises its head.

Sensitive data on company networks is becoming increasingly vulnerable as users access it via their mobile devices, an issue that will only grow as mobile technology improves.

So how do organisations overcome the security issues that arise around BYOD and access to resources from the mobility cloud?

There are numerous answers to this, but perhaps the most important thing is to realise that restricting the types of mobile device that employees use is not a feasible solution.

It is not the device that is the issue, it is the level of security employed to protect the host network.

People want to use their own devices so organisations should take into account the varying nature of mobile devices and be prepared for them all. They’ll need to use a range of tactics to prevent security breaches amid the rise of BYOD.

One step is to protect resources with a combination of authentication factors. This approach looks at the value of resources and classifies them in order of potential impact, should a breach occur.

Once classified the appropriate level of protection can be established and put in place.

Strong credentialing on mobile platforms is another tool organisations can use to ensure resources are protected.

These include establishing proof of possession and leveraging cryptography and keys to prove that the user’s identity is assured.

The best practice for strong credentialing is to leverage secure key storage within what is called a Secure Element (SE) — basically a smart card chip that includes a certified secure execution environment that has secure application and key storage.
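As an added example (not ActivIdentity’s or BT’s code), this shows how the two ideas above fit together: a device proves possession of a key it never reveals by answering a fresh challenge bound to the resource, and the resource’s impact classification decides which further factors must be presented. The Secure Element is stood in for by a plain object that only answers challenges; the key type (a shared HMAC key rather than a certificate), the resource classes and all names are assumptions.

```python
"""Proof-of-possession challenge/response with classification-driven factor
requirements. Constructed illustration: names, classes and keys are made up."""
import hashlib
import hmac
import secrets
import time

# Resources classified by potential impact of a breach, with the factors a
# session must present before access is granted (constructed example values).
REQUIRED_FACTORS = {
    "low": {"possession"},                                # e.g. cafeteria menu
    "medium": {"possession", "knowledge"},                # e.g. corporate email
    "high": {"possession", "knowledge", "inherence"},     # e.g. finance system
}


class Device:
    """Stands in for a handset whose key lives in a Secure Element: the key
    never leaves this object, it only answers challenges."""

    def __init__(self, device_id, key):
        self.device_id = device_id
        self._key = key  # in practice sealed inside the SE

    def answer(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).hexdigest()


class Server:
    """Issues single-use, time-limited challenges and verifies the answers."""

    def __init__(self, ttl_seconds=60):
        self.keys = {}      # device_id -> enrolled key
        self.pending = {}   # challenge bytes -> (device_id, resource_class, issued_at)
        self.ttl = ttl_seconds

    def enrol(self, device_id, key):
        self.keys[device_id] = key

    def challenge(self, device_id, resource_class, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(32)
        # Bind the challenge to the device and the resource so an answer for
        # one resource cannot be reused against another.
        c = nonce + device_id.encode() + b"|" + resource_class.encode()
        self.pending[c] = (device_id, resource_class, now)
        return c

    def verify(self, challenge, response, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(challenge, None)  # single use: a replay fails here
        if entry is None:
            return False, "unknown or already-used challenge"
        device_id, resource_class, issued = entry
        if now - issued > self.ttl:
            return False, "challenge expired"
        key = self.keys.get(device_id)
        if key is None:
            return False, "device not enrolled"
        expected = hmac.new(key, challenge, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response):  # constant-time compare
            return False, "bad response"
        return True, "possession proven"


def authorise(server, device, resource_class, presented_factors, now=None):
    """Full decision: proof of possession first, then whatever additional
    factors the resource's classification demands."""
    c = server.challenge(device.device_id, resource_class, now)
    ok, reason = server.verify(c, device.answer(c), now)
    if not ok:
        return False, reason
    factors = set(presented_factors) | {"possession"}
    missing = REQUIRED_FACTORS[resource_class] - factors
    if missing:
        return False, "missing factors: " + ", ".join(sorted(missing))
    return True, "granted"


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"
    srv, dev = Server(), Device("phone-1", key)
    srv.enrol("phone-1", key)
    print(authorise(srv, dev, "low", []))                       # granted
    print(authorise(srv, dev, "high", ["knowledge"]))           # missing inherence
    print(authorise(srv, dev, "high", ["knowledge", "inherence"]))
```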

 

Wednesday, May 2, 2012

Coping with consumerisation: an approach to setting sensible policies

By Stephen Bruce, BT Global Services

What began as a trickle of smartphones, tablets and other mobile consumer devices into the workplace has surged to a flood, with no end in sight. These devices seem to seep through every crack in IT protocols and controls.

But there’s no holding back the tide; employees continue to push, pull and smuggle their own choice of technology into work. Every large organisation must face the reality of the situation, accept what is happening and start to lead. Now is the time to stop worrying and start developing policies and practices that will allow you to enjoy the benefits of consumerisation while keeping your network and data secure.

Companies that have not yet addressed this trend may have no idea of the security, liability and compliance risks to which they are being exposed. Yet on the flip side, there are advantages to employees using their preferred devices: greater productivity, business continuity, and improved talent attraction and retention. While no one policy will fit all organisations, here are some questions you should consider as your organisation deals with the rising tide.

Think procurement and liability

In setting policy it’s important first to segment your workforce to identify different types of users and determine the best ownership model by user type. This involves defining the range of applications employees need access to, from simple internet browsing and email access to the full corporate environment.

For employees who absolutely need mobile access to corporate applications, or who hold or access sensitive data (such as senior executives, legal staff and others), a model of corporate provision and corporate liability is advisable. This lets you impose the highest levels of corporate security and provides a fast-track route to restore any faulty devices, minimising downtime for key people, by completely wiping a lost or stolen device and rebuilding the replacement.

For occasional mobile users whose main mobile requirement is access to corporate email, a personally owned device with employee liability may be appropriate, as long as it fits with the company’s strategic goals, regulatory requirements and overall mobile policy.

Your organisation’s mobility policy should accommodate both corporate and employee-owned devices, and clearly define ‘acceptable use’. It’s good practice to review the policy annually.

Think security

Many organisations lack adequate security to protect mobile devices and corporate data: only 50 per cent enforce a password policy for mobile devices (according to Forrester), and as many as 21 per cent of employees let their family use their work laptop to access the internet, according to a BT study. A formal, enterprise-wide and process-driven approach is needed, which includes educating users about their responsibilities and the risks of non-compliance with mobile security policy and practice.

Questions to consider include:

  • How do users learn about protecting their device/data?
  • How do you enforce acceptable use?
  • How do you secure confidential and sensitive data?
  • How do you protect devices?
  • How do you prevent downloads of unauthorised apps/illegal downloads?
  • How do you support different classes of user?
  • What happens when someone leaves your organisation?

Think cost management and control

 

Even if employees are bringing their own mobile devices to the workplace, cost issues remain. In fact, spending on mobile services is now greater than landline voice expenditures for most organisations. But simply implementing strong corporate mobility policies and tools that actively reduce usage can typically deliver savings of between five and 20 per cent. Third-party telecom expense management services can deliver improvements in mobility strategy that generate savings of up to 30 per cent.

Some questions to consider in determining your policy and controlling costs:

  • Who pays for hardware and monthly service? The organisation? The employee? Is an allowance given to the employee to defray the cost? How is this managed?
  • How do you know that users have the right hardware and service for their needs?
  • How do you ensure that billing is accurate?
  • How do you define reasonable usage?
  • How do you separate personal from business usage costs?

Stemming the flood

There’s still a lot to learn as we attempt to fathom this new environment. While it’s clear that policies must be established and supported by education and training, a light touch may be advisable at first, as opposed to draconian measures. Build floodgates to regulate the flow, not levees to keep all the water out. In the end, the organisation should strive to encourage good practice and aim for user self-management.

For more on this topic, see the BT White Paper, ‘Living with the genie: The consumerisation of workplace technology: A guide to developing policy and practice’.

Stephen Bruce is responsible for assisting the various country and vertical business units within BT Global Services to prepare for, introduce, and support BT One (BT’s global unified communications portfolio), with a focus on how effectively to support the needs of large multinational organisations that come to BT for a comprehensive and consistent global service.

 

Thursday, April 26, 2012

Business Continuity and Resilience Planning – How to Prepare for ‘Business not as Usual’

By Jeff Schmidt, Executive Global Head of Business Continuity, Security & Governance, BT Global Services

How many times a month do we hear on the news about product recalls — on everything from vehicles and produce to toys and pharmaceuticals? How often do we hear about man-made and natural disasters that not only seriously impact the people in a locale — but the businesses that operate in that region?

To survive the “unexpected,” businesses today, both in the private and public sectors, must be prepared for unusual business conditions, whether they are caused by man-made, natural, environmental or accidental circumstances. And it’s essential that businesses develop crisis plans and regularly test them.

Crisis planning can be broken down into three main areas: emergency management, business continuity and resilience plans.

Most businesses look at one or maybe two of these areas, but a good plan needs to encompass all aspects. The flaw many companies often encounter is that they develop crisis plans to show that they will work — but they are seldom tested for failure. But failure is where we learn how things really work — or not. What chain of unforeseen events might be set off by an incident, when best-laid plans are set aside and improvisation is key?

How do my people react when they are missing a backup, what happens when a key member isn’t available, at what level in the organisation is someone allowed to “make the call,” and who will step up in a critical situation?

So why are these three areas so important? Let’s start with emergency management.

Emergency Management

In most “emergencies,” the first thing to take into consideration is how you assess the situation in preparation for an event — for example, a natural disaster like a hurricane or a scheduled occurrence like the Super Bowl. Questions to ask: what is my team, and who does it include? How do I ensure I have the qualified resources as well as the assurance that in an emergency situation, they will be able to be first responders? Is any individual critical in the process? How do you get people where they need to be — or do you have access remotely? What is the impact if you pull a few key people out of the process or facilities?

Business Continuity

 

It’s admirable for companies to talk about 99.999 per cent as an effective measure for up-time around networks and systems, but rarely does this get discussed at the application level or even further down the stack, at the customer level. How do you make sure your business is operational and functioning as normal?

This vigilance should be extended to your business partners, suppliers, transporters, maintenance, etc. The aftermath of the tsunami and Fukushima nuclear power accident in Japan has shown us how important this can be, given the disruption we have seen within the technology industry since then.

Resilience

Then there is resilience. How much redundancy do you need in your business, either in the “business as usual” process, or as it relates to business as “unusual”?

With the premise of the three major areas noted above — in reality they all merge together in a solid risk management process and an accompanying assessment of the organisation’s risk appetite. Although the term risk appetite is more often associated with security, a risk appetite should be applied generally to how and what you view as critical within your business. Where is your lifeline and what aspects of the organisation does it encompass? Not every system is critical, not every piece of data should be classified as sensitive, and not every partner is key to your business running effectively.

Here are what I consider the top ten tips for what you should cover in crafting your organisation’s risk management strategy:

1) What are the requirements of the business as it relates to governance and compliance?

2) Who is your end customer and how do you make money? The answer to this question can then be interpreted as your company’s “lifeline” — you must be able to service your end-customer. In the case of public sector organisations, you will be defining your end-users and stakeholders and the critical services you are expected to maintain.

3) What key processes, partners, divisions have to be up and running to ensure you can make your end-product or deliver your service to users?

4) What systems are critical? Which ones already have resilience built in? This could also be applied to partners and other areas.

5) Know where your “single points of failure” (SPOFs) are and minimise these, even in your business “as usual” scenario.

6) Who are the key individuals, teams, groups within the business? It’s essential you bring them into the planning process.

7) Start with a good foundation. Don’t try to swallow the elephant but take the bites out of it and measure the program against results.

8) Having a solid governance tool as a way to manage is important. It helps in knowledge sharing and to ensure the intellectual capital is where you can find it and not stuck in someone’s head. It also allows you to measure progress against key business objectives, which is always good when money is being spent against something that appears to be internally focused until the day comes it is put into action.

9) Integrate your change management processes to include this as part of the standard implementation.

10) Test regularly and test to get to failure! The only time you have a chance for a “mulligan” is when you are testing. When the real incident happens you need to know you have the right people, ingenuity and familiarity with what to do when something goes wrong. Don’t ever believe you have it all covered …

So when the “unexpected” actually happens . . .

The hours — and actions you take — immediately following an incident are particularly critical. What you do then can make a big difference — not just to the costs you incur and the business you may lose — but to the possible public relations fallout. So again, it’s essential to have a crisis management plan in place — one that makes it clear what everyone should do and, in particular, how communications with customers, the media and other stakeholders are to be handled.

Experience suggests honesty is the best policy. Attempts to minimise problems and downplay their impact have a habit of making things worse.

Your crisis management plan must follow a few simple but important principles if you want to ensure you stay in control and credibly assure all your stakeholders that if a crisis should occur, your actions are minimising the impact on the organisation.

Firstly, you need to “Confirm” the nature, scale, and impact of the incident if your response is going to be appropriate. Is the incident real? Where is it, and who is affected by it?

Secondly, prompt and effective early intervention can “Contain” the incident and prevent escalation of severity and resultant impacts. You won’t be surprised to know that this intervention proves most effective in those organisations where regular and realistic testing of the plan has taken place.

Finally, what and how you “Communicate” is vital. In the early stages of the crisis, the demand for good quality information is at its highest — exactly at the time when the quality of that information, as the full facts are being established, is at its lowest. This position is reversed as the timeline of the crisis progresses.

The effectiveness of the communication strategy will very much depend on how successfully you have managed to confirm and contain the impact of the incident — and coming full circle, how effectively you built and tested your crisis plan in the first place.

See our latest BT Assure videos and downloads here.

Tuesday, April 24, 2012

How We Manage/Don’t Manage Security is of Great Importance

By Sam Erdheim, Algosec

The title of this blog entry may seem obvious, but it hasn’t traditionally elicited the headlines that the latest data breach or attack vector regularly receive. Poor visibility of what is actually going on in the network (i.e. the applications downloaded and/or in use, remote access, user activity), insider threats and poor security processes are responsible for much of the day-to-day risk. Regardless of latest attack vector or breach that makes headlines, it all goes back to strong security processes and having that proper visibility and control.

What happens when you don’t have strong internal processes and lack that visibility? Out-of-process firewall changes, which in turn can take systems offline and disrupt business, are fairly certain.

My company, AlgoSec, recently conducted a survey entitled The State of Network Security 2012, with the goal of identifying the greatest security risks and operational challenges while also trying to understand the level of maturation of companies in terms of their investment and use of next-generation firewalls. What we found from the 180+ IT security and operations professionals who completed the survey was that manual and time-consuming processes and a poor understanding of what is happening in the network are the greatest security risks. Not the sexy headlines we’re used to seeing, but a major factor in what ultimately leads to those headlines.

Here are some additional key findings from the survey, which all speak to the security management challenges that must be addressed:

  • Out-of-process equals out-of-service — As highlighted above, out-of-process firewall changes occur when there is no clearly defined and enforced process. They occur when the business need (i.e. CEO needs access to an application “ASAP”) is so great that IT responds without the proper checks and balances. The impact?
    • A majority of the survey respondents — 54.5 percent – indicated that an out-of-process change resulted in a system outage.
    • Out-of-band changes resulted in a data breach roughly 20% of the time — as far as respondents either knew or were willing to share.
    • These out-of-process changes resulted in a failed audit roughly 26% of the time.

We can have the greatest security tools around, but without a solid foundation and without well-defined and enforceable processes (which in this case means ensuring proper testing, validation, approval, documentation, etc.) we won’t make up much ground.

  • Hands-on is out of touch — Thirty percent of survey respondents cited time-consuming manual processes as the greatest challenge to managing network security devices. The impact of manual processes stretches far and wide. Manual processes:
    • Require more time and money (to perform audits, manage change requests, troubleshoot connectivity issues, etc.).
    • Take IT security and operations professionals away from more strategic initiatives such as improving the organisation’s security and business efficiency.
    • Are more prone to human error which in turn can introduce risk (a major finding from AlgoSec’s survey from 2011).

Organisations should look to automate what have been traditionally manual processes where possible.

  • Enterprise risks are inside-out – When asked about the greatest security challenge, these IT security and operations professionals focused on within the company walls:
    • Almost 29 percent of survey respondents said a lack of visibility (into networks and applications) was their greatest security challenge.
    • Almost 28 percent highlighted insider threats.
    • Less than 20 percent focused on external threats such as hackers.

Employees and security teams can make the biggest difference when it comes to improving security.

  • Next-Generation Firewalls (NGFWs) increase security, but at what cost? — Of the survey respondents that have implemented NGFWs, an overwhelming majority (84 percent) believe that the increased control and visibility these devices offer improves security, but simultaneously 76.1 percent complain that the size and complexity of policy management is creating more work — on average about one hour per day (a 12.5 percent increase). NGFWs provide additional levels of control and in turn can potentially make the network security policy more complex. They have real, significant value, but organisations must plan ahead to make sure that security is increased… without adding significant burden and overhead. Organisations should plan for where in the network NGFWs make the most sense and determine a way to manage them in the same way that traditional firewalls are managed.

Complexity is a security killer. It’s just that this never makes the headlines. I’m hopeful that The State of Network Security 2012 provides some key points to help organisations improve how they manage their security, which will in turn improve their security.

AlgoSec will be at Infosecurity Europe in booth G31 and can share/discuss more of the findings from The State of Network Security 2012 with you.

Monday, April 23, 2012

Living with the Risk

By Tara Savage, Security Marketing Manager for BT.

Questions are being asked in boardrooms: “can we truly protect ourselves against the next generation of threat? Or is damage-control the best we can hope for?”

There is no easy answer to this problem. There is no single product or service that can be plugged in that eliminates all your risk.

Identifying which risks are significant to your business and aligning security activities against them is a key part of the CISO’s day job.

If you are participating in an activity that doesn’t directly contribute to securing areas where risks are, then stop. If your activities aren’t aligned to risk, then you are probably wasting time and money. Treat risk as a constant, not as a variable to be minimized, since that only creates a false sense of security.

Have you got the information you need to evaluate the risk and protect your network, and if you have, are you doing something with it? Effective network security monitoring lets you correlate your network information with established baselines, known threats, attack signatures, patterns and vulnerabilities, helping to catch the small problems before they escalate and adversely affect your business.

Look for security solutions that are built into the network and infrastructure from the beginning, not bolted on afterwards. This will give you the agility and baseline protection to reduce your risks both today and tomorrow.

Understanding the whole picture and being able to react proactively to the threat information you receive will put you in a good position to respond in the right way to the risk.

Friday, April 20, 2012

Why banking isn’t just about banking anymore

By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services

Not too long ago, banking was something abstract that Other People Did. We all needed a bank account and carried around plastic cards which enabled us to move money from one electronic container to another, we got statements in the mail, and we maybe had a degree of anxiety whenever we needed to ask the bank to do us a favour, such as forgive us a fee or let us buy a house.

But there wasn’t much thought given by the general public to all the machinations required to support that global system, because it mostly worked, and our consumer-level interactions with it happened as expected.

Banking is ultimately a trust relationship. We trust that the money we deposit today will be available to withdraw tomorrow. We trust that the arithmetic will be performed honestly when computing fees and interest. We trust that our accounts will be reasonably protected from unauthorised access or use. The business of banking works because banks adhere to these common rules, even when they compete with one another. It’s been this way for millennia; exceptions are flagged, loopholes are closed, and banks absorb any losses.

Of course, since 2008 banking has been squarely in the sights of public scrutiny, and the existing regulatory burden has itself been examined for completeness and integrity. As a result, banks in major markets are now compelled to disclose a lot more information about the real details of what they do and what it costs their consumers and institutional customers to do business with them. Worst of all, trust has been eroded because of the immense losses suffered by real account holders, either directly or indirectly. We trusted the financial system not to play fast and loose with speculative assets and questionable ratings, but it didn’t work out this time.

So banks are now in the business of rebuilding trust. This is about reaffirming the perception of security, and a whole industry exists to allow banks to develop controls and measures which can be shared with shareholders, auditors and regulators. Like much of the business of banking, these activities were often invisible to end-customers for years, and banks have invested heavily to create sophisticated internal security practices designed to identify fraud, abuse, and unmitigated risk. But the minutiae of these activities don’t resonate with the general public.

Security performance and benefits need to be brought upstairs, from the server room to the boardroom. It’s no longer just about the tactical goal of keeping things contained in-house; it’s about developing governance programmes and reporting mechanisms which proactively educate and satisfy external consumers, quantifying the effects of those same controls and measures.

Please join us in the BT Connectivity Lounge at TradeTech Europe 2012 at the London Excel from Tuesday 24 to Thursday 26 April.

Let’s discuss how our investment and innovation can help you get:

  • Faster exchange of market information, trading, clearing and settlement of secure transactions via connectivity to the BT Radianz Cloud — the world’s largest secure networked financial community of over 15,000 member sites.
  • Closer to your customers, anywhere in the world — BT serves customers in more than 190 countries.
  • Smarter ways of reducing complexity and increasing liquidity across the trade cycle through a powerful range of award-winning solutions to meet customer needs across the STP chain.

BT manages and secures the world’s largest financial community linking the global market infrastructure throughout the trade lifecycle. One in three traders globally uses a BT turret.

Monday, April 2, 2012

One identity to rule them all

By Chris Pickles, Head of Industry Initiatives, Global Banking & Financial Markets, BT

Projects dealing with issues of identity often result in considerable duplication of effort and cost across banks and investment firms, but this may now be reaching the point where it can no longer be sustained by financial institutions.  One reason for this is that heavier regulatory requirements for capital adequacy mean that there is less money to fund projects that ultimately add to overall inefficiency.

We all know that we have multiple financial “identities” to the outside world – one everyday reflection of that is the number of different payment and ID cards that we carry in our wallets and purses.  However, we’ve often got different identities even with the same service provider, largely because the service provider hasn’t been able to grasp the concept of centralising identity management internally.

This has now become a major issue not only for financial institutions but also for the regulators that monitor and supervise their activities. Regulators now want to understand the risk exposure of financial institutions to specific counterparties and clients. They understand that having a unique identifier for each and every financial institution, rather than a collection of pseudonyms that varies by institution and function, is critical to effective market regulation and the avoidance of a repeat of a market crisis like the one that began in 2008.

The proposal now from the Financial Stability Board in Basel is to have a unique identifier for every financial institution in the world, and the scope will also include their counterparties and clients that are legal entities.  This initiative is being backed by regulators around the world, and will impact the IT systems of every financial institution.

Some of the related documentation on this Legal Entity Identifier initiative can be found here.