UK banks ignore security audit findings
Purely to satisfy regulations
Regcast training : Hyper-V 3.0, VM high availability and disaster recovery
Some UK corporates routinely ignore the findings of security audits treating them solely as a necessary step to satisfy corporate governance regulations, according to an experienced penetration tester.
Tim Ecott, managing consultant at security integrator Integralis, explained that banks and other financial institutions are told they have to carry out a penetration test to comply with audits. In some cases - perhaps five per cent - Ecott and his team discover the same faults every time. "The findings of our reports are not followed up on either by the firms themselves or their auditors. We're not talking about critical security flaws but certainly about things that need fixing and leave firms open to attack," he said.
"Some of our clients take our report to pieces and do every thing we advise but with others, it's the same things over and over again. Reports over a period of quarters could be copies of each other with just a different date," Ecott told El Reg.
In some cases companies lack the resources to put things right; and often getting new applications up on running is given priority, leaving security concerns neglected, he said. "Firms need to think about security at the beginning of projects rather than as an afterthought. Security and business objectives need to be linked." ®
Related stories
Tough local laws drive corporate security
Over-compliance is the new compliance, says former SEC Chairman
Sarbanes Oxley for IT security?
Tough local laws drive corporate security
Anti Sarbanes-Oxley mood rises in Europe
Corporate governance goals impossible - RSA
IT infrastructure monitoring strategies
Agentless Backup is Not a Myth
Top 10 SIEM implementer’s checklist
Steps to Take Before Choosing a Business Continuity Partner
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
