[ISN] UK banks ignore security audit findings

InfoSec News isn at c4i.org
Fri May 20 01:11:41 EDT 2005


http://www.theregister.co.uk/2005/05/19/audit_ignoramuses/

By John Leyden
19th May 2005 

Some UK corporates routinely ignore the findings of security audits 
treating them solely as a necessary step to satisfy corporate 
governance regulations, according to an experienced penetration 
tester.

Tim Ecott, managing consultant at security integrator Integralis, 
explained that banks and other financial institutions are told they 
have to carry out a penetration test to comply with audits. In some 
cases - perhaps five per cent - Ecott and his team discover the same 
faults every time. "The findings of our reports are not followed up on 
either by the firms themselves or their auditors. We're not talking 
about critical security flaws but certainly about things that need 
fixing and leave firms open to attack," he said.

"Some of our clients take our report to pieces and do every thing we 
advise but with others, it's the same things over and over again. 
Reports over a period of quarters could be copies of each other with 
just a different date," Ecott told El Reg.

In some cases companies lack the resources to put things right; and 
often getting new applications up on running is given priority, 
leaving security concerns neglected, he said. "Firms need to think 
about security at the beginning of projects rather than as an 
afterthought. Security and business objectives need to be linked." ®





More information about the ISN mailing list