Photo credit: KAREN BLEIER/AFP/Getty Images

In breaking news directly related to data security policies, FoxNews is reporting that the World Bank has suffered possibly “the worst security breach ever at a global financial institution”:

 The World Bank Group’s computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned.

It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution’s highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank’s network for nearly a month in June and July.

In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.

While it remains unclear how much data has been pilfered from the bank, it’s a lot. According to internal memos, “a minimum of 18 servers have been compromised,” including some of the bank’s most sensitive systems — ranging from the bank’s security and password server to a Human Resources server “that contains scanned images of staff documents.”

One World Bank director tells FOX News that as many as 40 servers have been penetrated, including one that held contract-procurement data.

Despite the gravity of the break-ins, the bank is trying hard to pretend to outsiders it didn’t happen. “There were attempts to hack the bank’s computer systems last summer,” says a World Bank spokesman. “However, there was no compromise of confidential information.”

So if this actually happened, which data security policies could have helped prevent the “the worst security breach ever at a global financial institution”?

• Corporate Security Policy
• Incident Response Policy
• Network Security Policy
• Vulnerability Management Policy

Others?

In a breaking news story directly related to data security policies, it sounds like Deloitte had another laptop stolen yesterday, 9 Oct 2008.

Here’s an excerpt from the UK Computing article here:

A laptop owned by consultancy Deloitte which held information about staff under BSkyB’s pension plan has been stolen, Computing can reveal.

The computer was taken from a Deloitte employee in September at a public place and contained names, dates of birth and salary figures to be used for audit work on the broadcaster’s pension scheme.

BSkyB said the data did not include bank or address details and claimed it is highly unlikely that the information will be mishandled due to the laptop’s reliable data security set-up.

“The laptop was protected by a number of security measures, including passwords, user IDs and encryption of the majority of the information, so we are confident that the risk of data access or misuse is low,” said a BSkyB spokeswoman.

The fact that the spokeswoman says they used encryption on “the majority of the information” signals to me that they weren’t using whole disk encryption which is a common practice on laptops these days.

I’m sure if they were using full disk encryption they would have been 100% confident that the data was protected and they wouldn’t have had to notify the media about the loss.

What do you think?

I really like the easy-to-read-and-understand customer data security policy from ING Direct here.

I wish more companies wrote such simple and clear policies.

Here’s an exerpt:

We take every reasonable precaution to protect your information. When you submit information to us through our web site, your information is protected both on-line and off-line. All data transferred to/from the ING DIRECT internal network, from/to an external entity, is encrypted to industry standards (128 bit encryption). Please keep in mind that messages you send to us by Internet e-mail may not be secure. Do not send us any confidential or personal information by Internet e-mail. We maintain appropriate physical, electronic and procedural safeguards to ensure the security, integrity and privacy of your personal information within our company. Only those employees who require your personal information to perform a specific job are granted access to your personally identifiable financial information. Furthermore, all employees are kept up-to-date on our security and privacy practices. If you have any questions about the security of your information at ING DIRECT, you may contact us at 1-800-ING-DIRECT (1-800-464-3473), or at the following address: ING DIRECT, 1 South Orange Street, Wilmington, Delaware 19801.

Here’s a fun security training video that could be useful to explain the value of security policies and security concepts like defense in depth:

I like how it incorporates Second Life as a training tool. 

The educause.edu site has a chapter from the book Computer and Network Security in Higher Education here.

It does a good job of describing how university security policies should be written.

Here’s an excerpt:

If the goal of institutional policies is to direct individual behavior and guide institutional decisions, then the effectiveness of formal policy statements will depend on their readability and usefulness. Many colleges and universities suffer from the lack of a common and consistent approach or format for writing organizational policies. Policy development is often confused and sometimes derailed because of the misunderstanding and misuse of terms with important meanings to a professional policy administrator, legal counsel, and others.

You can download an archive copy of the chapter here.

Joel Weise and Charles R. Martin from Sun wrote an excellent Data Security Policy guide which you can download here.

This is a great reference to follow when developing any data security policy.

Here’s an excerpt:

The purpose of this document is to define the Data Security Policy. Data is considered a primary asset and as such must be protected in a manner commensurate to its value. Data security is necessary in today’s environment because data processing represents a concentration of valuable assets in the form of information, equipment, and personnel. Dependence on information systems creates a unique vulnerability for our organization.

Security and privacy must focus on controlling unauthorized access to data. Security compromises or privacy violations could jeopardize our ability to provide service; lose revenue through fraud or destruction of proprietary or confidential data; violate business contracts, trade secrets, and customer privacy; or reduce credibility and reputation with its customers, shareholders and partners. This policy therefore discusses:

• Data content
• Data classification
• Data ownership
• Data security

The main objective of this policy is to ensure that data is protected in all of its forms, on all media, during all phases of its life cycle, from unauthorized or inappropriate access, use, modification, disclosure, or destruction. This policy applies to all of our and all customer data assets that exist, in any of our processing environments. The processing environment is considered to be, collectively, all applications, systems, and networks that we own or operate or that are operated by our agents.

Very helpful! Check it out!