Photo credit: KAREN BLEIER/AFP/Getty Images

In breaking news directly related to data security policies, FoxNews is reporting that the World Bank has suffered possibly “the worst security breach ever at a global financial institution”:

 The World Bank Group’s computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned.

It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution’s highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank’s network for nearly a month in June and July.

In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.

While it remains unclear how much data has been pilfered from the bank, it’s a lot. According to internal memos, “a minimum of 18 servers have been compromised,” including some of the bank’s most sensitive systems — ranging from the bank’s security and password server to a Human Resources server “that contains scanned images of staff documents.”

One World Bank director tells FOX News that as many as 40 servers have been penetrated, including one that held contract-procurement data.

Despite the gravity of the break-ins, the bank is trying hard to pretend to outsiders it didn’t happen. “There were attempts to hack the bank’s computer systems last summer,” says a World Bank spokesman. “However, there was no compromise of confidential information.”

So if this actually happened, which data security policies could have helped prevent the “the worst security breach ever at a global financial institution”?

• Corporate Security Policy
• Incident Response Policy
• Network Security Policy
• Vulnerability Management Policy

Others?

The University of Toronto has a great example of a Network Security Policy here.

Here’s an excerpt:

Computing & Networking Services will:

• monitor in real-time, backbone network traffic, as necessary and appropriate, for the detection of unauthorized activity, intrusion attempts and compromised equipment.
• carry out and review the results of automated network-based vulnerability, compromise assessment and guideline compliance scans of the systems and devices on University networks in order to detect known vulnerabilities, compromised hosts, and guideline compliance failures,
• test campus wireless network access to ensure compliance to published guidelines.
• prepare summary reports of its network security activities for the Technical Operations Committee on a quarterly basis

Also includes the appendix Guidelines for the Implementation of Wireless and Wired Docking Infrastructure.

Check it out!