BOOK REVIEW

Title: Information Security in Financial Services
Author: Ken Slater
Publisher: Macmillan/Stockton Press
Price: £65.00

Specialists in ‘computer security’ tend to come in two flavours: those for whom the entire subject is circumscribed by activity in and immediately around a computer and those who see the computer as providing unique areas of vulnerability through which a business may incur losses. Ken Slater, a senior consultant at Touche Ross, clearly belongs to the latter group. The focus of his book is the threats that confront a company offering financial services. Its great value is that it assists a manager within such a company to appreciate the complexity and variety of risks that it is likely to be facing - and from there to develop a proper security policy.

To an extent, of course, all computer-dependent companies face similar risks from fraud or interruption to business, but in any single financial institution you are likely to find upwards of twenty or more separate businesses, ranging from retail banking and savings systems through all manner of loan and credit facilities to dealing in equities, bonds, commodities and foreign exchange markets. Each of these separate businesses may have its own computer facilities (or at least sub-system), will be subject to special procedural regulations, will present its own unique opportunities for fraud and will suffer different sorts of death if the computer facilities suddenly become unavailable.

From my own experience, the bulk of a ‘computer security’ survey in a financial institution tends to be the obtaining of an understanding of the businesses in which it is involved. I was therefore particularly grateful for this explanation of the UK regulatory environment. Greedily, I would also have liked similarly-detailed coverage of arrangements in other major banking nations; however the neat setting-out of the UK situation provides an aide memoire when trying to build such a picture for oneself.

Also of great value are the explanations of BACS, CHAPS and SWIFT. BACS and CHAPS are of course UK-only operations, but the problems they address are common to many nations and again the descriptions provide a template for the reader wishing to understand arrangements, say, in other European countries or in the USA.

The approach to risk analysis is intensely practical: not for Slater the superficial elegance of Annual Loss Expectancy calculations - these always mislead as the necessary data simply doesn’t exist in the same way as it does, say, for ordinary fire risks. Instead he advocates a four-fold categorization: High Probability/High Cost, Low Probability/High Cost, High Probability/Low Cost, Low Probability/Low Cost - which is as useful and more honest.

Of growing concern to many of us are the consequences of business interruption following an unexpected systems crash; the explanations of current systems development methodologies as one is likely to find them in this industry are therefore welcome. Most useful of all are the various checklists for topics as varied as personnel, media library, online access and quality of contingency planning.

This is a very practical book which delivers precisely what the title promises.
Peter Sommer

Editorial office: Elsevier Advanced Technology, Mayfield House, 256 Banbury Road, Oxford OX2 7DH, UK. Tel: (0865) 512242; Fax: (0865) 310981; TX: 837966; Telecom Gold 79:IRCOlO

Subscription price for 1 year (12 issues): £204.00 including first class airmail delivery. (Payments in other countries are subject to our prevailing exchange rate.) Prices valid to end of 1992.

Subscription enquiries, orders, payments: Elsevier Services (UK), Crown House, Linton Road, Barking, Essex IG11 8JU, UK. Tel: (081) 594-7272; and Elsevier Advanced Technology, 655 Avenue of the Americas, New York, NY 10010, USA. Tel: (212) 989-5800

No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein.

Special regulations for readers in the USA: This publication has been registered with the Copyright Clearance Center Inc. Consent is given for copying of articles for personal or internal use, or for the personal use of specific clients. The consent is given on the condition that the copier pays the per-copy fee stated in the code on the front page for copying beyond that permitted by Sections 107 and 108 of the US Copyright Law. The appropriate fee should be forwarded with a copy of each page reproduced to the Copyright Clearance Center Inc., 21 Congress Street, Salem, MA 01970, USA. This consent does not extend to other kinds of copying, such as for general distribution, resale, advertising and promotion purposes, or for creating new collective works. Special written permission must be obtained from the publisher for such copying.

Printed by Cotswold Press Ltd, Oxford, UK