Ok who is getting tired of people's info

By zlitocook
Going missing? I thought there were government rules and laws to protect people! I guess not; the laptop that was ripped off from the contractor for the veteran assoc. was not encrypted, was not checked by anyone. The most recent one was from a YMCA and had a lot of data on it.
Let me say that all hospitals that I have worked for have had a HIPAA policy for a few years. You cannot access any patient information unless you need it (all information access is recorded) and no patient information will leave the network. Meaning that anything you do with patient information will only be on the secure network; you cannot save, remove or send any info for any patient. If you do, you will be subject to discipline up to termination.
The government set up these rules and it seems they have not followed what they told all other companies to do.
Banks are the same way! All internet access companies need to rethink the way they do business and assign a new number and not use the SSN for access to private information.

All Comments

Not all Banks are the same way

by j.lupo In reply to Ok who is getting tired o ...

If I am reading your comment correctly, you are assigning banks in the same category as the government with the stolen laptops. I can speak for at least 3 very large banks that I know encrypt laptops and restrict access. In fact contractors/consultants cannot even use a laptop, they have to use a locked down machine during work hours only.

I also know that these 3 banks have all sorts of restrictions regarding data access, e-mailing data, etc. As a matter of fact, the CD drives cannot write at all or load software. You can play music but you cannot load or write anything to the drive. No floppy drives either or memory stick access without passcodes.

I think they are starting to rethink business and how they are going to handle our digital age. But that is my opinion and experience.

Thank goodness for some positive....

by dawgit In reply to Not all Banks are the sam ...

news. And to think people were starting to feel 'ALL' in 'IT' were idiots. It's nice to know that at least a few banks take it seriously.

Credit Unions 2

by w2ktechman In reply to Thank goodness for some p ...

I have had a few jobs in credit unions (2 of them). They take personal information very seriously. Not allowed on notebooks, to be downloaded, etc. The majority of workers don't even have an HDD (Citrix) and USB ports were physically disabled on the ones that did.
They also had data regulations, and very limited Internet access.
Any institution that requires the need for this kind of personal info should be held accountable completely, and if their policies were broken, the offender should be held responsible as well. Threatening termination for thousands of people's data is retarded, it wouldn't stop anybody (except the honest). Jail time and financial penalties may, for at least more people.

credit union

by ericl_w19 In reply to Credit Unions 2

The credit union I worked at had horrible security and the IT manager didn't care. When I would bring something up he would say "well we have insurance to cover such things". I don't work there anymore; I'm sure it wouldn't be hard for me to still get in. Oh yeah, on the mainframe the database was on, the root password was still set to default from the company that ran it. And if you changed it they would get all mad at you.

Wow, don't bank there?

by w2ktechman In reply to credit union

I have never heard of that from a financial institution. I guess it would pay off to check things out a bit.

Yes I know what they

by zlitocook In reply to Not all Banks are the sam ...

Are supposed to do, but a small bank that I was at for almost a year had three contractors with full access to everything. They hired out for network and server support and the support people had remote access.
I was hired as a network support specialist and when I started pointing out major security risks I was told not to worry about it.
I was part of Banker's magazine and chatted with other IT people. This kind of thing happens a lot with smaller banks. The people who do their network support also do the compliance audit for the FDIC.

All I can say is

by j.lupo In reply to Yes I know what they

that is not the norm. Actually, if they are ever audited (especially with the Sarbanes-Oxley act) they will get into all sorts of trouble. Having worked with auditors since Sarbanes-Oxley came out, more and more banking officials are being gone after. It just takes time.

You stated that it is small banks doing this. That sort of makes sense. Since they are small they don't have the resources and since they are being audited they figure they are safe. It all comes down to the leadership and whether they really know what they are supposed to do. Of course costs play a huge part too.

My experience has been different. Access is not easy to get and is constantly monitored to everything. Just try and access outside e-mail from a work computer and you get a big NO ENTRY error and a statement that your activity is being reported. I have seen people fired over it, so... Changes are coming, but change is slow.

With my bank

by gpastorelli In reply to All I can say is

it is the norm. The auditing is a joke. When the auditors came in they had a list of directories they wanted security checked for and their listing was wrong. It was configured to look at the security for a Windows 2000 server, not a 2003 server. They didn't look at anything in-depth and if it wasn't on their list they didn't care. I quite honestly hoped they would've had a lot to say, this way I'd have something behind me to reconfigure the entire security of the network. But until we have a security breach or an intelligent auditor my hands are tied.

Access here is super easy to obtain, tellers have full access to an entire plethora of data. But upper management won't let me make any drastic changes that may inconvenience someone in the least bit.

It's definitely small banks and unfortunately it's the smaller banks that should have the best security. Not only to keep the customers they have safe, but as a customer service measure to show the customers that small banks can provide the same safeguards and services the big guys can. In my experience small banks look at IT as an unnecessary expense when they should be looking at IT as an ally and way to improve the business as a whole.


by j.lupo In reply to With my bank

That I can very much understand. I think it is also an opinion or view of networking versus IT as a whole. IT is not just internet, or networking, or LAN or WAN or development, or helpdesk. It is all of the different functions and it is very integrated into all business today in so many ways. Unfortunately, business and technology divisions cannot yet find that balance to partner with each other. We read so much about partnering with competitors or business partners to create strategic advantages.

This led me on my own journey to uncover WHY we don't partner the two - i.e. business and technology. It is a real shame if we can't because it is costing businesses over 130 billion dollars a year and growing due to misalignment (Pillips, 2002).

The problem is

by Tig2 In reply to Yes I know what they

That there are FIs out there that perceive that failing audit is merely the price of doing business or have developed a "they won't catch me" attitude.

SOX set some requirements in place but the deadline for compliance has already been extended once and it could be again. GLB has been around for a long time but that compliance level isn't where it should be. FIs define regulatory requirements for their business partners but are only just beginning to see the value of audit. Security policy gets written but not followed. If there isn't buy-in from senior leadership to follow the rules, they simply won't be followed.

Now let's consider outsourcing- I had a MAJOR problem trying to communicate security policy requirements to Indians because they don't HAVE SSNs and culturally there is no rationale for them to safeguard Personal Non-Public information. In a recent outsource, we provided a 4 hour Security class that ended with a signed agreement that detailed how they would handle information. We could teach the class in the morning and have 30 violations before lunch. Management did nothing about it.

Bottom line- if the corporation doesn't perceive the value of security, security will be lax. It has to be an all-over effort.
