RE: Bank pen test

["Craig Wright" <cwright () bdosyd com au>]

Further to the first point, most financial services legistlation (BASEL II, etc etc) calls for Audit and not Pen Tests. 
By this, this is a legally santioned test by legally [liable/ chargeable/ etc] auditors.
 
"A bank or other financial organization will tend to do whatever it can to avoid any kind of negative press, especially 
as it relates to integrity/confidentiality breaches, as long as the cure wouldn't bankrupt them too."
 
I have to disagree with this. They will look at a risk associated with the cost of "spin" - I have worked with banks 
who have done some *REALLY* stupid things. As sad as it is to say there is the risk as percieved by the directors to 
themself (inc share options) and there is the risk to the bank as a whole. If the share value is not likely to be 
impacted in the longer term (and an attack will not likely achieve this - see Citibank, NAB etc) than the issue may be 
under valued from a shareholder and client perspective.

Regards
Craig

        -----Original Message----- 
        From: Jon Gucinski [mailto:Jgucinski () midwestbank com] 
        Sent: Wed 8/03/2006 8:46 AM 
        To: pen-test () securityfocus com 
        Cc: 
        Subject: RE: Bank pen test
        
        
There's also another thing to consider when dealing with financial
corporations: regulation.  The US Banking sector is one of (if not THE)
most regulated industry on the planet.  We're forced to comply with many
regulations, regardless of cost, in order to do business.  While some
risks may be left open due to cost, i'd wager that the overwhelming
majority are not.  Audit and Compliancy committee's just won't have it,
especially if an outside auditor/pen-test says that its a problem that
has to be fixed.

In terms of media value, its pretty much infinite.  A bank or other
financial organization will tend to do whatever it can to avoid any kind
of negative press, especially as it relates to integrity/confidentiality
breaches, as long as the cure wouldn't bankrupt them too.

-Jon

Regards,

> > > "Craig Wright" <cwright () bdosyd com au> 3/6/2006 9:42:53 pm >>>

This is a simple and short answer for once. A good risk assessment will
take the impact from adverse publicity (not to state that all risk


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.  

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.