EU Agency presents a new study on how to counter information security risks with a change in the financial sector staff awareness.

Loss caused by theft of customer information and costs of security incidents response is rising according to a new ENISA report. Security breaches in financial organisations can cause heavy financial losses. Employee information security awareness is the way forward, the EU Agency's white paper claims.

Safeguarding personal and financial data is key for the financial services industry. According to the 2008 report of the UK Financial Services Authority financial services firms could significantly reconsider their approaches to data security. Both the costs for less by theft of customer information and the cost of responding to security incidents are rising. Security breaches in financial organisations damages both reputation and causes heavy financial losses, difficult to recover from.

Employees are now considered the single most likely cause of security incidents, confirmed in many international surveys (2007 Global State of Security, the 2008 BERR survey, et al). BERR reports that 47% of large businesses suffer from staff misuse of information systems. Technical solutions are no longer the solution nowadays. The cost for training staff constitutes an important financial commitment for any organisation.

The report is an assessment of the environment of financial organisations and their main business drivers. It presents the landscape of international standards, legislation and certification objectives together with major risks, threats and end-users behaviour. Moreover, the paper covers the different phases of implementation of awareness raising programme in financial organisations and assessment of results. It is imperative that all roles are clearly defined and match them to the corresponding security topics, as identified in tables in the report. Finally, the paper contains practical advice, a set of 20 recommendations and 7 case studies provided by a number of financial organisations around Europe. The ENISA Virtual Working Group on “How to organise awareness raising programmes in financial organisations” contributed to this paper.

The Executive Director of ENISA, Mr. Andrea Pirotti comments on the report:
“The poor state of data security is a serious issue for the financial markets. This is not the time not to invest in security and training for staff, as the costs and consequences thereof may be business critical.”

To view the complete report please visit: http://www.enisa.europa.eu/doc/pdf/deliverables/is_awareness_financial_organisations.pdf

Bloggers take German national library to task

From: FT November 25 2008

For someone writing under the name Robert Basic, it seemed too good to be true.
“My parents are never going to believe I’m going to be catalogued by the German national library,” the blogger wrote about the library’s plans to collect things German on the web to add to its century-old collection of the nation’s books.

But such expressions of delight were drowned out by outraged disbelief as websites reported that the Nationalbibliothek, based in Frankfurt and Leipzig, could force every private website owner and amateur blogger to submit material – and fine the noncompliant up to €10,000 ($13,000, £8,500).

Blogs have since been alive with jokes about German thoroughness, and calls to resist.
“Every home page owner should shunt them a pdf [file] with a copy of their website in highest quality, preferably all on the same day,” one blogger wrote on heise.de, a popular site among techies. “Then [the library’s] server would burst.”

Another blogger, writing under the pseudonym “night watchman”, published a screed on his homepage. The hassle of submitting pages and the threat of fines would kill the German-speaking internet as a forum of free speech, he thundered. His site was a “personal archive” that was of no value to a public institution.

The internet is often praised for its “viral” qualities, which set it apart from the methods of traditional mass media. But in this case, word-of-mouth authenticity morphed into unreliable Chinese whispers, as many of the things criticised about the library’s plans turned out to be incorrect.

The library had indeed received a government mandate in 2006 to collect web publications and to fine the unco-operative – as a last resort.

On October 22, Berlin released more details: the library should choose what it collected – based on its as-yet modest capacity and what it deemed to be of public interest. But the webbies’ frenzy had touched on an important and unresolved issue.

Faced with the deluge of online information and limited budgets for gathering and archiving, what could and should a public archive preserve for the nation – and when should easily tapped home pages be considered private rather than public?

With the internet already in its second decade and host to reams of material for which paper was too expensive or too cumbersome, it is startling to realise that the German national library and its worldwide peers are only just beginning to grapple with the problems of systematically archiving the web.

While the US Library of Congress started looking at “web capture” in 2000, and founded an international group to do the same in 2003, its internet archive remains selective. It boasts 17 thematic collections – but its archive about web coverage of September 11 2001, say, gives no idea how news sites’ top story developed that day.

The Germans started making plans in earnest two years ago to save web publications for posterity. Ute Schwens, director of the Nationalbibliothek in Frankfurt, said the collection was still a work in progress, one that was taking shape in consultation with national libraries in France, the Netherlands, the UK and North America.

“At the moment, we’re only collecting e-books and online dissertations but we’re going to be moving into the areas of blogs and websites fairly soon,” she said. “It’s got to be information other people might need but nothing purely commercial” – basically eliminating a huge crop of online shopping and corporate websites.

“We’re talking to [newspaper and magazine] publishers about their sites,” Ms Schwens said, “And we’re interested in blogs by people in public life – but not in every site of every private individual.” The limiting factors were technical: What file types to accept? How often should a library archive an ever-changing website?

Currently targeting e-books and dissertations, much of the collecting in Frankfurt is still done by hand. The 20,000 publishers and academic institutions registered with the library are obliged to submit web material to the library’s server, run by an outside provider, or leave files on their own systems for the library to pick up.

Soon a lot of collecting will be done by machine. Material from news sites, for example, can already be secured automatically using a technique called “harvesting”. The question for each library will be how often to instruct its computers to do this: Ms Schwens said there were 12m active German websites, although not all would deserve a look.

The library has already collected 40,000 e-books, 60,000 online dissertations and 1,200 e-journals, still a modest number compared with a physical archive that counts 24.5m items.
“But in the next few years, we’re going to collect millions of files,” she said – perhaps even the web encyclopaedia Wikipedia. Now that should make all webbies happy.

Indeed, the German blogosphere seems to be coming round to the idea. Admitting it was caught off guard by the deluge of misinformed protest, the Nationalbibliothek now gives comprehensive information about its plans – on its website, of course. One newly enthused webbie recently said on heise.de: “Let’s stop digital amnesia!”

Source: http://www.ft.com/cms/s/0/fb9fb642-ba81-11dd-aecd-0000779fd18c.html

ARMA's 3rd Brussels Roundtable brings together top policy makers, stakeholders and RIM professionals

On 7 November 2008, ARMA International organised its 3rd Roundtable on Information Governance and Records Management in Brussels. The event was attended by more than 80 representatives from the European Union Institutions, stakeholder organisations, and the private sector. The event was also attended by a large number or records and information management professionals, information security professionals and archivists from all over Europe and beyond, working in many different sectors.

Douglas Allen, President-Elect of ARMA International, opened the roundtable by addressing the need for good records management in view of the financial crisis which was in large part due to lack of transparency. He mentioned recent security breaches in Europe to underline that information have become corporate assets of critical importance and growing risk areas and that sound records management should be the responsibility of all individuals within an organisation.

Towards a European Freedom of Information Act
Mr. Marc Maes from the Secretariat-General of the European Commission gave first a short presentation of the history of the right of access to documents. He provided an overview of the current version of the Regulation 1049/2001 regarding the beneficiaries, scope and limits of the right of access to documents.

He also presented the situation of third party documents that should be transmitted after the consultation of the author unless it is clear that the document should be transmitted. He stressed that the institutions who received a request should decide on the basis of the exceptions to this right and other institutions are consulted under a memorandum of understanding.

Mr Maes gave an overview of the proposal to review the Regulation 1049/2001 that was published on 30 April 2008 on which ARMA replied to a consultation following the publication of a Green Paper and drafted a position paper. He pointed out in particular the main features of the definition of the term document and presented the main limitations to the scope of the Regulation. Finally, he mentioned the latest case laws on access to documents.

Mr. Fergal O’Regan, Head of Legal Unit at the European Ombudsman’s office addressed the main concerns of this organisation regarding the review of the Regulation 1049/2001.

He pointed out that the wording used in the definition of the term document is the main concern of the Ombudsman. He wondered if the term “formally transmitted” means documents transmitted within or outside the institutions or if this definition should be understood as including informal transmission. In its position paper on the review of the Regulation 1049/2001 ARMA International expressed that this definition should be revised to be more in line with document and records definitions included in international recognized standards in information management such as ISO 15489.

Mr. Hielke Hijmans from the European Data Protection Supervisor (EDPS) office explained the role of the EDPS in case law related to access to documents. He stressed that the fundamental right of access to documents sometimes clashes with the fundamental right to privacy. He pointed out that the review of the Regulation 1049/2001 does not find the right balance between access to documents and privacy as its provisions does not ensure that disclosure can only be denied if the privacy or the integrity of a person would be undermined.

The Markets in Financial Instruments Directive (MiFID)
Mr. Salvatore Gnoni from the Directorate-General Internal Market and Services of the European Commission gave a wide overview of MiFID. He also discussed the MiFID provisions regarding transparency, transactions reporting and record keeping.

As regards transparency requirements, he explained that the market transparency regime concerns pre- and post-trade information and covers shares admitted on a regulated market while the transaction reporting regime covers all securities and derivative contracts admitted on a regulated market.

He stressed that investment firms should report details of their transactions to their national authorities and that these authorities should share information among themselves.

Investment firms should keep records of their transactions for a general period of 5 years in order to keep them at the disposal of the competent authorities. He quoted a recommendation from the CESR (Committee of European Securities Regulators) which provides a list of minimum records and explained that Member States can keep records of telephone conversation or electronic communications which can be used in order to show that investment firms comply with record keeping requirements.

Mr. Jitz Desai, Director of JWG-IT, pointed out the difficulties of firms to comply with MiFID requirements regarding record keeping as these new obligations are among the EU implementation priorities. Consequently, a short period of time is at the disposal of firms to comply with the Directive.

He stressed that firms need to know exactly their data in order to prove that they comply with this Directive. But some requirements such as proving best execution will make compliance difficult. It will be also difficult for firms to assess the costs to gather the relevant information.

e-Health Interoperability
Ms. Linda Mauperon, member of the Cabinet of European Commissioner Viviane Reding, insisted first on the benefits of eHealth for healthcare services and for citizens, and on the importance of the eHealth market compared to others health markets.

She stressed that the lack of interoperability is the most important obstacle to the development of eHealth. However, she pointed out that a growing will exists among Member States and stakeholders to solve this problem. The Commission is also committed to improve interoperability of eHealth services as it published a Recommendation containing guidelines and principles to provide interoperability in a cross-border context in July 2008. She quoted other initiatives such as the epSOS project whose goal is to reach a situation where doctors have access to information on a patient without taking into account the country in which they were created. She also stressed that industry is committed to interoperability and that all these initiatives will contribute to make interoperability a reality

Ms. Angelika Haendel from AHIMA explained on the fact that eHealth is a growing sector but interoperability is a prerequisite to its development. She stressed that interoperability is a necessity because trends such as international travel or multinational companies make boundaries less relevant.

Mrs Haendel pointed out that eHealth will become an important area as it represents 5% of the EU GDP and because the EU provides more funds to eHealth projects. However, there are several challenges eHealth projects have to challenge: the intervention of several Member States in an area of national competence, the fragmentation of health organisations in Europe and the growth of electronic data. She presented several eHealth projects such as the integrated care project or the Siemens Soarian Integrated Care.

The Internet of the Future
Dr. Florent Frederix, Head of Sector Networked Enterprise & Radio Frequency Identification unit at the European Commission, presented past and future actions of the Commission on RFID. Regarding future actions, the Commission will adopt a Recommendation on RFID in Autumn 2008 and will publish a staff working paper and a Communication on the Internet of Things in winter 2008/2009.

He stressed that a secure and privacy friendly use of RFID is one of the objective of the Recommendation. He pointed out that RFID chips can become more intelligent and will be able not only to identify things but also to collect information.

The main challenges of the consultation on RFID that close on 28 November 2008 were also put forward: security, privacy and data protection, control of critical global resources, governance of resources, standard settings and interoperability and social and human impact.

The different applications of RFID were promoted in areas such as health, transport, environment monitoring and disaster management.

During this session it appeared that RFID will entail important challenges for records management regarding privacy or security for instance as through this technology an important amount of information will be created and will have to be managed in compliance with EU requirements. However, the way record managers will have to manage these data did not appear clearly.

Mr; Laurent Beslay, Technology Adviser at the European Data Protection supervisor (EDPS) office, stressed the role of the EDPS and data protection principles applicable to RFID and explained that the EDPS office analyses the impact of new technologies on these principles.

He pointed out that privacy challenges are related to RFID as this technology will concern not only the industry but also citizens. If citizens store their data at home they will benefit from a legal protection as home is considered as a legal sanctuary but data are now spread everywhere. He also mentioned the trend of cloud computing where end users store their data on a server outside their hope but do not know where these data are stored exactly. He wondered if end users will benefit from a legal protection if there data are stored by a company.

He stressed that to implement successfully RFID applications security and data protection considerations should be introduced as soon as possible in the creation of new applications. Moreover, best techniques, i.e. the way a technology is implemented, should be used and the way security breaches will be managed should be taken into account.