Working with clients in financial services has meant that at all times I have had to fit into the corporate security model employed by the firm. With a diverse range of firms I have seen different levels of security. At one extreme has been a number of Swiss firms.
- air gap from internet to core systems - so a user who accesses the internet will have two PCs - one connected to the internet on one network and another connected to core systems
- all client specific data encrypted
- client names not stored with client position data
- use of salt and hash techniques
- strong passwords and two factor authentication mandatory
- unique usernames and passwords for each system
- layered security with different hardware and software
- use of external consultants to attempt to break into the secure network
- firewalls that strip off attachments unless to or from whitelisted email addresses
- whitelisted internet access - if you want to see a page - request it.
- time elapsed access - passwords expire over periods
- file access audit trail maintained and users challenged - why did you need to access file XXX?
- data security written into contracts of employment
In other firms I have seen all of the worst practises possible -
- use of root passwords by multiple users
- no audit trail
- minimal firewall setup
- no employee data access control
- default sa, dbo and root passwords for applications, networks and servers
- usernames and passwords in clear text in relational database tables
The question that I always ask clients is essentially "what's the worst thing that you can think of that could happen to your data?". The challenge to any response is that while that is the worst thing that you can think of, the actual worst thing is more limited by the hackers imagination rather than yours...
Security is not to be trifled with, the right way involves strongly implemented and managed policies and procedures. Or, to consider it another way "I say we take off and nuke the entire site from orbit, it's the only way to be sure."