An actual HMG IS2 Full Accreditation Statement based on an actual ITSHC (IT security health check), an actual security audit by Deloitte, one of the Big Four audit firms.  It demonstrates that the auditor’s reputation has been put on the line, as well as the legal liability an auditor shoulders for such an audit.
Author: George McLeod, National Accreditation Manager, NPIA

Judge Walker has said that the audit component primarily benefits TD Ameritrade, not the class.  Here’s why I think a good audit component substantially benefits the class.  Today, the public has no good way of knowing whether any company they are considering doing business with (such as a bank or brokerage firm) has good security.  Only important businesses (such as WalMart) have the clout to demand that their partners prove that they have good security.  Based on successful comprehensive publicly-disclosed third-party security audits, informed class members (and the public) will be justifiably confident that TD Ameritrade has good security. If TD Ameritrade has poor security, class members will know that too, and will be able to make informed decisions.  Today, I have no basis on which to determine that any brokerage firm has better or worse security than any other one.  I’ve tried approaching several brokerage firms as a potential customer and asking them to convince me that they have good security.  None of them have even attempted to do so.  If TD Ameritrade is the only online brokerage firm to have an unqualified public security audit statement, it stands to receive much positive publicity and additional business as a result, so I feel this is an excellent ‘win-win’ settlement component.

TD Ameritrade needs to PASS an internal security audit by an outside party who has full access to internal systems.  They can’t simply have the audit and then claim to have remedied the issues the auditor raised.  They didn’t disclose the breach until almost two years after the first of five formal security evaluations (prompted by my lawsuit and by breach reports in the media) had been completed.  It would be foolish to trust this company to address any security problems it is not forced to address.

There are some firms that are required to pass comprehensive internal security audits.  Guess (the clothing retailer, under its FTC consent order) is required to maintain a comprehensive security program at its Web sites and submit an independent security auditor’s report to the FTC every two years for 20 years.

Penetration tests do NOT ensure security.  As I’ve noted before, security reporter Winkler was correct when he quoted Judge Vaughn Walker’s statement, “Penetration tests provide a reliable way for companies to detect the sort of security weaknesses that led to the Ameritrade breach,” and responded, simply: “That just isn’t true.”  Weekly penetration testing can be ordered for about $100 per year, so while its value is greater than that, the cost is expected to be trivial.  Ameritrade initially agreed to conduct “bi-annual” instead of weekly testing, but only through December 31, 2009, giving it time for only one or two such tests, which may never have been performed!

Account seeding would have been required to continue only through the end of 2008, and the rejected settlement even allowed the company to “change the methodology as it deems appropriate”; canary surveillance (watching the seeded accounts for any activity that would signal a leak) is not required.  Ameritrade promised to retain ID Analytics only through the end of September 2008, when its contract with that company ended, a period that expired before class members were notified of the settlement, voiding all clauses dependent on ID Analytics finding organized ID theft.  As these periods have expired, Ameritrade is under no obligation to ensure that new companies it acquires, or is acquired by, comply.  See Schwartz, 157 F. Supp. 2d at 573 (finding the value of a settlement’s injunctive relief to be “minimal at best” where it would remain in place for only 1-2 years).
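
Canary surveillance of seeded accounts, as an added example that is not part of the original post or of the settlement: the seeded accounts own mailboxes that exist only as customer records, so any authentication attempt against one of them, or any inbound mail to one of them from a sender other than the firm itself, is evidence that the customer data has leaked.  The seeded accounts, the trusted-sender list, the log format and the log lines below are all constructed for illustration.

```python
import re

# Constructed seeded ("canary") accounts: each mailbox exists only as a
# customer record, so nothing legitimate should ever log in or mail to it.
SEEDED_ACCOUNTS = {
    "canary-7f3a@example.com": "A1000771",
    "canary-2b9c@example.com": "A1000772",
}

# Constructed allow-list of the firm's own sending addresses; mail from
# anyone else to a canary mailbox means the address has leaked.
TRUSTED_SENDERS = {"statements@example.com", "alerts@example.com"}

# Constructed log lines in a simple "timestamp service key=value ..." format.
SAMPLE_LOG = """\
2010-03-02T08:14:05Z auth event=login result=ok acct=A2231004 src=203.0.113.10
2010-03-02T08:15:31Z mail event=inbound to=canary-7f3a@example.com from=statements@example.com subject="Your statement"
2010-03-02T09:02:44Z mail event=inbound to=canary-7f3a@example.com from=promo@pumpanddump.test subject="Hot stock tip"
2010-03-02T09:03:10Z auth event=login result=fail acct=A1000772 src=198.51.100.7
2010-03-02T09:03:12Z auth event=login result=fail acct=A1000772 src=198.51.100.7
2010-03-02T09:10:00Z auth event=password_reset result=ok acct=A2231004 src=203.0.113.10
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one log line into (timestamp, service, {key: value})."""
    ts, service, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    return ts, service, fields


def scan_canaries(log_text, seeded=SEEDED_ACCOUNTS, trusted=TRUSTED_SENDERS):
    """Return alerts for any touch of a seeded account.

    Each alert is (kind, canary_mailbox, actor, timestamp):
      seeded-account-auth : any auth event (success or failure) against a
                            seeded account; actor is the source IP
      canary-address-leak : inbound mail to a seeded mailbox from outside
                            the firm; actor is the sender address
    Failed logins count too: a credential-stuffing run against a seeded
    account shows the account list has leaked even if no login succeeds.
    """
    acct_to_mailbox = {acct: mbox for mbox, acct in seeded.items()}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, service, f = parse_line(line)
        if service == "auth" and f.get("acct") in acct_to_mailbox:
            alerts.append(("seeded-account-auth", acct_to_mailbox[f["acct"]],
                           f.get("src", "?"), ts))
        elif (service == "mail" and f.get("to") in seeded
              and f.get("from") not in trusted):
            alerts.append(("canary-address-leak", f["to"], f.get("from", "?"), ts))
    return alerts


def leaked_canaries(alerts):
    """Distinct canaries that fired, in first-seen order, for the breach report."""
    seen = []
    for _, canary, _, _ in alerts:
        if canary not in seen:
            seen.append(canary)
    return seen


if __name__ == "__main__":
    for kind, canary, actor, ts in scan_canaries(SAMPLE_LOG):
        print("%s %s canary=%s actor=%s" % (ts, kind, canary, actor))
```

The check is only as good as the seed set: the seeded addresses must be unique to the firm and never used anywhere else, otherwise a leak cannot be attributed, and the set has to be kept and monitored for as long as the data it guards remains in the firm’s systems, not for a fixed settlement window.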

In any case, the specified security measures were well below the minimum of what would be expected from any responsible financial services company.  To have any real impact on the security of client data, the settlement would have to provide for a set of best practices modeled on a well-regarded existing industry standard.  These practices would include, at least, a comprehensive written security program such as the information security management system that ISO 27001 requires.  This is important because many industry standards are woefully inadequate: there are some well known and frequently used ones that permit a company to say it has no security measures in place, and if that’s accurate, then it meets the standard!  ISO 27001 is the only standard I know of that provides a reasonable level of assurance of system security.

I’d bet that if asked about their intrusion detection systems, TD Ameritrade would have said that they have deployed a state-of-the-art IDS.  That answer is like an army reporting in 2010 that it uses state-of-the-art balloons for surveillance.  (Balloons were used for surveillance during the Civil War in the ’60s, the 1860s.  Whitepaper with technical details here.)

Massachusetts has a new data privacy regulation (201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth) that’s partially in effect.

I considered this standard and noted the following flaws, if it were used as the standard to audit against:

1. I would not be OK with compliance that might rely on the loophole in § 17.03(2)(f)(2), the clause that addresses third-party service providers by contract.  Ameritrade has partially-owned third-party service providers.
2. § 17.04(6) covers only operating system patches on systems connected to the Internet.  It does not address patches to applications other than the operating system, or to bespoke software, and could be interpreted to apply only to systems directly connected to the Internet.  Not OK.
3. I would require that the auditors have physical access to systems, staff and documentation in order to verify implementation of the comprehensive information security program.  Arguably, this is implied, but I’d feel more comfortable if it were specific.
4. The encryption must not rely on standards or implementations well known to be compromised (such as SSH1, WEP or SSL2; the TJX breach relied on the victim’s use of WEP long after it was known to be fundamentally flawed).
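
A configuration-level check for point 4, as an added example that is not from the original post or from any standard: it flags SSH protocol 1 in an sshd_config, SSLv2 left negotiable by an Apache mod_ssl SSLProtocol directive, and WEP key material in a hostapd configuration.  The three configuration excerpts are constructed; the Apache check goes one step beyond the page by also treating SSLv3 as broken, since it has since been broken by POODLE and deprecated by RFC 7568.  File names in the findings are labels only.

```python
import re

# Constructed configuration excerpts; none of these is from a real system.
SSHD_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin no
"""

APACHE_SSL_CONF = """\
SSLEngine on
SSLProtocol all -SSLv3
SSLCipherSuite HIGH:!aNULL
"""

HOSTAPD_CONF = """\
interface=wlan0
ssid=branch-office
wep_default_key=0
wep_key0=0123456789
"""

# mod_ssl's SSLProtocol keywords (upper-cased lookup -> canonical spelling);
# the keyword "all" expands to every one of them.
VERSIONS = {"SSLV2": "SSLv2", "SSLV3": "SSLv3", "TLSV1": "TLSv1",
            "TLSV1.1": "TLSv1.1", "TLSV1.2": "TLSv1.2", "TLSV1.3": "TLSv1.3"}
# SSLv2 is named on the page; SSLv3 is added because it is also broken.
BROKEN_VERSIONS = {"SSLv2", "SSLv3"}


def enabled_ssl_versions(args):
    """Evaluate an SSLProtocol argument list left to right, as mod_ssl does:
    a bare name or +name enables, -name disables, and 'all' means every version."""
    enabled = set()
    for tok in args.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = (set(VERSIONS.values()) if name.lower() == "all"
                 else {VERSIONS.get(name.upper(), name)})
        if op == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def check_sshd(text):
    """Flag 'Protocol' lines that still list SSH protocol version 1."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\s*Protocol\s+(\S+)", line, re.IGNORECASE)
        if m and "1" in m.group(1).split(","):
            findings.append(("sshd_config", "SSH1", line.strip()))
    return findings


def check_apache(text):
    """Flag SSLProtocol lines that leave a broken SSL version negotiable.
    Whether SSLv2 can really be negotiated also depends on the linked OpenSSL,
    so treat the directive as the finding and confirm with a live handshake."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\s*SSLProtocol\s+(.+)", line, re.IGNORECASE)
        if not m:
            continue
        for bad in sorted(enabled_ssl_versions(m.group(1)) & BROKEN_VERSIONS):
            findings.append(("httpd-ssl.conf", bad, line.strip()))
    return findings


def check_hostapd(text):
    """Flag any WEP key material in a hostapd configuration."""
    findings = []
    for line in text.splitlines():
        if re.match(r"\s*wep_key[0-3]\s*=", line):
            findings.append(("hostapd.conf", "WEP", line.strip()))
    return findings


def audit(sshd=SSHD_CONFIG, apache=APACHE_SSL_CONF, hostapd=HOSTAPD_CONF):
    """Run every check and return the combined list of (file, protocol, line)."""
    return check_sshd(sshd) + check_apache(apache) + check_hostapd(hostapd)


if __name__ == "__main__":
    for source, proto, evidence in audit():
        print("%-15s %-5s %s" % (source, proto, evidence))
```

A configuration review is still paper evidence; an auditor with the access point 3 asks for would pair it with a live probe of each listening service to confirm what is actually negotiable.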

Also, I would prefer that the policy (or a link to it) be emailed to all IT staff and all staff primarily involved in ensuring information security, including the whole Info Sec department.  It would be nice if there were a requirement that the policy include a process for concerns to be raised outside the chain of command.  But these are nice-to-haves.  Without addressing the four points above, I feel the standard is fundamentally flawed.

Even more fundamental is that it doesn’t require a third-party audit at all!  Certainly larger companies should have to pass an audit!  Ameritrade is required by law to comply with this standard anyway.  If it’s used as part of a settlement of this case, I would only consider it of any value if the company has to publicly disclose that it has passed one or more third-party audits, and the four points above were addressed.

It is unclear whether TD Ameritrade has performed a full forensic audit or post-mortem following the breach.  Without one, it is impossible for TD Ameritrade to provide a disclosure of the breach to customers with assurance that it fairly represents the scope of the breach.  A forensic audit result must be a required input to the security audit, and must include review of each Letter to the Audit Committee and each Letter to the Audit Committee Chairman from the company’s auditors from 2005 to date.