IT Compliance Advisor

August 24, 2016  11:49 AM

Security experts fear voting machine hacks during general election

Christian Stafford Christian Stafford Profile: Christian Stafford

After a Democratic National Committee email leak, security experts are warning against a possible voting machine hack come November. Also in GRC news, the New York branch of one of Taiwan’s largest banks has been fined $180 million after violating compliance regulations, and a data leak by hacker group called “Shadow Brokers” has revealed a possible NSA breach.

Electronic vote manipulation a possibility in November

In a society where almost every bit of information is recorded electronically, the potential for cybersecurity threats is high: After Russian hackers leaked Democratic National Committee emails, security experts told NPR that voting machines could be the next target for hackers. Zeynep Tufekci, an associate professor at the University of North Carolina’s School of Information and Library Science, told NPR that states that rely on electronic voting systems without paper back-up ballots are at risk for potential security breaches and vote manipulation.

In early August, POLITICO interviewed Andrew Appel, professor of computer science at Princeton University, who revealed how easily some voting machines can be hacked and have their results altered.

Mega Financial Holdings fined $180 million for compliance violations

One of Taiwan’s largest banks had its New York branch fined $180 million by the state’s financial regulator for compliance violations, Reuters reported. Mega Financial Holdings violated anti-money laundering laws due to its disregard for “risks of exposure” in Panama, an area popular for money laundering, the New York State Department of Financial Services said in a statement.

Mega Financial is one of many companies whose records is now being looked at under a microscope following the “Panama Papers” leak of more than two and a half terabytes of data taken from Panamanian law firm Mossack Fonseca. Most notably, former UK Prime Minister David Cameron found himself involved in the data leak when it was revealed that he profited from his father’s Panama-based, UK-tax avoiding trust.

“Shadow Brokers” leak possibly revealed classified NSA code

The New York Times reported that a group of hackers calling themselves the “Shadow Brokers” have released classified computer code that has been used by the National Security Agency (NSA) for espionage purposes.

Experts told the New York Times that the code was designed to give the NSA access to the computer systems of foreign countries. Some of the same code was detailed by NSA whistleblower Edward Snowden in 2013. According to Forbes, the information leaked by the Shadow Brokers also reveals how the NSA was able to bypass the encryption of PIX, a Cisco program that offered firewall and VPN technology, to spy on the product’s users.

August 15, 2016  1:08 PM

Bitcoin hack leaves investors apprehensive

Christian Stafford Christian Stafford Profile: Christian Stafford
Bitcoin, Data privacy, Data-security, Hack, HIPPA, Pokemon GO, privacy, Security, Tinder

Investors are nervous about bitcoin’s future value after Bitfinex, one of the world’s “big four” bitcoin exchanges, was hacked and had nearly $65 million worth of bitcoins stolen. Also in recent GRC news: Tinder has been accused of violating EU privacy laws and the popular augmented reality mobile game Pokémon GO could cause some unwanted HIPPA violations.

Hack leaves bitcoin investors spooked

Hong Kong-based bitcoin exchange Bitfinex was breached by hackers who stole nearly 120,000 bitcoins that by some estimates were worth more than $70 million. Experts told CNBC that future investors may be hesitant to consider bitcoin a stable currency to purchase stakes in, as this is not the first time a major breach of a bitcoin exchange has occurred.

In 2014, Tokyo-based bitcoin exchange Mt. Gox became insolvent after discovering a breach that was left undetected for years. Mt. Gox remains the most famous and devastating bitcoin exchange breach of all time, as Mt. Gox once managed nearly 70% of all bitcoin exchanges worldwide, according to the Wall Street Journal.

Tinder accused of breaching EU privacy laws

The popular mobile dating app Tinder has been accused by a Belgian Member of the European Parliament of violating EU privacy laws. Marc Tarabella told the BBC that Tinder fails to notify users of the amount of data the app manages on users’ mobile devices, thereby violating EU privacy rules.

Tinder, however, is not the only mobile app that has recently been in the spotlight due to users’ rights to privacy. In May, Ars Technica reported that the fitness tracking app Runkeeper was accused of violating EU privacy laws by the Norwegian Consumer Council. According to the Consumer Council, Runkeeper’s practice of recording and sending users’ location data to a third party in the United States — even while the app is not in use — is a violation of EU data privacy laws.

The record-breaking augmented reality mobile game Pokémon GO has been making headlines for reasons other than its massive financial and cultural success. Shortly after the game was released in early July, it was discovered that  Niantic, the game’s developer, was able to access a large amount of private and personal information from user’s Google accounts that were used to create a Pokémon GO account. According to Adam Reeve, a principal architect at RedOwl Analytics security farm who was the first one to break this news, Niantic had the ability to read and send users’ email, access users’ Google Drive documents, look at users’ search history, view users’ Google Maps navigation history and access users’ private photos stored in Google Photos. Niantic has now updated its permissions policy in response to the privacy issues, stating that the game is only able to access basic Google account information and nothing more.

Pokémon GO poses risk to HIPPA violations

The National Law Review detailed the benefits and detriments of healthcare facilities allowing Pokémon GO to be played on their premises. Reasons to let the game stay include the benefits of physical activity, because the game’s objectives can help healthcare facilities motivate patients to exercise. One of the reasons for banning Pokémon GO from healthcare facilities includes the possibility of HIPPA violations of patient privacy.

The mobile game’s augmented reality feature allows users to view and capture photos of animated characters in the real world through their device’s camera so users can share the images via social media. This poses an obvious privacy issue in a healthcare environment, as patient’s private health information, and the patients themselves, could be recorded and shared on social media.

Niantic has made concessions to allow businesses and organizations to opt-out of the Pokémon GO craze. By submitting an online complaint on Niantic’s website, healthcare facilities can have their location removed from the game and essentially block Pokémon GO characters from spawning in and around their facility.

July 28, 2016  1:24 PM

Privacy Shield gets regulators’ stamp of approval

Fran Sales Fran Sales Profile: Fran Sales
Data access, Data privacy, Data transfer, GDPR, GRC strategy, HIPAA Compliance, PHI, Privacy Shield, regulatory compliance, SEC

The Privacy Shield data transfer pact finally received the green light from U.S. and EU privacy regulators, and businesses can begin registering to comply with the framework Aug. 1. Also in recent GRC news: The SEC calls for better transparency for brokers’ order routing practices, and a University of Mississippi hospital is fined $2.75 million for violating HIPAA security rules.

With Privacy Shield finalized, companies are urged to act quickly

The U.S. and the European Commission have greenlighted Privacy Shield, the data transfer agreement that replaces the Safe Harbor framework. Companies can start registering for Privacy Shield on Aug. 1. Experts told the Wall Street Journal that the finalization of the deal could alleviate uncertainty for thousands of businesses that relied on Safe Harbor for legal guidance as they moved business and customer data across the Atlantic. Privacy Shield contains more robust provisions than Safe Harbor, such as increased limits on U.S. companies regarding European data access and remediation rights for individuals. Privacy regulators will review the framework every year to ensure that it remains effective.

There are aspects of Privacy Shield that will work in favor of companies that adopt the framework, data transfer experts told WSJ. One way it benefits companies is that the Privacy Shield provisions are consistent with the principles of the EU’s General Data Protection Regulation (GDPR), a new law that overhauls how EU citizens’ data is handled. Businesses that are already enacting compliance processes around Privacy Shield can use those endeavors to comply with GDPR. Another benefit is that companies that sign up for Privacy Shield within two months of Aug. 1 receive a grace period of nine months to achieve compliance with the framework.

SEC proposes greater disclosure of order routing practices

The U.S. Securities and Exchange Commission (SEC) has proposed rules that would require brokers to reveal standard data about order routing practices. This data includes possible conflicts of interest with their clients, how adequately they carried out their customers’ orders and the average rebate a broker firm received for its orders, which will be published in aggregated reports on the SEC’s website.

Critics of the current standards say investors lack sufficient details on where their orders are being set and why. “This proposal should provide investors with an important new tool to better assess whether a broker-dealer’s order routing practices are consistent with their investment objectives,” SEC chairperson Mary Jo White said in a public statement.

U-Miss hospital to pay $2.75 million fine for HIPAA infraction

The University of Mississippi Medical Center (UMMC) will pay the Office for Civil Rights, part of the U.S. Department of Health and Human Services, a $2.75 million fine for HIPAA violations. An OCR investigation found that the hospital had been aware that there were vulnerabilities to electronic protected health information (ePHI) since at least 2005, but didn’t take any meaningful action to alleviate or remove the risk until after a laptop was stolen in 2013. The OCR also found that health data were susceptible to unauthorized access through UMMC’s wireless network because users were able to access an active directory holding the ePHI of 10,000 patients. The OCR’s findings showed UMMC were in violation of the HIPAA Security Rule’s guidelines for safeguarding ePHI.

UMMC will enter into a resolution agreement and three-year corrective action plan with the OCR. The resolution agreement states that the hospital failed to enact the appropriate security measures to remain HIPAA-compliant, particularly in regard to reducing data vulnerabilities and notifying patients of insecure ePHI. UMMC accepted the OCR’s resolution agreement, but noted that the acceptance does not admit the hospital’s liability.

July 15, 2016  11:48 AM

Gartner: Cybersecurity control a concern for digital businesses

Mekhala Roy Mekhala Roy Profile: Mekhala Roy

Digitization requires big changes to companies’ strategic processes, and security is no different: In a recent report, Gartner predicts that 60% of digital businesses will experience major service failures by 2020 due to the inefficacy of their IT security teams to handle digital risks.

Cybersecurity will continue to be a growing concern among businesses in the digital age, according to Khushbu Pratap, principal research analyst at Gartner.

“Digital security is the risk and resilience-driven expansion of current cybersecurity practices to protect the pervasive digital presence in business, government and society,” Pratap said in an email interview.

In the report, the IT research and advisory firm identified five major areas for organizations to focus on to successfully address cybersecurity in the digital era.

The role of leadership

Investing in leadership and governance improvements will triumph over technology tools when it comes to addressing cybersecurity, according to the report.

“CISOs need to communicate with business leaders,” Pratap said about CISOs’ role in mitigating cyber risks. “First, they need to figure what cybersecurity means for their organization and then get a consensus of that understanding from the business. Everything else related to assessments, recruiting talent, threat intelligence and incident response procurements are pointless if this key piece is missing.”

Creating and developing roles like a digital risk officer to address the changing nature of risks and threats will help connect the dots between different parts of the organization’s digital strategy, she added.

Protection, detection and response

With cybersecurity threats increasing in number and sophistication, IT risk and security leaders should stop focusing their efforts solely on prevention and balance investments across data protection, incident detection and response, Pratap said.

Gartner predicts that by 2020, 60% of enterprise information security budgets will be allocated for quick detection and response approaches, a significant increase from less than 30% in 2016.

IT risk and cybersecurity leaders should employ existing and innovative technologies to detect and respond to external and insider threats, according to the report.

One important step will be to stop focusing on checkbox compliance and shift to risk-based decision making, Pratap said.

Cultivating a new approach

Security approaches designed for traditional businesses won’t work for digital businesses, according to the report. With introduction of new strategies like bimodal IT, enterprises need a new approach to address cybersecurity, Gartner predicts.

“The challenges of designing and running a digital business make digital security a broader term,” she said. “Digital business is creation of new business designs that connect not only people and business, but also connect people, business and things — physical objects that are active players and contribute to business value — to drive revenue and efficiency.”

Security in the cloud era

In the digitization era, organizations are often required to address cybersecurity and potential risks for technologies and assets that they no longer own or control, the report states.

Gartner predicts that by 2018, 25% of corporate data traffic will bypass enterprise security controls and flow directly to the cloud from mobile devices.

With data no longer restricted to data centers, it is important to stop trying to control information and instead determine how it flows, Pratap added.

“Finding all sensitive data and tracking all access in all forms will be too onerous for most organizations,” she said. “Each organization will have to manage their ability to do this within the limits of the resources they can commit. From personally identifiable information to sensitive intellectual property, the impact of compromise of such information on the organization needs to be assessed regularly.”

A people-centric approach

When it comes to cybersecurity, people and processes have failed to receive the same attention as technology, according to the report. A recent CEO survey conducted by Gartner shows the majority of CEOs still look at cybersecurity as an IT issue and not a business one, Pratap added.

Cybersecurity in the digital age must cater to the needs of the employees and customers, the report states. It is important to accept the limits of technology and become more people-centric, Pratap said, because monitoring and analyzing user behavior can replace many restrictive controls.

“It is commonly recognized that normal, everyday users just trying to get their work done can be the weakest links in the digital security chain,” she said. “Conversely, motivated people can be the strongest links in our security chain. It is necessary to shape behavior and motivate people to do the right thing.”

July 13, 2016  1:09 PM

New Jersey CTO targets compliance, security standards

Fran Sales Fran Sales Profile: Fran Sales
CISO, CTO, Data privacy, Data security breaches, Data security standards, FTC, GLBA, GRC strategy, Security compliance

New Jersey’s new chief technology officer has announced plans to boost data security by ramping up compliance monitoring in the state. In other GRC news, the Consumer Financial Protection Bureau has proposed exempting certain financial institutions from the annual privacy notice requirement under the Gramm-Leach-Bliley Act; and the FTC says it closes 70% of its data security investigations.

New Jersey CTO aims to boost security by focusing on compliance

David Weinstein, New Jersey’s newly appointed CTO, said he plans to enforce security standards and policies with “more teeth” and to better monitor compliance across state agencies.

Weinstein will report to New Jersey governor Chris Christie. He was appointed to the cabinet-level position in late June after his tenure as the state’s CISO.

Weinstein’s office plans to employ GRC software to monitor compliance, publish cloud security governance standards, update IT risk management policies and develop new security assessments for high-risk agencies, such as those that store a high volume of PII.

“We’re really focused on embedding security not just into the culture of our IT operations but also the way we do business and develop applications and infrastructure,” Weinstein told Wall Street Journal.

Weinstein also has his sights set on wider cloud computing adoption.

CFPB proposes exemptions to GLBA annual privacy notices

The Consumer Financial Protection Bureau (CFPB) has proposed a rule that would implement amendments to privacy protections outlined in the Gramm-Leach-Bliley Act. Under the GLBA, certain financial companies are required to give their customers initial and yearly notices on their privacy practices, including how they share customers’ nonpublic personal information. These companies must also notify their customers of their right to opt out of allowing the companies to share their personal information with unaffiliated third parties.

Congress amended GLBA in December 2015 to allow some financial institutions to be exempt from sending the annual privacy notices, and the CFPB’s new proposed rule would make these exemptions official.

According to a July 1 press release by the CFPB, a financial institution can claim exception to the requirements “if it limits its sharing of customer information so that the customer does not have the right to opt out and has not changed its privacy notice from the one previously delivered to its customer.”

FTC has a 70% closure rate of data security investigations

The Federal Trade Commission closes 70% of data security cases, according to Maureen Ohlhausen, the agency’s commissioner. Ohlhausen detailed the FTC’s enforcement practices at a recent panel on security regulation in Washington, D.C., late last month. This closure percentage pertains to breach investigations that have actually been formally opened by the FTC, said Ohlhausen, who pointed out that the agency doesn’t formally investigate every data breach.

The reasons the FTC closes a case, according to Ohlhausen, include the commission having deemed a company’s security strategy “reasonable.”

“A company’s data security measures must be reasonable in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operation, and the cost of available tools to improve security and reduce vulnerabilities,” the Commissioner explained.

Ohlhausen also said that the FTC is still trying to establish how it should interpret certain standards, particularly how PCI DSS regulates and controls payment card data.

June 17, 2016  12:34 PM

Medical records theft from NFL team’s trainer could violate HIPAA

Fran Sales Fran Sales Profile: Fran Sales
Data breach, Dodd-Frank, EMR, grc, HIPAA, risk, SEC

Late last month, the NFL Players Association informed its member teams that a Washington Redskins trainer’s laptop containing players’ medical records was stolen and that it would collaborate with the U.S. Department of Health and Human Services to determine possible patient privacy violations. Also in recent GRC news: A new proposal would roll back Dodd-Frank compliance regulations and the SEC strongly reiterates broker-dealer rules among private equity firms.

Laptop with thousands of NFL players’ medical records stolen

On May 27, the NFL Players Association informed NFL players that the backpack of a Washington Redskins’ athletic trainer was stolen from inside a locked car in late April. Inside that backpack were paper and electronic medical records of thousands of current and former NFL players. While the laptop that contained the electronic records was password-protected, it was not encrypted. The players union consulted with the U.S. Department Health and Human Services (HHS) on the matter.

Storage of data on unencrypted devices does not adhere to both local and federal medical privacy standards, including HIPAA, making the breach a potentially costly one for the NFL. Deadspin reported that the HHS has aggressively pursued HIPAA violations in recent years and noted that athletes’ medical records are legally protected under HIPAA regulations.

The latest statement by the NFL regarding the data breach said that the theft involved only information maintained by the Redskins, and that no information maintained on the NFL’s overall electronic medical records (EMR) system was compromised. The league also said that it is not aware of the thief having obtained information from the stolen computer or making the information public.

Dodd-Frank proposal could exclude CLOs from risk retention

U.S. Rep. Jeb Hensarling (R, Texas), chairman of the House Financial Services Committee, has proposed the Financial Choice Act, which would roll back parts of the Dodd-Frank Act affecting the leveraged finance markets, including the Volcker Rule and risk retention mandates.

In his remarks, Hensarling said that the Volcker Rule “undermined financial stability” and recommended that all asset classes, including collateralized loan obligations (CLOs), be exempt from risk retention (except for residential mortgages) in order to encourage growth among businesses looking for financing. There is little likelihood the proposal will pass, according to market observers, because of the current political climate in Congress.

SEC urges private equity firms to heed Exchange Act broker-dealer rule

Private equity firms would do well not to follow Blackstreet Capital Management’s footsteps, said Robert B. Baker, assistant regional director of the Securities and Exchange Commission. On June 1, the Chevy Chase, Md., firm agreed to pay $3.1 million to settle securities violation allegations including charging Blackstreet’s investors for brokerage services without registering as broker-dealers.

Blackstreet’s violation of section 15(a) of the Securities Exchange Act of 1934 is unprecedented, Baker said, adding that “advisers should be carefully considering whether their conduct violates this rule.”

May 31, 2016  5:27 PM

As IoT and big data increase cyber risks, industry on the defensive

Mekhala Roy Mekhala Roy Profile: Mekhala Roy

The time isn’t far away when everything in our lives, from furniture to coffee pots, will have the ability to be “smart.” Various reports estimate that there will be anywhere between 30 to 200 billion internet-connected devices by 2020.

And with the dollar value of personally identifiable information going up, the focus of the cyber-attackers has changed in recent years: As they begin to realize the value of personal data, hackers have focused on commoditizing the information that is often readily available on connected devices.

As the focus of the attackers continues to change in the face of IoT proliferation, the challenge will be how to mitigate attacks beforehand, said Sam Phillips, VP, general manager, CISO at Samsung Business Services.

“The real challenge is to figure that next step out,” Phillips said during a recent panel discussion titled Mitigating Cyber Risks in the Growing World of Internet-connected Devices at the MIT Sloan CIO Symposium in Cambridge, Mass. “If you can do that, you have removed the financial incentives around those [data].”

As companies move into IoT, it is important to be cautious and architect security processes well before products are deployed, Phillips added.

Modern data security challenges

There is no doubt the surge of Internet-connected devices is creating a varied range of new attack surfaces for hackers: Markets and Markets forecasts that the Internet of Things (IoT) global security market will grow to $28.90 billion by 2020.

As we look forward to a more connected future, organizations have to be prepared to combat these increasingly sophisticated cases of cyberattacks. One upside to the surge in cyberattack cases is that more companies are implementing security controls from the beginning to protect and secure their data, panelist Roota Almeida, head of information security at Delta Dental of New Jersey, said at the session.

To offset the risks associated with widespread digitization and IoT, many companies today are applying advanced big data analytics like machine learning to predict cyberattacks and understand the tactics and techniques used by their adversaries. The analytics data also helps them respond and recover quicker from such attacks.

“In machine learning … the whole goal is to take human speed out of the equation and operate on network speed, so you can stay not too far behind the adversaries,” panelist Mark Morrison, CISO at State Street Corp., said at the session.

One of his challenges at State Street is to show how security in a digitized world is an enabler for the business, he added.

Security should be sold as a sector,” Morrison said, adding that financial organizations “should not monetize and sell security as a product; that’s something we provide to our clients for doing business with us.”

The future of cybersecurity

Panelists agreed that when it comes to mitigating modern cyber risks, being compliant alone does not guarantee security. To be secure, there are a lot of other components that need to be taken care of even after regulatory compliance is taken care of.

Phillips and Morrison agreed that security will get better with time, as companies grow accustomed to the new threats.

“We are growing at a faster rate than our adversaries,” Morrison said.

Almeida, however, said that in the future the security situation will be different but not necessarily better. The “bad guys” will simply go after the information available then, she added.

Another major challenge that companies face today is the lack of talent in the security sector, said panelist Tom Eilers, Eastern U.S. director of Intel Security’s Government and Education Solutions, at the session. There is a 40 percent deficit in available talent and that number is expected to rise in a couple of years, Eilers said.

The solution?

Academia has to continue to generate next-generation coders and cyberwarriors, panelists suggested.

May 26, 2016  1:19 PM

How security standards help companies prioritize data protection

Fran Sales Fran Sales Profile: Fran Sales
Authentication, Consumer data, Data security standards, GRC strategy, nist, Privacy and security, regulatory compliance, SANS, Threat intelligence

In part one of this blog post, John Pescatore, director at the nonprofit cybersecurity training provider SANS Institute, delved into the legal challenges companies face as they strive to secure consumer information. Here, Pescatore discusses how companies can use various security standards available to create their unique set of security policies.

Considering the thicket of data security principles and factors modern companies have to consider, is there one governing body that can guide organizations as they navigate through it?

Unfortunately, there is no global governing agency or set of standards everyone has agreed upon, Pescatore said. While there are large and exhaustive security frameworks that companies can consult such as the NIST Cybersecurity Framework and the ISO 27001, what companies frequently need help with is discerning which practices are the most important and which they should do first, he added.

Companies can start with looking at the various structures and standards to help them prioritize the security practices that can help reduce the potential for attacks. Some examples of prioritization guidelines are the critical security controls offered by the Center for Internet Security/SANS, guidelines from the information insurance division of the NSA and the security standards outlined by the payment card industry.

There are a couple of ways companies can filter through these security standards, according to Pescatore:

  • Pescatore advised companies to join the ISACs, or information sharing and analysis centers that are found within each vertical industry. Members of each ISAC collect, analyze and share actionable threat information with each other. The finance, industrial controls and automotive industries, for instance, have very active ISACs, and the healthcare and retail verticals have new ISACs sprouting up. “[Joining ISACs] are not expensive; they’re good ways to see what the best practices or common practices of your peers are,” Pescatore said.
  • In the U.S. in particular, many cities have FBI-sponsored sharing organizations called InfraGard groups that are free for private-sector companies to join. InfraGard groups function similarly with ISACs in that participants, including academic institutions and local and state law enforcement agencies, share threat intelligence with each other.

Ditch the myths or fall behind

The bottom line, Pescatore said, is that every company is ultimately going to have different security and privacy policies and procedures based on how their business works. Establishing the right policies is reliant not just on basic principles such as stronger authentication and doing away with reusable passwords, however. It is also overcoming the myth that users will never accept these new security practices, he said.

For example, when companies are trying to instill stronger authentication procedures, it is detrimental to think “we can’t make the users do anything but reusable passwords, the vice president of sales will never stand for it,” Pescatore said.

This causes businesses to fall behind and fail to implement security measures that employees already practice as consumers. “Meanwhile, at home, [the VP of sales] is using his iPad with his fingerprint, using his thumbprint on his phone, to be more secure,” he said.

May 26, 2016  1:10 PM

Businesses must look beyond regulations for security and privacy guidance

Fran Sales Fran Sales Profile: Fran Sales
Consumer data, Data security standards, GRC strategy, personal data, Privacy and security, regulatory compliance, SANS

Last month, Sens. Richard Burr and Dianne Feinstein from the Senate Select Committee on Intelligence unveiled a draft of the Compliance with Court Orders Act of 2016 that would require all technology companies — from mobile device manufacturers to application makers — to comply with court orders granting federal officials access to encrypted information. “No one is above the law,” the draft states, adding that tech companies should be able to protect user privacy with strong security while still complying with these legal requirements.

The Compliance with Court Orders Act is the latest development in the continuing battle to protect personal privacy while at the same time maintaining national security. It further brings to light how maintaining that balance presents a particular challenge as companies strive to meet their customers’ expectations regarding user experience and privacy.

One way tech companies try to figure out where this balance between security and privacy lies is through regulations and court rulings. But relying only on laws is problematic, according to John Pescatore, director at the nonprofit cybersecurity training provider SANS Institute.

“Regulations just specify some bare minimum; they don’t define security for anything,” he said at a CompTIA IT professional webinar last month. He added that not only is there no global definition for attaining this security-privacy balance because privacy laws vary by region or by country, but also that regulations and legal precedents can change over time.

Instead, Pescatore advises companies start with three basic principles that can be combined and implemented in various ways:

  • Confidentiality, or making sure the right people have access to information
  • Integrity, or ensuring the accuracy of the information and that changes to data are tracked
  • Availability, or making sure the information in your systems is accessible when it is needed.

These three foundational ingredients should add up to help meet current regulatory requirements, but more importantly satisfy consumer expectations.

“No law came along and told Apple they had to protect things better than Microsoft did. … Those are not laws driving things; those are actually people’s demands for increased security and privacy,” Pescatore said.


Encryption can be an effective tool to enable this increased security and privacy if the aforementioned basic principles have been laid out properly as the foundation, Pescatore said. In the case of passwords, for instance, encryption is useless if users employ easy-to-guess or reusable passwords, or are susceptible to phishing attacks.

“The vast majority of attacks would have been foiled if we used … something as simple as a text message to your phone in addition to a password,” Pescatore said. “Once we’ve gotten to the point where we can at least protect the user’s authentication, that’s where encryption becomes very powerful” by allowing companies to be more flexible about where they store their data.

But despite encryption’s security strengths including only permitting access when explicitly allowed, it’s very easy to implement the tool “badly,” Pescatore added. If keys aren’t managed properly, for example, encryption could potentially prevent or hamper the right person from accessing their data.

Further complicating matters are countries with laws with language similar to the Compliance with Court Order draft that include the government in their definition of the “right person” to access data.

For companies such as Apple and WhatsApp that built their business model on giving their consumers sole control of their own encrypted communications, this puts them at a legal quandary, technology advocates recently told Recode.

Law enforcement has also suggested building backdoors into encrypted systems and data as the answer to this issue, but Pescatore doesn’t think so: He equated backdoors to securely locking a house and then leaving a key under the welcome mat.

“In the digital world, sooner or later, someone is going to find that key under that welcome mat, no matter how well that backdoor was hidden,” he said.

In part two of this blog post, Pescatore discusses how companies can wade through the various security standards to get guidance on developing security policies.

May 9, 2016  11:02 AM

Five reasons to invest in ISO 27001 and other security certifications

Ben Cole Ben Cole Profile: Ben Cole

Information security has become a vital business driver as the huge data volumes generated by modern companies contain a treasure trove of intellectual property and PII that is enticing the hackers. A variety of security certifications and standards have been developed to help companies navigate the increasingly complicated data security landscape, as well as protect both business and customer data. One such standard is ISO 27001, developed by the International Organization for Standardization to help businesses establish, maintain and improve an information security management system. In this guest post, Kyle Anixter, PMO manager of IT services at Curvature, an IT infrastructure and services provider headquartered in Santa Barbara, Calif., outlines the business benefits of ISO 27001 certification.  

The business benefits of ISO 27001 certification

by Kyle Anixter

News regarding the unwanted release of corporate and/or consumer information makes headlines nearly every week. Whether it’s Anthem, AOL or Adobe, the biggest names in corporate America have watched their reputations be sullied by the continuous onslaught of data breaches. According to a data breach report released earlier this year by the Identity Theft Resource Center, the business sector topped the ITRC 2015 Breach List with nearly 40% of the breaches publicly reported last year, compared with about 32% in 2014.

The ignominious impact of this spike in breaches only seems to be intensifying, proving there is no better time to make sure your company takes a systematic, proactive and certified approach to managing the security of its sensitive information. For that reason, investing in highly structured and validated security certifications should be a top business priority.

Achieving the ISO 27001 certification, for example, is a solid strategy to ensure proper control over critical information assets. First published in October 2005 and updated in 2013, this standard pertains to internal employee records, financial information and intellectual property, as well as external data from customers and vendors. The ISO 27001 certification also makes sure information shared by and with third parties, such as customers, partners and vendors, is protected.

The ISO 27001 certification is particularly useful to companies by helping develop a stringent information security management system. Most important, it will demonstrate to employees, customers and business partners that when it comes to security, your company is prepared.

Curvature_Kyle_Anixter copy

Kyle Anixter

Here are the five most compelling benefits to investing in ISO 27001 security certification:

Manage risk: ISO 27001 focuses on proactive risk management, which is crucial for building a solid, sustainable security foundation. All companies realize they must invest in security, but having the proper risk management procedures in place goes a long way toward maximizing investment in the areas where it can deliver the biggest benefits while avoiding wasteful spending.

Security management frameworks: ISO 27001 provides a proven framework and all the general requirements for establishing information security best practices (for example, asset management, access control, cryptography, network security, etc.). The framework forces structure across the entire department, including roles, responsibilities, leadership and decision making. As a result, operations are more efficient, organized and successful. Improving operations has become an increasing priority for most companies, especially given the ongoing desire to keep IT operations lean and functioning optimally amid constant change and greater demands. With ISO 27001, there is the proof that systems and procedures are in place to enable the company to be better prepared to meet the known and unknown security challenges ahead.

A concentration on compliance: The laws, rules and regulations at all levels of government are continually changing, but this is no excuse for IT organizations to fall out of compliance with any of the legal requirements that apply to their operations. Aside from being the subject of the latest front-page news, falling out of compliance can lead to financial penalties, loss of trust and tarnished reputation. In addition to keeping its own ship on course, companies must remain vigilant regarding all information security-related requirements that originate in customer and supplier contracts and agreements.

Protect suppliers and customers: It’s sad but true: In a troubling number of instances, a company’s biggest security vulnerability comes from its customers and suppliers. The ISO 27001 certification delivers a well-defined structure by which both are made aware of their information security roles and responsibilities. With continual monitoring and measuring, everyone’s data — and reputations — are protected.

Improve customer confidence: It is common knowledge that solution and service providers often introduce and deliver products before fully realized security procedures have been put in place. Having ISO 27001 certification lets your customers know their sensitive and confidential data is protected within your company. Another key benefit is that it will set you apart from competitors. When working with large companies, certifications such as ISO 27001 are often necessary for inclusion on the list of approved partners.

In today’s fast-moving and evolving world of professional and managed services, ISO 27001 now is considered table stakes. Though not mandated by law, this certification ensures the holder is taking advantage of best practices and adheres to a set of proven procedures. Adding ISO 27001 to your corporate resume ensures customers and partners that you have the right controls in place and that data is not vulnerable inside or outside your corporate walls. As a result, you can proceed with a high level of confidence that all information and systems are safe and secure.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: