IT Compliance Advisor

March 31, 2017  2:51 PM

Risk mapping key to security, business integration

Mekhala Roy Mekhala Roy Profile: Mekhala Roy

It’s no secret that data protection has become integral to bottom line success for digital businesses. As a result, it’s time for InfoSec professionals to crawl out of their caves and start communicating with the rest of the business, Tom Kartanowicz, head of information security at Natixis, North America, told the audience at the recent CDM Media CISO Summit.

To facilitate this communication, the language these pros will use is the language of security risk, Kartanowicz said.

“As security professionals, if we want to be taken seriously we need to put what we do into the risk lens to talk to the business so they understand the impact and how we’re trying to reduce the impact of the types of threats we’re seeing,” Kartanowicz said.

For example, even though the chief information security officer and chief risk officer may appear to be two different islands in an organization, they are part of the same team, he reminded the audience.

Business is the bridge that links them together so instead of working in silos, security professionals should carve out what Kartanowicz calls a “friends and family plan” that forms allies with other departments in their organization. The human resources department can help discipline somebody who might be an internal threat to the organization, corporate communications can help talk to the media and customers when there are incidents like DDoS and malware attacks, and the legal department can be valuable allies when it is time to take action against bad actors, he explained.

“As the CISO or as the head of InfoSec, you are missing out on a lot of valuable intelligence if you are not talking to all these different teams,” he stressed.

Risk mapping — a data visualization tool that outlines an organization’s specific risks — is an effective way to identify threats and vulnerabilities, then communicate them to the business, he said. Risk mapping helps an organization identify the areas where it’s going to spend their security budget, how to implement solutions and, most importantly, helps identify specific instances of risk reduction, he said.

Kartanowicz said there are two things to consider when evaluating and determining the likelihood of a risk: how easy is it to exploit and how often it occurs.

“If the vulnerabilities require technical skills held by 1% of the population, it’s going to be pretty difficult to exploit,” he said. “If on the other hand, anybody on the street can exploit it, it’s going to be pretty easy.”

It is then time to address the specific risks, he said.

“In the enterprise risk management world, the business can accept the risks, avoid the risks or [work to] mitigate the risks — this is where InfoSec comes in — or transfer the risks,” he said.

Using tools such as the NIST cybersecurity framework can help InfoSec reduce the risks, he said. It’s important that organizations tie in their disaster recovery, backup strategy, business continuity and crisis management into whatever the framework they choose, he added. Organizations should also ensure they have baseline controls in place to help minimize the risk of a data breach, he added.

But as threats evolve and vulnerabilities change, he suggested that the risk map be re-evaluated annually. Business requirements are constantly evolving and organizations are always entering different markets, but companies need to be constantly aware of the threat landscape, he added.

“Incidents will always occur; risk is not going away,” he said.

December 22, 2016  2:30 PM

The case for multi-vendor certifications

Ben Cole Ben Cole Profile: Ben Cole

For information technology professionals, obtaining certifications have become an important way to demonstrate their knowledge, experience and qualifications. Although certification programs are often fostered or supervised by certifying agencies or professional associations, some major computer software and hardware vendors provide a certification program for installers of their product, such as Cisco’s Certified Internetwork Professional. In this guest post, Chris Crotteau, manager of customer engineering at Santa Barbara, Calif.-based IT infrastructure and services provider Curvature, says that while vendor-specific certifications such as the ones offered by Cisco are still beneficial, networking professionals should consider multi-vendor certifications to build their skills and further their career path.

The case for multi-vendor certifications
Chris Crotteau

There was a time when Cisco certifications were the best bet for networking professionals seeking to get ahead or just snag a great job. In fact, obtaining Cisco certifications often were considered the fastest route up the corporate ladder for aspiring network operations leaders. Times are changing, though. IT management increasingly is looking beyond just Cisco technical skills when assessing a candidate’s capabilities to build and nurture a modern enterprise network.

Having a Cisco Certified Network Professional (CCNP), CCIE (Cisco Certified Internetwork Engineer), or CCAr (Cisco Certified Architect) after your name still carries a lot of weight, but so do a growing list of vendor-neutral IT certifications from organizations such as (ISC)2 or CWNP.

This is true because multi-vendor networks are growing quickly, for a number of reasons. Customers are looking for ways to save money, avoid vendor lock-in or find the best-of-breed products for their needs. The truth is, the networking space is now a competitive market in many areas, and Cisco’s product options sometimes come with significant compromises or reinforce an uncomfortable degree of vendor lock-in.

Recently, I experienced this point when a customer’s CCIE-level engineer was so heavily biased toward Cisco that he was unwilling to look at a solution from Arista Networks that would have eliminated some significant compromises in the proposed network’s routing design. This lack of knowledge and comfort with the world of networking beyond Cisco managed to create a situation where a substantial amount of additional complexity was introduced for no good technical reason.

Chris Crotteau

Chris Crotteau

The experience above really demonstrated the problem with leaning too hard on Cisco certifications. While they prove strong expertise in a pivotal area, those certifications can also foster a degree of closed-mindedness and over-reliance on Cisco proprietary technologies — to the detriment of a broader array of knowledge and skills in the networking world. This, of course, raises another issue: While organizations like CompTIA offer entry-level certifications, there is a real lack of professional and expert level certificates to prove broader knowledge of industry-standard, open networking principles. Such certifications would be vendor-agnostic and far-sweeping. Let’s hope some forward-thinking organization will step up to take this challenge.

In the meantime, network professionals intent on building their skills and career paths should attain other certifications such as Certified Information Systems Security Professional (CISSP) and those offered by (ISC)2. Beyond the technical realm, it’s equally important to understand the necessity of core project and overall organizational management skills, which can be formalized by certifications such as Project Management Professional (PMP), Certified Associate in Project Management (CAPM) and ITIL.

The steady rise of these certifications demonstrates that operational prowess is gaining ground as IT management looks to groom both business and technology leaders. And while CCIE status won’t lose its luster anytime soon, there’s a multitude of reasons why it shouldn’t be considered the end-all, be-all.

Don’t get me wrong, a CCIE certification is still the pinnacle of Cisco networking expertise because it means passing arguably the toughest test for any senior-level engineer. That said, it should really be more of a jumping-off point for developing broader business skills and understanding other networking technologies and systems.

In the future, CIOs will be looking for smart, savvy engineers with more than just serious technical understanding. They’ll assign equal or maybe even more clout to business acumen and multi-vendor knowledge that helps drive IT innovation and the company forward.

Chris Crotteau is manager of customer engineering at Curvature, where he leads development of customer-focused network hardware and maintenance solutions. He joined the company in January 2004 as an operations technician. Prior to his latest position, Crotteau served as a sales engineer responsible for providing technical solutions and training on new products from Cisco and Curvature’s OEM partners. Crotteau earned a bachelor’s in mechanical engineering from University of California, Berkeley.

December 19, 2016  2:20 PM

GRC news roundup: Russian hacking allegations persist

Christian Stafford Christian Stafford Profile: Christian Stafford

After the U.S. was allegedly plagued by Russian cyberattacks during the election, members of both the Democratic and Republican parties are now calling for investigations. Also in recent GRC news: U.S. auto-safety regulators proposed new rules that would require car manufacturers implement technology in vehicles allowing cars to “talk” to each other in an effort to improve safety, and a recent study showed that one fourth of worldwide ransomware attacks target the United States.

Russian hacking allegations continue

Talk of Russian intervention in the presidential election did not end on Election Day. Now, Democrats and Republicans alike are calling on the U.S. government to open a full investigation into just how large a role Russia played in shaping the 2016 presidential race, the New York Times reported. President Obama has ordered a full intelligence review of Russian hacking that he wants completed by the time he leaves office on January 20.

New allegations suggest that Russia is not stopping with the U.S. election process, the BBC reported: German politicians warn that the country’s 2017 parliamentary lower house (Bundestag) election is now at risk of Russian intervention via cyberattacks, after files hacked from Bundestag in 2014-2015 recently surfaced on Wikileaks. The files were stolen from the committee that was responsible for investigating the NSA‘s spying on German politicians.

Both the Kremlin and President-elect Donald Trump alike have refuted the CIA and FBI’s claims of Russian election hacking, with Trump recently tweeting, “If Russia, or some other entity, was hacking, why did the White House wait so long to act? Why did they only complain after Hillary lost?”

Next-gen cars to communicate with each other

Auto regulators have proposed new rules that would require car-manufacturers to implement crash- avoidance technology that allows cars to communicate with each other, USA Today reported. The National Highway Traffic Safety Administration is striving to eliminate roadway deaths within 30 years, and this technology implementation would mark a significant step to meet that goal.

The technology, dubbed “V2V” or “vehicle to vehicle” within the auto-industry, “would require automakers to comply on 50% of their new vehicles within two years and 100% within four years,” according to USA Today.

Malware attacks on the U.S. increase

A recent analysis conducted by security firm Malwarebytes has shown that more than a quarter of ransomware attacks blocked by its software targeted users in the United States, eWEEK reported. After analyzing about half a million ransomware attacks in 200 countries, the company discovered that 26% of attacks targeted the U.S., with Germany and France in distant second and third places, respectively.

Adam Kujawa, director of malware intelligence at Malwarebytes, told eWEEK that ransomware has seen significant growth in 2016, saying, “Throughout the whole year, ransomware has been the dominant problem. It has just kept growing.”

December 1, 2016  11:17 AM

Trump presidency raises questions for regulatory compliance

Christian Stafford Christian Stafford Profile: Christian Stafford
Compliance, cybersecurity, Data privacy, Drones, Hack, Hackers, privacy, Ransomware, regulatory compliance

The future of regulatory compliance is under scrutiny as President-elect Donald Trump’s administration continues the transition process. Also in recent GRC news: Hackers demanded ransom after disabling San Francisco’s transportation system, ‘dronejacking’ could become the next security issue and Facebook hits another EU privacy roadblock in its quest to use WhatsApp’s data.

The future of compliance under President Trump

President-elect Donald Trump has said he will dismantle Dodd Frank and stated that 70% of federal regulations are unnecessary, leaving some to wonder what the future of regulatory compliance will look like.

Roy Snell, chief executive of the Society of Corporate Compliance and Ethics, told the Wall Street Journal that compliance will be fine for the next four years because enforcement remains a, “for profit industry.”

Governance and compliance attorney Scott Killingsworth of Bryan Crave LLP shared similar views with Snell, telling the Journal that, “Compliance is still going to be much less expensive than misconduct.” Killingsworth added that compliance will remain an important role in business moving forward, no matter the reduction in regulatory enforcement.

San Francisco transportation system hacked

The San Francisco Municipal Transportation Agency recently fell victim to a ransomware attack on its light rail system. The hackers managed to disrupt some of the transportation agency’s internal computer systems, including email, Forbes reported.

The hackers reportedly demanded payment of 100 Bitcoins, equal to $70,000, in exchange for removing the ransomware from the transportation agency’s systems. The systems were down briefly and resumed full operations later in the same day of the attack. A spokesperson for the transportation agency said that the attack did not have much of an effect on service, telling Forbes that, “There has been no impact to transit service, to our safety systems or to our customers’ personal information.”

‘Dronejacking’: The next big cybersecurity threat?

Consumer drone sales have been growing at an incredible pace, with sales projected to reach $12 billion in 2021 after reaching over $8 billion last year, according to Business Insider. Growing alongside the increasing sales numbers are threats of exploitation and hijacking that could potentially turn drones into tools for espionage or terrorism.

Drones have a high potential for exploitation because they often use unencrypted means of communication and contain, “many open ports,” Intel Security cybersecurity and privacy director Bruce Snell told International Business Times.

Drone exploits, once discovered, may also be put up for sale on the Dark Web. “Once these toolkits start making the rounds, it is just a matter of time before we see stories of hijacked drones showing up in the evening news,” Snell told IB Times.

Facebook hits roadblock in WhatsApp plans

In its quest to access users’ WhatsApp data, Facebook has hit another roadblock in the EU as it will face additional action over using WhatsApp’s data for its own advertising purposes, Bloomberg Technology reported.

The social media giant has faced prior scrutiny from EU privacy regulators for using WhatsApp’s user data in ways that were not listed in WhatsApp’s terms of service and privacy policy. In September, Facebook was ordered by the Hamburg city DPA to cease the collection of WhatsApp users’ personal data in Germany after the changes to WhatsApp’s terms and conditions were scrutinized, TechCrunch reported.

November 30, 2016  12:36 PM

Flexibility, speed needed for corporate data protection

Mekhala Roy Mekhala Roy Profile: Mekhala Roy

In today’s threat-filled environment, money is not always a hacker’s prime motivation. They could be driven by political reasons or just want to embarrass organizations.

But irrespective of their motivation, hackers often target sensitive company information. Panelists during a session titled “Anticipating Disruptions: External and Internal Threats to Data” at the recent MIT Sloan CFO Summit in Newton, Mass., said there are several steps organizations should take to protect their data.

“As protectors of data, we are in some way sitting ducks to the agility of the cybercriminals who are coming at it from many different vantage points,” Bright Horizons Family Solutions CFO Elizabeth Boland said.

Not taking steps to protect data could be costly:  A report from World Economic Forum and McKinsey & Company estimates that cyberattacks could cost the global economy $3 trillion by 2020. The problem will only get worse as cybercriminals become more innovative, Michael Ellis, CFO at online tuition payments service Flywire, added. Josh Siegel, CFO at security software company CyberArk, emphasized the need for speed when it comes to identifying a breach.

“The programs should have speed to detection, speed to contain the breach and then speed to remediate in case there is a breach,” Siegel said. “Get to the problem as fast as possible and then you would have the fastest containment of the issue.”

Training and awareness programs for both employees and board members are critical to enhancing cybersecurity, Ellis stressed. Organizations should have protocols in place so that employees know how to contain, analyze and report when an issue surfaces, he added.

“Audit your employees; make sure they understand,” Ellis said.

As company data has become a prime target for hackers, board members have become more aware about cybersecurity issues and have higher expectations about what their organizations are doing in regards to cybersecurity, according to Boland. Therefore, it is crucial to help board members understand the cybersecurity concerns that CFOs and CEOs have, Ellis added.

To avoid financial disasters, organizations should implement manual controls in their systems that complement automated ones, Ellis suggested.

“Any type of breach can be catastrophic at the enterprise level,” he said. “[An organization’s] reputation is destroyed … and there are financial, operational and legal issues.”

The benefits of segmentation, CISOs

Boland highlighted the need for network segmentation to enhance security. If hackers break into a flat network that is not segmented, they would have access to information assets across the network. She advised the audience to implement a layered approach that goes beyond initial security measures to protect sensitive client and employee information.

“We have to detect intrusion, but more importantly prevent the extraction of any information if there is intrusion,” she added.

Panelists also emphasized the need for hiring CISOs.

Seated L-R: Chetan Gavankar (moderator) managing director at KPMG Cyber; Michael Ellis CFO at Flywire; Elizabeth Boland, CFO at Bright Horizons Family Solutions and Josh Siegel CFO at CyberArk

Seated L-R: Chetan Gavankar (moderator), managing director at KPMG Cyber; Michael Ellis, CFO at Flywire; Elizabeth Boland, CFO at Bright Horizons Family Solutions and Josh Siegel, CFO at CyberArk.

“Enterprises need to get CISOs earlier on in the game, because the problem with cybersecurity is it’s a moving target,” CyberArk CFO Josh Siegel said. “The benefit of the CISO is that they are thinking 24/7 about, ‘What do I need to do to keep the enterprise secure?'”

Organizations should also deploy security analytics tools and software to collect, filter, integrate and link diverse types of security event information in order to gain a more comprehensive view of the security of their infrastructure, according to session moderator Chetan Gavankar.

Boland suggested being selective about partners and vendors, and include security protocols in contracts.

“We are not just concerned about our security, but the security of our supply chain, because if our law firms are breached that’s an avenue to breach us,” Siegel reinforced.

CyberArk uses red teams that try to penetrate the company network in order to help the company identify security vulnerabilities, Siegel said. The company also has a very flexible budget for cybersecurity to help fix these vulnerabilities, he added.

“With respects to budgeting, you need to evaluate all kinds of risks — legal, compliance, financial, operational, and reputational — and put it with the business risk itself and quickly evaluate and come up with a number,” Ellis suggested.

November 22, 2016  2:24 PM

Now is the time to ante up on IoT security

Mekhala Roy Mekhala Roy Profile: Mekhala Roy

On Oct. 21, hackers conducted a distributed denial of service (DDoS) attack against domain name server provider Dyn, causing an internet outage across the country and the world. To launch the attack, the hackers relied on internet connected devices to exploit default passwords.

The massive DDoS attack was a harbinger of bad news, according to TCE Strategy CEO and cybersecurity expert Bryce Austin. It is a prime example that the IoT makes cybercriminals increasingly capable of creating a tremendous amount of havoc without a whole lot of effort, Austin said.

“Your IoT devices are just like having a defensive weapon in your home,” he said. “If you can hack thousands of people at the same time and have those devices do something that they otherwise shouldn’t … or use them for a complete unrelated purpose like the DDoS attack, you have an interesting target.”

Speaking at a session on IoT security at the recent SIMposium 2016, Austin emphasized that it is crucial to fuel discussions to help drive organizational changes that prevent such incidents. Technology leaders are responsible for finding ways to make their systems safer and more secure, including initiating measures to enhance security of internet-connected devices, he told the audience.

TCE Strategy CEO and cybersecurity expert Bryce Austin during his session on IoT security at the recent SIMposium 2016.

TCE Strategy CEO and cybersecurity expert Bryce Austin during his session on IoT security at the recent SIMposium 2016.

Austin said the formation of groups like the Industrial Internet Consortium that was launched to drive standards for IoT devices is a step in the right direction.

“When you are on the internet … things are difficult to anticipate,” he said. “But if you develop programs and you develop processes that are designed to be resilient to those kinds of things, you are going to have a better chance of having these incidents never become a disaster recovery scenario.”

As IoT devices proliferate, it’s becoming hard to even avoid using such devices even though they are not always the most secure choice, Austin said. Consumers are responsible for their security as well, and it is important for them to choose internet-connected devices that do not have any obvious security flaws, he stressed. Adversaries could hack into an internet-connected thermostat and use it to turn the temperature down to freeze water pipes, for example.

Organizations should also have cybersecurity checks and balances in place, whether they are procedural or technical, he advised. Systems should be built to monitor IoT devices to ensure they are not doing something unusual, for example, and be equipped to mitigate damage if a hack occurs.

Developers can do their part too, and build IoT devices to be more resilient to hacks, Austin added. When the marketing team proposes a new internet-connected product, organizations should have their cybersecurity team run a quick check on Google or on the dark web to see what potential financial costs there could be if there’s a cybersecurity flaw in the system, he said.

Companies should consider renegotiating service level agreements and user level agreements with vendors to enhance security in IoT devices, he said. Organizations should also initiate processes like data encryption and/or tokenization to further safeguard data.

“If we are working with an internet of things provider or a service hosting provider and we want them to care… we want to have to ask them to have some skin in the game,” Austin said.

Organizations also typically do not allocate enough money for cybersecurity in their budgets, which is another cause for concern, Austin said.

“Security and maintenance are processes, not events,” he stressed. “There has to be a budget [for cybersecurity] that has to go on every single year, for every single system you have.”

November 17, 2016  2:16 PM

GRC roundup: Trump’s transition team looks to dismantle Dodd-Frank

Christian Stafford Christian Stafford Profile: Christian Stafford

Will President-elect Trump’s transition team follow through on promises to get rid of Dodd-Frank compliance regulations? Also in recent GRC news, tech companies urge Trump to back encryption; and some U.S. phones have been subjected to a back door hack that sends users’ data to China.

Trump team seeks to roll back compliance regs

President-elect Trump’s transition team wants to get rid of the Dodd-Frank Act, the 2,300 page law created in response to the 2008 financial crisis. The law, which puts regulations on the financial industry, has been called, “Bureaucratic red tape and Washington mandates” by members of Trump’s transition team, according to NPR. Trump himself stated during his campaign that as president, he would, “get rid of” the Dodd-Frank Act. He also told Reuters in an interview that his administration’s plans are “close to dismantling” Dodd-Frank.

Some experts predict that the Trump administration could also roll back enforcement of the Foreign Corrupt Practices Act, a law banning bribery to earn or keep business in other countries. In a 2012 interview on CNBC, Trump called the FCPA a “horrible law” that made it harder for U.S. companies to do business abroad, according to the Wall Street Journal.

Other experts, including Mike Koehler, an associate professor at the Southern Illinois University Law School, told the Wall Street Journal that it is too early to speculate the future of the FCPA without the knowledge of who will be Attorney General or lead the SEC after Chair Mary Jo White steps down.

Tech companies to Trump: Protect encryption, curtail surveillance

Tech companies including Twitter, Facebook and Google have urged President-elect Trump to protect encryption and curtail online government surveillance. The companies addressed Trump in a letter that was published Monday by the Internet Association, an organization of whose members also include Uber, Netflix and Amazon, the Verge reported.

Trump was critical of influential members of the tech industry during his presidential campaign, calling for a nationwide boycott of Apple after the company’s refusal to comply with the FBI requests to decrypt an iPhone belonging to a terrorism suspect.

Trump also took aim at Amazon CEO Jeff Bezos during the 2016 campaign, criticizing him for his ownership of The Washington Post. Trump told a crowd at a rally that if he were to become president, Amazon would “have such problems,” Business Insider reported.

Some Android phones sending users’ data to China

Analysts from security firm Kryptowire told the New York Times that some Android phones contain preinstalled backdoor software that sends users’ data to China.

Affected users’ text messages, emails, contact lists, call logs and location information is sent to a server in China every 72 hours, with users completely unaware of the transfer in process. Kryptowire vice president Tom Karygiannis told the Times, “Even if you wanted to, you wouldn’t have known about it.”

Devices affected include 120,000 phones manufactured by BLU Products, an American phone manufacturer. Company representatives said that the code has been removed in a recent software patch, the Times reported.

It remains unclear whether the software was intended to facilitate data mining for advertising purposes or a Chinese government effort to collect intelligence. The scope of the data collection is undetermined as well: The Chinese company that wrote the software, Shanghai Adups Technology Company, has code that runs on more than 700 million phones, cars and other smart devices, the Times reported.

November 3, 2016  12:03 PM

FCC privacy restrictions could hinder AT&T’s targeted ad plan

Christian Stafford Christian Stafford Profile: Christian Stafford

New privacy rules passed by the FCC could influence AT&T’s plans for its acquisition of Time Warner. Also in recent GRC news, the internet of things proves useful to hackers and privacy regulators in Europe warned WhatsApp and Yahoo about sharing users’ private information.

Privacy rules impact AT&T’s Time Warner acquisition goals

AT&T’s planned acquisition of Time Warner could be influenced by new FCC-approved privacy rules requiring companies to notify customers and gain their permission in order to use their app and web browsing history for targeted advertisement purposes, according to Politico. AT&T planned on tapping into its customers’ data to generate targeted advertising for viewers of Time Warner’s video content, Politico reported. This is not the first time AT&T has dealt with the ups and downs of acquiring another large media company. AT&T successfully purchased DirecTV in 2014 and aborted a 2011 bid to purchase T-Mobile after the deal was opposed by federal antitrust regulators, the New York Times reported.

IoT becomes hackers’ latest exploit

The internet of things has become the latest weapon in hackers’ arsenal, according to the Washington Post. Devices such as webcams, baby monitors and even smart thermostats were infected with malware to “attack” a New Hampshire-based Internet Performance Management (IPM) company Dyn.

The DDoS-style attack directed large amounts of internet traffic to Dyn, a company that helps connect users to websites, and eventually crippled the company’s servers. The first attack occurred at approximately 7:00 a.m. EST on Oct. 21, and primarily affected users on the East Coast. A second attack occurred later that day at around noon EST.   As a result of the attacks, users of websites including Netflix, Spotify, PayPal and Twitter experienced connection issues, the Washington Post reported. A third attack that occurred later in the afternoon led to connection issues for users around the world.

European privacy regulators criticize WhatsApp and Yahoo

WhatsApp and Yahoo have received warnings from European privacy regulators regarding the distribution of users’ data, Fortune reported. WhatsApp came under fire for sharing information with parent company Facebook, while Yahoo was criticized for a large 2014 data breach and for using software to sift through users’ emails at the request of U.S. intelligence agencies.

WhatsApp’s new privacy policy gives the messaging service the right to share users’ phone numbers with Facebook — a move highly criticized by European privacy regulators.

Yahoo suffered a major data breach in 2014 that exposed more than 500 million users’ email credentials. European privacy regulators wrote to Yahoo asking for complete transparency regarding details of the data breach and for the company to cooperate with “upcoming national data protection authorities’ enquiries and/or investigations,” according to Fortune. The regulators also asked Yahoo to notify all users affected by the data breach and how those users may be adversely affected.

October 31, 2016  4:58 PM

Lack of records management maturity puts PHI, PII at risk

Mekhala Roy Mekhala Roy Profile: Mekhala Roy

Records management is more vital than ever to business success, but not enough organizations care about it, according to Rick Tucker.

To prove it, Tucker, vice president of sales and marketing at Doculabs, presented a question to the audience attending the “Trends in Data Lifecycle Management and Information Governance” session at the recent SIM Boston Technology Leadership Summit in Newton, Mass.

“Does everybody have a records management program in their organization?” Tucker asked.

“Yes,” the audience answered in unison.

“Does everybody follow their records management program on a regular basis?”

“No,” most of the audience replied.

This could pose a problem for organizations as business and customer data is increasingly digitized, Tucker said, and especially those companies that handle personally identifiable information (PII) or protected health information (PHI): These businesses need to use records management programs to gain better control over their data by moving it to more intense document management systems and repositories, or by disposing of content that’s no longer required, Tucker added.

A lack of foresight could prove costly:  The recent Cost of Data Breach Study by the Ponemon Institute that showed the average cost incurred for each lost or stolen record containing sensitive information continues to increase.

“Organizations see that and still go, ‘It’s not going to be me. I’m not going to be hit like that and not going to have that problem,’ until they do,” Tucker said.

Doculabs — a document management consulting company — partnered with Executive Functions Management and conducted two surveys to find out how well InfoSec manages PII and PHI. One surveyed information security leaders and the other surveyed IT leaders.

Fifty two percent of the InfoSec professionals said they had no automated capability to prevent PHI and PII from leaving the company. InfoSec professional reported that they were aware of the risks that can result from unmanaged PII and PHI data, but “reported a lack of maturity in high-risk areas such as network drives.”

“That means when information is created that has PHI or PII, it is not automatically detected or put into the right repository,” Tucker said. “The fundamental problem in information management is that the tools have not matured yet to a point where automation is automatically applied to all the systems.”

Two-thirds of the 550 IT leaders surveyed reported that their organizations are not purging data regularly, which signifies that they are not complying with recordkeeping practices, Tucker said. Half the organizations surveyed said they had no idea where information like trade secrets, HR data and client data lives in their organization, and 65% said that their data was not aligned with their InfoSec policies.

Rick Tucker during his session at the SIM Boston Technology Leadership Summit in Newton, Mass.

Rick Tucker during his session at the SIM Boston Technology Leadership Summit in Newton, Mass.

Not purging data regularly also increases storage costs and makes it a huge challenge to find data in an organization, Tucker said.

“The most important thing that records management has done in the past 20 years is identifying that information has an end of life, that it should be disposed of at certain point of time,” he added.

The lack of these records management best practices dramatically increase information risk: 34% of the 144 InfoSec professionals surveyed said that within the last 12 months they had an audit discover a breach of PHI/PII data, Tucker said.

“Having a good correlation between data hygiene and governance, developing an orphaned data policy, decommissioning legacy applications, and assessing and remediating access rights can help InfoSec reduce PHI and PII risks,” he said.

October 20, 2016  2:30 PM

GRC roundup: UK intelligence agencies’ data collection efforts deemed illegal

Christian Stafford Christian Stafford Profile: Christian Stafford
Compliance, Data privacy, Facebook, personal data, privacy, Privacy Shield, regulatory compliance, UK

Government intrusion of data privacy continues to be a global issue, as a British court recently ruled that UK security agencies illegally collected citizens’ data for 17 years. Also in recent GRC news: Facebook joins the list of businesses adopting the Privacy Shield framework and more businesses are considering regulatory technology as compliance pressures increase.

Court: Citizens’ personal info illegally obtained by UK security agencies

A British court has ruled that UK citizens had their personal information unlawfully collected by multiple UK security agencies for 17 years. Britain’s investigatory powers tribunal ruled that MI5, MI6 and the Government Communications Headquarters were all implicated in the illegal actions. The agencies “failed to comply with article 8 protecting the right to privacy of the European convention of human rights” between the years 1998 and 2015, The Guardian reported.

Data obtained by the agencies included personal phone and web communications, as well as medical records, tax records, financial data and biographical information.

In 2014, UK security agencies were accused of illegal bulk data collection by groups that included Privacy International and Amnesty International. A New York Times editorial about the accusations noted that the British government neither admitted nor denied the allegations of mass surveillance.

Facebook adopts EU-U.S. Privacy Shield agreement

Facebook has adopted the EU-U.S. Privacy Shield framework, an agreement regulating how U.S. companies transfer EU citizen’s data electronically across international borders, The Telegraph reported. The Privacy Shield compliance requirements will apply to Facebook’s existing targeted advertisements that gather users’ data from other companies, as well as Facebook’s new Workplace application.

The Privacy Shield framework replaced Safe Harbor after the European Court of Justice overturned the agreement in 2015 due to concerns that it was enabling U.S. surveillance, according to The Telegraph. The court ruled that each country in the European Union should be able to decide how their citizen’s online data can be gathered and utilized.

As compliance pressures mount, businesses turn to regulatory tech

Government spending in the post-financial crisis world helped not only economies grow, but “government contracts, emerging market exposure and third-party agents” have also put pressure on companies’ from a regulatory compliance perspective, TechCrunch reported.

The increase in compliance and regulations has led to the coining of a new industry buzzword: regtech, which, according to TechCrunch, describes technologies dedicated to “creating solutions that ease the burden of compliance.”

One example where regtech can be of regulatory compliance assistance is identity management. “No number of new government committees and task forces will be able to protect businesses and organizations if they don’t know, on the most basic level, with whom they are doing business,” TechCrunch reported.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: