In my interviews for last week’s piece on the new ISO 31000 risk-management standard, risk expert Brian Barnier pointed out that one of the standard’s salient features is its concept of risk. ISO 31000 defines risk as the “effect of uncertainty on objectives,” acknowledging both the positive opportunities and negative consequences associated with risk.
I asked Brian if he could expound on this idea. I reached him at his home in Connecticut where a morning snowstorm was proving more ferocious than forecast. Schools that had opened were sending out word they were closing early. There were the sudden, predictable runs on milk and staples at local convenience stores. A good scenario, in other words, for our discussion.
One way to think about risk, Barnier said, is as variance from what is expected. Having too much milk is bad for a convenience store; too little milk is also bad, especially on a snowy day. Dealing successfully with risk depends on how prepared you are for the change.
“That word is very important in risk discussions,” Barnier said. “Some people think of preparedness as locking everything down. If you are coming out of the SOX [Sarbanes-Oxley] environment, you want to lock everything down, so your numbers are correct.” A big pharma company will want to lock everything down so it’s not slapped with a major recall of, say, its most popular painkiller.
“But for everybody else, risk is a lot more about being prepared for that snowy day — having the right tires on your car, driving defensively, having an emergency kit if your car goes off the road,” Barnier said. The convenience store with plenty of milk on hand is able to make hay on a snowy day.
Companies must be agile to take advantage of risk. Management guru Tom Peters, Barnier pointed out, was talking about opportunity risk 20 years ago in “Thriving on Chaos.”
For IT departments, being prepared for risk opportunities calls for risk management at three levels, Barnier said:
- The investment portfolio: Are you investing in capabilities that will help you cope better with business change, whether that’s an acquisition or move into a new geography?
- The program and project-management layer: In addition to controlling budgets and meeting deadlines, are you prepared to take advantage of an upside opportunity — a pricing change or being able to step in when a competitor falters?
- Operations and service delivery: How can you take advantage more efficiently of opportunities that come your way?
How does your IT organization prepare for risk? Does preparing for the upside factor into your risk management? Or is it all about the lockdown?
Phil Cox, a contributor to SearchCloudComputing.com, recently shared some advice that will be helpful to those faced with understanding the challenges of cloud compliance.
In his tip, he focuses on the five major questions that every organization should ask before it moves into public cloud computing services. As Cox writes, “virtually every regulation requires organizations to adequately protect their physical and informational assets. To do this, there is an implied or assumed ability to control and prove:
- What information is stored on a system?
- Where is the information stored?
- Who can access the system?
- What can they access?
- Is the access appropriate?
All these questions imply some level of ownership of the assets in question, and that is where cloud compliance issues become apparent. In a public cloud environment, you are able to answer the first of those questions with certainty; the other four, however, end up posing a compliance problem.”
Read the rest of the cloud computing tip for Cox’s advice, and make sure to address compliance requirements in cloud computing contracts.
When it comes to technology predictions, there are a few certainties: Apple will grab the world’s attention with a new product, the iPad; Google will find a way to innovate with Web apps, including Google Voice mobile; and IT security budgets will remain strong this year, despite tough macroeconomic conditions.
David Mortman, a contributing analyst at Securosis LLC and SearchSecurity.com contributor, applied his lens to a less-covered area: regulatory compliance and security. He came away with a conclusion that won’t be shocking to many observers: more regulations, new technology.
As Mortman points out, “There are three different federal identity-theft protection bills working their way through Congress.” Certain provisions of the HITECH Act will go into effect Feb. 17, including data breach notifications and extensions to HIPAA.
The fly in the regulatory-compliance alphabet soup, however, is likely to be cloud computing. As Mortman points out, “none of the existing regulatory requirements specifically address cloud computing, and few (HIPAA/HITECH and the FTC’s Red Flags Rule excepted) address outsourcing well.” Scale aside, cloud computing compliance still worries IT managers.
For more on the year ahead in compliance, review our compliance trends:
- Important regulatory compliance trends that will affect IT in 2010
- XBRL, PCI and social media to change compliance in 2010. The top regulatory compliance trends for 2010 include XBRL, PCI DSS, disaster recovery, vendor security management, carbon compliance and social networking risks.
Technology can both enhance the lives of consumers and create significant privacy issues, said David Vladeck, head of the Bureau of Consumer Protection at the Federal Trade Commission (FTC).
Speaking from the FTC’s second roundtable on online privacy at the University of California, Berkeley, today, Vladeck expressed concern that consumers have little awareness of how data is being collected or used online. That concern extends to social media privacy, mobile data, manufacturing and cloud computing security.
Vladeck summarized the lessons from the first FTC privacy roundtable, held last year in Washington, D.C. Consumers are “unaware of whether and how they can exercise control” over online data, he said, including practices in the data broker industry. The “practice of behavioral advertising may be unfamiliar to consumers.”
The fact that consumers do care about online privacy is driven home in many ways, said Vladeck. He cited the popularity of a popup blocker for the Firefox Web browser and interest in resources for managing social media privacy settings. “The No. 1 most-emailed article from The New York Times was about how consumers can change privacy settings on Facebook,” said Vladeck. “That speaks volumes.”
The FTC privacy roundtable will examine both how technology enhances consumer privacy and how it can challenge or circumvent it, said Vladeck.
The FTC sees a “troubling technological arms race” between consumer empowerment tools and technologies that enable more data collection, he said, with countermeasures developed each time a means to protect privacy is developed.
In his remarks, Vladeck broke the FTC’s privacy roundtable into four areas:
- Social networking privacy: Social media is the “online equivalent to the water cooler,” revolutionizing how people interact. “It’s a boon to consumers, enabling us to reconnect and cement relationships. On the other hand, others can scrutinize the minutiae of our lives.”
- Cloud computing security: “Cloud computing offers significant consumer benefit. At the same time, storing data on remote computers raises serious privacy and security concerns.” The issue with cloud computing security and privacy, as he observed, lies in the ease with which data may be shared, which increases the risk that data may be used in unanticipated ways.
- Mobile privacy: “Mobile devices have brought tremendous opportunities,” but also new privacy concerns. “How is location-based information being collected and used?” He also wondered how companies would be able to gain informed consent on devices with small screens. The FTC’s scrutiny confirms that GPS devices and geolocation data create privacy and security risks.
- Manufacturing: Vladeck indicated that the FTC will also be looking at how businesses are building privacy into services or devices at the outset. Ideally, he said, “privacy protections will be baked into products from the beginning.”
A full privacy roundtable agenda is available from FTC.gov.
The roundtable is being streamed online. Follow the conversation at #FTCprivacy on Twitter to read commentary in 140 characters or less or tune in to this list of privacy experts, workshop audience attendees and other commentators.
As Burton Group’s Mike Gotta blogged yesterday, the Financial Industry Regulatory Authority (FINRA) has issued new specific guidance to securities firms and brokers on the use of social media.
The regulatory authority’s updated guidance addresses the changes in usage, as workers spend more time on social networking sites in a business context.
As cited by the guidance, a recent report by the Pew Internet & American Life Project stated that 46% of American adults who use the Internet logged onto a social networking site in 2009. Now FINRA has addressed how rules governing communications apply to social media platforms that have been created by a firm or its registered representatives. For insight into one firm’s approach, check out last year’s story “Brokerage invests in social media archiving for FINRA compliance” (http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1376108,00.html).
“Social networking sites and blogs raise new regulatory challenges, particularly in the areas of supervision, advertising and books and records requirements,” said FINRA Chairman and CEO Rick Ketchum in a press release. “Our goal in issuing this notice is to ensure that firms and brokers use social networking sites in an appropriate manner.”
One of the recommendations in the new guidance for FINRA compliance is that covered firms create, distribute and adhere to an online privacy and social media policy. Another key requirement is that records of communications related to the broker or dealer’s business made through social media sites must be archived.
These new FINRA compliance rules, however, are technology-neutral in terms of how such archiving must be achieved. FINRA indicates that it is aware of different methods for social media archiving under development, including systems that interface with a firm’s network or the use of external systems by a registered representative working off-site.
FINRA guidance for social media now includes a best practice that “firms should consider prohibiting all interactive electronic communications that recommend a specific investment product and any link to such a recommendation unless a registered principal has previously approved the content.”
The full updated guidance on social media for FINRA compliance was embedded with this post as a Scribd document (document_id=25869046).
In this podcast, former cybersecurity director Melissa Hathaway talks about emerging cybersecurity threats, reforms to FISMA compliance and corporate cyberespionage. Hathaway is a senior adviser at Harvard Kennedy School of Government’s Belfer Center for Science and International Affairs.
- How could the potential FISMA compliance reforms — so-called “FISMA 2” — affect the quality of cybersecurity readiness in U.S. government agencies and contractors? Does FISMA compliance need reform?
- Other elements of legislation would introduce certification for IT security professionals. Is that a positive outcome, if it happens? Why or why not?
- The U.S. House passed a national data breach notification bill before the holiday break. If it passes the Senate, there will be a national standard. What do you think of the prospect? Is such a breach notification bill needed to supplement HHS and FTC data breach regulations?
- One critical area in cybersecurity lies in the many data breaches of corporate intellectual property. How does that unfortunate trend relate to compliance? Will a federal data breach notification law help to at least expose the scope of the issue?
- There’s considerable concern in the defense community about electronic espionage. How can those entrusted with maintaining cybersecurity balance privacy issues, civil rights and the need to protect or defend critical infrastructure? What does privacy mean in the context of cyberwar?
The Defense Information Systems Agency (DISA) has entered into a multiyear enterprise contract to use Lumeta Inc.’s IPsonar for network mapping and leak detection for the Department of Defense (DoD) global networks.
TKC Global, a systems integrator, will deploy the system.
Why is IPsonar considered necessary?
The short answer is, you can’t defend what you don’t know. We consider leak detection and mapping as key requirements to fully understand DoD’s networks and our external connections. This capability directly supports one of the actions in DISA’s recently signed Campaign Plan, where we want to conduct cross-domain searches for leaks between networks. IPsonar will provide a good start towards that requirement.
What networks will it be used on?
IPsonar will be used on SIPRNet [Secret Internet Protocol Router Network] and NIPRNet [Nonsecure Internet Protocol Router Network].
How well has it worked on the SIPRNet?
The “good” news is that we’ve had limited success with this tool on SIPRNet. I view it as good news because the problems we have getting a network mapping tool to work are directly tied to the security controls we’ve implemented to limit the ability of an adversary to maneuver on our networks. The vendor has made some changes to make it easier to work through some of these issues, plus we are now working a revised CONOPS [Concept of Operations] that will put the tool in the hands of those best able to make the network changes needed for the tool to be fully effective.
Is the software used for one-time or periodic network mapping? Or does it run continuously?
I would like to see this run continuously, at least the portion of the tool that supports leak detection. We are working now with JTF GNO [Joint Task Force-Global Network Operations] and the services to finalize the CONOPS.
Once the network or networks are mapped, then what does DISA do?
DISA’s role here is as the acquisition and support agency for an enterprise information assurance capability that will be operated by the COCOMS [DoD’s combatant commands], services and agencies. We are responsible for lifecycle support of the capability.
Is DISA planning other steps to increase network security?
Absolutely. We have a large information assurance program that includes a number of initiatives to reduce the attack surface, improve information sharing and provide the global situational awareness needed to assure mission success in the face of cyberattack.
How will IPsonar relate to the transition from IPv4 to IPv6?
We will always have a requirement to understand our network topology and identify leaks. Today, IPsonar can detect, query and capture info from IPv6 assets. The IPsonar solution is sitting on an IPv4 stack, but they have identified it in their roadmap and are on track to be IPv6-compliant. We will work with the vendor and IPv6 test efforts in DoD to make sure this and all of our IA [Information Assurance] capabilities remain effective as we transition to IPv6.
How will this deployment relate to complying with the Trusted Internet Connections Initiative?
We have strong policy and procedures to support the Trusted Internet Connection Initiative. The leak-detection capability of IPsonar provides the technology to help identify any unapproved Internet connections.
How will this implementation allow DISA and the DoD to meet FISMA compliance standards?
This will support the FISMA requirement for “asset awareness” by providing a mapping capability.
Why choose IPsonar, vs. other networking mapping software?
Our most critical requirement was leak detection. When we considered that, along with the mapping requirements, we found IPsonar to be the best solution.
How will IPsonar integrate with existing network, storage and endpoint security software at DISA to ensure better cybersecurity?
We have a number of cybersecurity solutions providing valuable data for our network defenders, but integration is largely manual. One of the top priorities for us in FY10 is to address this issue. We have two efforts ongoing: one focused on configuration management and vulnerability management requirements leveraging the SCAP data standards, with the other focused on attack detection, diagnosis and response. Both of these efforts will integrate IPsonar to help put data from other sources into context.
Last week, we looked back at the top IT compliance management news stories of 2009. From tougher state data protection laws to compliance in the cloud, 2009 held plenty of IT compliance management headaches. We’ll be posting our predictions for 2010 later this week. In the meantime, IT professionals have arrived back in the office and are confronted with the same compliance challenges that existed before the holidays.
What to do?
First, focus on compliance.
1. Build data protection around intrusion detection and access controls.
As contributor John Weathington recommends, begin with a comprehensive data governance and compliance strategy and build data protection practices upon intrusion detection and access controls.
2. Look to the Unified Compliance Framework for common ground.
Compliance professionals and vendors are turning to the Unified Compliance Framework as a common language for overlapping compliance standards.
3. Review our FAQ on mandatory encryption standards and IT operations.
Learn how emerging mandatory encryption standards will affect IT operations.
4. Get a grip on addressing compliance requirements in cloud computing contracts.
As CIOs look to cloud computing for data backup and storage, compliance requirements must be spelled out and met, or the data will be brought back down to earth.
Second, focus on IT security.
The following compliance resources from SearchSecurity.com will be helpful to IT professionals preparing for renewed security challenges this year.
1. Learn how to create an identity theft prevention plan for FTC Red Flags Rules.
Under the FTC’s Red Flags Rules, all financial institutions and creditors with covered accounts are required to create an identity theft prevention plan. The FTC may have extended the enforcement deadline for the Red Flags Rule to June 1, 2010, but five months will go by quickly.
2. Review this guide to internal and external network security auditing.
Contributor Stephen Cobb covers the baseline network audit processes that a security professional should absolutely conduct regularly.
3. Consider the benefits of ISO 27001 and ISO 27002 certification for your enterprise.
If your enterprise is considering becoming ISO 27001 and 27002 certified, there are several important questions to ask.
4. Get up to speed on privileged account management.
Sarbanes-Oxley compliance requirements and data security concerns are accelerating growth of the privileged account management market.
5. Weigh the pros and cons of end-to-end encryption and tokenization.
Tokenization and end-to-end encryption have emerged as promising technologies, but both have benefits and drawbacks that organizations must weigh.
6. Learn how frameworks and technology can help your PCI DSS compliance efforts.
This mini-guide offers a variety of tips on how organizations can use several frameworks, technologies and standards to help manage PCI DSS efforts and ease the compliance burden.
Finally, focus on health care
… that is, if health care compliance is your responsibility.
If you work in health care, SearchSecurity.com published a helpful HIPAA compliance manual that will be useful for IT professionals entrusted with health care compliance. Included in the guide is a HIPAA compliance training, audit and requirement checklist, including advice on how to prepare for a security audit.
Here are several other useful stories and tips on health care compliance:
The federal government has called for greater use of personal health records as part of electronic health record systems. Advocates say PHRs fall short in data control, privacy and security.
Some health care organizations such as health information exchanges are showing improved efficiency, lower costs and better patient care using EHRs.
When it comes to electronic health records and personal health information, secure storage can have many meanings, but only one that counts: Encrypt data as many ways as you can.
For more on HITECH and HIPAA compliance, also review:
Earlier this month, the U.S. House of Representatives passed the Data Accountability and Trust Act, H.R. 2221, the first step toward a comprehensive national data breach notification law. As I wrote in the news story, if the U.S. Senate can reconcile the bills proposed there with the House version, a new federal data breach standard will emerge.
At least one reader wasn’t so sure, however, that any federal data breach notification law is worth the paper it’s printed on without enforcement:
“The point never discussed with this or any other law, process or procedure is that without assertive enforcement – active, visible and without remorse – this initiative will be of no more use than any of the others currently enacted. At best, a paper tiger. At worst, a smoke-screen that protects the guilty and places the innocent at even greater risk.
The concept of burying a problem under mountains of paper (or rhetoric) has long been demonstrated to be no answer to the issues and real dangers facing today’s and tomorrow’s world.”
-Ken Bumgarner, IWWIT, U.S. Consultant, Senior Systems and Security Engineer, Information Security Department, National Information Center, Ministry of Interior, Riyadh, Kingdom of Saudi Arabia
I’ve written in the past about enforcement of data protection laws, specifically with regards to the amended Massachusetts data protection law. The enforceability of a regulation is critical to its passage and success, as are meaningful penalties. Even more important, in this writer’s opinion, is the likelihood of that enforcement.
Thanks to Mr. Bumgarner for writing in.
This morning, the White House made it official: Howard Schmidt will be the nation’s next cybersecurity coordinator. The longtime industry veteran will be returning to the executive branch, where he worked previously as vice chairman of the President’s Commission on Critical Infrastructure Protection. Schmidt will report to deputy national security advisor (NSA) John Brennan.
Schmidt was formerly chief information security officer (CISO) at eBay and chief security officer at Microsoft and has worked with federal and local law enforcement and the Defense Department. As Ellen Nakashima reported in The Washington Post, the new cybersecurity coordinator also served as special adviser for cyberspace security from 2001 to 2003, where he shepherded the National Strategy to Secure Cyberspace, a plan that Nakashima writes “was largely ignored.” Schmidt was also the president and CEO of the Information Systems Security Association, an international nonprofit organization that focuses on risks and research in the cyberworld. The question now will be whether a man hailed as a good communicator can also ensure better cybersecurity across industry and government.
“Howard is a good match for this task,” said Vint Cerf, Google’s chief Internet evangelist, as quoted by The Atlantic Monthly’s Marc Ambinder. “I’ve been impressed by his consensus-building style. He’s thoughtful, knowledgeable and he knows Washington.”
Cerf, as quoted in the New York Times article on the cybersecurity coordinator, said that “I’ve come away with a strong sense that Vivek Kundra, chief information officer, and Aneesh Chopra, the chief technology officer, and participants at the N.S.C. are aligned on this effort.”
Filling the position at the National Security Council was overdue, given the time that has elapsed since Melissa Hathaway delivered a cybersecurity report that called for a cybersecurity coordinator to coordinate the nation’s efforts. As SearchSecurity.com Editorial Director Mike Mimoso reported, “Obama announced on May 29 he intended to personally select a cybersecurity coordinator who would coordinate cybersecurity policies across government agencies.”
In May, Threatpost Editor Dennis Fisher recorded a podcast with Schmidt. In the podcast, the incoming cybersecurity coordinator talks about the role, cybercrime and how to fix federal cybersecurity.
CSO Online Senior Editor Bill Brenner enjoyed excellent timing yesterday when he published an email interview with Schmidt. Schmidt made a number of predictions for 2010, including that he believed that cloud computing will be a security enabler. Schmidt wrote that “2010 will be the tipping point as to much wider adaption in all sectors. The overall net effect will give us a better chance to develop more security in the cloud using better vulnerability management/reduction, strong authentication, robust encryption and closer attention to legal jurisdictions.”
The timing of the White House appointment of a cyber coordinator is, as Ambinder wrote, something of an early Christmas gift, though perhaps not for Schmidt himself. As Ambinder observed, “It’ll be a thankless job: given the near-certainty that the government will experience some massive data breach or a major cyber terrorism attack, Schmidt will be both the point person — and the person seen as responsible, even though he lacks the statutory authority to prevent these catastrophes.”
In the security industry, reactions to the appointment have been generally positive. Like Ambinder, Dave Lewis, a Canada-based IT security practitioner and editor at Liquidmatrix Security Digest, also sees a tough challenge ahead for Schmidt. “I think that this is an extremely unenviable position for him to take,” he said. “There are numerous turf wars that he will be at risk of becoming collateral damage in the crossfire. I would like to see him succeed. There needs to be a central point of control for IT security.”
George Moraetes, an information security and enterprise architect, related a similar sentiment: “I really don’t know if congratulations or even condolences are in order.”
Moraetes supports the appointment of Schmidt, stating he “is the best advocate and most experienced individual to take on this incredibly difficult job that basically has no teeth or jurisdiction to preside over federal agencies. He is the only person capable of this job, having solid federal government and corporate experience at top levels, and knows the ropes.”
Patricia Titus, former CISO for the Transportation Security Administration and now CISO for Unisys Federal Systems, is similarly supportive. “He comes with exactly the type of credentials to rally the right people at the needed levels. His private- and public-sector background lends itself well to knowing who needs to sit at the table. There hasn’t been that level of IT credentials and security experience in a similar position before.”
Titus sees the position of the cybersecurity coordinator directly under the deputy NSA as “critical to the success of the position. The fact that John has publicly stated that Howard will have regular access to the president shows that cybersecurity is a national priority.” Schmidt will be charged with assessing and mitigating a complex mix of threats and authorities. “I think that all of us in cybersecurity look at the difference between compliance and verifiable security carefully. Are we spending too much time writing documents, versus in real-time monitoring of security controls? Howard’s role may be to address that from a policy standpoint, with regards to securing critical infrastructure, government websites and agencies.”
“I’m cautiously pessimistic about anyone in that job, but I think Howard has a better shot than most,” said David Mortman, CSO-in-residence at Mason, Ohio-based security consultancy Echelon One. “Howard is a known quantity and knows how to play the game. Gives him a huge advantage, since it’s like he’s simultaneously an insider and an outsider. Hopefully the best of both worlds.”
Dan Kennedy, CISO of the Praetorian Security Group, also wrote in to share his take on the appointment of the new cybersecurity coordinator: “I am familiar with Howard, having watched him speak numerous times, being introduced to him a few times, having sat at a dinner round table across from him, and having been an ISSA member for years who reads his introductions every month. I think Howard Schmidt is both a smart guy and one who understands the issues of information security. I don’t always agree with what he has to say, but if you are quoted as much as Howard is that will happen. He doesn’t say completely crazy things, as a few senior security executives do now and then, and has a conservative approach to IS concerns. Howard is a competent choice, and clearly better than many alternatives having worked in the private sector and having been involved very closely and nearly exclusively in the infosec industry. This is much better than, say, a competent technologist, a lawyer who understands technology at a high level, or related choices taking on their first big information security job with this position.”
“That said, he is a safe choice, one who has had an opportunity already in what was a very similar position under the Bush administration. I, like many folks, wanted to be excited by the choice of cybersecurity czar, to see someone I thought would really shake things up. A safe choice doesn’t do that. I voted for Obama to make competent but also pushing the envelope decisions. I hoped for an appointment that would inject some discomfort into an established information security hierarchy in need of a change agent. Howard may be that; perhaps he wasn’t given enough of a chance or shackled by a lack of organizational power the last time around.”
“Don’t get me wrong: this appointment is a positive. There’s a more empowered position (especially now that the nonsense on reporting line is resolved) and a competent person in it helps information security. It was a long time coming. Howard is not afraid to speak uncomfortable truth to power, one of the hallmarks of a great CISO. I congratulate him and look to this appointment with optimism.”