IT Compliance Advisor


February 22, 2013  6:05 PM

China hacking allegations puts lack of U.S. cybersecurity in spotlight



Posted by: Ben Cole
CIO

U.S. cybersecurity — or the lack of it — was big news this week, as President Barack Obama’s recent issuance of cybersecurity-related executive orders coincided with reports that China has systematically made cyberattacks against American interests.

Since 2006, a Chinese military unit within the People’s Liberation Army has been using cyber-espionage to steal “confidential data from at least 141 organizations across multiple industries,” according to a report from Alexandria, Va.-based security firm Mandiant Corp. Mandiant’s findings, first reported in the New York Times, allege the Chinese hackers targeted wide-ranging sectors — many with operations in the United States — including information technology, military contractors, aerospace, chemical plants, telecommunications and scientific research. The Chinese government denies the reports.

The China hacking allegations came shortly after President Obama issued an executive order titled “Improving Critical Infrastructure Cybersecurity.” The cybersecurity executive order stated that “repeated cyber intrusions” requires operators of critical U.S. infrastructure to improve cybersecurity information sharing and the implementation of risk-based standards. Following the Chinese hacking allegations, the Obama administration also announced new efforts to protect against U.S. intellectual property theft.

But is the executive order enough to protect U.S. interests? Part of the reason the order was necessary is due to several failed attempts in recent years to pass a sweeping piece of cybersecurity legislation. Past U.S. cybersecurity bills have been thwarted by privacy groups and those representing businesses — including the very vocal U.S. Chamber of Commerce that argued the bills would put undue costs and regulations on industry.

Both the privacy and bottom line-related arguments could be perilous in the face of the Chinese hacking allegations, as well as other recent high-profile hacks of Apple, Facebook and the New York Times itself. It’s just common sense that hackers are usually seeking trade secrets, business information and personally identifiable information. This is all information that would ultimately degrade online privacy and business interests for those organizations and individuals that are being hacked.

If businesses and privacy groups don’t realize the need for U.S. cybersecurity after recent attacks against the country’s interests, the entire nation will continue to face these threats. As hackers and their targets get more sophisticated, a comprehensive, cooperative approach to the nation’s cybersecurity will be necessary. Of course, privacy and costs will have to be considered when developing the rules. But until at least some cybersecurity rules are outlined, online security for all Americans remains vulnerable.

January 18, 2013  4:25 PM

Considering a career in compliance? Heed these warnings first



Posted by: Kevin Beaver
CIO

So you want to pursue a career in compliance? I can’t really blame you. With a median salary of more than $60,000, it can certainly pay off — and the sky’s the limit moving forward. Of course, money’s not everything. Sure, it ranks up there with oxygen — but there’s certainly more to a career in compliance than the financial aspects alone, right?

In my past 11 years working as a consultant, I’ve had the opportunity to work with a number of compliance officers and managers. These roles have evolved from policy pushers to gain a much more respectable seat at the table when critical IT and business decisions are being made. Many businesses even have their own lawyers that serve in a compliance oversight role. There’s no doubt that compliance, and the need for intelligent people to manage it, has certainly gained traction in the last decade.

There are, however, still some potential issues you need to be aware of before running down the compliance career path at full tilt. Here are some aspects about the role compliance plays in organizations I’ve seen time and again:

  1. It can be overwhelming. With government and industry rules expanding all over the world, IT compliance regulations seem to change every week. Add to that the complexity and verbosity of the lawyer-speak you’ll be subjected to, and you have to keep up with a lot of information.
  2. Compliance is not sexy. It’s important, no doubt, and one of the most important roles in business today. But working with policies, procedures and audit processes may not be the most elegant and appealing work. And don’t forget the endless number of meetings.
  3. If they need a scapegoat, expect peers and management to throw you under the bus during and after a data breach. After all, you’re the person who wrote the policies and oversaw the security assessments and controls leading up to the event, right?
  4. IT staff will think you’re out to get them. There can be continual paranoia — even if they need to be called out for their oversights. It’s not normally all that terrible — just know that it can be. Admit it: Those of us working in IT can be hard-headed.
  5. Staying on top of what’s happening in and around IT can require more technical skills than many people assume. You don’t necessarily need a technical degree or certifications to get by — just some sharp insight and well-placed questions (periodically and consistently, of course) to ensure no one is pulling the wool over your eyes.

In the end, you have to ask yourself if you have the right personality, level of patience and raw ability to put up with a lot of nonsense necessary for a career in compliance. If your organization’s culture and leadership embrace compliance and your role in it, however, you can definitely go places in the business — all while making vital decisions that determine its success.


December 14, 2012  5:10 PM

Facebook privacy policy receives a major overhaul



Posted by: Ben Cole
CIO

Facebook rolled out a completely revamped privacy policy this week that promises users simplified tools to protect their personal information.  In a Dec. 12 blog post announcing the changes, Facebook’s director of product management Samuel W. Lessin said the updates are designed to help users control what they share on the site and provide tools to help them act on content they don’t want shared.

Some of the changes include:

Privacy shortcuts and apps permissions. Under the Facebook privacy policy revamp, key settings such as privacy and timeline controls are available on the site’s main toolbar, rather than forcing users to navigate separate pages. The changes also alter application permission settings, providing users more control over what they share on their Facebook page.

Updated user education and activity logs. Under the new privacy policy, Facebook will provide in-context notices to users throughout the site. “We’ve created a series of messages to help you understand, in context, that the content you hide from your timeline may still appear in news feed, search and other places,” Lessin wrote. Facebook’s “activity log” will feature new navigation interfaces as well, designed to ease users’ ability to review their Facebook activity and to help them decide what they want made public on the site.

New tools to manage content. In Facebook’s updated activity log, there will be a new “request and removal tool” that allows users to take action on photos they are tagged in. “If you spot things you don’t want on Facebook, now it’s even easier to ask the people who posted them to remove them,” Lessin wrote.

The Facebook policy updates are scheduled to roll out before the end of the year, and come as online
privacy
remains a hot topic in the IT world. Earlier this month, Delta Air Lines Inc. became the first organization to be sued for potential violations of California’s Internet privacy law. The suit claims the mobile phone application “Fly Delta” violates the law because it does not adequately disclose what personal information is being collected from users and how that information will be distributed.

The U.S. government is paying attention to online and mobile privacy as well: This week, the Senate Judiciary Committee voted in favor of the Location Privacy Protection Act, which would require companies to get customers’ consent before collecting or sharing mobile location data. The move came just weeks after the same committee approved a bill to update privacy safeguards for email and other electronic communications.

As the quest for consumer privacy online continues, the federal government will likely keep seeking regulatory requirements to protect personal information. After being criticized for their privacy rules in the past, perhaps the new privacy policy is a sign that Facebook is trying to take the initiative and revamp consumer protection policies before regulatory compliance rules become the norm.


November 15, 2012  5:11 PM

Will 2012 election results help push Dodd-Frank regulations forward?



Posted by: Ben Cole
CIO

The Internet — and Wall Street — was abuzz this past week after the reelection of President Barack Obama and the election of newcomer Elizabeth Warren as the U.S. Senator in Massachusetts. Wall Street, in all likelihood, was hoping that Mitt Romney would unseat Obama -– as well as dismantle the Dodd-Frank Act regulations and cut back financial reform. Warren has also been outspoken in her disdain for Wall Street’s treatment of consumers, and can now cast financial regulation votes from her Senate seat.

Several bloggers and major newspapers speculated that Obama would target financial reform in his second term. The Washington Post stated that with the election behind him, Obama no longer needs to cater to special interests and can be more tenacious in attacking changes in the financial system. Bloomberg Businessweek reported that Warren’s Senate seat gives her “powerful tools” in the debate over whether and how to regulate the finance industry.

Some, however, remain skeptical that the new regime will have much of an influence on financial reform, especially when it comes to Dodd-Frank regulations. After all, the U.S. is still way behind in implementing most parts of the law. Only a third of the rules have been finalized, noted ProPublica reporter Jesse Eisinger in an article published in the New York Times online, and Eisinger is not sure Obama’s reelection will speed the process.

“The core problems with the financial system and its regulators are deeper than personnel and sadly impervious to which party occupies the White House,” Eisinger wrote. “They are bipartisan and structural.”

The question is: How much of the anti-Wall Street campaign talk was just that — campaign talk? After spouting “sticking up for the little guy” rhetoric on the campaign trails, both Warren and Obama may scale back to more moderate viewpoints after the election. It’s also going to take more than two people to overhaul the financial system — it requires a sea change in the political stance toward Wall Street, and the attitudes of Wall Streeters themselves.

What do you think? Will the 2012 election, particularly the victories by Obama and Warren, have an impact on Dodd-Frank regulations and financial reform? Or will it be business as usual on Wall Street?


October 5, 2012  5:01 PM

As user numbers increase, cloud security issues at the forefront



Posted by: Ben Cole
CIO

Many companies are now seeing the benefits of cloud computing: cost savings, increased network accessibility and improved scalability, to name just a few. But cloud security issues, compliance and privacy are increasing concerns.

The Cloud Market Maturity study, a joint survey released by the Cloud Security Alliance and ISACA last month, revealed that government regulations, legal issues and international data privacy are among the top 10 areas ranked by respondents as “low confidence” when it comes to the cloud.

These concerns were echoed during the recent “Cloud 2.0″ panel discussion held in Waltham, Mass., last week. Among the panelists was Judy Klickstein, CIO at Cambridge Health Alliance, who said that, ideally, the cloud provides the means to offer services to her company’s users in a very cost-competitive, secure environment. It’s that “secure environment” part that creates concern for organizations currently moving to the cloud — especially those in the health care field, Klickstein said.

“We have an obligation, and a duty, a judiciary responsibility at our organization to make sure that somebody’s personal information does not get hacked, stolen, shared or sent to the wrong place,” Klickstein said. “As part of that, there’s an enormous array of federal and state regulations guiding everything about what happens to you if you really screw it up.”

When these regulations are violated, it triggers a loss of patient trust, as well as severe financial penalties, Klickstein said. As a result, Cambridge Health Alliance is very conscious of these cloud security issues when working with providers, and looks closely to see how reliable and secure the platform is.

And, of course, alleviating these data security, privacy and compliance concerns more than likely will not come cheap. Even with the numerous benefits of the cloud, choosing which platform is best is still, ultimately, a business decision — and is treated as such.

“If the cloud was providing me with all the things that I feel we have to have for controlling my data center and my environment and they can do it more cheaply, that would be a terrific thing,” Klickstein said. “If there is a risk of doing that and it’s going to cost me three times as much, then do the math.”

Speaking of cloud-related business, a recent blog post from Fidelity.com examined the possible investing possibilities when it comes to the cloud. While the bloggers state that there are many investment opportunities, there are still many questions around cloud security issues. Successful investing in cloud computing will require a thorough understanding of the technology and any potential regulatory issues that may surface, they added.

The phrase “potential regulatory issues” is interesting. One has to wonder, with increased cloud use, if we’re one major cloud security breach away from government-induced, cloud-specific regulations. After all, these regulations are usually not on the horizon until something goes wrong. It’s good that at least some companies are paying attention, and being proactive about the potential cloud security issues before they arise.


August 30, 2012  5:00 PM

White House releases directives for Obama record management initiative



Posted by: Ben Cole
Barack Obama, CIO, data security and storage, White House

We’ve been talking a lot about records management here at SearchCompliance.com this summer … perhaps President Barack Obama is a fan? Probably not, but last week the White House announced key dates and directives regarding his “Presidential Memorandum — Managing Government Records“, first unveiled in December 2011.

The directives were released in an Aug. 24 memo from Jeffrey D. Zients, acting director of the Office of Management and Budget, and David S. Ferriero, archivist at the United States National Archives and Records Administration.

“This Directive requires that to the fullest extent possible, agencies eliminate paper and use electronic recordkeeping,” Ferriero and Zients wrote in the memo. “It is applicable to all executive agencies and to all records, without regard to security classification or any other restriction.”

The goal of President Obama’s record management initiative is to “develop a 21st-century framework for the management of Government records.” Under the initiative, by the end of 2019, all federal agencies’ permanent records will be managed electronically to the “fullest extent possible.” The president has said the framework will ultimately reduce government costs and help agencies operate more efficiently, as well as improve federal transparency by better documenting actions and decisions.

Some other key dates that federal officials should mark on their calendars:

  • By Nov. 15 of this year, each agency should name its “senior agency official” who will oversee their records management program.
  • Although federal agencies have until 2019 to move records to an electronic format, they must have plans for how they will do so completed by Dec. 31, 2013.
  • Agencies must have records management training in place for appropriate staff by Dec. 31, 2014.

In a blog post following the memo’s release, Ferriero called President Obama’s record management strategy a “historic moment” that will “allow current and future generations to hold their government accountable and to learn from the past.”

Ferriero is correct — President Obama’s records management initiative is a step in the right direction for modernizing the federal government’s data management processes (although one does wonder why it took this long). As we have explored here recently at SearchCompliance.com, sound records management can have many positive implications for entities: When done correctly, it can help boost the bottom line and aid adherence to compliance standards.

There no doubt will be, however, many data governance challenges to overcome as the initiative moves forward. The sheer complexity of federal records, coupled with their sensitive nature that necessitates proper security protocol, will no doubt cause hiccups for at least some agencies along the way. While 2019 sounds far off, it’s probably a good thing the fed has until the end of the decade to complete this initiative.


August 10, 2012  6:36 PM

As IT reliance expands, data management and security lapses loom



Posted by: Ben Cole
CIO, cyber security, data protection, GRC

Data management and security could create huge problems in our increasingly-connected world, as two recent events have made evident: Earlier this month, a Knight Capital computer program unleashed a series of erroneous stock orders that resulted in a $440 million loss for the trading firm. Last week, journalist Mat Honan described in length how hackers, taking advantage of security flaws at Apple, Amazon and Gmail, completely wiped several of his Apple devices and commandeered two of his Twitter accounts.

The two events show that data management and security is taking a backseat as businesses and consumers strive to stay connected. The New York Times reported that Knight Capital rushed to develop the faulty software to take advantage of computer-driven market and failed to work out problems with the system. In his frank, detailed description of the events that led to his “epic hacking,” Honan admits he is very much to blame for his inattention to security. But he also notes the apparent IT security disconnect that people — and corporations — often forget when technology is used across developers and platforms.

“Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information,” Honan wrote. “In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.”

At least some are paying attention to the potential risks: Apple announced it had stopped allowing over the phone password resets, and Amazon announced fixes to its security policies after Honan’s hacking went public. In response to the Knight Capital debacle, SEC officials are pushing for new regulations around trading technology.

But more consumers and businesses need to realize these data management and security concerns are not going anywhere — and will likely get worse unless they take the necessary steps to protect themselves. In the struggle to stay ahead of the next guy when it comes to the latest IT gadgets and tools, security should stay a primary concern or, as Honan and Knight Capital can attest, more will suffer the personal and financial consequences.


June 22, 2012  4:24 PM

Prepare for the inevitable: Developing a data breach response plan



Posted by: Kevin Beaver
data breach, Data breach response plan

Are you prepared for the inevitable? Odds are it’s merely a matter of time before your business experiences a computer security-related breach and you need a solid data breach response plan. How are you going to handle the situation? Especially if you’re a smaller business, your IT resources probably are minimal. But even your outside resources might not have the expertise to help when you’re in a data security bind. In today’s connected world, there’s a lot that can go wrong when it comes to technology.

Before the bits hit the fan, you need to understand what a breach really means to your business. What it means depends on the industry you’re in and the contracts and compliance regulations you’re held accountable for. Regardless of the type of sensitive information that’s exposed (credit cards, Social Security numbers or intellectual property, for example), you need to define what a “breach” means for your company so you’ll know when to enact your incident response plan. It might be a malware infection, a defaced website or a lost laptop. You also need to remain aware: Data breach statistics show that someone else probably will notify you before you even know about the breach.

Once you do discover a breach, your data breach response plan should allow you to respond quickly and wisely. You can’t just restore a system from backup, or sweep a loss or theft under the rug. You’re going to have to dig in deeper to see what actually happened (by hiring a forensics expert, for example, or calling law enforcement or hiring a technical resource to help), and determine any additional steps you might need to take. These include the way you will pursue the culprit and notify the affected parties based on what the data breach notification laws require.

Going forward, be smart about how you address the breach. That’s what regulators, business partners and customers (and their lawyers) are going to be looking at. Don’t expect perfection — but you do need to keep good notes on what has been done already, what you plan to do to remediate the problem and how you’ll prevent it from reoccurring.

Perhaps most importantly, get your lawyer involved. Even if he’s not tech-savvy, he needs to know about the data breach laws, the compliance regulations you face and how the breach affects your existing contracts.

In other words, don’t just react — respond. Being prepared is the best way to not drop the ball on incident response. When it comes to computers, business applications and sensitive information, something is bound to happen — eventually. This is true regardless of the size of your business. Even if you think you’re not a target or at risk, you are.

An employee is going to lose an unsecured smartphone — even though policy mandates that all smartphones are to be password-protected and that no business information should be stored on them. A contractor is going to lose an unencrypted backup tape — even though your contract says that all media shall be encrypted and transported securely via a third-party service. A cloud provider is going to overlook a SQL injection hole in their system — even though they passed their SAS 70 or SSAE 16 audit with flying colors.

When you prepare for the inevitable with a data breach response plan, you can respond to these problems and more in a professional way, and minimize the impact on your information systems. This should be your ultimate goal.


May 29, 2012  3:47 PM

Planning, foresight needed to address long-term compliance strategy



Posted by: Kevin Beaver
compliance strategy, information security strategy

Remember the law of inertia from physics class? It says that a body at rest tends to remain at rest unless acted upon by an outside force. Well, compliance is the law of inertia-type catalyst when it comes to information security strategy. Over the past decade, I’ve seen many businesses remain complacent when it comes to information security until they’re forced to pay more attention in the name of compliance. They end up spending a few months documenting policies, tightening passwords, creating antivirus processes and, voila, the business is compliant. And secure, right? Well, not really.

A question in the recent Ponemon Institute State of Global IT Security survey asked nearly 1,900 participants in 12 countries, “Are you taking appropriate steps to improve your organization’s information security posture…If no, why?” The No. 1 answer was “insufficient resources” (39%), followed by “not a priority issue” and “lack of clear leadership.” This begs the question: If information security strategy is being undervalued and overlooked, then how can these businesses possibly be compliant? There’s hardly any business I’ve seen that’s not required to comply with an information security-related regulation either directly or indirectly. I’m confident you could ask most executives how their IT governance program is working and they’ll proudly say “we’re compliant.” But compliant with what?

To me, there’s the good, the bad and the ugly side of compliance strategy:

  • The good: Solid control, visibility and automation are present. These traits facilitate not only compliance but also help manage information risk.
  • The bad: Duplicated technical controls, multiple sets of policies/procedures and overlapping security evaluations that only make it appear that work is getting done.
  • The ugly: When management and other key players assume that compliance strategy has created a strong, impenetrable infrastructure.

With compliance, you don’t need to spend a ton of money completely revamping the way you do business, but you do need to be mindful of what’s at stake so you don’t end up at the back of the herd. Speaking of which, there’s the spirit of the law and the letter of the law, and savvy executives and their legal counsel will likely focus on the former. Odds are the businesses that strive for perfection will end up wasting time, money and resources on compliance strategy. Still, there are many businesses in operation today that have yet to even acknowledge they have a problem, much less have developed a plan for how they’re going to move towards any semblance of reasonable IT governance.

Most importantly, make sure you’re addressing compliance for the long-term benefit of the business rather than to simply complete a one-time checkbox and move on. Sadly, too many people are doing the latter, and the long-term consequences will eventually be evident. Don’t fall into this trap.


May 8, 2012  6:37 PM

Five corporate compliance program traits you need to prevent breaches



Posted by: Kevin Beaver
corporate compliance program, data breaches

If you look at news headlines, you’d think the sky were falling with all of the hack attacks and subsequent data breaches taking place. Just glancing at the Chronology of Data Breaches says it all. Every business is, arguably, a target, with both known and unknown vulnerabilities waiting to be exploited. But not every business is bleeding — you just have to be smart about how you approach a corporate compliance program. You can put years of work and hundreds of thousands of dollars into your compliance plan and one single oversight or misstep can cancel it all out.

Here are five things you can get started on today to ensure you don’t end up on the wrong side of a data breach:

1. I can’t stress enough the importance of getting the right people on board. You can’t manage compliance by yourself, and neither can any other individual in IT, security, internal auditing or management. All the right people need to aim for the right target at the same time, because every key player adds his or her own unique value to a corporate compliance program.

2. Understand what’s really at risk. Documentation isn’t enough, and neither is an IT controls audit. Many businesses haven’t even performed a basic security assessment. You have to dig in and see what can truly be exploited from the perspectives of a malicious insider and an external attacker.

3. Be careful how you approach management and “sell” corporate compliance. It’s not all about IT: It’s about the business and how you can best meet management’s needs, along with the needs of the regulators. Wherever possible, use technology to help continually keep all of the right people in the corporate compliance loop.

4. Have a plan. Imagine pilots and surgeons not having a Plan B when potential problems arise. Determine what “data breach” means to your business and then develop a basic incident response plan. You won’t regret having a contingency plan in place when data breaches occur.

5. Finally, remember that information security and risk management is not only about compliance and protecting personally identifiable information. This may be true for your specific job function, but not necessarily for the business as a whole. Most likely, there’s intellectual property that must be protected as well.

You’ve no doubt come across this advice before, but don’t dismiss it. It really works as long as you’re willing to put forth the effort. By focusing on what matters and being careful to avoid overlooking data protection in areas vital to your organization, you have the keys to a successful corporate compliance program.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: