Data Leakage archives - IT Compliance Advisor


May 6 2009   4:32PM GMT

Red Flags Rule delay reveals troubling pattern developing



Posted by: Scot Petersen
Red Flag Rule, FTC, PCI, MA data protection law, data protection, data leakage

May 1 passed without the raising of the Red Flags: The Federal Trade Commission announced a delay in enforcement of the Red Flags Rule, which requires creditors and financial institutions to put in place written programs to detect, prevent and mitigate identity theft.

Last week, the FTC said it will delay enforcement until Aug. 1, “to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.”

This is the second enforcement delay of a major data protection rule. Massachusetts pushed enforcement of its 201 CMR 17.00 data protection regulation back to Jan. 1, 2010, from the original enforcement date of May 1, 2009, also to give the organizations it covers more time to get into compliance.

Security expert and SearchCompliance.com contributor Paul Roberts of The 451 Group sees a pattern developing, which he relayed in an email:

“I think the decision to delay Red Flag Rule enforcement is yet more evidence that the public sector has a lot to learn about formulating and then implementing data privacy regulations. What’s so interesting is how closely the FTC’s Red Flag Rule headache parallels Massachusetts regulators’ headaches trying to implement their ‘toughest in the nation’ data privacy laws.

“The lesson in both cases is that regulators need to put down the sledgehammer when writing these new rules and spend more time refining their scope and soliciting input from the private sector so that they understand the practical impact of new requirements on businesses, nonprofits and individuals. Practically: Some kind of phased-in approach to enforcement would seem to make sense. And, as with the PCI regulations, it might be smarter to have an iterative process to writing these kinds of regulations, rather than trying to fix a complex problem (data theft, data privacy) in one fell swoop. So you might start with small-bore regulations that have teeth, but are focused on clear problems and easy to implement, then expand and refine them over time, as conditions change.”

Seems like smart advice. Perhaps security, compliance and risk managers in corporate America should start calling on federal and state lawmakers to change strategy. Roberts is also right that the “public sector has a lot to learn about formulating and then implementing data privacy regulations.” As we have pointed out before, many compliance, security and risk managers find themselves out of the loop, creating a major disconnect between the new laws and the efforts companies are putting into compliance.

Apr 13 2009   7:08PM GMT

What does being PCI DSS compliant really mean?



Posted by: Scot Petersen
PCI DSS, compliance, Visa, data leakage, podcast

There is a big difference between being PCI DSS compliant and being “certified” as PCI DSS compliant, says e-commerce expert Evan Schuman of StorefrontBacktalk.com in this edition of the IT Compliance Advisor weekly podcast. Because assessment results can be subjective, some retailers may not really be compliant even though an assessor has certified them as such, he says.

 
Podcast: What does being PCI DSS compliant really mean? [13:58]

The PCI DSS specification is under fire for enabling such ambiguity. The House Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology recently held a hearing on PCI and concluded that the standard has been inadequate in stopping the leakage of credit card transaction data. Visa’s administration of PCI compliance is one reason, Schuman says. Find out more in this podcast.



Feb 16 2009   7:18PM GMT

Lowering the data leakage risk of USB storage



Posted by: Alexander Howard
USB storage, flash drive, thumb drive, USB security, data leakage, information governance, security policy, data protection, security architecture, regulatory compliance

This is a guest post by John Rostern, Jefferson Wells’ Eastern Region Practice Leader for Technology Risk Management. His last post explained why regulatory compliance doesn’t always bring information security.

The ubiquity and growing capacity of removable media — USB hard drives, thumb drives and similar devices — put the confidentiality, integrity and availability of corporate information at risk. Many organizations still do not cover USB storage in their information security policies, and few security managers actively monitor or prevent its use by employees. Organizations need a security strategy that is flexible enough to keep pace with the evolving capabilities of these devices.

Regulatory compliance has highlighted the need to address the security issues created by the increased use of removable media. The focus on “information leakage” through USB drives of all sorts is heightened by regulations and industry security initiatives such as the Payment Card Industry Data Security Standard, which applies to merchants and service providers that handle cardholder data.

In the United States, laws such as the Gramm-Leach-Bliley Act for financial companies and the Health Insurance Portability and Accountability Act for healthcare providers and insurers are putting pressure on companies to safeguard personal information stored on computers — or face penalties for security failures.

Members of the European Union (EU) and companies doing business there are further regulated by increasingly stringent privacy laws. The 1995 EU Data Protection Directive (95/46/EC) provides regulatory guidance for the processing and transfer of personal information within and outside the EU.

Managing the risk presented by removable media has proven difficult for both security professionals and end users, because the same features that make these devices popular create a complex security problem. The easy compatibility, small size and high capacity of USB storage devices call for both technical and procedural controls.

In my experience dealing with clients of all sizes, point solutions are the norm. Tactical measures such as disabling or locking down USB ports may provide a marginal improvement in security, but they offer no visibility in the situations where the business requires USB access. Tools that manage and report on that usage, aligned with an overall policy on the acceptable use of removable media, provide the most effective basis for managing this risk.

Organizations should ensure that their overall security architecture includes a combination of technical and procedural countermeasures covering areas such as employee awareness, encryption and device hardening. The countermeasures developed to mitigate specific risks should be factored into both the risk assessment and the ongoing audit plan for the function. Tests to validate the existence and operational effectiveness of these countermeasures should be performed as part of scheduled audits. The results of such testing can positively or negatively affect the risk rating of a functional area.
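As an added example, not from Rostern’s post or from Jefferson Wells, the following Python script shows the monitoring side of that argument: it rebuilds USB attach events from Linux kernel log lines, ignores non-storage devices such as mice and keyboards, and checks each mass-storage attach against an allowlist of corporate-issued drives keyed by vendor ID, product ID and serial number. The log excerpt, hostname, serial numbers and allowlist are constructed sample data; on a real host you would feed it the kernel log (for instance the output of `journalctl -k`) and take the allowlist from the asset inventory. It goes one step beyond the text by also catching an unapproved drive of the same make and model as an approved one, which is the case a simple vendor/product check would miss.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed kernel log excerpt (syslog format) for one workstation. Hostname,
# timestamps, serials and vendor/product IDs are sample data, not a real capture.
SAMPLE_LOG = """\
Feb 16 09:12:01 ws-042 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Feb 16 09:12:01 ws-042 kernel: usb 1-1: Product: Ultra Fit
Feb 16 09:12:01 ws-042 kernel: usb 1-1: Manufacturer: SanDisk
Feb 16 09:12:01 ws-042 kernel: usb 1-1: SerialNumber: 4C530001234567890123
Feb 16 09:12:01 ws-042 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Feb 16 09:12:02 ws-042 kernel: sd 6:0:0:0: [sdb] 60063744 512-byte logical blocks: (30.8 GB/28.6 GiB)
Feb 16 09:40:17 ws-042 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Feb 16 09:40:17 ws-042 kernel: usb 1-2: Product: USB Receiver
Feb 16 09:40:17 ws-042 kernel: usb 1-2: Manufacturer: Logitech
Feb 16 11:05:44 ws-042 kernel: usb 1-3: New USB device found, idVendor=13fe, idProduct=4300, bcdDevice= 1.00
Feb 16 11:05:44 ws-042 kernel: usb 1-3: Product: DataTraveler
Feb 16 11:05:44 ws-042 kernel: usb 1-3: Manufacturer: Kingston
Feb 16 11:05:44 ws-042 kernel: usb 1-3: SerialNumber: 0019E06B2F5D
Feb 16 11:05:44 ws-042 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
Feb 16 14:22:09 ws-042 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Feb 16 14:22:09 ws-042 kernel: usb 1-1: Product: Ultra Fit
Feb 16 14:22:09 ws-042 kernel: usb 1-1: Manufacturer: SanDisk
Feb 16 14:22:09 ws-042 kernel: usb 1-1: SerialNumber: 4C530009876543210987
Feb 16 14:22:09 ws-042 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
NEW_DEVICE_RE = re.compile(TS + r"usb (?P<port>[\d.-]+): New USB device found, "
                           r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
ATTR_RE = re.compile(r"kernel: usb (?P<port>[\d.-]+): "
                     r"(?P<key>Product|Manufacturer|SerialNumber): (?P<val>.+)$")
STORAGE_RE = re.compile(r"kernel: usb-storage (?P<port>[\d.-]+):[\d.]+: "
                        r"USB Mass Storage device detected")


@dataclass
class UsbDevice:
    first_seen: str
    host: str
    port: str
    vid: str
    pid: str
    manufacturer: str = ""
    product: str = ""
    serial: str = ""
    mass_storage: bool = False


def parse_usb_events(log_text: str) -> List[UsbDevice]:
    """Rebuild one record per USB attach. The descriptor attributes and the
    usb-storage line are logged separately, so they are joined on the bus port;
    a fresh 'New USB device found' on the same port (a re-plug) starts a new
    record rather than overwriting the earlier one."""
    devices: List[UsbDevice] = []
    current: Dict[str, UsbDevice] = {}  # port -> record still being filled in
    for line in log_text.splitlines():
        m = NEW_DEVICE_RE.search(line)
        if m:
            dev = UsbDevice(m["ts"], m["host"], m["port"], m["vid"], m["pid"])
            devices.append(dev)
            current[dev.port] = dev
            continue
        m = ATTR_RE.search(line)
        if m and m["port"] in current:
            field = {"Product": "product", "Manufacturer": "manufacturer",
                     "SerialNumber": "serial"}[m["key"]]
            setattr(current[m["port"]], field, m["val"].strip())
            continue
        m = STORAGE_RE.search(line)
        if m and m["port"] in current:
            current[m["port"]].mass_storage = True
    return devices


# Constructed allowlist of corporate-issued, hardware-encrypted drives, keyed by
# (idVendor, idProduct, serial); in practice it comes from the asset inventory.
# Keying on the serial is what makes an identical off-the-shelf model show up
# as unapproved.
APPROVED_STORAGE: Set[Tuple[str, str, str]] = {("0781", "5583", "4C530001234567890123")}


def assess(devices: List[UsbDevice], approved=APPROVED_STORAGE):
    """Split mass-storage attaches into approved and unapproved. Non-storage
    devices are not reported at all, so the output stays actionable."""
    ok: List[UsbDevice] = []
    violations: List[UsbDevice] = []
    for d in devices:
        if d.mass_storage:
            (ok if (d.vid, d.pid, d.serial) in approved else violations).append(d)
    return ok, violations


def report(log_text: str, approved=APPROVED_STORAGE) -> List[str]:
    """One line per storage attach, suitable for a daily usage report or SIEM feed."""
    ok, violations = assess(parse_usb_events(log_text), approved)
    lines = [f"ALLOW {d.first_seen} {d.host} port={d.port} {d.manufacturer} {d.product} "
             f"serial={d.serial}" for d in ok]
    lines += [f"ALERT {d.first_seen} {d.host} port={d.port} {d.manufacturer} {d.product} "
              f"serial={d.serial or '?'} vid:pid={d.vid}:{d.pid} not on approved list"
              for d in violations]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the sample it prints one ALLOW line for the inventoried SanDisk drive and two ALERT lines: the Kingston drive, and the second SanDisk of the same model whose serial is not on the list. This is the reporting layer the post argues for; it complements a port lockdown rather than replacing it, and the same allowlist can drive the enforcement side (a udev rule or endpoint agent that refuses to mount anything not on it) so that policy, blocking and audit evidence all come from one source.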

John Rostern is Jefferson Wells’ Eastern Region Practice Leader for Technology Risk Management. He has more than 27 years of diverse experience in information systems management, architecture, application development, technology, audit and information security.

Editor’s Note: The following four tips and articles offer additional advice and perspective on the risks of USB storage and methods to mitigate exposure.