data protection

Clarifying mobile encryption requirements for 201 CMR 17.00 compliance

When I reported on amendments to the Massachusetts data protection law earlier this week, one of the comments that undersecretary of consumer affairs Barbara Anthony made was a point of interest to many enterprise IT professionals who must determine what 201 CMR 17.00 compliance will mean.

Specifically, Anthony stated that, “We know right now that there’s no widespread technology for encrypting mobile devices, but we know it’s there for laptops.”

Given that the regulation’s language includes a requirement for encryption where “technically feasible,” the issue demanded clarification. I contacted Secretariat CIO Gerry Young, who was involved in drafting the original regulation. He offered the following guidance on mobile encryption:

“This just belies unfamiliarity with the current state of encryption. Even a cursory scan will show that technologies like Snapcell, Navastream, AlertBoot, SecurStar PhoneCrypt, Endoacustica and Babylon nG have carried cell phone encryption to fairly sophisticated stages.

“Encryption for cellular phones has evolved beyond even enterprise-class smartphones, and you are beginning to see robust offerings for 3G phones available at attractive price points.

“European companies like Navastream (Germany) are making inroads in U.S. markets to fill a clear void. This will help to drive competition, and push price points lower for the consumer.

“I would think that once there are free, open source encryption alternatives — along with a plethora of low-cost encryption vendors in the cellular market — that we would be ready to mandate cell phone encryption in the near future.”

In other words, encrypting mobile devices and smartphones remains a best practice, particularly where resident PII is present, but is not mandated for 201 CMR 17.00 compliance — yet.

Amended Massachusetts data protection act focuses on risk management

As Alexander Howard reported earlier today, the Massachusetts data protection law has been amended. The revised data privacy regulations — 201 CMR 17.00, “Standards for the Protection of Personal Information of Residents of the Commonwealth” — include several key updates. If you are an information security professional, take note of these changes, as they will likely have practical implications.

The most immediate impact is the provision for an additional 60 days to comply with the regulations. The deadline for implementation is now March 1, 2010.

Individuals and municipalities have expressly been removed from guideline jurisdiction, with a clarification that the “regulation applies to those engaged in commerce.” Guidelines on the requirement for a written information security plan are now simplified.

A new definition for the term service provider was added. The Office of Consumer Affairs and Business Regulation also amended third-party vendor rules. There is now a two-year grace period, relative to existing contracts, and requirements for those third parties to be in compliance.

Encryption requirements have been clarified. The apparently strict but, practically speaking, vague 128-bit specification from the prior version was replaced by “technology-neutral language.”

Further, a “technical feasibility” standard has been incorporated, acknowledging that methods to securely encrypt data on portable devices may not yet be available. Email encryption now falls under the technical feasibility standard. Additionally, encryption of backup tapes has been clarified to include prospective encryption. So you may safely cancel your firm’s plans to encrypt existing backup tapes. Encrypting new backup tapes will still be required, along with any personal data that travels over the public Internet or wireless network.

In another change that I believe will ultimately enhance consumer protection, 201 CMR 17.00 has been brought in line with certain federal regulations. Specifically, the Massachusetts data protection act now cedes authority to the Federal Trade Commission’s (FTC) standards established under the Gramm-Leach Bliley Act (GLBA). GLBA utilizes a risk management approach to data security.

The patchwork of 44 different state health data protection laws has delayed electronic automation of, and therefore overall security for, health records. Adopting a federal standard, starting with the FTC’s risk-based approach to data protection, avoids this pitfall and may make widespread compliance both more feasible and more likely in the near future.

On one hand, a risk management approach should be familiar to IT professionals. It shifts resources from “check-the-box” controls that may or may not address a particular organization’s specific risks to controls that make more sense in context. On the other hand, given the concrete definition of the personal information in scope, it is difficult to see where risk management would not be present whenever such personal data is stored.

“Mandating every component of a program and requiring its adoption, regardless of size and the nature of the business and the amount of information that requires security, makes little sense in terms of consumer protection,” said Bradley MacDougall, of Associated Industries of Massachusetts. Risk management and assessment will afford more consumer protection by matching a given business’ actual risks with required security investments.

201 CMR 17 FAQ: Updates to Massachusetts data protection law

Earlier today, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued an update to 201.CMR.17, the Massachusetts data protection law. The deadline for implementation has now been extended until March 1, 2010.

In an interview with SearchCompliance.com, Undersecretary Barbara Anthony stated that “consumer protections have not been weakened in this amendment. Monitoring, reviewing the scope of security measures – and encryption is still required if you are going to transmit resident PII over public networks. What we’ve tried to do here is to not impose additional burdens which weren’t involved in the consumer protections.”

With the permission of the OCABR, we are posting the FAQ released by the office in full and unedited below. We will post the rest of Anthony’s comments tomorrow, along with further analysis of the changes referenced below.

What are the differences between this version of 201 CMR 17.00 and the version issued in February of 2009?

There are some important differences in the two versions.

First, the most recent regulation issued in August of 2009 makes clear that the rule adopts a risk-based approach to information security, consistent with both the enabling legislation and applicable federal law, especially the FTC’s Safeguards Rule. A risk-based approach is one that directs a business to establish a written security program that takes into account the particular business’ size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security. It differs from an approach that mandates every component of a program and requires its adoption regardless of size and the nature of the business and the amount of information that requires security. This clarification of the risk based approach is especially important to those small businesses that do not handle or store large amounts of personal information.

Second, a number of specific provisions required to be included in a business’s written information security program have been removed from the regulation and will be used as a form of guidance only.

Third, the encryption requirement has been tailored to be technology neutral and technical feasibility has been applied to all computer security requirements.

Fourth, the third party vendor requirements have been changed to be consistent with Federal law.

To whom does this regulation apply?
The regulation applies to those engaged in commerce. More specifically, the regulation applies to those who collect and retain personal information in connection with the provision of goods and services or for the purposes of employment.

The regulation does not apply, however, to natural persons who are not in commerce.

Does 201 CMR 17.00 apply to municipalities?
No. 201 CMR 17.01 specifically excludes from the definition of “person” any “agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.” Consequently, the regulation does not apply to municipalities.

Must my information security program be in writing?
Yes, your information security program must be in writing. The scope and complexity of the document will vary depending on your resources, and the type of personal information you are storing or maintaining. But, everyone who owns or licenses personal information must have a written plan detailing the measures adopted to safeguard such information.

What about the computer security requirements of 201 CMR 17.00?
All of the computer security provisions apply to a business if they are technically feasible. The standard of technical feasibility takes reasonableness into account. (See definition of “technically feasible” below.) The computer security provisions in 17.04 should be construed in accordance with the risk-based approach of the regulation.

Does the regulation require encryption of portable devices?
Yes. The regulation requires encryption of portable devices where it is reasonable and technically feasible. The definition of encryption has been amended to make it technology neutral so that as encryption technology evolves and new standards are developed, this regulation will not impede the adoption of such new technologies.

Do all portable devices have to be encrypted?
No. Only those portable devices that contain personal information of customers or employees and only where technically feasible The “technical feasibility” language of the regulation is intended to recognize that at this period in the development of encryption technology, there is little, if any, generally accepted encryption technology for most portable devices, such as cell phones, blackberries, net books, iphones and similar devices. While it may not be possible to encrypt such portable devices, personal information should not be placed at risk in the use of such devices. There is, however, technology available to encrypt laptops.

Must I encrypt my backup tapes?
You must encrypt backup tapes on a prospective basis. However, if you are going to transport a backup tape from current storage, and it is technically feasible to encrypt (i.e. the tape allows it) then you must do so prior to the transfer. If it is not technically feasible, then you should consider the sensitivity of the information, the amount of personal information and the distance to be traveled and take appropriate steps to secure and safeguard the personal information. For example, if you are transporting a large volume of sensitive personal information, you may want to consider using an armored vehicle with an appropriate number of guards.

What does “technically feasible” mean?
“Technically feasible” means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.

Must I encrypt my email if it contains personal information?
If it is not technically feasible to do so, then no. However, you should implement best practices by not sending unencrypted personal information in an email. There are alternative methods to communicate personal information other through email, such as establishing a secure website that requires safeguards such as a username and password to conduct transactions involving personal information.

Are there any steps that I am required to take in selecting a third party to store and maintain personal information that I own or license?
You are responsible for the selection and retention of a third-party service provider who is capable of properly safeguarding personal information. The third party service provider provision in 201 CMR 17.00 is modeled after the third party vendor provision in the FTC’s Safeguards Rule.

I have a small business with ten employees. Besides my employee data, I do not store any other personal information. What are my obligations?
The regulation adopts a risk-based approach to information security. A risk-based approach is one that is designed to be flexible while directing businesses to establish a written security program that takes into account the particular business’s size, scope of business, amount of resources and the need for security. For example, if you only have employee data with a small number of employees, you should lock your files in a storage cabinet and lock the door to that room. You should permit access to only those who require it for official duties. Conversely, if you have both employee and customer data containing personal information, then your security approach would be more stringent. If you have a large volume of customer data containing personal information, then your approach would be even more stringent.

Except for swiping credit cards, I do not retain or store any of the personal information of my customers. What is my obligation with respect to 201 CMR 17.00?
If you use swipe technology only, and you do not have actual custody or control over the personal information, then you would not own or license personal information with respect to that data, as long as you batch out such data in accordance with the Payment Card Industry (PCI) standards. However, if you have employees, see the previous question.

Does 201 CMR 17.00 set a maximum period of time in which I can hold onto/retain documents containing personal information?
No. That is a business decision you must make. However, as a good business practice, you should limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected and limit the time such information is retained to that reasonably necessary to accomplish such purpose. You should also limit access to those persons who are reasonably required to know such information.

Do I have to do an inventory of all my paper and electronic records?
No, you do not have to inventory your records. However, you should perform a risk assessment and identify which of your records contain personal information so that you can handle and protect that information.

How much employee training do I need to do?
There is no basic standard here. You will need to do enough training to ensure that the employees who will have access to personal information know what their obligations are regarding the protection of that information, as set forth in the regulation.

What is a financial account?
A financial account is an account that if access is gained by an unauthorized person to such account, an increase of financial burden, or a misappropriation of monies, credit or other assets could result. Examples of a financial account are: checking account, savings account, mutual fund account, annuity account, any kind of investment account, credit account or debit account.

Does an insurance policy number qualify as a financial account number?
An insurance policy number qualifies as a financial account number if it grants access to a person’s finances, or results in an increase of financial burden, or a misappropriation of monies, credit or other assets.

I am an attorney. Do communications with clients already covered by the attorney-client privilege immunize me from complying with 201 CMR 17.00?
If you own or license personal information, you must comply with 201 CMR 17.00 regardless of privileged or confidential communications. You must take steps outlined in 201 CMR 17.00 to protect the personal information taking into account your size, scope, resources, and need for security.

I already comply with HIPAA. Must I comply with 201 CMR 17.00 as well?
Yes. If you own or license personal information about a resident of the Commonwealth, you must comply with 201 CMR 17.00, even if you already comply with HIPAA.

What is the extent of my “monitoring” obligation?
The level of monitoring necessary to ensure your information security program is providing protection from unauthorized access to, or use of, personal information, and effectively limiting risks will depend largely on the nature of your business, your business practices, and the amount of personal information you own or license. It will also depend on the form in which the information is kept and stored. Obviously, information stored as a paper record will demand different monitoring techniques from those applicable to electronically stored records. In the end, the monitoring that you put in place must be such that it is reasonably likely to reveal unauthorized access or use.

Is everyone’s level of compliance going to be judged by the same standard?
Both the statute and the regulations specify that security programs should take into account the size and scope of your business, the resources that you have available to you, the amount of data you store, and the need for confidentiality. This will be judged on a case by case basis.

This FAQ was posted with the direct permission of OCABR. For more information on the regulation, visit Mass.gov/consumer.

What will compliance with the Massachusetts data protection act mean?

A bill being discussed in the Massachusetts Senate proposes major changes to MA GL 93H, the Data Breach Notification Act. These changes could in turn result in revisions to 201 CMR 17.00, the data protection regulation promulgated by the Office of Consumer Affairs and Business Regulation (OCABR), including removal of specific encryption requirements and deference to federal statutes.

We wrote about it last week in “Mass. Senate seeks to amend, weaken data breach notification law.” As you know, we’ve been covering news on the nation’s most comprehensive data protection law since the beginning of the year, including a podcast with the OCABR CIO and general counsel:

•    Podcast: New Massachusetts data protection law mandates IT compliance
•    Panels describe risks of noncompliance with Mass. data protection law

Kevin Beaver, a contributor to SearchCompliance.com, offered his commentary on the situation nationally: “Are you out of the loop on state data breach notification laws?“

Sarah Cortes reminded the readers of SearchCompliance.com last week of  the risk of penalties for violating data privacy laws.

Anne McCrory, editorial director for the CIO/IT Strategy Media Group at TechTarget, also has rung in with her view: “It’s time for a federal data protection act,” following Scot Petersen’s take: “Red Flags Rule delay reveals troubling pattern developing.”

Our sister site, SearchSecurity.com, posted some additional advice:  Encrypt now to meet new Mass. data protection law.

So with all that out there, here’s what I’m wondering:

What do you think of the law?

What are your thoughts on the proposed revisions?

How are you approaching compliance with the regulation?

Do you have clients or partners that you are advising on the topic? What do they think?

I’ve been interviewing many of our readers on precisely these questions, including many thought leaders, CISOs, privacy officers and CIOs. I’d be grateful for your thoughts as well.

Please write to editor@SearchCompliance.com or directly to me at ahoward@techtarget.com.

As you know, you can also find us @ITCompliance on Twitter

Red Flags Rule delay reveals troubling pattern developing

May 1 passed without the raising of the Red Flags: The Federal Trade Commission announced a delay in the enforcement of the Red Flags Rule, which requires companies to come up with programs to detect and respond to financial data breaches or identity theft.

Last week, the FTC said it will delay enforcement until Aug. 1, “to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.”

This is the second enforcement delay of a major data protection law. Massachusetts extended enforcement of its 201 CMR 17.00 law until Jan. 1, from the original enforcement date of May 2009, also to give constituents more time to get into compliance.

Security expert and SearchCompliance.com contributor Paul Roberts of The 451 Group sees a pattern developing, which he relayed in an email:

I think the decision to delay Red Flag Rule enforcement is yet more evidence that the public sector has a lot to learn about formulating and then implementing data privacy regulations. What’s so interesting is how closely the FTC’s Red Flag Rule headache parallels Massachusetts regulators’ headaches trying to implement their “toughest in the nation” data privacy laws.

“The lesson in both cases is that regulators need to put down the sledgehammer when writing these new rules and spend more time refining their scope and soliciting input from the private sector so that they understand the practical impact of new requirements on businesses, nonprofits and individuals. Practically: Some kind of phased-in approach to enforcement would seem to make sense. And, as with the PCI regulations, it might be smarter to have an iterative process to writing these kinds of regulations, rather than trying to fix a complex problem (data theft, data privacy) in one fell swoop. So you might start with small-bore regulations that have teeth, but are focused on clear problems and easy to implement, then expand and refine them over time, as conditions change.

Seems like smart advice. Perhaps security, compliance and risk managers from corporate America should start calling for a change of strategy from federal and state lawmakers. But on the other hand, he’s also right about the fact that the “public sector has a lot to learn about formulating and then implementing data privacy regulations.” As we have also pointed out, many compliance, security and risk managers are finding themselves out of the loop, creating a major disconnect between the new laws and the efforts many companies are putting forth to get into compliance.

Coming: State privacy laws run amok

As business owners are preparing for the new Massachusetts data protection law, also known as 201 CMR 17: Standards for The Protection of Personal Information of Residents of the Commonwealth, due next year, a potential quagmire is building.

Speaking at the TechTarget Compliance Decisions Summit March 12, Laurence Anker, engagement manager, technology risk management for Jefferson Wells International, said the coming influx of state privacy laws will create “a mess.”

Only about half of the states have laws governing personally identifiable information, but several more, including Massachusetts, are crafting tough laws that will put new burdens on businesses, especially SMBs, and businesses outside of the state that employ Massachusetts residents.

These laws will cover areas such as secure storage of data, encryption of data and access controls, as well as require businesses to create written, comprehensive security and privacy policies for personal data.

Such tasks are formidable, but not impossible, but multiply the Massachusetts law by 50 and it’s easy to see how difficult it will become for some businesses to make sure they are in compliance with every state’s privacy law.

Anker said that he does not foresee new state laws as they come on the books to be in direct conflict with one another. Rather, business entities will have to make decisions on how to manage compliance with state privacy laws with different degrees of requirements. Most likely businesses with a widespread employee base will standardize and comply with the state with the toughest privacy policy.

Or, Anker said, there could be a day when state privacy regulators will join an organization similar to the National Association of Insurance Commissioners, which will seek to normalize the state privacy laws and help the states enforce them.

Risk-based approach to information governance at Compliance Decisions

As I wrote yesterday, the Compliance Decisions Summit got off to a great start when Eric Holmquist and Richard Mackey considered the future of compliance in their talks before a crowded hall of auditors, compliance officers, CIOs and information security professionals.

The second half of the day featured Holmquist again, this time exploring a risk-based approach to information security governance, and Laurence Anker, speaking about managing the cost and complexity of compliance through governance.

We posted the following Twitter on our ITCompliance account over the course of the afternoon. The #CSD09 you see below is a hashtag we chose to track tweets related to today’s seminar. For a full explanation of what a hashtag is and how it works, please consult last week’s digest of compliance headlines from Twitter.

All four seminars from Compliance Decisions will be available soon from SearchSecurity.com and SearchCompliance.com, along with an exclusive interview with Mackey exploring the ramifications of virtualization to compliance management.

A Risk-Based Approach to Information Security Governance

Lunch over, video recorded w/Mackey on #virtualization & #compliance. Next: Holmquist on a risk-based approach to infosec governance. #CSD09

Information security must be approached as a business issue, not an IT issue. Then we can consider risk mgmt practices.” -Holmquist | #CSD09

“You can’t buy your way out of a data breach.” -Holmquist | #CSD09 | #riskmanagement

RT @ scotpe Adding: “chief security officer does not belong in IT.” Where does s/he belong? [ <-- Good question. Any answers? ]

Lundquist recommends forming a #security council. Give it authority, include senior execs, make cross-disciplinary, safe & visible. #CSD09

Key insight for creating a culture of cooperation vs. risk: “Make it safe to fail” -Holmquist | Don’t underestimate “gut feelings” #CSD09

Back to #compliance basics: “Everything starts with a risk assessment, not controls. Manage to assessed risk, not perceived risk.” | #CSD09

“Insiders are exponentially more of a threat than outsiders. The ability to respond quickly & effectively is critical” -Holmquist | #CSD09

“You can approach assessing risk in 4 ways: IT systems, electronic data, physical files & third parties. Focus on accountability.” #CSD09

“Risk is quantified in 4 broad categories: What’s at risk? What would be the impact? What could be the source? What can we mitigate?” #CSD09

RT @ scotpe Scare the CEO: Statistically speaking, “someone is planning to steal your data right now, thinking about it or doing it” #CSD09

Paused for another message from another sponsor of #CSD09 & a networking break. Door prize drawing up next for a Flip, iPod & a GPS unit.

Managing the Cost and Complexity of Compliance through Governance

Now up at #CSD09: Anker on managing the cost & complexity of #compliance through #governance. Session info: http://bit.ly/J9OP

Anker began his seminar at #CSD09 talking about the importance of IT governance. @ rlebeaux just reported on that: | #TTGT

@ rlebeaux that reported on aligning IT governance & corporate governance in an economic #recession -> http://bit.ly/PDfkk

Insurance for IT risk? Anker notes standard policies may not address IT exposures like a data breach or reputational damage. #CSD09

“An organization’s info & other intangible assets account for 80%+ of its market value.” -IT Governance Institute (ITGI) | #CSD09

In discussing key requirements of the new MA data protection law, Anker notes WISP: written information security policy | #CSD09 | #acronym

Great Q&A on provisions of the MA data protection law w/Anker to end. @rwestervelt reported on its extension: http://bit.ly/yMBgP #CSD09

Conclusions from Compliance Decisions

You’ll be reading, hearing more and seeing more of Holmquist, Anker and Mackey on SearchCompliance.com. All three men will be contributing experts in upcoming articles, podcasts or video.

Writers from both SearchSecurity.com and SearchCompliance.com will continue reporting on the Massachusetts data protection law and its ramifications for IT professionals and businesses nationwide. Clearly, many questions remain about the regulatory impact of the law on IT operations.

As Robert Westervelt reported, the deadline for the Massachusetts data protection and encryption law was extended to Jan. 1.

“We understand the impact of the current business environment and feel this is an appropriate time frame for companies to implement the necessary protections,” Daniel C. Crane, the Undersecretary of the Office of Consumer Affairs and Business Regulation, said in a statement.

Westervelt noted a key change in the updated version of the regulation: “The extension includes a revision to the rules relaxing a requirement holding third parties accountable to the security rules. Under the original law, companies had to attest that a third-party provider was compliant with the regulations.”

As noted to the audience during the question-and-answer session with Anker, SearchCompliance.com recorded a podcast last month with Gerry Young and David Murray of the Massachusetts Office of Consumer Affairs and Business Regulation. The CIO and general counsel, respectively, discuss the details of the new data protection rules:

Massachusetts data protection law mandates IT compliance [Download the MP3]

The provision of third-party compliance as proven by a “WISP” came up during the course the interview, if not under that name. Regardless of the documentation requirements, small businesses and enterprises alike considering outsourcing data protection and encryption compliance will need to make sure that service providers, VARs and consultants certify and appropriately explain where and how their work brings an organization into compliance with the Massachusetts statute.

On a final note, we picked up dozens of followers on Twitter yesterday and earned two kind endorsements of our coverage from PrivacyProf and DanPhilpott. Thank you, Dan and Rebecca!

Windows compliance: Resources on data retention and data protection

As any CIO or compliance officer knows, compliance affects multiple parts of IT infrastructure and the organization as a whole. Strategy, security, storage, networking, records keeping and human resources are all part of the mix. As an editor at SearchCompliance.com, that means I scan the RSS feeds of all of TechTarget’s sites for relevant content, along with those of other compliance news sites from around the Web. Starting today, I’ll be posting a roundup of the resources I think you’ll find useful at this blog.

Recent research into the buying habits of you, our readers, showed that half of our midmarket CIOs are running Windows shops. That information comes as no shock to anyone. Most of the world lives on a Windows desktop, despite the recent inroads made by Mac OS X and Linux. There’s no question that heterogeneous computing environments are a concern for many a sysadmin. That said, Windows compliance is the crucial topic of the day.

So here’s a question for you: Are there unique issues that arise out of Windows compliance?

I’m certain that the answer is “yes” but I’d like to hear more about what system administrators, CCOs and CIOs are experiencing in their everyday working lives. Let me know what you think in the comments or at ahoward@techtarget.com.

In the meantime, here’s that roundup:

If you’re looking for a comprehensive resource, try The Windows Manager’s Guide to IT Compliance e-book. Chapter 1, for instance, offers best practices on establishing an event log audit trail, maintaining the event log, encrypting email or files and keeping an inventory of stored data. You can also download each of the three chapters separately:

• Keeping up with IT compliance
• Managing email server compliance
• Controlling access for file server compliance

Rebecca Herold has been a prolific contributor on the topic of Windows compliance as well. She’s an adjunct professor for the Norwich University Master of Science in Information Assurance program and is well into writing her 11th book. Her articles can be found at PrivacyGuidance.com, Realtime-ITcompliance.com and, of course, at SearchWinIT.com. (You’ll note she’s in our blogroll, down to the right.)

Earlier this month, Herold explained how to keep Windows shops in compliance with data protection laws. Protecting personally identifiable information is a key aspect of compliance in 2009, given new regulations coming down the (Mass) pike. Even if the Massachusetts data protection and encryption law deadline has been extended, it needs to be on your radar.

In past articles, Herold has also explored how to meet data retention compliance in a Windows environment. In her view, Windows managers must take an active role in learning data retention policies and creating procedures to support them.

Similarly, in her tip on meeting compliance requirements in a SharePoint Server environment, Rebecca suggests that before deploying SharePoint Server, IT managers should examine the compliance implications of using the collaboration tool in their Windows environment .

Herold also has written about how the service desk can help Windows shops meet SOX compliance objectives by using IT governance frameworks like COBIT and Microsoft Operations Framework.

Finally, if you’re still procrastinating on completing your IT compliance documentation, do it now.

Lowering the data leakage risk of USB storage

This is a guest post by John Rostern, Jefferson Wells’ Eastern Region Practice Leader for Technology Risk Management. His last post explained why regulatory compliance doesn’t always bring information security.

The ubiquitous nature and growing capacity of computer-removable media — USB hard drives, thumb drives and similar devices — puts the confidentiality, integrity and availability of corporate information at risk. Many organizations still do not include USB storage in their information security policies, and few security managers actively monitor or prevent their use by employees. Organizations need a security strategy that is both flexible and adaptable to deal with the evolving capabilities of these removable media devices.

Regulatory compliance has served to highlight the need to address the security issues created by the increased use of computer-removable media. The focus on risks related to “information leakage” through USB drives of all sorts is heightened by regulations and industry information security initiatives, such as the Payment Card Industry Data Security Standard for credit card companies and merchants.

In the United States, laws such as the Gramm-Leach-Bliley Act for financial companies and the Health Insurance Portability and Accountability Act for healthcare providers and insurers are putting pressure on companies to safeguard personal information stored on computers — or face penalties for security failures.

Members of the European Union (EU) and companies doing business there are further regulated by increasingly stringent privacy laws.  The 1995 EU data protection directive provides regulatory guidance for the processing and transfer of personal information within and outside the EU.

Managing the risk presented by removable media has proven to be difficult for both security professionals and end users because the same features that contribute to the popularity of these devices create a complex security problem. The easy compatibility, small size and high capacity of these USB storage devices require both technical and procedural solutions.

In my experience dealing with clients of all sizes there seems to be a prevalence of point solutions.  Tactical solutions such as disabling or locking down the USB ports may provide a marginal improvement in security, but they do not address monitoring in situations where USB access is required by the business.  Tools that facilitate the management and reporting of such usage, when aligned with an overall policy regarding the acceptable use of removable media, provide the most effective basis for managing this risk.

Organizations should ensure that their overall security architecture includes a combination of technical and procedural countermeasures covering areas such as employee awareness, encryption and device hardening. The countermeasures developed to mitigate specific risks should be factored into both the risk assessment and the ongoing audit plan for the function. Tests to validate the existence and operational effectiveness of these countermeasures should be performed as part of scheduled audits. The results of such testing can positively or negatively affect the risk rating of a functional area.

Editor’s Note: The following four tips and articles offer additional advice and perspective on the risks of USB storage and methods to mitigate exposure.

• How to lock down USB devices
• How to secure mobile data on USB drives for SMBs
• Does the DoD’s ban of USB storage devices mean our enterprise should ban them too?
• Can USB compromise the security of an embedded mobile device?

How will the Massachusetts Data Protection Law affect IT compliance?

The Massachusetts Office of Consumer Affairs and Business Regulation established a significant new regulations in 2008, 201 CMR 17.00: Standards for The Protection of Personal Information. The strict new data protection law was set to take effect on January 1, 2009.

After the shift in the nation’s macroeconomic climate and strong resistance by state business leaders, however, the deadline for compliance with the basic provisions of the law was extended to May 1, 2009.

I’ll be traveling to Waltham to try to livestream the state’s public hearings on the legislation. Assuming that no technical difficulties occur in our use of uStream.com, you’ll be able to watch a webcast of the proceedings and ask question through the integrated chatroom. An archived version of the event will also be available for on-demand viewing.

We’re also preparing a podcast that will examines the new law from the perspective of a compliance software expert, a security expert and the Massachusetts Office of Consumer Affairs and Business Regulation MIS officer. You can expect the podcast to become available later this week.

Dr. John Halamka, CIO of CareGroup Health System and CIO/Dean for Technology at Harvard Medical School, provided some perspective on the relationship of the new MA data protection law to healthcare compliance on his blog.

UPDATE: Due to the expected 4-7″ of snow falling here in Massachusetts, the Greater Boston Network Users Group has cancelled today’s Q&A with David A. Murray, General Counsel and Gerry Young, CIO. Details are posted at the calendar at BNUG.org. We’ll update you when the next hearing is scheduled.