What to do?
1. Build data protection around intrusion detection and access controls.
As contributor John Weathington recommends, begin with a comprehensive data governance and compliance strategy and build data protection practices upon intrusion detection and access controls.
2. Look to the Unified Compliance Framework for common ground.
Compliance professionals and vendors are turning to the Unified Compliance Framework as a common language for overlapping compliance standards.
3. Review our FAQ on mandatory encryption standards and IT operations.
Learn how emerging mandatory encryption standards will affect IT operations.
4. Get a grip on addressing compliance requirements in cloud computing contracts.
As CIOs look to cloud computing for data backup and storage, compliance requirements must be spelled out and met, or the data will be brought back down to earth.
The following compliance resources from SearchSecurity.com will be helpful to IT professionals preparing for renewed security challenges this year.
1. Learn how to create an identity theft prevention plan for FTC Red Flags Rules.
Under the FTC’s Red Flags Rules, all financial institutions and creditors with covered accounts are required to create an identity theft prevention plan. The FTC may have extended the enforcement deadline for the Red Flags Rule to June 1, 2010, but five months will go by quickly.
2. Review this guide to internal and external network security auditing.
Contributor Stephen Cobb covers the baseline network audit processes that a security professional should absolutely conduct regularly.
3. Consider the benefits of ISO 27001 and ISO 27002 certification for your enterprise.
If your enterprise is considering becoming ISO 27001 and 27002 certified, there are several important questions to ask.
4. Get up to speed on privileged account management.
Sarbanes-Oxley compliance requirements and data security concerns are accelerating growth of the privileged account management market.
5. Weigh the pros and cons of end-to-end encryption and tokenization.
Tokenization and end-to-end encryption have emerged as promising technologies, but both have benefits and drawbacks that organizations must weigh.
6. Learn how frameworks and technology can help your PCI DSS compliance efforts.
This mini-guide offers a variety of tips on how organizations can use several frameworks, technologies and standards to help manage PCI DSS efforts and ease the compliance burden.
… that is, if health care compliance is your responsibility.
If you work in healthcare, SearchSecurity.com published a helpful HIPAA compliance manual that will be useful for IT professionals entrusted with health care compliance. Included in the guide is a HIPAA compliance training, audit and requirement checklist, including advice on how to prepare for a security audit.
Here are several other useful stories and tips on health care compliance:
1. Personal health records not measuring up in privacy, say advocates
The federal government has called for greater use of personal health records as part of electronic health record systems. Advocates say PHRs fall short in data control, privacy and security.
2. Growing health information exchanges show lower costs, better care
Some health care organizations such as health information exchanges are showing improved efficiency, lower costs and better patient care using EHRs.
3. Encryption tops new rules of electronic health records compliance
When it comes to electronic health records and personal health information, secure storage can have many meanings, but only one that counts: Encrypt data as many ways as you can.
For more on HITECH and HIPAA compliance, also review:
Hathaway was part of a panel at the International Spy Museum in Washington, D.C., held to draw attention to the growing dangers online as National Cybersecurity Month drew to a close.
“Thank god for Akamai, who redirected a lot of the bandwidth and kept the Department of Transportation and NYSE up and running,” she said, referring to the DDoS attacks on the U.S. government earlier this year. Hathaway highlighted the importance of moving forward on enacting the 25 recommendations included in the cybersecurity report she delivered to the White House.
Her remarks followed the same theme as the speech on cybersecurity threats she delivered to the ArcSight Conference earlier this month.
Hathaway was proud of the attention that the Obama administration has paid to the issue, observing that when President Obama spoke, it was “the first time the leader of any country spoke about cyberspace or cybersecurity for any length of time.” Obama’s speech on cybersecurity is embedded below.
[Embedded video: http://www.youtube.com/v/wjfzyj4eyQM]
Hathaway noted that cybersecurity threats are a personal issue to the president, referring to attacks against his BlackBerry, and to his staff, given “their data breaches, and policy documents that he lost.”
“Many people don’t realize their computer is already infected by a botnet” she said, emphasizing the importance of raising awareness of the risks. “How many people realize that when they buy a thumb drive that it comes with extra executables for marketing purposes to send data home?”
Hathaway called endemic data breaches in the business world “one of the biggest secrets that no one is talking about publicly” and drew attention to a rising tide of electronic fraud worldwide. “In Bulgaria,” she said, “one of our colleagues said you can’t withdraw cash at an ATM unless you have your cellphone and it geolocates you.” How many people now have to put ZIP codes in for gas? “That’s because POS terminals have been hijacked.”
Cybersecurity threats extend beyond fraud, identity theft and data breaches. “There is generally a lack of agreement about what is a crime in cyberspace, much less what is an act of war,” Hathaway said. “In the event of a digital disaster, who is going to restore the infrastructure?” Also key: Who will pay? “It’s not going to be the government,” she said, at least not under current Federal Emergency Management Agency frameworks. “There’s no equivalent of a national disaster in cyberspace yet.”
Building more intelligence and efficiency into the network, however, has relevance to more than energy policy. As a working group of information security professionals determined over the course of the summer, there are significant smart grid privacy concerns to consider.
These considerations can be neatly summarized in the following excerpt from the NIST report: “The major benefit provided by the Smart Grid, i.e. the ability to get richer data to and from customer meters and other electric devices, is also its Achilles’ heel from a privacy viewpoint. Privacy advocates have raised serious concerns about the type and amount of billing and usage information flowing through the various entities of the Smart Grid … that could provide a detailed time-line of activities occurring inside the home.”
As privacy expert Rebecca Herold explains on her blog, smart grid privacy needs to be considered as utilities move to a next-generation infrastructure. Those implications were concisely listed by Herold as follows:
Sarah Cortes, a contributor for SearchCompliance.com, was the project manager for the Privacy Sub-group of the NIST’s Cyber Security Coordination Task Group.
Key points in the current release of the smart grid privacy document include the following issues, according to Cortes:
The body of the privacy group’s work may be found in this draft: NISTIR 7628 Smart Grid Cyber Security Strategy and Requirements (PDF).
Social networking and distributed collaboration sped up report writing for infosec team
One aspect of the report’s generation is worth recognizing: the role that the various collaborative technologies and social networking platforms played in gathering, synthesizing and producing the final deliverable for NIST. As Cortes explained in an email, preparing the current release of the Smart Grid privacy document included the following considerations:
According to Christophe Veltsos, a Midwestern-based information security professional who participated in the NIST CSCTG, the team used the suite of collaborative technologies common to many enterprises in late 2009.
“Gal Shpantzer and I used Google Docs to do live edits, both of us working at the same time,” said Veltsos. “We used either a live phone line or GChat to help facilitate the conversation.” The team members, including Herold, also used email, free conference-calling websites and tweets to send quick bursts of info/updates to each other.
Cortes also said NIST involved Twitter users from the start.
UPDATE: Christophe Veltsos wrote to correct the record on the central role that DC-based information security consultant Gal Shpantzer played in organizing the CSCTG. Veltsos points out that “while Sarah was the project manager, Gal was the catalyst and is considered by NIST to be the team leader of the privacy group.”
“When forming the group, NIST staff turned to the industry professionals they most respected across the U.S.: members of Twitter’s online information technology privacy, compliance and security community,” she explained. “One by one, Gal recruited respected members of the IT professional community, met with prospective members in person at times, and sought out suggestions for additional members. All prospective members could quickly and easily be thoroughly checked out as far as qualifications, accomplishments, and references, all informally through common Twitter features. The breadth and depth of advisory group members was substantial compared to similar panels formed with more traditional methods taking far longer.”
According to Cortes, “Twitter has become the medium of choice for networking IT professionals for a few reasons, among them:
If you have thoughts and comments about either smart grid privacy or the utility of social networking for collaboration between compliance and security professionals, please leave them in the comments. Or, if you like, @reply on Twitter. You’ll find SearchCompliance.com there under @ITcompliance, as well as this author as @digiphile.
While no apparent damage to privacy or sensitive data has occurred through this XSS exploit, the lesson from the past 24 hours is that a social media usage policy needs to be drafted, promulgated and enforced ASAP.
Although Ben Parr wrote on the social media blog Mashable that the Twitter exploit had been fixed, echoing Twitter staff comments, Naylor followed up today with evidence that the Twitter exploit still works – just visit @APIfail2 for a (harmless) example. You’ll need to view the account using a Web browser, given that third-party clients are not affected by the issue.
TechCrunch has picked up the lack of resolution to the Twitter security issue. Robin Wauters, the author of the post, has sought further comment from the startup. Although the security team at the online social messaging startup is no doubt working overtime to address the issue in a more substantive way, this episode only adds fresh concerns about the Twitter security risks I reported on in June. Twitter may need to hire a CISO soon.
Such online security concerns, however, are hardly limited to Twitter. If anything, Facebook is an even bigger target, both because of its size and the likelihood of more personal information in profiles. That reality hasn’t gone unnoticed by hackers, as rogue Facebook phishing applications popped up last week.
What does all this mean for the compliance and security community? It’s time to get serious about addressing the risk by drafting a social media policy that uses available DLP technology, sets expectations for online privacy and, perhaps most importantly, includes user education about Web app security, social engineering and phishing. As I reported earlier this month in a story exploring social media and compliance, “fewer than one-third of respondents in a recent survey said their organization had a policy in place governing social media use” – and “only 10% of the companies surveyed indicated that they had conducted employee training on such use.”
According to another survey, from security firm AVG, only 27% of social networking users are taking steps to protect themselves against similar online threats. According to “Bringing Social Security to the Online Community,” conducted with the CMO Council, 20% of social networking users have been the victim of. 55% experienced a phishing attack. And 47% said that they’ve had to deal with malware. Stark numbers.
In other words, if social media security wasn’t on your task list already, it should be now.
As a former editor at WhatIs.com, I’m familiar with the thousands of tips, news stories and learning resources around the network. For the time-starved reader, especially a busy compliance professional, simply being aware of what compliance resources are available can be a challenge. Here’s the best of what you’ll find on our sister sites from the past months:
CIOs and compliance
On SearchCIO.com, senior news writer Linda Tucci writes that according to research consultancy Gartner, IT security jobs will morph into risk management. The work of our contributors and the IT practitioners we talk to here at SearchCompliance.com confirm this trend. The staff at SearchCIO.com also put together a briefing on enterprise risk management solutions for CIOs and a selection of information security and IT governance guides for CIOs.
SearchCIO-Midmarket.com’s associate site editor, Kristen Caretta, also recently interviewed iRobot CIO Jay Leader. During the video interview, Leader addresses the importance of a solid IT strategy – no small issue for this midsized company that must maintain a high level of security and secrecy given its defense contracts.
Compliance in the cloud
Tucci is similarly focused on the compliance issues that are presented to the enterprise CIO considering cloud computing for data backup and storage. In addressing compliance requirements in cloud computing contracts, as Tucci makes clear, regulatory compliance requirements must be both expressly defined and then addressed – “or the data brought back down to earth.”
One of TechTarget’s newest websites, SearchCloudComputing.com, naturally has published stories on similar issues. In “Cloud computing skepticism: IT security and compliance,” research director Andi Mann explores whether security and compliance concerns in the cloud can be reconciled.
Compliance and Security
Over at SearchSecurity.com, you’ll find dozens of resources in its audit, compliance and standards topical section. You can watch instructional videos about testing PCI compliance requirement 11 or using IAM tools to improve compliance.
Recent news included coverage of MasterCard’s increase in PCI compliance requirements for some merchants (Visa says it won’t follow suit) and the increasing risk of identity theft, in “Researchers predict SSNs, crack algorithm putting identities at risk.”
Security expert David Mortman recently addressed the recent changes to HIPAA regulations that resulted from the HITECH Act in “HIPAA compliance: New regulations change the game.” Enterprise security teams charged with safeguarding PHI will find his insights useful. Mortman has also written this month about how to find virtual machines for greater virtualization compliance.
We’ve also partnered with SearchSecurity.com to produce both events and in-depth content like the recent log management e-book. Download the e-book (free registration required) to learn how automation can reduce the operational burdens of regulatory compliance.
SearchFinancialSecurity.com, given its focus on the financial industry, naturally features content to help security officers in that highly regulated vertical manage compliance. For instance, in “Tokenization and PCI compliance,” Ed Moyle explains what this relatively new technology may mean for the protection of sensitive credit card data. Our sister website also includes a video on Red Flags Rule compliance featuring John Carlson, senior vice president of regulatory affairs for BITS, a division of the Financial Services Roundtable.
Compliance and the channel
Our colleagues at SearchSecurityChannel.com are also covering the security aspects of compliance. As Neil Roiter writes in “Vulnerabilities, regulatory compliance drive data protection market,” while risk and vulnerability management are the two headings under which security spending often falls, the ultimate goal of both is data protection.
SearchSystemsChannel.com also features compliance coverage, in particular the specific U.S. laws and regulations that represent compliance and security concerns for Microsoft Office SharePoint.
Compliance and storage
Over at SearchSMBStorage.com, contributor Kevin Beaver recently wrote about making sense of regulatory compliance and data storage for SMBs.
If you found this roundup useful, please let us know at editor@SearchCompliance.com or at @ITCompliance on Twitter. If so, I’ll do it again in August.
I talked with Erin Jacobs, chief security officer for UCB Inc., about Twitter security. If you haven’t found her on Twitter yet, she tweets as @SecBarbie. She sent her list of top information security threats about Twitter to us via email, which we published below.
Since Twitter communicates over ports 80 and 443, there really isn’t much to protect users from inadvertently bringing malicious code into the network. Bit.ly and other URL shorteners can easily send users to different addresses than the user expects.
Improper use of Twitter
Direct messages are not secure email. Education about potential vulnerabilities is essential for executives and top-level management to understand that they must keep business off of Twitter. Issues around human resources and online harassment are also a consideration.
You can vote on what your primary Twitter security concern is on Twtpoll. The results, as of today, are embedded below:
As you’ll see, insecure third-party apps leading to stolen accounts is (currently) the top answer – it’s an issue of natural concern to Twitter users. Coming in second, however, was Erin’s concern over data leaks of confidential or proprietary information. Information security threats are at the top of any CISO’s list; add Twitter security to the list.
Each of these information security threats is valid for other social networking platforms or services as well, like LinkedIn and, in particular, Facebook. Issues around Twitter security and social media in general were frequently discussed at this past week’s Enterprise 2.0 Conference in Boston and at the RSA Conference earlier this year, where Web application security was at the top of the information security threats list.
As his bio notes, Barach is the founder of Boston Privacy Group, a privacy consulting firm, and the former Internet and Information Privacy Counsel for the New York State Consumer Protection Board (CPB).
Barach will be writing the Think Privacy blog, which will address “timely privacy topics including behavioral advertising, Red Flag Rules, the new Massachusetts regulations, HIPAA, GLBA, data transfer, cloud computing and other emerging privacy issues, laws, regulations and challenges that organizations will continue to face.”
Since those are all issues and areas we cover, you can expect his posts to show up in our RSS reader. His first post, “The Red Flags Rules are coming, the Red Flags are coming – NOT,” addresses the recent announcement by the FTC that they “will grant a three-month delay of enforcement of ‘Red Flags’ Rule requiring creditors and financial institutions to adopt identity theft prevention programs.” Barach helpfully linked to the FTC announcement.
As readers of SearchCompliance.com know, enforcement of the Red Flags Rule has been approaching for some time. Compliance and security professionals alike will now have three more months to get their regulatory ducks in a row.
Information Security Officers, IT professionals and consulting firms have been telling the companies for whom they work to do this for years. But many firms, even those that are highly regulated, have traditionally taken a wait-and-see approach since they can’t seem to find the ROI. Locking down USB ports, encrypting hard drives and encrypting mail that contains sensitive data is just too “inconvenient” for them. I ask them, “What’s your reputational risk worth?”
This legislation goes hand in hand with the Red Flags Identity Theft Prevention rule that went into effect Nov. 1, 2008, for similar types of business. After a deeper look, it was determined that there were more than 10 million businesses throughout the country that would need to be examined. That’s nearly 10 million more than the number of examiners in the field to assess them.
While a great deal of the focus for Red Flags is certainly on the banking industry, in terms of governance and enforcement, my car dealer never heard of it. Neither has my attorney friend, who is the compliance officer at the insurance agency that wrote my general liability and errors & omissions policy and also provides my life insurance. They have no such program in place. And what about the gas station that still uses multipart forms to take my credit card information? I better ask the attendant how their efforts are going to comply with MA 201 CMR 17.00 before I fill up.
Legislation is great, if practical, but governance and enforcement is even better. I’d love to hear how the regulators plan to enforce it for those outside the banking sector, which at least makes a strong effort to comply and do the right thing. I also wonder about vendor management. Third-party providers must comply with the regulation by Jan. 1. Thus, it’s incumbent upon those who use third parties to ensure that those controls are in place at those third-party companies.
For the banking industry, the third key point of GLBA 501(b) requires oversight of service providers, meaning that even though you’ve assigned your risk by outsourcing a function or process to another company, you’re not relieved of your responsibility to ensure that controls are in place to protect sensitive data and systems. Heartland sound familiar? Hannaford sound familiar? TJX ring a bell? There are many others out there as well but just not as high profile. There’s always a box of tapes with a few hundred thousand customer names, account numbers and SSNs that’s been lost or misplaced or that fell off the truck. Or a dumpster that’s been raided for the sensitive info that employees have haphazardly discarded, despite policy for proper destruction and disposal.
A formal vendor management program is a requirement! And the banking sector has seen tighter and tighter regulatory scrutiny and examiner focus in this specific area over the past year or two, but there’s still a long way to go. There are very specific components to a sound and compliant vendor management program. These include vendor inventory, status tracking, periodic monitoring, due diligence, contract review, risk rating, reporting and policies and procedures. This is a long haul for those not in the heavily regulated banking sector. So, again, it will come to being all about governance and enforcement and the penalties for noncompliance to make this legislation effective.
And my final thought is that Massachusetts should at least be commended for taking a stand. I’ve read countless critiques of the legislation but haven’t seen anyone state in writing that MA should be commended for doing something to try to protect the consumer. Any time you stick your neck out, you’re bound to get slapped.
These incidents have shifted a great deal of focus onto three types of IT initiatives:
Two of the most fundamental types of detection and control strategies, however, are often overlooked:
COBIT and most security frameworks consider these controls sine qua non. Unfortunately, neither fundamental is as sexy as IDS or hackers, and thus each receives scant press attention.
Database logging is the practice of creating a record of direct access to high-risk data in high-risk databases. It excludes access through user interfaces, so it accurately filters out client or user access. Instead, it records all identities that directly access the data. This would include database administrators, possibly system administrators and likely anyone else who has been granted write privileges into your database.
Are you aware of everyone in your organization who has write access to your high-risk data in your high-risk databases? Do you doubt anyone could possibly have direct access to the banking deposit, withdrawal transactions or trading buys and sells in your firm’s Fortune 500 database?
Let me assure you, they do.
Every firm has individuals to whom this access has been granted. No firm could function without them. Senior business officials often react with outrage and tough talk about firing anyone granting such access to their IT staff. But the reality is that these senior officials should look more closely at both themselves and any budgeting choices that may have denied database upgrades that could have precluded the need for such access. Many institutions have not adequately invested in their applications and database upgrades. As a result, some hapless DBA is often left tasked with daily, high-risk manual database “fixes” to keep business running. The DBA is then blamed if problems crop up as a result.
There are many reasons firms can and do grant write access to IT staff. The primary reasons include:
Monitoring privileged access is a fundamental compliance practice. Such monitoring should include a daily automated report that the Information Security Officer (ISO) personally reviews and signs off with his or her initials. Yes, a daily signature. This report alone will likely raise many useful questions. Once monitoring of privileged access is addressed, the daily database logging report should similarly be placed in front of the ISO each day for personal review and sign-off.
In my next post, I’ll give specifics on how to build these reports so they actually capture the violation information you need. There is nothing worse than the false security of a violation report that does not actually capture the required information. Your auditors will know the difference. So should you.
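As an added illustration of the database logging report described above (example code written for this page, not the author’s or any vendor’s report; the pipe-separated audit lines, account names, high-risk table names and approved-writer list are all constructed), the following script separates access that arrives through the application tier from direct access, keeps only write statements against high-risk tables, and flags any identity that is not on the ISO’s approved list:

```python
"""Daily direct-write report for high-risk tables, built from database audit log lines.

Added example with constructed data; field layout and account names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit log (pipe-separated), not taken from any real system.
# Fields: timestamp | database account | OS user | client program | statement | object
AUDIT_LOG = """\
2009-11-02T08:01:13|app_svc|appserver|banking-web|SELECT|ledger.deposits
2009-11-02T08:02:44|app_svc|appserver|banking-web|INSERT|ledger.deposits
2009-11-02T09:15:02|dba_jsmith|jsmith|sqlplus|UPDATE|ledger.withdrawals
2009-11-02T09:16:30|dba_jsmith|jsmith|sqlplus|SELECT|ledger.withdrawals
2009-11-02T11:40:51|root|root|psql|DELETE|trading.orders
2009-11-02T13:05:09|analyst_kho|kho|toad|UPDATE|trading.orders
2009-11-02T13:06:00|analyst_kho|kho|toad|SELECT|trading.orders
2009-11-02T14:22:17|dba_jsmith|jsmith|sqlplus|ALTER|ledger.deposits
2009-11-02T15:00:00|app_svc|appserver|banking-web|UPDATE|hr.salaries
"""

# Assumed inventory of high-risk objects and of the statements that change data or schema.
HIGH_RISK_OBJECTS = {"ledger.deposits", "ledger.withdrawals", "trading.orders"}
WRITE_STATEMENTS = {"INSERT", "UPDATE", "DELETE", "ALTER", "DROP", "TRUNCATE", "GRANT"}
# The application tier reaches the database only through this account and program
# (assumed). That is the "user interface" path the report deliberately excludes.
APPLICATION_PATHS = {("app_svc", "banking-web")}
# Identities the ISO has approved for direct writes (assumed privileged-access inventory).
APPROVED_DIRECT_WRITERS = {"dba_jsmith"}


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    db_account: str
    os_user: str
    program: str
    statement: str
    obj: str


def parse_audit_log(text):
    """Parse the pipe-separated audit lines; reject malformed lines rather than skip them."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 6:
            raise ValueError(f"line {n}: expected 6 fields, got {len(parts)}")
        events.append(AuditEvent(*parts))
    return events


def is_direct_access(ev):
    """Anything not routed through the application's own service account is direct."""
    return (ev.db_account, ev.program) not in APPLICATION_PATHS


def direct_write_report(events):
    """Summarise direct writes to high-risk objects per identity and flag unapproved ones."""
    writes = defaultdict(list)
    for ev in events:
        if is_direct_access(ev) and ev.statement in WRITE_STATEMENTS and ev.obj in HIGH_RISK_OBJECTS:
            writes[ev.db_account].append(ev)
    return {
        acct: {
            "os_users": sorted({e.os_user for e in evs}),
            "statements": sorted({e.statement for e in evs}),
            "objects": sorted({e.obj for e in evs}),
            "count": len(evs),
            "approved": acct in APPROVED_DIRECT_WRITERS,
        }
        for acct, evs in sorted(writes.items())
    }


def format_report(report, day):
    """Render the daily report with a sign-off line for the ISO's initials."""
    lines = [f"Direct-write report for {day}  (ISO review and initials required)"]
    for acct, row in report.items():
        flag = "" if row["approved"] else "  ** NOT ON APPROVED LIST **"
        lines.append(f"  {acct:<12} writes={row['count']} {','.join(row['statements'])} "
                     f"on {','.join(row['objects'])} as {','.join(row['os_users'])}{flag}")
    lines.append("Reviewed by: ____________  Initials: ____")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(direct_write_report(parse_audit_log(AUDIT_LOG)), "2009-11-02"))
```

The application service account’s own writes (including the one against hr.salaries) never appear, while root and the analyst account surface as unapproved direct writers that the ISO must explain or revoke.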