Information security

Sep 28 2009   9:23PM GMT

Information security and compliance resources from around TechTarget

Posted by: Alexander Howard
Information security, Health care, PCI DSS, Health Insurance Portability and Accountability Act, policy, Wired Equivalent Privacy, Security, Payment card industry, IT compliance, compliance, HITECH

The laws and regulations that CIOs and CISOs must understand and reflect in their operations are by nature applicable to many different areas of information technology. As a recent study on the privacy profession showed, privacy policy success lies in collaboration with IT. Finding good compliance resources to keep abreast of news and technologies is crucial.

The diversity of stakeholders involved in IT compliance is reflected in the many compliance resources that are published each month across the TechTarget network of IT media. For instance, this month’s Storage Decisions Conference explored how storage managers must explain retention, email archiving and compliance.

At SearchOracle.com, there’s news about how Oracle updated Agile PLM for food and beverage compliance, allowing manufacturers to better analyze ingredients for safety.

At SearchFinancialSecurity.com, a new story explores full disk encryption, which is fast becoming a priority for laptop security in midmarket companies given increasing fears of data breaches. The article explains how to choose full disk encryption for laptop security, compliance.

Earlier this year, SearchNetworking.com ran “New PCI compliance rules ban WEP, tighten wireless LAN security.”

PCI DSS compliance

Since security and compliance are bound closely together, it should come as no surprise that SearchSecurity.com features new compliance resources regularly. That’s particularly true when it comes to PCI compliance.

Last week, site editor Rob Westervelt wrote “PCI virtualization SIG closer to proposing changes to standard.” Westervelt writes that the PCI Virtualization Special Interest Group, which has been studying virtualization for the payment card industry (PCI), is close to issuing guidance ways to maintain PCI DSS compliance when using virtualization.

For more on PCI, editorial director’s Kelley Damore feature about what PCI compliance really means in September’s issue of Information Security magazine has a plethora of useful links.

Elsewhere on SearchSecurity.com, Eric Holmquist offered guidance on strategies for using technology to enable automated compliance.

Given that schools are back in session, IT admins entrusted with securing the records of students may find security expert David Mortman’s explanation for how to prepare for a FERPA audit useful.

Mortman also provides useful advice on a PCI DSS requirement for monitoring and testing security, PCI DSS compliance: ensuring data integrity and understanding PCI DSS compliance requirements for log management.

And “across the pond,” SearchSecurity.uk.co wrote about new products that aim to streamline compliance efforts.

Healthcare compliance

SearchSecurity.com also publishes compliance resources that serve the fast-moving healthcare field, including stories like “FTC extends breach notification to Web-based health repositories” and “HIPAA compliance manual: Training, audit and requirement checklist.”

Again, Mortman provides expert advice on this areas, including guidelines to create a HIPAA-compliant data center, HHS HIPAA guidance on encryption requirements and data destruction and information on writing a patient identifier policy to prevent common HIPAA violations.

We’ve been covering healthcare at SearchCompliance.com as well, along with our sister site, SearchCIO.com, where senior writer Linda Tucci recently wrote that health care security and HIPAA compliance are on deck for CIOs.

We published “HITECH changes the game, but HIT standards still on way” this morning, in fact, following on our FAQ on the HITECH Act’s impact on IT operations and a tip about when is a data breach under HITECH is really ‘discovered.’

Here’s hoping you find these compliance resources useful in your own efforts. If you have other websites you regularly visit to find compliance resources to help you meet regulatory mandates, please let us know in the comments.

Sep 11 2009   8:46PM GMT

The fundamentals of information security for SMBs — easy to read, free

Posted by: Linda Tucci
Information security, NIST

Information security pros weary of explaining the basics of protecting their companies’ information, systems and networks to employees who really don’t want to be bothered might want to take a look at “Small Business Information Security: The Fundamentals.” This straightforward, easy-to-read, free guide from the National Institute of Standards and Technology (NIST) is aimed at SMBs with up to 500 employees, as its title states. I think it would prove just as useful for employees at remote offices where IT staffs are small or nonexistent and it’s important that employees bear responsibility for information security. The draft guide, slated for final form by October, is written for people with little or no technical expertise. Author and NIST computer scientist Richard Kissel said the decision to keep the fundamentals, well, fundamental, stemmed from many years on the road teaching small business owners how to make themselves “less of a target” for malicious attacks and security snafus.

“What we found was that our audiences weren’t technical at all. They were small-business people. They were mechanics, they were printers, they were doctors and dentists. They were good at what they did, but what they did was not IT and it wasn’t information security,” Kissel said. “They had no idea what to do.”

The 20 pages of advice lay out 10 “absolutely necessary” actions, 10 “highly recommended” and include a section on business continuity and disaster recovery. Worksheets for prioritizing and protecting data, as well as estimating the cost of bad stuff happening to that data, round out the packet.

If you don’t think users would appreciate the primer, it might make an early holiday gift for those neighbors and relatives who call you in a panic when viruses, spam or other nastiness put their computers out of commission. I enjoyed it, then promptly sent a copy to my 20-something daughter, who, like most employees her age, takes her work wherever she goes, turning her personal laptop into a small business.

Aug 25 2009   5:29PM GMT

Capability and Maturity Model Creation in Information Security

Posted by: Alexander Howard
Security, Information security, PCI DSS, International Organization for Standardization, Information security management system, Payment card industry, CMM, compliance

This is a guest post from Secure Payments and Chaordic Design Evangelist Michael Dahn. He blogs frequently about PCI and information security at ChaordicMind.com. Contact him there or follow @sfoak on Twitter.

One of the problems that many companies face is staying ahead of the information security curve. Go too fast and you run the risk of wasting capital, but run too slow and you run the risk of being compromised. So how a company can escape the hamster wheel of pain? Be proactive in managing risk and implementing a maturity framework for the organization.

In an attempt to balance the two domains of cost and security, a continual tradeoff, many companies have implemented regulatory compliance standards. These are good tools for measuring ones security to a known industry baseline. The classic example of this is the Payment Card Industry Data Security Standard (PCI DSS). Using standards like PCI DSS, companies can measure their adherence to eliminating sensitive data and protecting the remaining in-scope systems.

There are two problems with aligning an entire information security model along any singular guideline. It should be noted that, in the absence of any information security program, PCI DSS is a very good baseline standard.

The first challenge is the 0-to-100 problem. Some companies start with no information security program and try to adhere to something like PCI DSS. Much like measuring the acceleration of a car by how fast it can go from 0 to 100 miles per hour, these companies struggle with getting from 0 to 100 percent compliance in under 12 months. For these companies this means implementing security for the sake of a deadline, which means not always having the time to test what works and what does not.

The second challenge is the security limiter problem. Once companies reach 100 percent adherence to a given standard, many times they stop developing their information security program. These companies then enter a vicious cycle of identification and remediation. Each year, their auditors alert them to a new set of issues and, each year, the companies fix those and then relax until the following year.

So how do we escape this endless cycle of identification and remediation? How do we provide a way for companies to go from 0 mph to 50 mph in year one, 50 to 100 in year two, and still be inspired to go from 100 to 150 in year three? How do we become proactive instead of being reactive? One option for addressing these problems is the capability maturity model (CMM) that involves risk management.

A CMM is nothing new or innovative. It’s a useful approach for managing the maturity in a system. The Computer Security Handbook 4th Edition reveals that CMMs originated from software development. This book states that a CMM “can be used as a way to assess the soundness of a security product builder’s engineering practices during the many stages of product development.” If a CMM can be used for measuring the soundness of engineering practices, then why not leverage it to measure the soundness of information security practices?

A maturity model encourages continual growth rather than strict adherence to Procrustean boxes of information security. It’s the mathematical equivalent of the integral or the continual variable transmission of an automobile. It provides a smooth curve instead of designated endpoints of information security. For companies suffering from the 0-to-100 problem, a maturity model enables growth from 0-to-50 initially, with the projection of moving from 50-to-100 at a later date. Companies that suffer from the security limiter problem have the ability to continuously and proactively plan information security development to parallel growing business needs, instead of an independent set of criteria.

The Information Security Management Maturity Model (ISM3, or ISM-cubed) provides us with the intersection of information security and a maturity model for growing an information security program. ISM3 describes the process this way:

“Rather than focusing on controls, it focuses on the common processes of information security, which are shared to some extent by all organizations.

Under ISM3, the common processes of information security are formally described, given performance targets and metrics, and used to build a quality assured process framework. Performance targets are unique to each implementation and depend upon business requirements and resources available. Altogether, the performance targets for security become the Information Security Policy. The emphasis on the practical and the measurable is what makes ISM3 unusual, and the approach ensures that ISM systems adapt without re-engineering in the face of changes to technology and risk.”

In fact, the ISM3 is based in part on extending the Systems Security Engineering Capability Maturity Model (SSE-CMM), which is ISO standard 21827. The SSE-CMM “describes the essential characteristics of an organization’s security engineering process that must exist to ensure good security engineering.”

In addition, consider the Building Security in Maturity Model (BSIMM), which is “designed to help you understand and plan a software security initiative.” As well there is the, Open Software Assurance Maturity Model (OpenSAMM) project that can “help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.” These frameworks exist as tools for helping develop the maturity of organizations and software through the use of measured metrics.

And metrics is where all the magic really happens. Only by measuring the maturity of an organization and matching it to the development and progress of known attacks can we demonstrate that we are maintaining the balance between costs and security. There is a saying that if you and your friend are being chased by a bear, you don’t need to outrun the bear — you need only outrun your friend. In the world of ever-increasing compromises, many companies struggle to stay ahead of the curve. A maturity model, with proper metrics, can help your organization do just that. The best part? Companies that implement a maturity model and show measured growth are many times more likely to adhere to industry standards such as the PCI DSS.

Aug 20 2009   6:09PM GMT

Amended Massachusetts data protection act focuses on risk management

Posted by: Sarah Cortes
Federal Trade Commission, risk management, Information security, consumer protection, Security, Gramm-Leach-Bliley Act, FTC, 201 CMR 17.00, Massachusetts’ Data Privacy Law, privacy, data protection, regulation, compiance, IT compliance

As Alexander Howard reported earlier today, the Massachusetts data protection law has been amended. The revised data privacy regulations — 201 CMR 17.00, “Standards for the Protection of Personal Information of Residents of the Commonwealth” — include several key updates. If you are an information security professional, take note of these changes, as they will likely have practical implications.

The most immediate impact is the provision for an additional 60 days to comply with the regulations. The deadline for implementation is now March 1, 2010.

Individuals and municipalities have expressly been removed from guideline jurisdiction, with a clarification that the “regulation applies to those engaged in commerce.” Guidelines on the requirement for a written information security plan are now simplified.

A new definition for the term service provider was added. The Office of Consumer Affairs and Business Regulation also amended third-party vendor rules. There is now a two-year grace period, relative to existing contracts, and requirements for those third parties to be in compliance.

Encryption requirements have been clarified. The apparently strict but, practically speaking, vague 128-bit specification from the prior version was replaced by “technology-neutral language.”

Further, a “technical feasibility” standard has been incorporated, acknowledging that methods to securely encrypt data on portable devices may not yet be available. Email encryption now falls under the technical feasibility standard. Additionally, encryption of backup tapes has been clarified to include prospective encryption. So you may safely cancel your firm’s plans to encrypt existing backup tapes. Encrypting new backup tapes will still be required, along with any personal data that travels over the public Internet or wireless network.

In another change that I believe will ultimately enhance consumer protection, 201 CMR 17.00 has been brought in line with certain federal regulations. Specifically, the Massachusetts data protection act now cedes authority to the Federal Trade Commission’s (FTC) standards established under the Gramm-Leach Bliley Act (GLBA). GLBA utilizes a risk management approach to data security.

The patchwork of 44 different state health data protection laws has delayed electronic automation of, and therefore overall security for, health records. Adopting a federal standard, starting with the FTC’s risk-based approach to data protection, avoids this pitfall and may make widespread compliance both more feasible and more likely in the near future.

On one hand, a risk management approach should be familiar to IT professionals. It shifts resources from “check-the-box” controls that may or may not address a particular organization’s specific risks to controls that make more sense in context. On the other hand, given the concrete definition of the personal information in scope, it is difficult to see where risk management would not be present whenever such personal data is stored.

“Mandating every component of a program and requiring its adoption, regardless of size and the nature of the business and the amount of information that requires security, makes little sense in terms of consumer protection,” said Bradley MacDougall, of Associated Industries of Massachusetts. Risk management and assessment will afford more consumer protection by matching a given business’ actual risks with required security investments.

Aug 17 2009   9:22PM GMT

201 CMR 17 FAQ: Updates to Massachusetts data protection law

Posted by: Alexander Howard
FTC, Security, Information security, Personally identifiable information, Information privacy, privacy, 201CMR17, data protection, encryption, compliance

Earlier today, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued an update to 201.CMR.17, the Massachusetts data protection law. The deadline for implementation has now been extended until March 1, 2010.

In an interview with SearchCompliance.com, Undersecretary Barbara Anthony stated that “consumer protections have not been weakened in this amendment. Monitoring, reviewing the scope of security measures – and encryption is still required if you are going to transmit resident PII over public networks. What we’ve tried to do here is to not impose additional burdens which weren’t involved in the consumer protections.”

With the permission of the OCABR, we are posting the FAQ released by the office in full and unedited below. We will post the rest of Anthony’s comments tomorrow, along with further analysis of the changes referenced below.

What are the differences between this version of 201 CMR 17.00 and the version issued in February of 2009?

There are some important differences in the two versions.

First, the most recent regulation issued in August of 2009 makes clear that the rule adopts a risk-based approach to information security, consistent with both the enabling legislation and applicable federal law, especially the FTC’s Safeguards Rule. A risk-based approach is one that directs a business to establish a written security program that takes into account the particular business’ size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security. It differs from an approach that mandates every component of a program and requires its adoption regardless of size and the nature of the business and the amount of information that requires security. This clarification of the risk based approach is especially important to those small businesses that do not handle or store large amounts of personal information.

Second, a number of specific provisions required to be included in a business’s written information security program have been removed from the regulation and will be used as a form of guidance only.

Third, the encryption requirement has been tailored to be technology neutral and technical feasibility has been applied to all computer security requirements.

Fourth, the third party vendor requirements have been changed to be consistent with Federal law.

To whom does this regulation apply?
The regulation applies to those engaged in commerce. More specifically, the regulation applies to those who collect and retain personal information in connection with the provision of goods and services or for the purposes of employment.

The regulation does not apply, however, to natural persons who are not in commerce.

Does 201 CMR 17.00 apply to municipalities?
No. 201 CMR 17.01 specifically excludes from the definition of “person” any “agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.” Consequently, the regulation does not apply to municipalities.

Must my information security program be in writing?
Yes, your information security program must be in writing. The scope and complexity of the document will vary depending on your resources, and the type of personal information you are storing or maintaining. But, everyone who owns or licenses personal information must have a written plan detailing the measures adopted to safeguard such information.

What about the computer security requirements of 201 CMR 17.00?
All of the computer security provisions apply to a business if they are technically feasible. The standard of technical feasibility takes reasonableness into account. (See definition of “technically feasible” below.) The computer security provisions in 17.04 should be construed in accordance with the risk-based approach of the regulation.

Does the regulation require encryption of portable devices?
Yes. The regulation requires encryption of portable devices where it is reasonable and technically feasible. The definition of encryption has been amended to make it technology neutral so that as encryption technology evolves and new standards are developed, this regulation will not impede the adoption of such new technologies.

Do all portable devices have to be encrypted?
No. Only those portable devices that contain personal information of customers or employees and only where technically feasible The “technical feasibility” language of the regulation is intended to recognize that at this period in the development of encryption technology, there is little, if any, generally accepted encryption technology for most portable devices, such as cell phones, blackberries, net books, iphones and similar devices. While it may not be possible to encrypt such portable devices, personal information should not be placed at risk in the use of such devices. There is, however, technology available to encrypt laptops.

Must I encrypt my backup tapes?
You must encrypt backup tapes on a prospective basis. However, if you are going to transport a backup tape from current storage, and it is technically feasible to encrypt (i.e. the tape allows it) then you must do so prior to the transfer. If it is not technically feasible, then you should consider the sensitivity of the information, the amount of personal information and the distance to be traveled and take appropriate steps to secure and safeguard the personal information. For example, if you are transporting a large volume of sensitive personal information, you may want to consider using an armored vehicle with an appropriate number of guards.

What does “technically feasible” mean?
“Technically feasible” means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.

Must I encrypt my email if it contains personal information?
If it is not technically feasible to do so, then no. However, you should implement best practices by not sending unencrypted personal information in an email. There are alternative methods to communicate personal information other through email, such as establishing a secure website that requires safeguards such as a username and password to conduct transactions involving personal information.

Are there any steps that I am required to take in selecting a third party to store and maintain personal information that I own or license?
You are responsible for the selection and retention of a third-party service provider who is capable of properly safeguarding personal information. The third party service provider provision in 201 CMR 17.00 is modeled after the third party vendor provision in the FTC’s Safeguards Rule.

I have a small business with ten employees. Besides my employee data, I do not store any other personal information. What are my obligations?
The regulation adopts a risk-based approach to information security. A risk-based approach is one that is designed to be flexible while directing businesses to establish a written security program that takes into account the particular business’s size, scope of business, amount of resources and the need for security. For example, if you only have employee data with a small number of employees, you should lock your files in a storage cabinet and lock the door to that room. You should permit access to only those who require it for official duties. Conversely, if you have both employee and customer data containing personal information, then your security approach would be more stringent. If you have a large volume of customer data containing personal information, then your approach would be even more stringent.

Except for swiping credit cards, I do not retain or store any of the personal information of my customers. What is my obligation with respect to 201 CMR 17.00?
If you use swipe technology only, and you do not have actual custody or control over the personal information, then you would not own or license personal information with respect to that data, as long as you batch out such data in accordance with the Payment Card Industry (PCI) standards. However, if you have employees, see the previous question.

Does 201 CMR 17.00 set a maximum period of time in which I can hold onto/retain documents containing personal information?
No. That is a business decision you must make. However, as a good business practice, you should limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected and limit the time such information is retained to that reasonably necessary to accomplish such purpose. You should also limit access to those persons who are reasonably required to know such information.

Do I have to do an inventory of all my paper and electronic records?
No, you do not have to inventory your records. However, you should perform a risk assessment and identify which of your records contain personal information so that you can handle and protect that information.

How much employee training do I need to do?
There is no basic standard here. You will need to do enough training to ensure that the employees who will have access to personal information know what their obligations are regarding the protection of that information, as set forth in the regulation.

What is a financial account?
A financial account is an account that if access is gained by an unauthorized person to such account, an increase of financial burden, or a misappropriation of monies, credit or other assets could result. Examples of a financial account are: checking account, savings account, mutual fund account, annuity account, any kind of investment account, credit account or debit account.

Does an insurance policy number qualify as a financial account number?
An insurance policy number qualifies as a financial account number if it grants access to a person’s finances, or results in an increase of financial burden, or a misappropriation of monies, credit or other assets.

I am an attorney. Do communications with clients already covered by the attorney-client privilege immunize me from complying with 201 CMR 17.00?
If you own or license personal information, you must comply with 201 CMR 17.00 regardless of privileged or confidential communications. You must take steps outlined in 201 CMR 17.00 to protect the personal information taking into account your size, scope, resources, and need for security.

I already comply with HIPAA. Must I comply with 201 CMR 17.00 as well?
Yes. If you own or license personal information about a resident of the Commonwealth, you must comply with 201 CMR 17.00, even if you already comply with HIPAA.

What is the extent of my “monitoring” obligation?
The level of monitoring necessary to ensure your information security program is providing protection from unauthorized access to, or use of, personal information, and effectively limiting risks will depend largely on the nature of your business, your business practices, and the amount of personal information you own or license. It will also depend on the form in which the information is kept and stored. Obviously, information stored as a paper record will demand different monitoring techniques from those applicable to electronically stored records. In the end, the monitoring that you put in place must be such that it is reasonably likely to reveal unauthorized access or use.

Is everyone’s level of compliance going to be judged by the same standard?
Both the statute and the regulations specify that security programs should take into account the size and scope of your business, the resources that you have available to you, the amount of data you store, and the need for confidentiality. This will be judged on a case by case basis.

This FAQ was posted with the direct permission of OCABR. For more information on the regulation, visit Mass.gov/consumer.

Aug 5 2009   2:13PM GMT

Compliance officers discuss business, IT alignment at ISACA conference

Posted by: Alexander Howard
risk management, Information technology governance, Information technology audit, Information Systems Audit and Control Association, Information security, ISACA, conference

This guest post is from Joe Hewitt, an IT compliance specialist for American Honda Finance Corporation.  His views do not represent those of Honda, any of its divisions, or employees.

The 2009 ISACA International Conference held in Los Angeles had a much different feel than those of the past.  While IT controls were consistently a primary talking point, the emphasis was on how to better align business and IT goals.  Even though theoretical concepts like risk and value information technology were discussed at length, many of the presenters addressed real-world issues with respect to advancing along the compliance spectrum.

Oracle representatives Mark Sunday, CIO and SVP, and Gail Coury, VP of risk management, kicked off the festivities with a detailed and insightful keynote address that outlined the challenges of compliance amid heavy acquisition periods.  Attendees then proceeded to presentations along one of four tracks:

1. IT governance
2. IT compliance audit practices
3. Information security management
4. IT risk management and compliance

While useful information was abundant and widespread, here are some of the more interesting discussion points:

• Risk is often counter-intuitive
• Privacy regulations are here to stay…and will only become more strict
• Reputation risk is increasing for all businesses
• Financial return and value of governance is realized across silos, not from within them
• IT should be used to reduce business costs, not IT costs
• Acceptance of authority in younger generations has gone down, increasing the need for control automation
• The current economic environment emphasizes the need for controls over fraud at every level
• Business = Demand; IT = Supply
• ACCOUNTABILITY IS KEY!

If controls are the key, governance is the lock

Much discussion was held about progression beyond creating a control environment and moving towards overall governance.  With compliance budgets decreasing at a record pace, governance is the only way that auditors will be able to show value of audit activities.

Risk was the real elephant in the room.  Discussions concluded that, while we cannot fully eliminate risk in a cost effective manner, the process of implementing a monitoring or review process provides an eye opening set of data for many businesses.

Even though attendance appeared to be down, the group was very diverse and included representatives from all over the globe.  ISACA members from international companies enlightened the group with unique and challenging regional issues.

Overall, the conference delivered as promised.  It had legacy theory, risk management theory, international diversity, and real-world solutions for almost any IT compliance issue.  ISACA continues to be on the cutting edge of IT governance.

Jul 22 2009   2:29PM GMT

Compliance resources: Tips and news from around TechTarget

Posted by: Alexander Howard
Health Insurance Portability and Accountability Act, Cloud computing, Information security, identity theft, Security

Did you know that TechTarget now has more than 60 different websites, each of which focuses on a different form of technology? You can find compliance resources on nearly every one of them.

As a former editor at WhatIs.com, I’m familiar with the thousands of tips, news stories and learning resources around the network. For the time-starved reader, especially a busy compliance professional, simply being aware of what compliance resources are available can be a challenge. Here’s the best of what you’ll find on our sister sites from the past months:

CIOs and compliance

On SearchCIO.com, senior news writer Linda Tucci writes that according to research consultancy Gartner, IT security jobs will morph into risk management. The work of our contributors and the IT practitioners we talk to here at SearchCompliance.com confirm this trend. The staff at SearchCIO.com also put together a briefing on enterprise risk management solutions for CIOs and a selection of information security and IT governance guides for CIOs.

  iRobot CIO Jay Leader. During the video interview, addresses the importance of a solid IT strategy – no small issue for this midsized company that must maintain a high-level of security and secrecy given its defense contracts.

Compliance in the cloud

Tucci is similarly focused on the compliance issues that are presented to the enterprise CIO considering cloud computing for data backup and storage. In addressing compliance requirements in cloud computing contracts, as Tucci makes clear, regulatory compliance requirements must be both expressly defined and then addressed – “or the data brought back down to earth.”

One of TechTarget’s newest websites, SearchCloudComputing.com, naturally has published stories on similar issues. In “Cloud computing skepticism: IT security and compliance,” research director Andi Mann explores whether security and compliance concerns in the cloud can be reconciled.

Compliance and Security

Over at SearchSecurity.com, you’ll find dozens of resources in its audit, compliance and standards topical section. You can watch instructional videos about testing PCI compliance requirement 11 or using IAM tools to improve compliance.

Recent news included coverage of MasterCard’s increase in PCI compliance requirements for some merchants (Visa says it won’t follow suit) or the increasing risks to identity theft, in “Researchers predict SSNs, crack algorithm putting identities at risk.”

Security expert David Mortman recently addressed the recent changes to HIPAA regulations that resulted from the HITECH Act in “HIPAA compliance: New regulations change the game.” Enterprise security teams charged with safeguarding PHI will find his insights useful. Mortman has also written this month about how to find virtual machines for greater virtualization compliance.

We’ve also partnered with SearchSecurity.com to produce both events and in-depth content like the recent log management e-book. Download the e-book (free registration required) to learn how automation can reduce the operational burdens of regulatory compliance.

SearchFinancialSecurity.com, given its focus on the financial industry, naturally features content to help security officers in that highly regulated vertical manage compliance. For instance, in “Tokenization and PCI compliance,” Ed Moyle explains what this relatively new technology may mean for the protection of sensitive credit card data. Our sister website also includes a video on Red Flags Rule compliance featuring John Carlson, senior vice president of regulatory affairs for BITS, a division of the Financial Services Roundtable.

Compliance and the channel

Our colleagues at SearchSecurityChannel.com are also covering the security aspects of compliance. As Neil Roiter writes in “Vulnerabilities, regulatory compliance drive data protection market,” while risk and vulnerability management are the two headings under which security spending often falls, the ultimate goal of both is data protection.

SearchSystemsChannel.com also features compliance coverage, in particular the specific U.S. laws and regulations that represent compliance and security concerns for Microsoft Office SharePoint.

Compliance and storage

Over at SearchSMBStorage.com, contributor Kevin Beaver recently wrote about making sense of regulatory compliance and data storage for SMBs.

Feedback

If you found this roundup useful, please let us know at editor@SearchCompliance.com or at @ITCompliance on Twitter. If so, I’ll do it again in August.

Jul 17 2009   10:22AM GMT

No easy answers for complying with data protection regulations

Posted by: Scot Petersen
data protection regulations, Information security, compliance, MA 201 CMR 17, encryption

As the effective date of Jan. 1, 2010, approaches for Massachusetts’ data protection regulation, business owners and information security managers are getting a little bit edgy about compliance with MA 201 CMR 17.

Witness this week’s Compliance Decisions conference. There were two main questions on the minds of the attendees: Enforcement (how strict?) and encryption (what to encrypt and how?). However, no easy answers are available — yet.

The answers that were given by a pair of experts — Gerry Young, secretariat chief information officer for the Massachusetts Executive Office of Housing and Economic Development, and David Murray, general counsel of the Massachusetts Office of Consumer Affairs and Business Regulation — provided a wealth of information about compliance, but in the case of enforcement and encryption, not quite enough information.

It’s not really their fault. While Young and Murray helped craft the data protection regulations, promulgated by Massachusetts General Law 93H in 2007, enforcement will fall to the Massachusetts Attorney General, Martha Coakley, and, lawyers being lawyers, Murray could not speculate as to how Coakley will seek to prosecute data breach violations. Will she come down hard on all businesses, or will small businesses be spared? What will she consider to be “reasonable” steps — cited four times in the regulation — to comply?

Coakley’s office has not been available for comment on this topic, and likely no one will know for sure what will happen until the first data breach of 2010 occurs.

That leaves business owners of all sizes with no choice but to comply with the letter of the law (or make their best attempt to). But even what that means is not clear. Young and Murray have been on the road for months, talking up the regulation to business and consumer groups, and have a well-rehearsed presentation with slides. But when asked about what data needs to be encrypted, they said everything — “data at rest” and “data in motion.”

Now, MA 201 CMR 17 is clear about data in motion, mandating “encryption of all personal information stored on laptops or other portable devices” and “encryption of all transmitted records and files containing personal information that will travel across public networks, and … transmitted wirelessly.”

This all makes sense so far. The parties responsible for the infamous TJX data breach in 2007, which gave rise to 93H, exploited the weak WEP encryption protocol for wireless networks, not TJX company servers or databases. Currently, WPA and WPA2 are considered the minimum security standard, but even that has to be implemented correctly, with strong passwords.

As far as data at rest is concerned, there’s no such language, in the Code of Massachusetts Regulations or the Massachusetts General Law, a fact pointed out by a third participant in the conference, consultant Richard Mackey, vice president at SystemExperts. Young then responded: “There is a requirement for encryption of data at rest in 93H that radiates forward [to MA 201 CMR 17].”

After poring through the text of M.G.L. 93H over lunch, Mackey confirmed that data at rest is not an issue, and later in the day, Young and Murray recanted their statement and said encryption of data at rest should be considered a “best practice” only.

Attendees were relieved to hear this. But the concept of a “best practice” opens up even more issues. Encryption of data at rest — in databases, backup tapes, servers, SANs, etc. — is no simple task. Key management, disaster recovery and application performance pose difficult problems for even large companies, let alone small businesses. The best practice of storage encryption may be a worthwhile goal, something to be phased in over time, but shouldn’t be something that gets in the way of the immediate requirements of compliance.

It is not surprising then, that enforcement of MA 201 CMR 17 was delayed from its original May 2009 date to Jan. 1, 2010. Nor that a bill, No. 173, was introduced in the Massachusetts Senate earlier this year seeking to amend the underlying M.G.L. 93H law. Senate Bill 173 would change the law to say that businesses will not be required “to use a specific technology or technologies, or a specific method or methods for protecting personal information.” In addition, it would “create separate regulations for small businesses … that reflect said small businesses unique situation and resources.”

So where are we? No one really knows for sure. What we do know is that Massachusetts employers, and out-of-state businesses that employ Massachusetts residents, must have a compliance plan well under way by January 1.

Jun 25 2009   6:51PM GMT

Add Twitter security to the top information security threats

Posted by: Alexander Howard
Twitter, Facebook, LinkedIn, RSA Conference, identity theft, Social Enterprise, Social network, malware, Information security

Last week’s 140 Characters Conference presented dozens of examples of how people are using Twitter creatively, effectively and disruptively. What didn’t get as much attention are the security risks and compliance challenges Twitter presents as the wildly popular microblogging platform continues to see adoption by enterprise users.

I talked with Erin Jacobs, chief security officer for UCB Inc., about Twitter security. If you haven’t found her on Twitter yet, she tweets as @SecBarbie. She sent her list of top information security threats about Twitter to us via email, which we published below.

---

Information leakage
Corporate networks try to protect themselves from email, IM and other means of sending information outside of the network. There are new services for updating Twitter popping up daily, so it is impossible at this time to completely block the ability to access Twitter. Network security professionals are constantly racing to fill in the holes to ensure that information cannot be leaked. Information leaks could include:

• Identity information from inside organizations.
  • Identity theft
  • Credit card fraud
  • Account numbers
• Business IP leakage.
  • Business plans
  • Code leakage
  • Copyright infringement
• Facility information.
  • Business operating hours could be used in targeted physical theft attacks.
  • Personnel locations or schedules.

Malware/viruses/Oh-MY!
Since Twitter communicates over port 80 and 443, there really isn’t much to protect users from inadvertently bringing malicious code into the network. Bit.ly and other URL shorteners can easily send users to different addresses than the user expects.

Improper use of Twitter
Direct messages are not secure email. Education about potential vulnerabilities is essential for executives and top-level management to understand that they must keep business off of Twitter. Issues around human resources and online harassment are also a consideration.

---

After Erin wrote in, I used Twtpoll to ask my followers on Twitter the same question, using her list and adding a few other options.

You can vote on what your primary Twitter security concern is on Twtpoll. The results, as of today, are embedded below:

As you’ll see, insecure third-party apps leading to stolen accounts is (currently) the top answer – it’s an issue of natural concern to Twitter users. Coming in second, however, was Erin’s concern over data leaks of confidential or proprietary information. Information security threats are at the top of on any CISO’s list; add Twitter security to the list.
Each of these information security threats are valid for other social networking platforms or services as well, like LinkedIn and, in particular, Facebook. Issues around Twitter security and social media in general were frequently discussed at this past week’s Enterprise 2.0 Conference in Boston and, at the RSA Conference earlier this year, where Web application security was at the top of the information security threats list.

Jun 23 2009   11:13AM GMT

Should data security and privacy laws specify data encryption?

Posted by: Sarah Cortes
Privacy Law, Health Insurance Portability and Accountability Act, Massachusetts Senate, Information security, Cryptography, business, Security, Data Security, privacy, HIPAA, SOX, GLB, Massachusetts Data Security and Privacy Law, California Data Security and Privacy Law, data encryption, IT security, compliance, consumer protection, civil liberties, MGL 93H, Massachusetts’ Data Privacy Law, 201 CMR 17.00, Massachusetts SB 173, Technology

The proliferation of data security and privacy laws from state and federal agencies has created challenges and complexities for all entities that store and use data. One of the most controversial areas for these laws is whether or not they should specify data encryption as a requirement.

Issues currently confronting lawmakers, IT security, privacy and compliance professionals, businesses, and consumer protection and civil liberties groups include:

1. Which laws currently specify encryption and which do not? What, exactly, do they specify?
2. Should encryption be included at all in these laws?
3. If so, what, exactly, should be specified?
4. If not, what should the laws require?

One viewpoint holds that data encryption is a fundamental protection and strengthens consumer protection and privacy. From this viewpoint, laws that fail to specify encryption are weak, overly slanted toward business’ interests and inadequately protective of consumers and individuals’ privacy rights.

The counterpoint to that view, held by others, is that:

• Encryption as specified in current laws is a vague term, and thus somewhat meaningless.
• Specifying current encryption standards more concretely likely ensures the laws will quickly become outdated as technology advances.
• Mentioning encryption vaguely, without clear standards, creates business risk and uncertainty for those doing business in the commonwealth.
• Deviating so far from legislation in other states and federal approaches, in areas such as encryption and certification of third-party vendors, creates a situation where those third-party vendors may find it not worth implementing these capabilities just to do business in Massachusetts, leaving organizations at a competitive disadvantage without providing real benefit to consumers and individuals.

M.G.L. 93H, Massachusetts’ Data Privacy Law currently seems to specify encryption:

“Encrypted” transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, unless further defined by regulation of the department of consumer affairs and business regulation.

However, this definition does not set forth any circumstances under which data must actually be encrypted. When detailed regulations were issued in the form of 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth, regulators further specified that:

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall [include] the following elements: Encryption of all transmitted records and files containing personal information, including those in wireless environments, that will travel across public networks.

An amendment currently under consideration in the Massachusetts Senate, SB 173, would seem to reverse that:

The department shall not in its regulations, however, require covered persons to use a specific technology or technologies, or a specific method or methods for protecting personal information.

What do you think? Should data security and privacy laws specify data encryption?