risk management

Amended Massachusetts data protection act focuses on risk management

As Alexander Howard reported earlier today, the Massachusetts data protection law has been amended. The revised data privacy regulations — 201 CMR 17.00, “Standards for the Protection of Personal Information of Residents of the Commonwealth” — include several key updates. If you are an information security professional, take note of these changes, as they will likely have practical implications.

The most immediate impact is the provision for an additional 60 days to comply with the regulations. The deadline for implementation is now March 1, 2010.

Individuals and municipalities have expressly been removed from guideline jurisdiction, with a clarification that the “regulation applies to those engaged in commerce.” Guidelines on the requirement for a written information security plan are now simplified.

A new definition for the term service provider was added. The Office of Consumer Affairs and Business Regulation also amended third-party vendor rules. There is now a two-year grace period, relative to existing contracts, and requirements for those third parties to be in compliance.

Encryption requirements have been clarified. The apparently strict but, practically speaking, vague 128-bit specification from the prior version was replaced by “technology-neutral language.”

Further, a “technical feasibility” standard has been incorporated, acknowledging that methods to securely encrypt data on portable devices may not yet be available. Email encryption now falls under the technical feasibility standard. Additionally, encryption of backup tapes has been clarified to include prospective encryption. So you may safely cancel your firm’s plans to encrypt existing backup tapes. Encrypting new backup tapes will still be required, along with any personal data that travels over the public Internet or wireless network.

In another change that I believe will ultimately enhance consumer protection, 201 CMR 17.00 has been brought in line with certain federal regulations. Specifically, the Massachusetts data protection act now cedes authority to the Federal Trade Commission’s (FTC) standards established under the Gramm-Leach Bliley Act (GLBA). GLBA utilizes a risk management approach to data security.

The patchwork of 44 different state health data protection laws has delayed electronic automation of, and therefore overall security for, health records. Adopting a federal standard, starting with the FTC’s risk-based approach to data protection, avoids this pitfall and may make widespread compliance both more feasible and more likely in the near future.

On one hand, a risk management approach should be familiar to IT professionals. It shifts resources from “check-the-box” controls that may or may not address a particular organization’s specific risks to controls that make more sense in context. On the other hand, given the concrete definition of the personal information in scope, it is difficult to see where risk management would not be present whenever such personal data is stored.

“Mandating every component of a program and requiring its adoption, regardless of size and the nature of the business and the amount of information that requires security, makes little sense in terms of consumer protection,” said Bradley MacDougall, of Associated Industries of Massachusetts. Risk management and assessment will afford more consumer protection by matching a given business’ actual risks with required security investments.

Compliance officers discuss business, IT alignment at ISACA conference

This guest post is from Joe Hewitt, an IT compliance specialist for American Honda Finance Corporation.  His views do not represent those of Honda, any of its divisions, or employees.

The 2009 ISACA International Conference held in Los Angeles had a much different feel than those of the past.  While IT controls were consistently a primary talking point, the emphasis was on how to better align business and IT goals.  Even though theoretical concepts like risk and value information technology were discussed at length, many of the presenters addressed real-world issues with respect to advancing along the compliance spectrum.

Oracle representatives Mark Sunday, CIO and SVP, and Gail Coury, VP of risk management, kicked off the festivities with a detailed and insightful keynote address that outlined the challenges of compliance amid heavy acquisition periods.  Attendees then proceeded to presentations along one of four tracks:

1. IT governance
2. IT compliance audit practices
3. Information security management
4. IT risk management and compliance

While useful information was abundant and widespread, here are some of the more interesting discussion points:

• Risk is often counter-intuitive
• Privacy regulations are here to stay…and will only become more strict
• Reputation risk is increasing for all businesses
• Financial return and value of governance is realized across silos, not from within them
• IT should be used to reduce business costs, not IT costs
• Acceptance of authority in younger generations has gone down, increasing the need for control automation
• The current economic environment emphasizes the need for controls over fraud at every level
• Business = Demand; IT = Supply
• ACCOUNTABILITY IS KEY!

If controls are the key, governance is the lock

Much discussion was held about progression beyond creating a control environment and moving towards overall governance.  With compliance budgets decreasing at a record pace, governance is the only way that auditors will be able to show value of audit activities.

Risk was the real elephant in the room.  Discussions concluded that, while we cannot fully eliminate risk in a cost effective manner, the process of implementing a monitoring or review process provides an eye opening set of data for many businesses.

Even though attendance appeared to be down, the group was very diverse and included representatives from all over the globe.  ISACA members from international companies enlightened the group with unique and challenging regional issues.

Overall, the conference delivered as promised.  It had legacy theory, risk management theory, international diversity, and real-world solutions for almost any IT compliance issue.  ISACA continues to be on the cutting edge of IT governance.

Don’t forget business model risk in your risk management strategy

The MIT Sloan CIO Symposium on May 20 in Cambridge, Mass., featured several panels on the top issues affecting CIOs. But one panel on governance, risk and compliance afterwards produced the most interesting discussion of the day, for me at least, when I caught up with two Patni Americas Inc. directors, Amit Sen and John Vaughan, also in attendance.

The two management consultants are proponents of expanding the definition and practice of risk management to include business model risk — that is, risk introduced into your company by new or changed capital ventures or business processes. In their view, business process automation has run amok, leaving the business (as well as the IT organization), exposed to risks that it might not be aware of.

“What we need to understand is where are we are introducing risks, and the risk is understood and planned and not a byproduct of a lack of knowledge or visibility into what actually goes on in the organization,” said Sen in the following podcast, recorded this week. In the podcast, Sen and Vaughan explain what business model risk is, how to measure and understand it, and how to make business model risk a key part of any risk management and IT governance strategy.

 

 Don't forget business model risk in your risk management strategy [29:00m]: Play Now | Play in Popup | Download

Kodak CISO on meeting today’s compliance challenges

In this IT Compliance Advisor podcast from SearchCompliance.com, associate editor Alexander B. Howard interviews Bruce Jones, chief information security officer (CISO) at Eastman Kodak Co.

Over the course of the wide-ranging interview, recorded on-site at RSA Conference 2009 in San Francisco, Jones discusses the challenges he faces as the CISO for a global multinational company. Listen to the podcast to learn:

• What innovations he has introduced to meet today’s compliance challenges.
• How he aligns risk, compliance and security at Kodak.
• How Kodak approaches forming and following a compliance strategy.
• What his biggest pain points are in meeting compliance requirements, and how he is addressing them.

 

 Kodak CISO on meeting today's compliance challenges [11:18m]: Play Now | Play in Popup | Download

Vetting users exposes new compliance risks

Most visitors to websites arrive and leave relatively anonymously. But as e-commerce evolves, businesses are using the Web to invite in specific users, in order to offer special services to them or participate in a study such as a clinical trial.

Steve Ross, a director in the Security & Privacy practice of Deloitte & Touche LLP, has some thoughts in this IT Compliance Advisor podcast about the privacy and compliance risks associated with bringing in these “vetted” users.

 

 Vetting users exposes new compliance risks [11:13m]: Play Now | Play in Popup | Download

Ross, a former international president of ISACA and IS Security Matters columnist for the ISACA Journal, explains to SearchCompliance.com Executive Editor Scot Petersen what constitutes a vetted user, what are the compliance risks that come with a vetted user, and what are some best practices for ensuring privacy of the vetted user.

How do you align an IT risk assessment with COBIT controls?

[One of our readers, compliance officer Ramon de Bruijn, wrote to the editors of SearchCompliance.com at editor@searchcompliance.com last month looking for some advice. Specifically, he asked "What is the best way to implement a risk assessment in an IT department that aligns COBIT controls with risks?" In her first post for IT Compliance Advisor, Sarah Cortes, PMP, CISA, provides an answer to his question. -Ed.]

Implementing a risk assessment that will align the COBIT control framework with risks is a valuable undertaking and a smart way to approach the challenge. If approached with a working knowledge of COBIT, it should take no longer than any other risk assessment approach.

In the long run, it will likely shorten the overall cycle:

Risk assessment -> Recommendation -> Solution implementation -> Audit

This is because COBIT can provide a thorough checklist of potential risk areas that might otherwise be missed, requiring multiple passes or potential wasted effort implementing solutions to lower-priority risks, while ignoring those with a higher priority.

One thing to keep in mind is that COBIT controls are not just “in an IT department.” They include controls for business interruption and other business problems that have traditionally fallen to IT to deal with, rightly or wrongly.

The first step is to obtain a copy of COBIT controls, which you can do from ISACA.org or other sources on the Web.

The second step is to provide education, if necessary. Make sure key individuals in your organization have heard of COBIT and understand it is an internationally accepted standard. No need to worry anyone will know it better than you. Even auditors and CISA professionals can achieve only a moderate level of memorization of all aspects of COBIT. COBIT changes all the time. Technology in some areas moves beyond it in areas. In general, COBIT is too far-reaching for even the most seasoned IT professional to avoid re-reading and referring to it frequently when working with it.

After obtaining a copy and getting buy-in, the third step is to put it away. You need to ask yourself and others where the known risks to IT and business lie. This bottom-up approach is critical to avoiding “over-COBITING,” a common affliction.

Once you have carefully listened to IT professionals and others with respect to control weaknesses and the risks that actually “keep them up at night,’ you are ready to pull out your COBIT framework again. Review a fuller set of risks with those same individuals. See if that uncovers risks they may have missed the first time. This checkpoint is one benefit of COBIT.

Finally, you should document your risk assessment and note areas listed in COBIT that individuals in your organization did not consider worthy of note. Each COBIT area should be covered. If the risk included in COBIT is not prioritized in the risk assessment, a specific reason should be noted, along with the individual who decided to assume or dismiss that risk. This will come in handy later, trust me.

If you follow these steps, you will be further ahead than 99% of professionals and IT departments in your shoes. Good luck, and happy documentation!

Sarah Cortes is a senior technology manager with extensive experience in all aspects of delivering information technology systems and services to Fortune 500 firms in the financial services industry, as well as biotechnology, media and higher education. Sarah Cortes has managed numerous major Code Red business and system interruptions, including the 9/11 failover of trading, accounting and other critical business systems during Marsh McLennan’s WTC data center collapse. You can learn more her work at InmanTechnologyIT.

Coming: State privacy laws run amok

As business owners are preparing for the new Massachusetts data protection law, also known as 201 CMR 17: Standards for The Protection of Personal Information of Residents of the Commonwealth, due next year, a potential quagmire is building.

Speaking at the TechTarget Compliance Decisions Summit March 12, Laurence Anker, engagement manager, technology risk management for Jefferson Wells International, said the coming influx of state privacy laws will create “a mess.”

Only about half of the states have laws governing personally identifiable information, but several more, including Massachusetts, are crafting tough laws that will put new burdens on businesses, especially SMBs, and businesses outside of the state that employ Massachusetts residents.

These laws will cover areas such as secure storage of data, encryption of data and access controls, as well as require businesses to create written, comprehensive security and privacy policies for personal data.

Such tasks are formidable, but not impossible, but multiply the Massachusetts law by 50 and it’s easy to see how difficult it will become for some businesses to make sure they are in compliance with every state’s privacy law.

Anker said that he does not foresee new state laws as they come on the books to be in direct conflict with one another. Rather, business entities will have to make decisions on how to manage compliance with state privacy laws with different degrees of requirements. Most likely businesses with a widespread employee base will standardize and comply with the state with the toughest privacy policy.

Or, Anker said, there could be a day when state privacy regulators will join an organization similar to the National Association of Insurance Commissioners, which will seek to normalize the state privacy laws and help the states enforce them.

Risk-based approach to information governance at Compliance Decisions

As I wrote yesterday, the Compliance Decisions Summit got off to a great start when Eric Holmquist and Richard Mackey considered the future of compliance in their talks before a crowded hall of auditors, compliance officers, CIOs and information security professionals.

The second half of the day featured Holmquist again, this time exploring a risk-based approach to information security governance, and Laurence Anker, speaking about managing the cost and complexity of compliance through governance.

We posted the following Twitter on our ITCompliance account over the course of the afternoon. The #CSD09 you see below is a hashtag we chose to track tweets related to today’s seminar. For a full explanation of what a hashtag is and how it works, please consult last week’s digest of compliance headlines from Twitter.

All four seminars from Compliance Decisions will be available soon from SearchSecurity.com and SearchCompliance.com, along with an exclusive interview with Mackey exploring the ramifications of virtualization to compliance management.

A Risk-Based Approach to Information Security Governance

Lunch over, video recorded w/Mackey on #virtualization & #compliance. Next: Holmquist on a risk-based approach to infosec governance. #CSD09

Information security must be approached as a business issue, not an IT issue. Then we can consider risk mgmt practices.” -Holmquist | #CSD09

“You can’t buy your way out of a data breach.” -Holmquist | #CSD09 | #riskmanagement

RT @ scotpe Adding: “chief security officer does not belong in IT.” Where does s/he belong? [ <-- Good question. Any answers? ]

Lundquist recommends forming a #security council. Give it authority, include senior execs, make cross-disciplinary, safe & visible. #CSD09

Key insight for creating a culture of cooperation vs. risk: “Make it safe to fail” -Holmquist | Don’t underestimate “gut feelings” #CSD09

Back to #compliance basics: “Everything starts with a risk assessment, not controls. Manage to assessed risk, not perceived risk.” | #CSD09

“Insiders are exponentially more of a threat than outsiders. The ability to respond quickly & effectively is critical” -Holmquist | #CSD09

“You can approach assessing risk in 4 ways: IT systems, electronic data, physical files & third parties. Focus on accountability.” #CSD09

“Risk is quantified in 4 broad categories: What’s at risk? What would be the impact? What could be the source? What can we mitigate?” #CSD09

RT @ scotpe Scare the CEO: Statistically speaking, “someone is planning to steal your data right now, thinking about it or doing it” #CSD09

Paused for another message from another sponsor of #CSD09 & a networking break. Door prize drawing up next for a Flip, iPod & a GPS unit.

Managing the Cost and Complexity of Compliance through Governance

Now up at #CSD09: Anker on managing the cost & complexity of #compliance through #governance. Session info: http://bit.ly/J9OP

Anker began his seminar at #CSD09 talking about the importance of IT governance. @ rlebeaux just reported on that: | #TTGT

@ rlebeaux that reported on aligning IT governance & corporate governance in an economic #recession -> http://bit.ly/PDfkk

Insurance for IT risk? Anker notes standard policies may not address IT exposures like a data breach or reputational damage. #CSD09

“An organization’s info & other intangible assets account for 80%+ of its market value.” -IT Governance Institute (ITGI) | #CSD09

In discussing key requirements of the new MA data protection law, Anker notes WISP: written information security policy | #CSD09 | #acronym

Great Q&A on provisions of the MA data protection law w/Anker to end. @rwestervelt reported on its extension: http://bit.ly/yMBgP #CSD09

Conclusions from Compliance Decisions

You’ll be reading, hearing more and seeing more of Holmquist, Anker and Mackey on SearchCompliance.com. All three men will be contributing experts in upcoming articles, podcasts or video.

Writers from both SearchSecurity.com and SearchCompliance.com will continue reporting on the Massachusetts data protection law and its ramifications for IT professionals and businesses nationwide. Clearly, many questions remain about the regulatory impact of the law on IT operations.

As Robert Westervelt reported, the deadline for the Massachusetts data protection and encryption law was extended to Jan. 1.

“We understand the impact of the current business environment and feel this is an appropriate time frame for companies to implement the necessary protections,” Daniel C. Crane, the Undersecretary of the Office of Consumer Affairs and Business Regulation, said in a statement.

Westervelt noted a key change in the updated version of the regulation: “The extension includes a revision to the rules relaxing a requirement holding third parties accountable to the security rules. Under the original law, companies had to attest that a third-party provider was compliant with the regulations.”

As noted to the audience during the question-and-answer session with Anker, SearchCompliance.com recorded a podcast last month with Gerry Young and David Murray of the Massachusetts Office of Consumer Affairs and Business Regulation. The CIO and general counsel, respectively, discuss the details of the new data protection rules:

Massachusetts data protection law mandates IT compliance [Download the MP3]

The provision of third-party compliance as proven by a “WISP” came up during the course the interview, if not under that name. Regardless of the documentation requirements, small businesses and enterprises alike considering outsourcing data protection and encryption compliance will need to make sure that service providers, VARs and consultants certify and appropriately explain where and how their work brings an organization into compliance with the Massachusetts statute.

On a final note, we picked up dozens of followers on Twitter yesterday and earned two kind endorsements of our coverage from PrivacyProf and DanPhilpott. Thank you, Dan and Rebecca!

Considering the future of compliance at Compliance Decisions

The Compliance Decisions Summit taking place in Newton, Mass., got off to a great start this morning. Eric Holmquist and Richard Mackey both provided deep, engaging presentations on “future-proofing” an organization against compliance challenges and managing third-party risk.

Over the course of the morning, we posted to Twitter on our ITCompliance account more than 40 times, in lieu of a single blog post. As we noted to @cmneedles, #CSD09 is the hashtag we’ve chosen to track tweets related to today’s seminar. For a full explanation of what a hashtag is and how it works, please consult last week’s weekly digest of compliance headlines from Twitter.

Introductions

Breakfast & registration in Newton, MA at Compliance Decisions. We’ll be live-tweeting the talks, starting at 9AM. http://twitpic.com/20yxx

Kelley Damore, Ed. Dir for the #TTGT Security Media Group, kicks off #CSD09 by noting recent data breaches at Hannaford, TJX & Heartland.

Damore notes the breadth of compliance challenges: health, financial & proprietary data must all be secured with auditable processes.

Future-Proof Your Compliance Session

Eric Holmquist is up, explaining how to future-proof a compliance program vs. new regulations, including mitigating risk & GRC best practices.

“Compliance management is one aspect of risk management. It’s about risk alignment. It’s never about checklists.” -Eric Holmquist | #CSD09

“Every version of regulatory guidance around risk management boils down to three things: awareness, accountability & actionability.” #CDS09

Risk management boiled down to a continuum: Inherent Risk -> Controls -> Residual Risks | Compliance doesn’t just rest in controls. | #CSD09

“The 4 most important words for improving a compliance program: What could go wrong?” -Eric Holmquist | #CDS09

RT @scotpe 99% of compliance failures are because “somebody did something stupid” | #CSD09 [Key to plan for people being people]

Key elements of an effective compliance program: subject matter expert, compliance committee (real or virtual), control library | #CSD09

More key elements of an effective compliance program: documentation, risk-aware culture, incident response team, wrap-around analysis #CSD09

Eric Holmquist is reflecting on the details of how Advanta implemented an effective compliance program. Gap analysis & visibility key #CSD09

“No regulation is only relevant to IT. There is a business component to every single one.” -Eric Holmquist | #CSD09

“We set the bar at a risk management & governance level. Regulatory guidance, frameworks & standards are a test.” -Eric Holmquist | #CSD09

#GRC best practices: leverage existing processes & map them, focus on risk, secure executive sponsorship, use control libraries | #CSD09

“The costs of #ediscovery are staggering. Get a data retention program for email done. Now.” -Holmquist | #CSD09

PrivacyProf: A related issue is retention of full email threads; possibility of changes in early thread msgs likely creates ediscovery issues (Reply from contributing expert Rebecca Herold)

What does Holmquist see in the future for compliance? More infosec & BCP challenges, updates to PCI & state data protection laws. | #CSD09

Good question from the audience on email retention: What’s too much, too little? Establishing which emails = official documents is key. #CSD09

Sponsored Session from Symantec

Ethan Kelleher up from #Symantec to speak to their approach & notes support for an online resource: http://ITpolicycompliance.com | #CSD09

We’re listening to a live “message from our sponsor” ( #Symantec) regarding version 9.0 of their Control Compliance Suite (CCS). | #CSD09

Managing Third-Party Risk

Richard Mackey now up at #CSD09 on managing third party risk. #Video on building a framework-based#compliance program: http://bit.ly/PqXcd

An IT guy here at #CSD09 is especially interested in the MA data protection law. Our podcast w/state: http://bit.ly/105L3E (free reg. req.)

Mackey talking about impact of regulatory project requirements on service providers. If they handle regulated info, compliance is key #CSD09

Mackey notes that “standards like ISO 27002 & #COBIT describe lifecycles that can be applied to service providers” | #CSD09

“The first step in understanding risk is understanding the information shared.” -Richard Mackey | Data mapping & tools help. | #CSD09

“FFIEC, PCI & GLB all require due diligence in assessing provider controls. Depth should correspond to risk.” -Richard Mackey | #CSD09

“When evaluating service providers for compliance, establish rules for evaluations. View them as a partnership.” -Richard Mackey | #CSD09

“Most regulations require YOU to be the regulator of service providers.” PCI, HIPAA & GLB all require co.’s to ensure compliance. #CSD09

“Standards-based assessments, like ISO 27002, are useful tools. Consumers of the reports, however, must understand what results mean” #CSD09

Key questions when a #CIO receives a compliance report (SAS 70, ISO, etc): Scope of assessment? Metrics used? Control objectives? | #CSD09

When conducting #compliance assessments, concentrate on risk, avoid generic assessments & focus on consistency/operational #security. #CSD09

Mackey continues to focus on associate, partner & service provider #compliance; frequently mandatory but potentially overlooked. #CSD09

IT is critical to service provider #compliance: firewalls, VPNs, intrusion detection, encryption, scanners & data loss prevention | #CSD09

Excellent seminar on third-party risk management for meeting compliance by Richard Mackey. Video will be available later this month. #CSD09

We’ll be posting more to Twitter this afternoon when Holmquist presents again, this time on a “Risk-Based Approach to Information Security Governance,” and Laurence Anker talks about “Managing the Cost and Complexity of Compliance through Governance.”

The importance of risk management in IT compliance

This is a guest post by Cass Brewer, the founder of Truth to Power Association.

John Rostern recently blogged here about the dangers of checkbox compliance, noting that regulatory compliance doesn’t always bring information security.

I’ll take that argument a step further: Especially in terms of PCI DSS, most companies might get better ROI and comparable outcomes if they simply lied on their PCI DSS self assessments and returned to sprinkling salt around their servers, or whatever (apparently) prevented system breaches before PCI DSS came along. As John so aptly notes, siloed, point-in-time compliance is generally inadequate — in terms of both control and cost.

Unfortunately, external mandates tend to pervert otherwise healthy plan-do-check-act operational strategies. In the rush to comply with regulatory panaceas for perceived pervasive risks, managers too often deprecate their own informed risk judgments.

This is a backward response. Enterprise risk management should be both an input and output of any compliance program. As an input, it lets managers “just say no” to immaterial audit recommendations, defines implementation priorities and ensures that relevant controls aren’t displaced by compliance checkboxes.

Management can operationally parse broad compliance requirements by aligning control responses with actual material and significant risks. Or it can limit the in-scope environment of specific controls to particularly critical or sensitive information: cardholder data, customer PII, systems logs, etc. Either way, the bulk of risk management should occur on the front (planning) end of compliance. The risk management output of compliance programs is generally limited to risk mitigation.

Defining and measuring risks up front is also a cost-containment strategy. Under the Sarbanes-Oxley Act and other rules, organizations can exclude irrelevant “compliance” activities aimed at immaterial and insignificant threats. Of course, concrete documentation (and lots of it) is the key to defending such exclusions against auditor challenges.

Risks characteristics including existence, criticality, likelihood and period can further hone appropriate control responses. If a particular risk arises only once a year and potentially impacts just one disconnected system, a siloed, periodic response might be adequate. Of course, most risks are more constant and/or pervasive. Control efforts should respond to those characteristics, hitting compliance goals incidentally.

A risk management approach to compliance has opportunity benefits, too. It’s difficult to measure risk value (or risk abatement value) without understanding business-process value. In many cases, key risk indicators (KRIs) are complements to key performance indicators (KPIs). Defining one provides a base line for defining the other; and that base line is, in turn, a costing base line that supports more broadly strategic business decisions.

How does this work? Learn how to factor risk management into compliance assessments at SearchCompliance.com.

Cass Brewer is the founder of Truth to Power, a free and open research community for better information governance. At T2P and in her previous role as director of the IT Compliance Institute (ITCi), Cass has worked with thousands of compliance, audit, business, and IT leaders to develop practical guidance for corporate compliance and risk management. She can be reached at cbrewer@t2pa.com.