Technology

Oct 7 2009   3:54PM GMT

Bailey on the role of the CIO in innovation, PKI in cloud computing

Posted by: Alexander Howard
Software as a service, Cloud computing, Technology, Public key infrastructure, Identity management, compliance, identity, encryption

Last week at the OASIS Identity Management Conference, Gregg “Skip” Bailey, director of technology integration for the federal practice at Deloitte, suggested that agencies looking to leverage the power and scale of cloud computing should use the Identity, Credential and Access Management Subcommittee’s (ICAM) framework.

Bailey says embracing that framework may solve some of the federated public key infrastructure (PKI) management challenges involved in securing personally identifiable information (PII). Bailey said that a useful resource, a cloud standards wiki for proposed and ratified cloud computing standards, is available at the (aptly entitled) Cloud-Standards.org.

Bailey, a former CIO at the Bureau of Alcohol, Tobacco and Firearms, defined the role of a CIO simply in this context to conference attendees: “reduce the cost of commodity technologies and increase innovation in applying those technologies to mission goals.”

“Private clouds are the predominant focus in large enterprises,” said Bailey. “Single-purpose SaaS offerings are most widely adopted.” In his assessment, cloud computing “probably provides the ability to apply to both areas,” with “enterprise flexibility and time to value are significant drivers.”

Jul 20 2009   7:26PM GMT

Managing e-discovery and compliance: What would Eliot Spitzer do?

Posted by: Sarah Cortes
e-discovery, Audit, regulation, Massachusetts, privacy, Security, compliance, high-risk data, Technology, Putnam, Putnam Investments, market timing, Project management, Eliot Spitzer, business

E-discovery - or electronic discovery - has many technical aspects. Questions of available tools, case law, regulations and scope are critical. One of the most important and often overlooked elements, however, is managing e-discovery and compliance.

As a senior manager at Putnam Investments, bizarre coincidences and convergence of fate with the soon-to-be famous marked my tenure. Few chapters embodied all these elements as thoroughly as the following e-discovery anecdote, for reasons that are obvious now, but were less so in 2003.

On Monday, Nov. 3, 2003, Putnam Investments fired its CEO, Larry Lasser, following a probe into market timing. Eliot Spitzer, New York’s attorney general, and William Galvin, the Massachusetts state regulator, had brought significant pressure to bear regarding market timing charges.

Spitzer, then known best as U.S. Attorney for the Southern District of New York, issued a subpoena two weeks later for Putnam documents. In the process, he indicated that criminal charges were being considered. From that day onward, senior managers at Putnam had a critical new IT project: managing e-discovery and compliance.

Unlike other IT projects, which include a feasibility analysis, budgeting and decision-making process prior to kickoff, e-discovery really starts from subpoena receipt. Spitzer’s reputation for a “take-no-prisoners” approach to investigations and prosecutions, not atypical for situations many firms face during litigation, had implications for IT.

From the moment a subpoena is received, senior technology managers should be called in. From IT’s viewpoint, e-discovery then becomes a new IT project on the list that requires reprioritization of existing resources.

The first step in managing e-discovery is to assign an IT project manager. Given that this will be a high-risk project, a seasoned individual is required. That means either hiring a backfill candidate for an existing project, or cancellation or delay of exiting work. E-discovery is usually a good example of a project that has no real, measurable ROI. This is a handy data point for all those IT projects that you, the IT manager, have to argue for each year during the budgeting process. That process demands an ROI even for operating system, database and other major software upgrades, which are also projects that evade calculating an ROI.

The next step in managing e-discovery is stakeholder and requirements identification. While vendor or tool selection usually comes later in the process, for a specialized project like e-discovery, identifying requirements should be fast-tracked from Day One. Firms and experts specializing in e-discovery are crucial for this type of project, which typically will be handled only once in a company’s lifetime – you’re lucky. Your staff is likely to lack experience with e-discovery, a reality best addressed by selecting an advisor immediately after selecting a project manager.

In the next post, I will address how to adapt standard project management techniques to the e-discovery project.

Questions? Write to editor@searchcompliance.com or reply to @SecuritySources on Twitter.

Jun 23 2009   11:13AM GMT

Should data security and privacy laws specify data encryption?

Posted by: Sarah Cortes
Privacy Law, Health Insurance Portability and Accountability Act, Massachusetts Senate, Information security, Cryptography, business, Security, Data Security, privacy, HIPAA, SOX, GLB, Massachusetts Data Security and Privacy Law, California Data Security and Privacy Law, data encryption, IT security, compliance, consumer protection, civil liberties, MGL 93H, Massachusetts’ Data Privacy Law, 201 CMR 17.00, Massachusetts SB 173, Technology

The proliferation of data security and privacy laws from state and federal agencies has created challenges and complexities for all entities that store and use data. One of the most controversial areas for these laws is whether or not they should specify data encryption as a requirement.

Issues currently confronting lawmakers, IT security, privacy and compliance professionals, businesses, and consumer protection and civil liberties groups include:

1. Which laws currently specify encryption and which do not? What, exactly, do they specify?
2. Should encryption be included at all in these laws?
3. If so, what, exactly, should be specified?
4. If not, what should the laws require?

One viewpoint holds that data encryption is a fundamental protection and strengthens consumer protection and privacy. From this viewpoint, laws that fail to specify encryption are weak, overly slanted toward business’ interests and inadequately protective of consumers and individuals’ privacy rights.

The counterpoint to that view, held by others, is that:

• Encryption as specified in current laws is a vague term, and thus somewhat meaningless.
• Specifying current encryption standards more concretely likely ensures the laws will quickly become outdated as technology advances.
• Mentioning encryption vaguely, without clear standards, creates business risk and uncertainty for those doing business in the commonwealth.
• Deviating so far from legislation in other states and federal approaches, in areas such as encryption and certification of third-party vendors, creates a situation where those third-party vendors may find it not worth implementing these capabilities just to do business in Massachusetts, leaving organizations at a competitive disadvantage without providing real benefit to consumers and individuals.

M.G.L. 93H, Massachusetts’ Data Privacy Law currently seems to specify encryption:

“Encrypted” transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, unless further defined by regulation of the department of consumer affairs and business regulation.

However, this definition does not set forth any circumstances under which data must actually be encrypted. When detailed regulations were issued in the form of 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth, regulators further specified that:

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall [include] the following elements: Encryption of all transmitted records and files containing personal information, including those in wireless environments, that will travel across public networks.

An amendment currently under consideration in the Massachusetts Senate, SB 173, would seem to reverse that:

The department shall not in its regulations, however, require covered persons to use a specific technology or technologies, or a specific method or methods for protecting personal information.

What do you think? Should data security and privacy laws specify data encryption?

May 29 2009   4:21PM GMT

White House releases cybersecurity report on cyberspace policy

Posted by: Alexander Howard
Melissa Hathaway, White House, United States Department of Homeland Security, Government, Technology, National security, cybersecurity

Earlier today, the White House released a long-awaited cybersecurity report, including a video (below) featuring commentary and perspective from officials and experts:

Melissa Hathaway, cybersecurity chief at the National Security Council, wrote the following “Securing Our Digital Future” entry on the White House blog:

“The globally-interconnected digital information and communications infrastructure known as cyberspace underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety and national security.  The United States is one of the global leaders on embedding technology into our daily lives and this technology adoption has transformed the global economy and connected people in ways never imagined. My boys are 8 and 9 and use the Internet daily to do homework, blog with their friends and teacher, and email their mom; it is second nature to them. My mom and dad can read the newspapers about their daughter on-line and can reach me anywhere in the world from their cell phone to mine.  And people all over the world can post and watch videos and read our blogs within minutes of completion. I can’t imagine my world without this connectivity and I would bet that you cannot either. Now consider that the same networks that provide this connectively also increasingly help control our critical infrastructure.  These networks deliver power and water to our households and businesses, they enable us to access our bank accounts from almost any city in the world, and they are transforming the way our doctors provide healthcare. For all of these reasons, we need a safe Internet with a strong network infrastructure and we as a nation need to take prompt action to protect cyberspace for what we use it for today and will need in the future. Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law.

The 60-day cyberspace policy review summarizes our conclusions and outlines the beginning of a way forward in building a reliable, resilient, trustworthy digital infrastructure for the future. There are opportunities for everyone — individuals, academia, industry, and governments — to contribute toward this vision. During the review we engaged in more than 40 meetings and received and read more than 100 papers that informed our recommendations.”

We’ll have more perspective and commentary next week on what this report will mean for compliance and security professionals. In the meantime, you can read the Cyberspace Policy Review for yourself.

[If you followed @ITCompliance on Twitter, by the way, you already knew all that.-Ed.]