
May 08

Information Security Policies According to NIST

Five Best Practices from NIST 800-53

In April 2013, NIST made the final updates to their complete catalog of information security requirements, Special Publication 800-53 Revision 4 – Security and Privacy Controls for Federal Information Systems and Organizations.  The catalog is BIG – it contains hundreds of information security and data privacy requirements organized into 17 different topic categories.  Each category is called a “family”, and covers a key information security topic such as access control (AC), incident response (IR) or physical security (PE).

For people not familiar with FISMA or NIST, this document is essentially the security “encyclopedia” for how to protect systems and organizations.  As such, even organizations that are not required to comply with federal information security laws still reference the NIST standards for guidance on all things security.

So what does NIST SP 800-53 say about written information security policies?  In this article we take a slice through the outline and pull out the requirements as they relate to information security policies.  For this article, we will use the NIST family Access Control (AC) as a working example.  The result is a list of five key principles of information security policies according to NIST:

1: Written information security policies and procedures are essential

The first control in every domain is a requirement to have written information security policies.  The specific requirement says:

The organization Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: (1) An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance;

Notice the term “documents”.  This implies that policies need to be written down.  While this seems obvious, many organizations still fall short in documenting their specific security policies.  (This is often cited as the greatest deficiency when audits are conducted for HIPAA/HITECH by the OCR.)  The second part calls for written procedures to support the policy:

(2)    Procedures to facilitate the implementation of the access control policy and associated access controls; and

Each of the 17 control categories (or families) follows the same format, with the first requirement always calling for written policies and procedures.  What this also implies is that the policy document for each section covers the key controls required for that domain.  For example, within Access Control (AC), your Access Control Security Policies could cover:  Account management (AC-2), access enforcement (AC-3), information flow enforcement (AC-4), separation of duties (AC-5) and so on.  While NIST also specifies a minimum set of these controls, the typical organization may choose a smaller subset.  But the structure can remain the same – one or more policy statements for each topic.

2: Security policy documents must have a defined structure

NIST SP 800-53 also goes into detail about what needs to be covered within the security policies.  The requirement for an Access Control Policy specifies that the organization develop:

(1)    An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance;

For example, each document should cover the “scope” of the organization or systems that the policy applies to.  It should also include references to the specific organizational roles required to take action as part of the policy.  To address these requirements, each policy and procedure document should have a standard format with sections addressing each of these required areas.  A standard format not only speeds up the review and update cycle, it helps integrate the written information security policies with other standard corporate policies.  A similar standard format is built into each of the 30 sample policy documents included within Information Security Policies Made Easy.

3:  Security policies must be periodically updated

The NIST guidance is once again very specific about this requirement.  Written information security policies and procedures need to be updated to reflect the latest changes in the organization.

The organization: (b) Reviews and updates the current: (1) Access control policy [Assignment: organization-defined frequency]; and (2) Access control procedures [Assignment: organization-defined frequency].

Notice that the requirement allows the organization to set a specific time-period or frequency for updates.  A common time period is annually for information security policies.  Information security procedures can be updated at the same period or triggered as part of a policy update.  For example, the organization may update the Employment Termination Procedure to reflect new requirements, but the Personnel Security Policy that requires this procedure can remain unchanged.

4: Security policies must be distributed to the organization

Information security policies and procedures are not effective unless they drive organizational behavior.  To do this, policy and procedure documents need to be distributed to the users in the organization so they can be read and understood.

The organization Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:

Some other implied requirements come from the need to “disseminate.”  First, organizations should target specific policies to user groups and roles within the organization.  For example, all users do not need to be aware of the contents of the Network Security Policy, while all users should know how to safely use the internet and email.   Another implied requirement is that these documents are understood.  The organization should perform due-diligence in educating users on the security requirements of their jobs, including the information security policies and procedures that apply to them.

5: Security policies must be managed with a defined process

The previous four elements lead up to this key requirement:  Organizations must establish a formal management process for information security documents.  This requires that the organization treat information security policy documentation as an ongoing project, not a one-time event.  This implies several other requirements, such as assigning ownership to each policy document and to the entire policy management process.  How can an organization possibly manage the specific security policy elements – including reviewing, management commitment, coordination and compliance – without a management process?  Sadly, this is where many organizations fail.  The development of information security policies is delegated to a single individual as a part-time project with minimal visibility to management, rather than being treated as a project that requires funding and resources.  While this approach may get the organization by, it usually fails after the first major audit.  As always, up-to-date information security policies are key pieces of evidence to support due diligence.

Summary

While your organization may not be required to comply with FISMA, the NIST family of publications can provide excellent guidance on developing and managing an information security program.  When it comes to written information security policies, the message is clear:  Security and privacy policies need to be living documents.

—————————————————————————————————————-

Example:  The full catalog listing for AC-1 within NIST SP 800-53.

AC-1 ACCESS CONTROL POLICY AND PROCEDURES

Control:  The organization:

a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:

  1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  2. Procedures to facilitate the implementation of the access control policy and associated access controls; and

b. Reviews and updates the current:

  1. Access control policy [Assignment: organization-defined frequency]; and
  2. Access control procedures [Assignment: organization-defined frequency].

Supplemental Guidance:  This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.

Control Enhancements:  None.

References:  NIST Special Publications 800-12, 800-100.

Priority and Baseline Allocation:

Priority: P1   LOW: AC-1   MOD: AC-1

Jan 29

Security Policies Key to HIPAA BA Compliance

In January the Department of Health and Human Services (HHS) released the much-awaited final updates to the HIPAA Security, Privacy and Enforcement Rules. These updates, known as the “Omnibus Rule” were required by the HITECH Act and have been in proposal form since 2010.  The new law incorporates some major changes in the HIPAA security and privacy rules, including a new focus on the risk of third party vendors (aka Business Associates).

300,000 Business Associates Impacted

Perhaps the most sweeping change was the extension of HIPAA to “make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.”  In short, Business Associates (BA) that process electronic protected health information (ePHI) are now required to conform to the same data protection requirements as covered entities (CE).  In addition to the compliance requirements, the legal liability for HIPAA violations was also extended to the vendors.

According to HHS, an estimated 250,000 to 400,000 new organizations will be required to comply with HIPAA security requirements.  This represents a substantial number of small and medium-sized businesses that are suddenly faced with the burden of compliance.

In addition to this compliance requirement on the vendors, each covered entity (CE) will be required to perform due diligence in screening, managing and assessing third party vendors.  As usual, a key part of this validation will be the effectiveness of the written information security policies of the business associate.

§ 164.308 Administrative safeguards.

“(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of this subpart.”

The Cost of Compliance – Are they serious?

Here’s the good news – if you believe HHS, you can charge these new compliance efforts to your corporate credit card.  In its required economic impact analysis, HHS estimates the total impact of this new compliance effort on business associates to be between $22 million and $113 million.  If you assume the highest estimate for 400,000 organizations, this works out to roughly $250 per organization.  (Are they serious?)  In the real world, these costs will likely be much higher.  A robust information security program that can be validated by a third party is not a small effort.  At Information Shield we are doing our part by offering cost-effective solutions to help you establish and document your written information security program.

Solutions for the Human Side of Security

HIPAA Compliance should not just be a documentation exercise.  If your organization is going to make the effort, why not create a sound information security program that actually reduces risk?  Information Shield solutions help you accomplish this sensible goal.  We have everything you need to manage the “people” side of information security and privacy:  quality information security policies, security awareness training and compliance management.  You can spend millions of dollars on technical security (firewalls, antivirus, spam filtering, IDS) and still have a breach with ONE human mistake.


Jan 28

New Guidance Requires Social Media Security Policies

In January 2013, the Federal Financial Institutions Examination Council (FFIEC) posted a set of proposed guidelines for financial institutions to maintain compliance in the world of social media.   The document entitled “Social Media: Consumer Compliance Risk Management Guidance,” includes a number of specific recommendations for financial institutions that must protect customer information.  The FFIEC security requirements are key for GLBA compliance.

People + Information = RISK

As is often the case with security recommendations, information security policies are a key part of the equation.  In fact, one of the key “reputational risk” areas highlighted in the document concerns employee use of the social networking sites.   To quote from the official document:

“Financial institutions should be aware that employees’ communications via social media—even through employees’ own personal social media accounts—may be viewed by the public as reflecting the financial institution’s official policies or may otherwise reflect poorly on the financial institution, depending on the form and content of the communications. Employee communications can also subject the financial institution to compliance risk as well as reputation risk. Therefore, financial institutions should establish appropriate policies to address employee participation in social media that implicates the financial institution.”

After the comment period is complete, some version of these guidelines will be part of the official requirements. Accordingly, institutions will be expected to use the guidance in their efforts to ensure that their policies and procedures provide oversight and controls commensurate with the risks posed by their social media activities.

While these requirements are for financial institutions, the lessons are valid for every organization.  Studies show that 80% of employees access some type of social networking sites at work.  And where there are people and information together – there is risk.

Sample Social Media Security Policies

Does your organization have Social Media Acceptable Use Policies in place?  The PolicyShield Security Policy Subscription includes sample documents including Acceptable Use of Social Networking, which provides policies for safe use of online communities and social sites.  An additional sample, Corporate Use of Social Networking provides policies for organizations that are actively using social media to engage customers.  Don’t reinvent the wheel!  We have incorporated the latest social media risks into our standard security policy templates.

Dec 03

The Six Pillars of Personnel Security Policy

The insider threat is often discussed among the top information security risks facing organizations.  In fact, for the first time in seven years of doing the study, the 2012 Ponemon Data Loss survey listed internal mistakes by insiders as the number one cause of data breaches.  What is an insider threat?

This term is loosely used to describe current or former employees doing damage to the organization.  These can be malicious actions, such as stealing confidential information, or accidental, such as sending confidential information in an email attachment.  Within the world of information security policies, risks involving personnel are addressed with the Personnel Security Policy.

Challenges of Personnel Security

Personnel security is an extremely challenging area of security.  In order to function, an organization must allow access to sensitive data.  But in an instant, a trusted employee can become an attacker.  A recent court ruling involving stolen corporate data by a former employee is a perfect illustration.

In short, the court ruled that since the employee had legitimate access to the information at the time it was taken, they could not be prosecuted under state law or federal anti-hacking laws.  It was clear that the employee violated written security policy.  But it wasn’t clear that this constituted a criminal act under current laws.

On the surface, this would seem like a death-blow to the entire notion of having information security policies.  But the situation is complicated, because not all policy violations are criminal acts.  For example, one piece of information that was not revealed in the court case could have been critical – did the employee sign a non-disclosure agreement (NDA)?  If stealing confidential information does not constitute “hacking” in the eyes of the law, would violation of an NDA have made any difference?  In any case, the entire episode is a good chance to look at the entire area of personnel security.  While firewalls, intrusion detection and anti-malware get much of the spending, the cases always come down to people.

The Objectives of Personnel Security

Before diving into the details, what are the high-level objectives of a personnel security policy?  Generally, there are two.  The first is to protect sensitive information by securely managing the “life-cycle” of employment.  Generally, the life-cycle has three phases – pre-employment, during employment, and post-employment.  (For example, the ISO 27002 Standard uses this breakdown.)  But another important objective of a personnel security policy is to establish key governance points regarding information security.  In short, the organization wants to make sure that the rest of their security policies are enforceable.  This means taking proper steps to educate employees on both general information security requirements as well as on organization specifics such as how to report an information security incident.  This second set of governance controls is most often overlooked in weak personnel security policies.

Core Elements of Personnel Security

So what are the key areas that should be covered in a personnel security policy to best protect the organization?  By analyzing a combination of best practices, real incidents and regulatory requirements, several key areas jump out as critical.  While there are a lot of elements to personnel security, we choose to refer to these as the “Six Pillars”.

Pillar 1:  Screening

Screening is the process of verifying a prospective employee’s credentials and suitability for the job.  Most often this is in the form of a background check.  The general idea is to make sure that former criminals are not hired or placed in positions of trust within the organization.  But employee screening can take on many different levels, depending on the nature of the organization and the position being screened.  Other example security policies may require a credit check or emotional stability test, or a check with references at previous employers.  Many insiders who commit crimes have a history of human resources issues at current or previous employers.

Pillar 2: Contracts

This pillar is less obvious, but just as important when it comes to governance and the ability to take action against employees who violate security policies and also commit crimes.  Controls related to contracts include employment agreements, non-compete agreements, non-disclosure agreements and intellectual property agreements.  Contracts are designed to protect intellectual property from being stolen or lost.

Pillar 3: Security Policy Acknowledgement

Every employee or contractor with access to information must be made aware of the information security policies that apply to them.  In most organizations, this includes a high-level “Code of Conduct” as well as acceptable use policies such as Internet Acceptable Use.  But sometimes ignored is this key governance piece:  Making certain that employees formally acknowledge that they have read and understood the written policies.  While this control is rarely called out within security regulations or frameworks, it is critical for policy enforcement.  Many court cases have gone the way of employees who were fired for policy violations, but claimed ignorance of the policies.  Without a written acknowledgement, few organizations can defend against the claim of being unaware of policies.

Pillar 4: Security Education

One of the most often ignored aspects of personnel security is awareness and education.  Employees must be trained on basic information security principles so they can recognize common threats such as phishing attacks.  Study after study has demonstrated that human error is the root cause of a majority of data breaches.  In addition to basic security education, employees should also be trained on the information security policies of the organization.  (See Pillar 3.)

Pillar 5: Monitoring

Although employees are by definition trusted by the organization, their behavior still must be monitored at some level.  The type and level of monitoring depends on many factors, including the sensitivity of the data being used, the overall security posture of the organization, or even government requirements.  At a minimum, the organization should monitor all security-related user activity on systems.  Many organizations choose to monitor internet and web traffic.  Whatever the security posture on monitoring, it is best to inform the employees on how they are being monitored.  The disclaimer of “no expectation of privacy” generally applies when using corporate resources.  But if that policy is not communicated to employees, legal trouble is possible in any attempt to use the information for sanctions.

Pillar 6:  Termination Procedures

The final essential component of personnel security is having proper termination procedures in place and enforced.  Once an employee is no longer employed (or has indicated that they are going to leave), both logical and physical access must be terminated.  In addition, the exit process usually involves the return of organizational property such as laptops or access badges. There is a reason that termination procedures are required in nearly every information security regulatory framework.  In many cases former employees have been able to access their employer’s network – either via their own login ID or a shared ID that was created – and steal data or plant malicious software.

Other Resources

For those interested in more details regarding insider threats, the Insider Threat Center at Carnegie Mellon has published numerous research papers that are freely available.  At Information Shield, we have incorporated most of these results into our sample security policies within the PolicyShield Security Policy Subscription.  For those who need to develop Personnel Security Policies, Information Security Policies Made Easy contains over 80 specific sample security policies on personnel security alone.


Dec 01

Most SMBs have no Information Security Policies

87% of Businesses in 2012 Survey Have No Acceptable Use Policies

Phishing attacks are now among the top security risks for organizations.  Yet, according to a recent survey of small and medium-sized businesses (SMB), a full eighty-seven percent (87%) do not have a formal written Internet security policy for employees.  These findings are from a new survey of over 1000 businesses by the National Cyber Security Alliance (NCSA) and Symantec.

The study indicates that overall, small and medium-sized businesses are dramatically underestimating the risks to their business.  Because of this, cyber-criminals are increasingly setting their sights on small business.  The survey was released as part of National Cybersecurity Awareness Month to help educate small business on these growing risks.

Among other highlights from the 2012 Survey:

  • A Majority of SMBs Believe Security Is Critical to Their Success and Brand: Seventy-three percent of SMBs say a safe and trusted Internet is critical to their success, and 77 percent say a strong cybersecurity and online safety posture is good for their company’s brand.
  • SMBs Unprepared to Handle Data Breach Losses: Nearly six out of 10 (59 percent) SMBs do not have a contingency plan outlining procedures for responding and reporting data breach losses.
  • Most SMBs have no formal policies: Eighty-seven percent of SMBs do not have a formal written Internet security policy for employees while 69 percent do not have even an informal Internet security policy for employees.  At the same time, 10 percent say they have a formal written Internet security policy while 28 percent say they have an informal Internet security policy for employees to follow.
  • Social Media Users Vulnerable: Seventy-five percent of SMBs do not have policies for employee social media use on the job while 23 percent have established policies.  (Note: This number seems high since only 10% report having any formal policies at all.)
  • Customer Privacy Lacking:  Despite the growing number of public data breaches, sixty percent of SMBs say they do not have a privacy policy that employees must comply with when they handle customer or employee information while 38 percent say they do have a privacy policy.

Easy Information Security Policies

In our experience, part of the problem is that information security is perceived to be too difficult.  So it seems easier to do nothing at all.  Most organizations are not aware that quality information security policies can be purchased and customized for a very reasonable price.  Information Security Policies Made Easy has over 30 sample documents that can be customized in minutes.  The sample information security policies include internet acceptable use, email acceptable use, social networking security, customer privacy, network security, incident response and many others.  Other free resources are also available, including the SANS Security Policy Project.


Sep 11

Information Classification – The Link between Security and Privacy

Most of the attention focused on information security today surrounds the public data breach.  Almost daily we hear a new report about hundreds or thousands of records of personal information being improperly disclosed.  In fact, it is the loss of private data that drives most of the regulatory environment designed to enforce security: GLBA and HIPAA at the national level, as well as dozens of state laws including CA SB 1386 and MA 201 CMR 17.  Certainly, any organization that is concerned with information security must be concerned about data privacy.

So how does information security enforce privacy?  Essentially, the idea is to make sure that private customer information is protected from improper disclosure.  In healthcare, for example, protecting individual electronic protected health information (ePHI) is the focus of both HIPAA and its extension under HITECH.  Within PCI-DSS, the credit card number and associated cardholder information are the focus of the protective controls.

So how does this translate into an information security program?  In practical terms, the enforcement of customer privacy requires two key ideas:  First, that the organization identify and classify all of the private data it possesses, and second, that the security program implements the highest level of protection for this sensitive data.   This link is created within the Information Classification Policy.

Information Classification – or more accurately – Information Sensitivity Classification is the process of dividing data into different categories based on the need for confidentiality.

Usually, this is done using three or four categories.  A common three-category scheme divides up the information like this:

  • PUBLIC – Information that is not sensitive to the organization and can be viewed by anyone.
  • INTERNAL USE ONLY (Private) – Information that should only be seen by people inside of the organization.
  • CONFIDENTIAL – Access to this information must be tightly restricted based on the concept of need to know.  Information that should only be accessed by a limited group of individuals and would cause harm to the organization if released.

The famous label “TOP SECRET” was often used by the government to indicate that information may involve national security.

The idea is simple in principle.  Apply more protection to the most sensitive data.  Apply less protection to the least sensitive data.  In practice, the idea can be very difficult to implement.  Information classification requires a well-crafted set of information security policies that enable the organization to identify and label the information, and then maintain these sensitivity labels as the data moves around the organization.  With so much data in so many different places, this can be quite a challenge.

In working with many organizations developing information security policies, perhaps the biggest mistake we see is the failure to track and properly classify sensitive customer data.  An organization may have a highly sophisticated information security program, using the latest technical wizardry such as firewalls with intrusion prevention.  But if the organization cannot identify which data needs to be protected, all of the technical controls may be meaningless.

Security Policy Tip: The take-away is this:  If you go through the trouble of developing and implementing information security policies, make sure you remember the important link between privacy and information security – information classification.

__________________________________________________________

For organizations that need to develop a comprehensive Information Classification Policy, Information Security Policies Made Easy contains examples of two, three, four and five-category information classification schemes, as well as 1500 other sample information security policies.


May 30

Defining Information Security Roles – Key to Governance

Information Security Roles & Responsibilities

The proper definition and assignment of information security roles and responsibilities has always been a key principle of information security governance.  In fact, every major information security and data privacy regulation requires that the organization document roles and responsibilities.

Real-World Challenges

Despite being such a core governance requirement, in practice many organizations are still behind in compliance.  As recently as May 2012, a report entitled Governance of Enterprise Security published by CyLab (the cyber-security research arm of Carnegie Mellon University) shows that a majority of companies (66%) have seldom or never had their board review and approve the roles and responsibilities of lead personnel responsible for privacy and IT security.

In fact, according to the CyLab report, less than two-thirds of the Forbes Global 2000 companies surveyed have full-time personnel in key roles responsible for privacy and security in a manner that is consistent with internationally accepted best practices and standards.

Information Shield’s 2011 Information Security and Data Privacy Staffing Survey shows similar results.  The survey indicated that only half (51%) of organizations report having appointed a Chief Information Security Officer (CISO) or equivalent position, while only 30% report having a Chief Privacy Officer (CPO) or equivalent position.  While these numbers have been increasing for some time, they still represent a major gap between governance requirements and reality in many organizations.

There are many reasons why adoption is lacking.  As Charles Cresson Wood discussed in Information Security Roles and Responsibilities Made Easy, one of the key misconceptions is that the scope of information security roles and responsibilities is confined to the Information Security Department.  In fact, the information security function has become a multifaceted, cross-department team effort involving everyone in the organization.

Management, Governance and Visibility

One of the by-products of poorly defined information security roles and responsibilities is that critical information never makes it to senior management.  Without a formalized accountability and reporting structure, management is often left in the dark regarding the true risks to the organization.  This leads to an overall disconnect between the Board and other senior managers with regard to information security risks.

The CyLab report confirms this by stating:  “One of the most important advance findings of the CyLab 2012 Governance survey is that boards and senior management still are not exercising appropriate governance over the privacy and security of their digital assets.”

In fact, the top two recommendations from the report to help increase management visibility were to (1) create a top-down approach with consistent information security policies, and (2) review roles and responsibilities for privacy and security, ensure they are assigned to qualified, full-time senior-level professionals, and ensure that risk and accountability are shared throughout the organization.

Real Returns – Data Breach Cost Reduction

Data from the research field is starting to confirm what is implied in most data protection laws: having a defined senior manager responsible for information security and data privacy is truly effective.

The 2011 Cost of Data Breach Study, sponsored by Symantec and the Ponemon Institute, shows that having an appointed CISO with overall responsibility for enterprise data protection is the single greatest factor in reducing the cost of a data breach.

If the organization has a CISO with overall responsibility for enterprise data protection, the average cost of a data breach can be reduced by as much as $80 per compromised record.  This was roughly a 30% average savings per record.  With the average breach cost now at nearly $3.1 million per breach, these savings can be significant.  The other key factor dramatically reducing breach costs was the use of outside consultants.  Outside consultants assisting with the breach response can save as much as $41 per record (16%).  And yet, organizations should not outsource key information security responsibilities that they don’t already have defined and documented within their own programs.

The cost savings extend further when each member of the organization becomes aware of their information security roles and responsibilities through proper awareness and training.  In fact, the 2011 Cost of Data Breach Study shows that, for the first time, mistakes by insiders were the leading cause of data breaches, surpassing external attacks.

Defining Information Security Roles and Responsibilities

Information Security Roles and Responsibilities Made Easy (ISRRME) was designed to help organizations properly develop this key pillar of information security governance.  Among the key features are pre-written information security-related job descriptions for 40 different job roles.  Also included are 20 different department mission statements linking various departments to their roles within the enterprise data protection landscape.  Using these professionally made templates can save organizations hundreds of hours in development while leveraging the experience of nearly 100 other organizations.


Mar 28

Managing Vendor Security Risks Under HiTECH

Assessing the risk of third-party vendors has been a growing problem for compliance management.  Because of the growing number of data breaches related to third parties, regulators have been focusing on the inherent risks of outsourcing.  Within the financial services industry, this has long been accomplished via a SAS 70 (now SSAE 16) type audit.

Within the U.S. healthcare industry, the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted in early 2009, put enforcement teeth behind vendor breaches of medical records.  Among other requirements, it essentially extended the liability of Covered Entities under HIPAA to their Service Providers.  This created a flurry of activity as covered entities struggled to find ways to manage and assess the risk of hundreds or even thousands of vendors.

This month a milestone was reached, as the Department of Health and Human Services (HHS) took the first enforcement action for a breach under HITECH.  As part of the enforcement, BlueCross BlueShield of Tennessee, Inc., agreed to pay $1.5 million in fines as a result of the theft of 57 unencrypted hard drives taken from a data closet in a Chattanooga facility that was no longer in use by the company.

This is likely to be only the beginning.  Since 2010, reports to the HHS breach reporting site have averaged about 17 breaches per month, with over 500 reported so far.

Managing Third Party Risk with Information Security Policies

Written information security policies are an essential part of managing risks related to third parties.  (The requirement for written policies is clearly spelled out within the HIPAA Security Rule.)  There are several key areas to consider when developing information security policy documents for vendors:

1. Vendor Approval and Establishment – The first step is to properly assess the risks of outsourcing to any third-party vendor.  (This is broadly covered in ISO 27002 section 6.2.1 Identification of risks related to external parties.)

2. Contract Management – All contracts with third-party vendors must include information security requirements.  (This topic is covered in ISO 27002 section 6.2.3 Addressing security in third party agreements.)  The types of security controls may depend heavily on the type of vendor and the type of information being accessed by the vendor.  For example, Information Security Policies Made Easy has over 25 different controls related to vendor contract management.

3. Ongoing Monitoring – Once established, third-party vendors must be monitored for ongoing compliance, including any major changes to their business that may impact their performance.  (ISO 27002 section 10.2.2 Monitoring and review of third party services.)  For example, HITECH requires that Service Providers who experience a breach must notify the Covered Entities that they serve.

4. Contract Termination – This final phase of a vendor relationship is often overlooked.  Once a relationship is terminated, all access points between the vendor and the organization must be removed.  This includes removal of third-party user accounts.  In some cases, the failure is as basic as leaving confidential information behind on vendor premises, as happened in the BlueCross incident.

In summary, organizations must treat the relationship with third-party vendors as a complete life-cycle.  Poor security controls during any phase of the relationship can expose the organization to unnecessary risks.

Feb 20

EU Updates Data Protection Guidelines

The European Union recently released a set of draft recommendations for a major update to the current privacy framework that underpins Directive 95/46/EC.  The changes would introduce a single set of rules on data protection, valid across the EU.  The proposed changes would give individuals more control over their personal information and would have a significant impact on any organization that processes data on EU citizens.

The report, entitled “Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century”, comes after a new study on attitudes toward data protection indicated growing concern over data privacy among the citizens of EU countries.

Some highlights of the guidance include:

  1. Breach Responsibility and Accountability: Companies would have to notify their clients of any theft or accidental release of personal data.
  2. Explicit Consent: Before a company reuses their personal data, individuals need to give that consent explicitly.  People would also have access to their own private data and be able to transfer it to another service provider more easily.
  3. List Removal: The updates enforce the ‘right to be forgotten’, where people will be able to have their personal data deleted if a business or other organization has no legitimate reason for keeping it.
  4. International Scope: The updates apply EU rules when personal data is processed outside Europe.  People would be able to involve the national data protection authority in their country, even when their data is processed by a company based outside the EU.

Organizations concerned with compliance must consider updating their information security and data privacy policies.

Dec 27

Password Policies Still Important in 2011

The Privacy Rights Clearinghouse recently released their review of what they call the most significant data breaches of 2011.  Even if you have read about each of these incidents before, they are worth reading again in summary form.  What is perhaps most striking is how the most basic security policies and procedures are often the ones that were ignored or not implemented in these major breaches.  So here is a quick summary of each incident and the matching security policies:

Sony PlayStation (April 27) – External intrusion by hackers gained access to 101.6 million records, including 12 million unencrypted credit card numbers.

Control Failure:  Weak Passwords

Epsilon (April 2) – Epsilon, an email service provider for companies, reported a breach that affected approximately 75 client companies.  (Possibly the largest breach ever when counting records.)

Control Failure: Third Party Service Provider Security / Sensitive Information in the Cloud

Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF) (Nov. 16) – A company-issued desktop computer was stolen from SMF’s administrative offices.

Control Failure:  Physical Security of Devices Holding Sensitive Data / Encryption of Sensitive Data during Storage

Texas Comptroller’s Office (April 11) – Information from three Texas agencies was discovered to be accessible on a public server.

Control Failures:  Change Control on Production Systems / Sensitive Information on Low-Security Systems

Health Net (March 15) – Nine data servers containing the personal information of 1.9 million current and former policyholders went missing from Health Net’s data center.  The breach was reported to customers nearly three months late.

Control Failures:  Physical Access Control of Processing Facilities / Incident Response and Data Breach Notification Policies

Tricare Management Activity, Science Applications International Corporation (SAIC) (Sept. 30) – The theft of backup tapes from a car resulted in the exposure of protected health information from patients of military hospitals and clinics.

Control Failures:  Secure Transport of Sensitive Information / Encrypted Backups of Sensitive Information

The good news is that these controls are all part of the basic information security policies found in nearly all data protection frameworks, including ISO 27002 and NIST SP 800-53.  For sample information security policy templates that address all of these requirements, see Information Security Policies Made Easy.
