Our local business community is up in arms about a recent string of (currently 9) armed robberies that have occurred over the last several weeks. Many businesses are now taking extra precautions to protect their valuables and their employees.
"Every business should take an active part in making their business safe. Here are some suggestions to help prevent robbery:
Have at least two employees open and close the business
Install a robbery alarm
Place a surveillance camera behind the cash register facing the front counter with a digital recorder
Vary times and routes of travel for bank deposits
Keep a low balance in the cash register. Don’t leave large bills under the drawer
Place excess money in a safe or deposit it as soon as possible
Stay Alert! Know who is in your business and where they are.
If you see something suspicious, call the police. Never try to handle it yourself.
Use care after dark. Be cautious when cleaning the parking lot, taking out the trash, or going to your car after work.
Make sure to post important signs: “Clerk cannot open the time lock safe”, “Premises protected 24 hrs by video surveillance”, etc.
Cooperate with the robber for your own safety and the safety of others. Comply with a robber’s demands. Remain calm and think clearly. Make mental notes of the robber’s physical description and unique characteristics."
With compliance efforts the question is "Which way do we go?!" And most times the signs are just this clear! Image by bob august via Flickr.
Two weeks ago, a financial services client of ours asked me “how compliant is compliant enough?”
They’ve been a good client for over 15 years. They are good people who care about their customers. They follow a disciplined approach to IT operations which provides a great foundation for their information security program.
At first, I was blown away by the comment.
How could they even consider such a question?
But the more I reflect on their comments and their situation, a new question has come to mind.
Who could blame them?
With the HITECH changes to HIPAA they unequivocally fall into the frame of HIPAA compliance. By law they are obligated to do more than they do now to secure their customer data.
They are doing a lot and doing it well, though they know they are not perfect.
Their wireless network is 100% impervious to outside invaders: they decided the risks of deploying wireless outweighed the business case for it. Over 10 years of third-party security assessments their technical team and technical infrastructure have consistently passed muster (ours wasn't the only firm evaluating them, so the consistent findings came from multiple firms using multiple techniques and tests). A recent HIPAA Security Rule Gap Assessment Workshop that we facilitated found that, from a HIPAA standpoint, they were doing the vast majority of the controls in the Security Rule.
They are "doing" security, but they don't document at a policy or procedure level what they do. Their staff is aware of security issues, but less so of privacy issues, particularly those pertaining to information handling practices within the organization. In those 10 years of tests a couple of the assessors have been able to penetrate their physical security through social engineering. Security and privacy are an IT-focused effort.
We believe that they are well secured against external attacks but are vulnerable to inside threats, to accidents, and to interruptions in their business process.
Fixing those business related issues all boils down to revenue versus expense, and they aren’t sure they can invest the time and treasure to attain perfect compliance.
And so the honest question is asked, “How compliant is compliant enough?”
Although they only asked one question, I suspect they had a few other questions they didn’t verbalize:
If we don’t do anything will we really get in trouble?
Will the government really enforce the law? They haven’t really yet have they?
If we do all this extra work won’t the work cost more than the likely fines we’ll pay if we don’t do the work?
Are our competitors doing it? Do our customers care?
In the time they’ve been wrestling with these questions they could have substantially closed the larger gaps in their program. But they are frozen by the uncertainty.
They are not the only client that is frozen by regulatory uncertainty.
Truly, with the way our government regulates information security and privacy I don’t have good answers for those questions.
Regulatory uncertainty is in and of itself a threat to privacy and security, and regulatory non-compliance is a risk that needs to be managed.
In the face of uncertain and confusing regulatory options most businesses in our experience choose to do nothing.
Regulatory uncertainty manifests itself in a number of ways:
Uncertainty due to a lack of knowledge about the potential regulations on the part of businesses
Uncertainty about just what various regulatory agencies are doing
Uncertainty about just what various regulatory agencies are going to do
Uncertainty due to the myriad of fine line distinctions and confusion in the regulatory body
Uncertainty because of the confusion about which regulations apply to a particular firm or type of firm
All of these types of uncertainty are born out of poor communication, difficult language, and sudden course corrections as rules are morphed in the political process even after they’ve been published.
The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs — or "red flags" — of identity theft in their day-to-day operations. It was first passed in 2003. The FTC moved the enforcement date three times. Depending on whose view you take that was because they bent to lobbying from interest groups representing doctors, lawyers and higher education institutions OR they were listening to industry and adjusting the rules to meet the feedback they were getting. From either perspective the enforcement date continued to slip.
In December 2010, the law was amended with the Red Flag Program Clarification Act of 2010 to focus the law on its original intent.
(NOTE: Did you catch that last line: “Bookmark this site and check it often for revisions that reflect changes in the law.” Often? How often? Changes? What changes? How do I plan for those changes? Are you kidding me?)
HIPAA is the Health Insurance Portability and Accountability Act of 1996. HIPAA has five titles covering an array of topics. Title II, ironically known as Administrative Simplification, primarily requires the establishment of national standards for electronic health care transactions. Administrative Simplification also addresses the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
Based in part on the poor adoption rates of and loopholes in HIPAA, Congress passed HITECH.
HITECH, the street version of the mouthful formal name Health Information Technology for Economic and Clinical Health (HITECH) Act, was enacted as part of the American Recovery and Reinvestment Act of 2009. It was signed into law in February 2009. It primarily promotes the adoption and meaningful use of health information technologies such as Electronic Health Records (EHR). Within HITECH, Subtitle D addresses privacy and security concerns associated with the electronic transmission of health information, primarily through a number of provisions that strengthen enforcement or clarify the original HIPAA rules.
Yet, uncertainty surrounding HIPAA is epic:
Poor enforcement impacted HIPAA adoption rates, so HITECH was passed to provide stronger enforcement. We have seen an increase in enforcement action as well as an increase in awareness of breach events through HITECH’s breach reporting requirements, but it has not reached a tipping point that catches decision makers’ attention in a way that motivates them to act.
Rules that were to be out by now are not published. Rules have been published and pulled. Published dates have been moved around the calendar. We know that subcontractors are covered under the Security Rule but the rules have not been published. We know that there are mandatory audits required under HITECH but we don’t know exactly what that means.
Rules sometimes just don’t make sense. For instance, the Security Rule is focused on ePHI, or electronic Protected Health Information. Think technical infrastructure. The Privacy Rule is focused on PHI in any form. Think use, handling and behavior. A fax is not considered ePHI, though in most environments today many faxes come in and go out through unified messaging. What is compliant action in regard to action
The government has produced an alphabet soup of laws, rules and regulations: FERPA, Sarbanes-Oxley (SARBOX or SOX), GLBA, all with similar stories. And there are legislative efforts to move forward with a new batch of privacy and security laws covering related topics such as national cyber security, privacy, security standards and breach notification. With the continual onslaught of breaches the political will is building to enact and execute a national law focused on information security and privacy.
So into this clear-as-mud uncertainty we now have political activity, driven by the epidemic of breaches, that is leading us to more laws, rules and regulations and, as I would suspect, more uncertainty, and with it more frozen clients caught between their fear to act and their fear not to act. And doing nothing puts them and their data at risk.
So we think the question isn’t “how compliant is compliant enough” but rather “how can we position our firm to lower compliance risk in light of this uncertainty while focusing on doing the right things to protect our customer and other critical data?”
We suggest the following:
Stay focused on the basics. We recommend you start by defining a standard language for internal information security discussions. We at Jacadis like ISO 27001. The ISO 27000 series is an internationally recognized family of standards focused on turning information security, privacy and compliance into a management function. Adoption of ISO 27001 provides a framework and language from which to build a top-down, management-to-technical information security, privacy and compliance function within an organization. The framework provides a standard way of managing security and, once adopted, helps build resilience to changes in compliance standards while keeping you focused on protecting the most important information assets in your stewardship. For additional reading on ISO 27001 I suggest an IT Toolbox article by Jacadis’ Jerod Brennen.
If you don’t have someone tracking the laws that affect your company, the cost to become compliant is going to hit you like a ton of bricks. Stay on top of it. An ounce of prevention is worth a pound of compliance, er… cure.
And while I don’t suggest you get caught up with the what-ifs and could-bes as the legislative process moves forward, if you are an information-intensive organization it is a good idea to have an executive-level team member monitor the legislative process. You may find there is a moment that calls for your attention to get involved politically if legislation gets restrictive in a way that could impact your business.
This is the video of my April visit with Gail Hogan on her show Daytime Columbus on WCMH. Gail's been great in helping us share with the average technology user some of the things that must be done to live securely in a digital world.
Another guest post from Jerod Brennen, who by day is a part of our great Jacadis services team and who by night is the father and Dad to a clan of Brennens. Are you an online gamer? If you take to a fantasy world to hack and slay, or shoot 'em up to wash away the stress of running the business during the day, here's some great information to help you play safely.
Secure Gaming Online from Jerod's blog at Slandail
Are you one of the 70 million PlayStation Network users who were impacted by the Sony data breach? I was. So were my kids. (NOTE: Not us Davidsons. This clan of Scots sticks to the Xbox platform or online PC games.) We’re avid gamers in our household, and we spend most of our play time signed into online multiplayer matches. We trusted Sony to keep our private data secure, but the reality is that even organizations as large as Sony aren’t always able to keep user data safe.
So what are gamers supposed to do? Stop gaming? Sure. That’ll happen. While we’re at it, let’s tell fish to stop swimming, and tell birds to stop flying.
My mantra, my credo, is that security concerns aren’t supposed to keep us from enjoying life. On the contrary, we need to know how to do the things we want to do SECURELY, whether we’re a multibillion dollar international corporation or a household of video game enthusiasts.
If you’re a gamer (or the parent, sibling, grandparent, spouse, partner, or next door neighbor of a gamer), here are a few tips you need to consider in order to enjoy gaming securely.
Anonymize your online gaming profile. If your gamer tag is a combination of your name and birthdate, then you’re one step away from handing over your identity to someone else. Choose a more creative gamer tag that represents your interests without revealing any private information. Say you're a huge Douglas Adams fan who always wanted to be an astronaut as a kid. Is stargazer42 taken?
Register with a throwaway email account. Gmail is free. Yahoo mail is free. Hotmail is free. With so many options for free email accounts, consider using a throwaway email account for services like PSN and Xbox Live. Not only will you sleep better in the wake of data breaches, you’ll avoid any of the spam that ends up in that account in the meantime.
NEVER register with a debit card or high limit credit card. This is true for both gaming security and mobile device security. If, for whatever reason, you store a credit card with any online service, use a prepaid credit card. If (when?) that card is compromised, you’ve limited your risk to the remaining balance on that card, and not the remaining balance in your checking account.
Only friend people you know. You don’t need to accept every friend request you receive. We have a strict rule in our house that our kids are only allowed to friend people they know IRL (in real life). Not only do they keep their friends list manageable, their online interactions are more enjoyable. If you don’t believe me, maybe I’ll upload a video of my oldest playing Call of Duty: Black Ops – Zombies with his two best buds. It's a riot.
Specific to the Sony incident, there are three things you should do as soon as possible:
Change your email password. This info was almost certainly compromised, and it will be abused by whoever stole the data. Login RIGHT NOW to the email account that you used to register for PSN and change your password before someone else does.
Contact your credit card company. If you have a credit card on file with Sony, it's safe to assume that someone else now has that credit card number. You should report the card compromised and request a replacement as soon as possible.
Begin monitoring your credit. Give Sony's blog post another read to learn how you can have the credit bureaus place a fraud alert on your file (as well as the impacts of doing so). You can also enroll in a credit monitoring service, but they're costly and, in my opinion, Sony should be picking up this cost; you'll have to take that up with Sony PlayStation Customer Support.
Online gaming is ridiculously entertaining, and incidents like the Sony data breach shouldn’t discourage you from taking part in that fun. If anything, this incident should serve as a reminder that you can still enjoy the things that make you happy.
The story is not unlike many other breach stories we've seen over the years. A mistake is made. Information including individually identifiable information is exposed. Somebody from the technology department is sanctioned or terminated. Other corrective actions are taken. End of story.
In information security there is a concept of information ownership. An information technology department that fits properly into a business is providing a service to the business units, but those business units are considered the information owners. IT has a responsibility to provide appropriate quality services to meet the information owners' needs. But the information owners should be accountable for what is done with the information.
Here's a rough analogy. I own a car. I am the owner. The Ohio Department of Transportation provides the infrastructure for me to use my car. If the road fails and I wreck, I as the owner (or driver) am responsible for maintaining control.
From an information ownership perspective, in the case of a breach you rarely see sanctions laid down on the assigned information owners. If information ownership were properly assigned and maintained, the owner would have a responsibility to make sure the information was properly managed by the service providers from IT.
An information owner is the individual or departmental unit who creates, acquires or manages information through a business process. When setting up a governance process I prefer that an individual within the department be formally assigned ownership. That assigned owner is then responsible for understanding the value of the information, the obligations the organization has to protect information of that type and value, the proper handling procedures given those obligations, and oversight of the organization's handling of the information. In the case of many of these breaches an information owner overseeing the technical processing of this information would have had a chance of correcting the fault before it resulted in a breach.
In March, 2007, Piedmont Hospital in Atlanta earned the distinction of being the first institution in the country to be audited for compliance with the HIPAA Security Rule. Prior to the audit, according to a ComputerWorld scoop, Piedmont received a request for the information listed below.
Could you provide these items on request in a 10 day time frame?
Policies and Procedures:
Establishing and terminating users' access to systems housing electronic patient health information (ePHI).
Emergency access to electronic information systems.
Inactive computer sessions (periods of inactivity).
Recording and examining activity in information systems that contain or use ePHI.
Risk assessments and analyses of relevant information systems that house or process ePHI data.
Employee violations (sanctions).
Electronically transmitting ePHI.
Preventing, detecting, containing and correcting security violations (incident reports).
Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.
Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers.
Physical access to electronic information systems and the facility in which they are housed.
Establishing security access controls (what types of security access controls are currently implemented or installed in hospitals' databases that house ePHI data?).
Remote access activity i.e. network infrastructure, platform, access servers, authentication, and encryption software.
Internet usage.
Wireless security (transmission and usage).
Firewalls, routers and switches.
Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
Terminating an electronic session and encrypting and decrypting ePHI.
Transmitting ePHI.
Password and server configurations.
Anti-virus software.
Network remote access.
Computer patch management.
HHS also had a slew of other requests:
Information Inventory
Please provide a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI.
Workforce
Please provide entity wide security program plans (e.g System Security Plan).
Please provide a list of terminated employees.
Please provide a list of all new hires.
Please provide a list of outsourced individuals and contractors with access to ePHI data, if applicable. Please include a copy of the contract for these individuals.
Please provide a list of all users with access to ePHI data. Please identify each user's access rights and privileges.
Please provide a list of systems administrators, backup operators and users.
Please provide a list of users with remote access capabilities.
Security Architecture and System Security Plan
Please provide a list of encryption mechanisms used for ePHI.
Please provide a list of authentication methods used to identify users authorized to access ePHI.
Please provide a list of transmission methods used to transmit ePHI over an electronic communications network.
Please include a list of antivirus servers installed, including their versions.
Please provide a list of software used to manage and control access to the Internet.
Please provide the antivirus software used for desktop and other devices, including their versions.
Please provide a list of database security requirements and settings.
Please provide a list of all Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows). Please identify whether these servers are used for processing, maintaining, updating, and sorting ePHI.
Please provide a list of authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems.
Assigned Security Responsibility
Please provide organizational charts that include names and titles for the management information system and information system security departments.
With the likely changes from HITECH we reasonably think an audit today would also require copies of your past Risk Analyses, your Evaluations, your Information Systems Activity Review process and documentation that you do it, as well as your incident response and breach notification plan.
Today we are joining Gail Hogan on Daytime Columbus. We do a spot about once a month. We were going to do a spot on spring cleaning your computer for security, recommending that before the nice weather hits you do a quick clean-up of your computers to make sure your workspace and playspace are secure.
But some news from last week changed our approach somewhat. With the following announcement on its web site, Epsilon sparked an internet buzz the first week of April:
Last week, the week following this announcement the internet world was abuzz. More than 50 companies were affected by the breach including such brands as Kroger, JPMorganChase, Victoria’s Secret, and Verizon.
The entire list of companies wasn’t immediately published. The announcements came in ones and twos of companies joining the slowly growing list, which fanned the flames. The story was in major news outlets, was a major search item on Google and caught the attention of many geeks on Twitter.
As the week ended many of us had received email notices from the companies we do business with that had made the list. For those without security chops there was a lot of confusion.
What was lost?
Email addresses, and email addresses associated with names. Based on preliminary investigations, generally everyone agrees that no confidential data was compromised.
What if I got a notice?
It truly isn’t the end of your digital world. In the worst case the hacker got your email address and your name. No account information or other confidential information from any of the companies affected or their customers was taken. So there is no immediate threat.
Does that mean it is perfectly safe?
If you are going to live a digital life, your private information is never going to be “perfectly safe.” The information stolen could be used to send targeted attacks to the customers of Epsilon's clients, and that might put you at risk in two ways:
Targeted phishing or spear phishing attacks that look like legitimate messages from any of these companies are likely to be in our future. Know how to protect yourself from phishing attacks.
(NOTE: Sorry, we in the computer industry just make up words and then expect everybody to know what we are talking about. Spam is unwanted email. Phishing is when spam is sent as bait with some call to action to trick you into giving up valued information, usually personal details and account information. Spear phishing is email targeted at specific individuals with some call to action to trick you into giving up that same kind of information. An email from a bank you do business with, addressed to you personally, is much more likely to trick you than an email addressed to “Dear Bank Customer”.)
Accounts that depend on your email address might be at risk. If you have one of those accounts and you likely do I suggest you follow the recommendations below.
What should I do?
Take the time to list your critical accounts. Do it on a piece of scrap paper. Tear it up and throw it out when you are done. My list includes my bank, my 401k, my company’s benefits site, my blog and about 25 other web sites. For each of those accounts change your password and make it a strong password.
Update your operating system and any installed software. You’ll do this by going to each software publisher (Microsoft, Apple, Adobe, etc.) and loading service packs, patches and updates.
Remove programs you no longer use. My kids install games and get bored. My wife plays around with demo software to support her photography hobby. I download tools for a specific client project and then don't use them again (OK, I also install games and get bored). Those old unused programs take up resources on your computer. They may be a security vulnerability. Two good reasons to get rid of them.
Back up your data!
We are on Daytime Columbus about once a month. My firm, Jacadis, is an information security firm that works with business clients. We participate with Gail's show sharing what we know to consumers and other computer users. Are you a Daytime Columbus regular? Have you seen us more than once? Are we answering your computer security questions? Do you have others? I'd love to hear from you.
Jacadis helps businesses prepare and respond to security questionnaires and audit requests from their usually larger customers. We also are the audit and assessment team for some firms who choose to use external resources to review their key vendors' security.
Frankly, as breaches go, Epsilon isn't a big deal. No protected information, just names and email addresses, was taken. And more sophisticated attacks have come and gone in the press largely unnoticed.
Epsilon has received more attention than the more impactful breaches in part because it touched so many people. Non techies are talking about it. We believe that buzz is going to find its way into the executive suites and audit teams of big companies and boost the rigor and frequency with which larger firms test, prod, and assess their supply partners.
Experts suggest that companies that outsource technology services take some of the following steps:
Make sure the vendor has a recognized certification for information security, such as ISO 27001 or SAS 70 Type 2, granted by an accredited auditing organization such as the International Organization for Standardization;
Sign agreements that oblige vendors to undergo regular audits by third parties, at least annually. Auditors should test software (especially software that can be accessed via the Internet) and hardware as well as people, to ensure that vendors’ employees themselves don’t fall prey to scams;
Make sure vendors assume liability for breaches that affect customers and end users; and
Make contingency plans with the vendor so that neither is caught by surprise in the event of a security breach.
Management consultants and corporate governance experts are providing similar advice to their Fortune 2000 and similarly sized customers. These recommendations have been around for several years; however, the buzz from Epsilon has the potential to turn the recommendations into reality.
This will impact you if you answer yes to any of the questions below:
Your business is part of the supply or services chain for larger regulated firms. We see most of the third party verification activity from firms that have regulatory obligations to HIPAA; PCI, GLBA or other financial privacy rules, or Sarbanes-Oxley. We have seen these type of firms apply the highest security and privacy standards to their vendors even if their vendors don’t process confidential or protected information. Do you provide services to these types of firms?
Your business provides a service that includes considerably volatile information. If, for instance, you process non-protected personal information but it is somehow seen as critical to your client’s business or its relationship with its customers, this might apply. Or, for another instance, if you process company confidential information such as trade secret related information. Do you provide services to these types of firms?
Firms in the supply chain stack. You may not be doing business with a regulated firm, but you may be providing services to firms that provide goods or services to firms that provide services to regulated businesses. You know what they say about it rolling downhill. Are you at the bottom of a supply chain?
Take action
If you answered yes to any of those questions we suggest the following:
1. Look at your customer agreements with firms in the categories above.
Do any of those agreements place obligations on your company to protect your client’s information in a certain way?
Do they have the right to audit?
Have you told your IT team about these obligations?
Are you prepared to meet these obligations?
2. Sit down with your technical leadership and discuss:
Are we secure? Vulnerable? Do we follow a best practices approach to information security? Which one?
Do we routinely check through tests, assessments, and/or audits our answers to the questions above?
If we got an auditing letter from an existing customer would we be ready for the audit in a week? a month? 3 months?
When the auditor arrives, do we have documentation that defines our security program's values (policies), details the routines we follow to meet those values (processes), shows that those routines are being followed (logs, action reports, scorecards, etc.) and shows that our staff is aware of their obligations (awareness training)?
If we committed during the sales process with a new customer to do certain things to secure their data did IT and the others in the company responsible for delivering on that obligation have a hand in the answer? Are we overcommitting?
Are we managing security well enough that we can create a competitive advantage over other firms in our class? Can we use that advantage to build new business?
If your business provides services to regulated businesses upstream in your market, we recommend you keep asking these questions until you feel comfortable with the answers.
Have you heard? An email marketing firm called Epsilon was hacked. Millions of email addresses and some names were stolen. The people that owned those addresses and names were customers of some 50 big-brand household-name companies.
The buzz about this hack is phenomenal. Over the last few months the following firms have had breaches or electronic break-ins: Google, Adobe, GE, Gawker, mysql.com and RSA. But not the buzz Epsilon has generated.
The buzz wasn't there for those incidents though many of them were more sophisticated attacks with greater losses.
Why?
I think it is because it touched so close to home with millions of consumers of brands we all know and trust. Conversations were happening in the executive suite because the wives (or husbands) were getting the emails at home. And that got leadership thinking "it could've been us! it could've been worse!"
I've had more conversations with business management and above level staff at our clients about this than all the other hacks this year combined. Because of that we are publishing a special edition Jacadis newsletter to sift through the facts, the hype and the impact from Epsilon.
We can't cover it all, however, so we've listed our favorite articles covering the Epsilon hack news: