When companies come to me because they want to draft a security policy, the first question I ask them should be the most obvious: “Why?”
It may seem like a simple question, but more often than not it is met with confusion as if the answer was so obvious that it cannot be articulated. At other times, the answer is that they are simply compelled to have a security policy by law and regulations. But bandwagon mentality or compliance reasons will not generate a successful security policy. Starting with the “why” is the most important step when crafting a security policy, and the answer to “why?” comes from a risk assessment.
Risk assessment is an endeavor to find out why you need this policy and what it hopes to achieve. Risk assessment determines the magnitude of potential loss and the probability that the loss will occur. For security, this means classifying information into separate levels of sensitivity, then, discovering the possible risks, and the probability of those risks, that this information may be compromised.
It is not possible or sensible to protect all information, regardless of sensitivity, with the same maximum level of protection. And there is no cookie-cutter, one-size-fits-all approach to creating a security policy since every business has unique risks and places different values on different kinds of information. This is why an individual risk assessment must be performed. Once this has been determined, a security policy can be crafted based on protecting information based on its value and risk unique to that organization.
The problem is that too much policy work is driven by compliance rather than need. Without first identifying the need (the “why”) a security policy is destined to miss its mark and be nothing more than a symbol of intent rather than a useful procedure.
By relying simply on compliance to dominate a security policy, you may live up to laws and regulations but remain vulnerable. Compliance alone has not saved many companies from data breaches, including the credit card processor Heartland Payment Systems, who suffered an unauthorized disclosure of 100 million credit and debit card transactions while remaining compliant.
I am back from my week of trips, and ready to get back into the blogging routine. While travelling and talking with clients about security audits some thoughts came to me.
If all your security audits are involuntarily performed by external entities and you are simply struggling to survive them for fear of punitive recourse, then you probably don’t have the best attitude when it comes to security. A security audit should help your organization improve and grow – it is not something to be scared of.
I was reminded of the saying that no security is actually better than poor security. This is because with no security, at least you know how secure you are and won’t act in such a way that would put your data at risk. But with poor security, you might be fooled into a false sense of security that can put you in position for staggering losses when a breach does occur.
This is why security audits are so important; they inform you on the current level of your security. This knowledge empowers you to make informed decisions regarding data risk analysis. You should conduct your own security audits often and after implementing new security defenses.
Now I’m often asked if it’s better to conduct internal audits yourself or pay for outside security consultants to conduct external audits. Personally, I feel there are a few more advantages to outsourcing the audit.
1) Security consultants make security audits a core function of their business. They probably have more experience and a wider knowledge base to find more gaps than an internal audit.
2) Internal audits tend to be lax when it comes to identifying gaps. The focus shifts to checking check boxes rather than actively trying to break the system.
3) If something is missed in the security audit and a breach occurs – at least you have someone else to blame. You may even be able to hold your security consultant company accountable depending on the contract.
4) There is no reason you cannot perform an internal audit and then have an external one which you compare for accuracy and team skill set building.
I hope to see more security audits met with welcoming arms than with dread and uncertainty. Just remember, that security is never final and the audit is just a part in the continuous effort to improve your defenses.
As I contemplate purchasing a netbook (the HP Mini 2140 looks awesome) I saw a Computerworld.com article named a “Laptop Losers Hall of Shame” (http://www.computerworld.com.au/article/222142/laptop_losers_hall_shame) detailing the enormous security breaches that ensued when notebook computers were lost or stolen by employees of corporations, government agencies, or colleges. The hall of shame is both hilarious and frightening.
Smartphones are becoming the new laptops. ABI Research expects annual worldwide shipments of smartphones to exceed 334 million units by 2010, up from just more than 42 million units in 2005. With so many millions of devices carrying sensitive company data, it’s not hard to imagine what keeps security analysts up at night.
Mobile phones have evolved to a point where they equal the functionality of older notebook computers. I know that I can do pretty much every daily task I need too from my smartphone including RDPing or SSHing into servers. Like me and probably you, we use these smartphones to house critical information, such as notes, emails, and business contacts. If notebooks became such a huge security risk because they are portable, then smartphones are much worse. Brimming with insecure information, we carry these mobile devices with us at all times. For most of us, losing your mobile phone isn’t a possibility, it’s an inevitability. I have lost 2 phones with one being stolen in Vegas and the other being sucked into the ether somewhere.
Other than having more portability and ubiquity than notebooks, smartphones are also harder to control and manage because they are purchased by individual users and do double duty for work and personal use. Notebooks can be issued and centrally managed by the enterprise, but it cannot do the same for the mobile phones of every employee.
How can IT security professionals create a sound infrastructure to compensate for remote workers who are likely to be the unwitting bearers of major security threats?
As always, include the usage of mobile devices with company data in your security policy and create expectations for your company employees to follow.
When HIPAA was passed and made federal law by the Clinton administration in 1996, the fear of fines and even jail time sent the medical industry scrambling to beef up their patient data security by the 2003 deadline. However, for years afterwards, HIPAA remained a toothless tiger. Occasionally, it growled and violators were threatened to clean up their act. But it usually did not bite, as prosecutions were rare and usually mild.
Since no serious prosecutions have taken place since HIPAA went into effect in 2003, I and the medical industry have wondered if HIPAA is just a made-up boogeyman meant to frighten them into compliance.
All this changed on February 18 when the U.S. Department of Health and Human Services and the Federal Trade Commission issued a press release stating CVS had to pay $2.25 million to the U.S. government for HIPAA violations.
The HHS Office for Civil Rights (OCR) and the Federal Trade Commission caught the pharmacy chain red-handed disposing of empty pill bottles that contained patient data into dumpsters and trash containers outside select stores. Among other issues, CVS “failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; and failed to adequately train employees on how to dispose of such information properly.”
CVS Caremark Corp., the parent company of the 6,000 store pharmacy chain, must implement a robust corrective action plan that requires Privacy Rule compliant policies and procedures for safeguarding patient information in addition to its fine. CVS must also submit to a biennial audit by a third party to show their compliance.
Is HHS trying to set an example with the steep penalty? Is CVS the sacrificial lamb intended to inspire other delinquent HIPAA violators to clean up their act?
While many medical industry companies may have gambling with HIPAA violations, at least CVS learned it isn’t worth the risk. Besides the possible penalties, compromising personal patient data is a strike against the reputation of a company. And this can be more costly than any fine by the HHS.