Will Information Security & Privacy Compliance Come to This?

Image via Wikipedia

Yesterday a client rescheduled a meeting because "the State" showed up to audit their medical operations.  The State of Ohio regulators conducts spot visits in this industry on a spontaneous basis.  When they come in, typically unannounced, everything stops so that they can conduct their spot audit.

"Hi, I'm from the <FTC/HHS/DHS/ETC> and I need to see your log files and your patch management reports ... "

Do you think information security and privacy compliance will ever get to that point?

 

Why should senior management be involved in security decisions?

I am putting the finishing touches on an executive presention for a client.  Our finding, after a series of technical tests, a review of their policies and their security administrative compents was that they are generally proactive on securty from a technical perspective but any additional maturation or improvement of their program requires management involvement.

I am going to present this to senior management team that has already informed me they don't want to hear that message.

This isn't the first time Jacadis has encountered such a situation.

Why should senior management be involved in security decisions?

At some level security decisions are really risk management decisions and not just technical, information security decisions.  Even the strongest technical team can't know the risks, obligations, contracts and mission priorities that senior management brings to the table. 

Sorry, managers but this isn't just geeky stuff.

Here is a quick list of five questions that my client's technical team needs senior management input, involvement and or leadership on:

1. Are we obligated by law or contract to HIPAA?
2. Are we obligated to PCI?  Are we exposed in the way we handle crtedit card data?
3. How long can your business operate with reduced computer facilities?  Which facilities are most important to the mission?
4. How will we respond to illegal activity on our network? Attacks from outside? In the event of a breach?
5. What are our employees permitted to do with social media outside of work hours on their own computers?

Are you putting your technical team in a spot where you expect them to protect your business but don't share with them critical information or involve yourself in their decision making process?  If you are in a business that is data driven (and which business today isn't) your lack of involvement will likely ensure a high technical team turnover, raise the possibility that you will have security issues interfere with your business, decrease the resiliency of your business and potentially put at risk vendor and client relationship while also opening your business (and perhaps yourself personally) to legal and regulatory liability.

 

Gap between what employees think and do versus what employers think and do

Last week I gave a Lunch and Learn Presentation to a group of business people and enterpreneurs at the Dublin Chamber of Commerce on Living Securly in a Digital World. 

Researching the topic for fresh material I tripped across a Unisys study that shows a disturbing gap between what employees and what employers think about data use in the  enterprise:

• While 67% can access non-work-related websites only 44% of employers agree.
• While 52% of workers say they can store personal data on the company network only 37% of employers agree.

Do you have that same perception gap in your company?

As an employer it may mean behaviors you don't want, non-productive sites visited during work time or worse, malware introduced into the company network. As an employer, it may also mean extra storage costs or extremely awkward moments during terminations (can I have my data back?!).

As an employee, it may mean a disciplinary action for what you think is approved or allowed behavior.  And more importantly it might mean loss of personal data an information if you lose or leave your job (or the company closes).

It is in the best interests of both sides of this divide to close the gap.

What life tasks do you do online?

I am giving a talk to the Dublin Chamber of Commerce this Thursday on Living Securely in a Digital World.  As I've started preparing my presentation I've come to realize that almost everything we do or have done in the analog (fancy name for "real world") we can now do in the digital world.  I'm going to talk from  frmy experience, but I'd like yours as well.  Here are some things I do online that used to be real world things for me ... would you share your list?

• Communicate with friends
• Search for employees
• Plan and record my workouts
• Plan travel
• Maps
• Look up recipes
• Bank
• Invest
• Pay bills
• Stay informed
• Monitor boys homework
• Write and publish

When the snow flies & the power dies will the generator do its thing? You sure?

Forecast is for some snow tomorrow here in Columbus.  One of my clients just last week shared it had taken a couple of months to get maintenance to test the back up generator.  They finally went to fire it up to test that it worked and .... nothing.  Tried again.  Nothing.  Their hardware vendor responded quickly. Turns out that the broken part was under warranty but was 48 hours away.

The test was conducted on one of those warm sunny days we had before Thanksgiving.  We aren't supposed to get much snow tomorrow but you never know here in Ohio.  Had the part failure not been found until it was actually needed the 48 hour shipping wait could have been catastrophic.

Our client did two things right:

1.  They created a policy calendar.  Policies should be formal statements of value supported by the routines  (processes) that must be followed to meet the stated value. Most of the time though policies are dead documents that state something a client would like to do but doesn't get around to doing.  My client's policy calendar lets them manage the normal routines of their "HIPAA year" which operationalizes their compliance.

2.   They actually tested the process.  The IT Director didn't take no for an answer as maintenance continued to put his test request off. 

How are you doing?

Have you operationalized your HIPAA program?

Have you tested your generator, your back up processes and your contingency operations plan?

 

Tablets, tablets everywhere ....

I've been bombed (not spammed because I know the people sending me the emails) with this message from a number of Verizon representatives. 

Tablets are fast becoming a useful tool in business and our everyday lives.  More and more businesses are buying tablets to help streamline workflow and bee more efficient.  More and more people are buying tablets for personal use because of their small size, ease of use and their multi-functionality versus a laptop. 

Tablets bought in the United States:  
                                    
               2010 – 19.5 million
               2011 – 54.8 million (proj)
               2012 – 103.4 million (proj)
               2013 – 154.2 million (proj)
               2014 -  208.0 million (proj)

Millions of tablets doing work once done behind walls creates a more mobile and more productive (maybe) workforce but it also creates a more vulnerable information system.

Are you finding tablets are a useful addition to your business and personal life? 

What are you doing to protect your tablet and the information on it? 

Make sure that is a part of your decision to move your work and personal computing to a tablet form factor.

Related articles

• Who really needs a stinking tablet, anyway? (zdnet.com)
• 79% of Consumers Crave Tablets Over Laptops (mashable.com)

Security Job Posting: Jacadis Searching for Service Delivery Manager

I have lots to say about what I’ve learned at the Gartner IT Symposia in Orlando as well as some other events relating to small business security and risk management. But I came back to a team that had further positioned Jacadis for growth.  So instead of blogging I’ve been working  to build out some additions to our work team.

We are currently looking for a hands on IT Project Manager with the capability and motivation to grow our services team along with their career.  This is the posting we'll be placing formally on Monday. 

Is this you?

• Do you have a mix of IT technical knowledge combined with strong communication oand organizational skills plus a desire to move out of the day to day technical detals and into a management role?
• Does the thought of building something alongside a high performing team excite you more than the thought of maintaining something built by others before you?
• Are you that unique individual who can work with technology, communicate with others regardless of their IT skill, manage multiple personality types and projects and balance business performance and quality?
• Are you PMP certified or headed down that road?
• Does your work style embrace best  for project management processes, tools and techniques?
• Are you driven to solve tough problems and satisfy customers at all costs?

We are looking for that special person to join us as our Services Delivery Manager.   You’ll join us as the coordinator of a 5 person services team, manage all of our project delivery and then as the company grows you’ll grow alongside it professionally as we continue to build that team.

Download Services Delivery Manager 2011

 

 

 

Security Job Openings: Jacadis looking for Security Analysts

Jacadis is about to begin the search for a security analyst to join our team.  Likewise, we also have the desire to build an ongoing relationship with 1 or 2 independent security analysts who could take project work on as it comes in.  The positions we are looking to fill are all similar to the job description I've attached to this post. 

The employee analyst will ideally be a generalist with any alphabet soup acronyms (PCI DSS, HIPAA, GLBA, ISO, etc.) being a bonus. 

The independents we are looking for will ideally have some HIPAA or healthcare security in their backgrounds in addition to the security and consulting skills we list in the job description. 

Please email me directly with questions.  If you wish to apply send a cover letter and resume to me directly as well. 

Download Security Analyst 2011

 

 

Are you naturally inclined to protect your own business secrets? I don't think so ...

I am reading the Verizon 2011 PAYMENT CARD INDUSTRY COMPLIANCE REPORT to gain some insight from the perspective of the mid-sized enterprises that I typically consult with on governance and management matters related to their information security and assurance.

In the forward is a statement that jumped out at me:

Information security exists for two distinct purposes: to enable an entity (a person, business, or government) to protect their own secrets, and to enable an entity to protect another entity’s secrets. The former will occur naturally—one is naturally incented to protect one’s own secrets. The latter, however, does not—it is an externality. As such, it is sometimes necessary to create regulatory bodies to ensure that these secrets are adequately protected.

I have to comment (and that scares me because I am two pages in to a 36 page report).

The assertion is that we are "naturally incented to protect one's own secrets". 

I generally think that is true in the context of real life and the physical world.  I hide the Christmas gifts from my kids and the new kettlebells I purchased from my wife.  My neighbors don't know my credit card numbers, my social security number or the result of my latest physical.  We don't talk about our crazy uncle.  Everyone has those kinds of secrets and is inclined to protect them.

In the business world we have similar secrets.  Our new marketing campaign.  The new untapped market niche one of the sales people discovered.  Our secret sauce.  Customer lists.  Bank account information.  Sales commission agreements between the company and each salesperson.  Business people ARE inclined to protect those kinds of secrets.

In the personal and the business examples above the secrets are physical secrets or "secrets of the mind".  The moment we digitize those secrets though I think the inclination changes.  There is a desire to protect them but the inclination to protect is twarted by a lack of awareness about how well protected these secrets are and about what might attack them or the system they are "safely" stored on.

Said differently, the unaware business owner just might be inclined to want to protect his "own secrets" but most likely doesn't realize they are exposed.

Several years ago we had a prospective client come calling.  They had been breached. It wasn't a legally reportable breach as no personally identifiable information was involved.  It was a mess, however.  No logs to allow much of an investigation.  The weakness in the soon to be our client's systems was human error.  They had simply not attended to the necessary effort needed to secure the system.  In non-technical terms they had built a building but not put a lock on it or watched the door.   Their losses were intangibles.  Source code to a custom app was taken.  Code in production on their servers was contaminated.  Nothing was backed up so work had to be redone to get them back to a pre-breakin state.

Physically when I first visited their facility I entered from an outside door inta an empty locked room.  In that room, with double locked doors and a camera is a phone.  Instructions clearly stat to call your appointment from the phone and then they will come to get you.  We've assessed the environment since we first met as a an outcome of the breach and the system, though primative works.

They understand the physical and lock it down pretty well.  In the physcial sense they are inclined to "protect their secrets" (or at least their physical property).  But until that breach occured they didn't understand that the hard work invested in their custom code, the code itself and "secrets" kept in databases on their servers were every bit as exposed as if a customer list or some other printed form was sitting unattended in that entry room or outside the front door.

When it came to their virtual goods, the electronic equivalance of that secure room, locked down and monitored, didn't exist.

Why? Were they not "naturally incented to protect one's own secrets'?" 

I think they were inclined to protect their own secrets.  After some education they now have the electronic equivalance of that secure room.

The issue for them and I think for many, if not most, business owners, even in technology fields, is that there is a lack of awareness of what is at risk, where weakness lie and what might be attacking those weaknesses.

I believe it is an imperative for a business owner or executive to understand the context of their business. If much of their business occurs electronically then understanding the context of that environment is an imperative.  Only through that awareness and understanding can your inclination to protect your secrets be real.

Are you naturally inclined to protect your business secrets?

Are you aware of how those electronic secrets are protected?

Are you aware of weaknesses in your system security that would allow an attacker an entry point?

Are you aware of who the attacker might be? Or what they might want?

Have you assessed your security posture?

Again, are you naturally inclined to protect your business secrets?

In today's fluid world your information assets are many places ... do you know them all?

Information security focuses on maintaining the confidentiality, integrity and availability of your information.  Conventionally, information security activities in most businesses focus on maintaining confidentiality, integrity and availability for information on the company network and company owned computing devices such as laptops, cell phones, smart phones, etc.

But in today's fluid world your information assets are many other places.  Do you know where your data flows?

As you work with your IT department use this quick check list to make sure you are talking about all the places your company information is located and make certain you have plans in place to maintain confidentiality, integrity and availabilty of that information as well as the information on your company network.

Do you allow employee's personal devices such as cell phones, smart phones, tablets, USB drives and other devices to connect to your company computers?  Do employees work with company information on those personal tools?  Do they receive voice mails on them? Email? Other information?

Do employees that telecommute work from home on company laptops? or do they use their home computer? home fax? home printer?

Are you sharing or storing information through online services such as Sharefile or Dropbox? 

Are employees taking paper files home?

Are you sharing data and information with service providers in your suppply chain?

Where else might your information and data flow?