Compliance mandates do not make up your enterprise security program (PCI, SOX, GLBA, etc.. included)

A challenge for large businesses is addressing their own information security needs to manage their operations in a manner that allows them to be resilient and adaptable in an ever competitive market place.  Each organization is different – the risks and the needs to mitigate.  A painful evolution of the past decade has been the mistaken direction organizations have taken to build / address singular compliance instances.  Meaning, organizations develop programs to address single compliance requirements – vendors, SEC, industry, etc …  Not that these are not important, but a natural effect of this is the perception that the security “controls” (even the word doesn’t lend itself in the right non-audit light) are there to achieve compliance.

The mistake is achieving compliance to compliance requirements alone.  There is a gap in the business’ OWN needs.  Over the past year I have spoken on this topic publicly at conferences and my book  has a huge focus on aligning and establishing business requirements cohesively.

To elaborate on the graphic … the CxO office must be aware and share their strategy – typically easy to find, as I generally begin building these programs from the 10-k reports over last two years.  These feed the information security program elements and form the decision framework against all technology, security controls, risk frameworks, sourcing considerations, recovery timelines, etc…  In addition, the compliance elements must be addressed – but with the understanding these are risk transfer activities by third parties.  Not to be the basis of the enterprise program, but a singular consideration.

The capability of the organization to address market competitive requirements is based upon the proper balance.  Here you can see the target is 85% of the program is made up by the business’ own innovative and market driving / supporting activities.  15% of the program to meeting these ‘license to operate’.

The takeaway is to challenge your organization’s singular managed compliance initiatives and a deep dive on budget alignment to business revenue generation.  There must be rationalization to the safeguards to make the business efficient and effective – that includes safeguarding and enabling the business to conduct business, everywhere.

Thoughts?  Challenges?

James

Enforcement of HIPAA / HITECH violations and how to improve

A great challenge with gaining massive industry adoption of a set of standards – regardless of security, privacy, or operational effectiveness measures is making it worthwhile.  Some aspects of regulation and industry led practices are obvious and clear.  Others are strikingly similar (duplication in many instances) and can be adopted simply by communication and adjustments.  Unfortunately there are specific requirements that are not sufficient alone as self-evident, and these are then made necessary through fines and punitive actions.

HIPAA / HITECH components are absolutely valuable to the consumer, the individual enterprise, and the industry as a whole.  This is true when the directives are merged into the existing culture, and the business is able to remain competitive.  There are challenges of course when a business tries to bolt-on a set of requirements, as these are seldom done efficiently, effectively, and are generally unsustainable.

The financial damage to industry is clear – the most recent studies show over the past 5 years data breaches have cost victims $139 billion (Digital Forensics Association).  In addition there is a growing trend of enforcement by state and the federal agencies, such as the California DPH actions (audio teleconference file).

When these enforcements are released though there is always valuable intelligence released highlighting what is expected – today.  This perspective reinforces that security mandates’ intent are to secure the data, and businesses must shift and respond as the attack vector shifts and evolves.  The recent Rite Aid $1,000,000 penalty enforced by the OCR and FTC provided the following direction:

1. Implementation of complete and sufficient Policies and Procedures is critical – specifically must include safeguarding PHI during the disposal process (dumpsters, shredding, disk wipe management, third party terminations)
2. Develop complete training related to all aspects for protection of sensitive information – job specific training
3. Develop, implement, and maintain sanctions policies

A nice article regarding Rite Aid is available here from Information Week.

As has been consistent with prior Federal enforcement, a 20 year expectation of independent security assessments is required with sufficient monitoring and triggering.  Here is the link to the Federal press release.  Other case examples and resolutions are available here.

As the data suggests that 395,000 individuals’ data files are being stolen daily, this is not a focus on the Healthcare sector but to provide lessons learned from others.

Symantec’s 2010 State of Enterprise Security

The 2010 survey is complete and I have dug through and have the following thoughts to offer.  First off though – thank you to Symantec for making the information so readily available.  They have provided the slides via slideshare, the PDF report, and the press release.  My efforts below are not to reproduce the report, but instead to carry the ideas and findings one step further.  In addition, my hopeful final goal is to challenge the report and certain aspects of the findings in the spirit of relative context.

“Enterprise security is IT’s top concern” – when compared to the other options listed in the survey I do not find this impressive, as digital threats are the most direct concerns.  On page 5 of the report though the detail about 94% of businesses expect to change their cyber security efforts and 48% are planning major changes is impressive.  That highlights the intelligent repositioning of enterprises and the continued focus on remaining engaged with the threats and not passive.  This also likely has correlation to businesses increased focus on deploying greater information technology throughout the business, and throughout the expanding consumer / business markets.  Major changes are a natural result in these cases.

“Enterprises experiencing frequent attacks” – 75% of business experienced a cyber attack within the past 12 months is a significant figure.  If a cyber attack is considered an event that “activates” the incident response teams and / or forensic groups that is a significant cost and concern.  Attacks, as every firewall administrator and Grandmother who gets a virus, occur non-stop online, so it is important to qualify and scale these attacks by crtiicality.  This is an important fact in the survey, but more important in the enterprise.  The help desk of most organizations is ably suited to respond to malware infections and queuing systems for remote desktop configuration refreshes.  For situations that involve a lose of trust for a specific system resulting from extended malware infection, odd behavior, or log evidence of unauthorized access – these systems should activate the appropriate resources to address these risks directly.

Most problematic IT initiatives from a Security standpoint:

• Infrastructure-as-a-Service
• Platform-as-a-Service
• Server Virtualization
• Endpoint virtualization
• Software-as-a-Service

The common thread of these initiatives is the abstract nature of the actual computing system.  Whether virtual or processed within a distributed computing environment the necessity to translate information security safeguards is not automatic.  In fact, most conversions into these initiatives highlights the inherent weaknesses that are present in the existing infrastructure, but were addressed through compensated / ad-hoc controls.  Therefore, while difficult the net risk posture will improve.  Another perspective is the organizational shift that occurs when network/system operators become service delivery specialists.  This cultural swing away from computing system management to application procurement and service management requires careful attention, training, and tight feedback cycles.

The report concludes with some strategic recommendations that are worth reviewing and confirming are currently in operation.

Overall the statistics and findings are in-line with concerns and challenges enterprises have been addressing last year.  The survey provides a nice update and is certainly useful.  As in any survey, consider the source and recognize that your environment is unique.  Such individuality of computing systems by its very nature requires a custom and reflective approach to managing risk and security within the organization.

Best regards,

James DeLuccia

Devolution, Forrester, Synergies, and reducing TOC

Devolution was pitched yesterday by Forrester Researcher Andrew Jaquith – on a Webcast entitled “Effective Data Security: No Forklift Required”. I quite enjoyed the presentation and thought the concepts were timely and consistent with what have been needed in the market. In fact, I spoke on this last year at the RSA Conference 2008 and dedicate a portion of my book IT Compliance and Controls on this concept. However, my focus was on synergies across business controls and operation targets and less upon the DLP type challenges Forrester was addressing. The Forrester Research provided good details into the expected shifts in budget, but not the shift in how IT functions and security safeguard requirements shall evolve in these situations.

There is tremendous value to be gained from current technology deployments, and tremendous waste occurs when organizations do not communicate. While that is not a very insightful statement one should consider – Organizations that require their technology to met 99.9xx% uptime and undergo several audits on privacy / pci / sox / IFRS / FISMA / HIPAA that do not align these underlying technology components are wasting money and time. Specifically, according to my research and field experience these institutions tend to be more INsecure despite the heavy focus on meeting audit deadlines and customer SLA. To save on budget, regardless of the state of economy, find synergies and move forward with better security and less service problems. A key litmus test – does your staff have to respond more then once for an audit – if so, this is a symptom of wasted effort and untapped budget flexibility.

During the Forrester call there were several great questions posed. If you are able to attend future Research calls I would advise posting questions to ensure maximum value.

Thoughts and Comments?

James DeLuccia IV

**Speaking at RSA 2009 on the Payment Card Industry, April 22nd 2009**