8/6/2019 9 Things Executives Must Know
Copyright 2010 Kaulkin Media http://www.insideARM.com
9 Things Executives Must Know
About IT and Data Security
to Survive the Storm
About Kaulkin Media
Kaulkin Media is the most credible publisher of specialized news and information for the accounts receivable management (often called debt collection) industry. insideARM.com is the firm's flagship website, with over 60,000 subscribers including collection agencies and law firms, debt buyers, creditors, suppliers of technology and services to these groups, regulators, industry investors, and many other interested parties. We bring the industry's people and their stories to light, put its news and data in perspective, and inform our audience with smart, easy-to-digest content. We aim to bring together a variety of articulate yet divergent perspectives and spark important conversation about the ARM industry and where it is (or should be) headed.
For more information, visit www.insideARM.com.
1. Be Ready to Participate
Data security is no longer a task that can be delegated to IT staff. Federal law and other audit reporting standards now require executive attention to data security strategy, implementation, and continuing monitoring. From a legal/policy standpoint, data security breaches can create enough litigation and regulatory action to motivate executives into participation. From a business standpoint, downtime can be measured in thousands of dollars per hour, in labor misspent on breach notifications, loss of reputation, or even fines and punitive legal awards. Executives clearly have a stake in the consequences of data security decisions now that data security has become a critical part of business in the ARM industry.
Luckily, there's help. The IT and financial industries have developed and freely disseminate best practices guides and security frameworks. These can serve as a roadmap to your own in-house implementation of common technical and non-technical security solutions, or as a guide to evaluating third-party security consultants or the security compliance of potential vendors. These guides vary in technical detail, from tutorials built for IT staff working with specific pieces of software to executive documents written for stakeholders and other decision-makers.
See the links portion of this report for several best practices guides.
2. Not All Standards Are the Same
Payment Card Industry Data Security Standard (PCI DSS)
Developed by the major credit card companies in 2004, this standard focuses on security for payment data in businesses small to large. This certification is essential to debt recovery, since many debts are paid in monthly installments linked to a credit card. Collection agencies and debt buyers also require this certification if their portfolio includes credit card debt, which may use card numbers to identify the account.
ISO 27000 and BITS Shared Assessments
These standards are extremely comprehensive, covering all aspects of management and IT infrastructure and organizations of any size.
SAS 70
SAS 70 is a reporting standard meant to communicate the effectiveness of controls between auditors of separate organizations. It is best thought of as a communications tool, letting audits speak for one another, not a security certification itself.
3. SAS 70 Isn't a Catch-all
SAS 70 has been routinely treated as a security certification regime, but the American Institute of Certified Public Accountants (AICPA) created SAS 70 for internal communications between auditors and never meant for it to be marketed as an attestation of an organization's security to prospective clients. While an SAS 70 report may demonstrate the effectiveness of the controls it details, it does not provide any assurance that those controls are sufficient to the needs of the organization. Entire segments of the IT infrastructure may be unaccounted for in an SAS 70 report, so it's unwise to depend wholly upon one for a statement of security compliance.
4. Understand Safe Harbor Protection
Data breach notification laws vary from state to state, but most include an exemption for data which was encrypted or unreadable when taken. Encryption is the last layer of security protecting data, but also happens to be one of the most effective. Provided that the encryption keys are of sufficient quality and are kept secure, encrypted data can't realistically be recovered by intruders who obtain it. The defense is so good that it may relieve you of the obligation to notify if personally identifiable information is taken.
Encryption is a good security practice in itself, but becomes great when leveraged to avoid the worst consequences of a data breach. Losing labor, time, money, and reputation in a notification can be disastrous for a company and the ARM industry as a whole.
Consult the links in the next part of this report for resources in learning about this Safe Harbor and its applicability from state to state.
5. A Robust Firewall is Not Enough
Many companies focus their security efforts on a single piece of hardware or software: the firewall. But while essential, a firewall-only approach to security still leaves many gaps in the technical defenses around your data and completely ignores the nontechnical, human element of security.
Heavy is the Head That Wears the Crown
Imagine your organization's computer network is a medieval kingdom. There are plenty of similarities: walls, secret passwords, treasure. But the metaphor is most helpful in visualizing the many layers of security that should be brought to bear against intruders. Before the rise of the nation-state, medieval fiefdoms often had to fend off Vikings and barbarians all by themselves with limited resources. The Internet is essential to your company's commerce, but with it comes hordes of intruders massing themselves at your gate!
The vast bulk of invasion attempts are automated, with intruders' programs scanning ports for common services such as FTP or database servers. The firewall is the first line of defense. In your medieval kingdom it translates to a border crossing on the frontier where undesirable visitors are kept out by a wise guard at the gates and a thick wall as far as the eye can see. The border never closes completely, since traffic in and out of the kingdom is essential to business. Your firewall does exactly the same thing: it tries to let only legitimate traffic into your network. This means intruders can pass themselves off as legitimate travelers (or legitimate access attempts) and get closer to your treasured data.
Next, intruders will try to gain access to one of your castles: a server inside your network holding valuable data. Intruders try to gain control of them by exploiting software vulnerabilities or by just guessing different passwords. This process is semi-automated as well, with a single intruder trying hundreds or thousands of password variations each day. Servers may have firewalls of their own, as well as other countermeasures like authentication systems and anti-virus protection. It is easy to imagine that travelers going into a castle were subject to a closer inspection than they received at the border. Guards would check their cargo for contraband, and they would have needed the proper credentials to enter, like a password. Non-technical discipline can enhance this stage of security exactly like in the medieval era: change the passwords often, make them tough to guess, and continually verify the loyalty of everyone in your organization. But enough password guesses, a guard's loose lips, or an accomplice on the inside could still get an intruder past the castle gates.
Luckily, smart kings (and queens) have yet another layer of security around them and their treasure. Elite guards protect the keep, an inner sanctum and refuge and the safest place for valuables. On your server, your elite guard consists of intrusion detection systems, user privileges, and file permissions. Your keep is built of strong cryptography. Imagine the peerless resources and ingenuity needed to pilfer the treasure secreted behind all of these layers of security. The time and technical sophistication needed to breach a well-defended data store is Herculean! No system is uncrackable, but realistically you can count your data safe.
It would be foolish to focus only on the firewall, the porous frontier border. Rather, a kingdom's treasures are most secure when the effort is spread among each successive defense, making each as strong as possible without neglecting any, while cultivating the discipline needed to keep your secrets secret.
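The "castle" stage above describes a single intruder trying hundreds or thousands of password variations a day, and names intrusion detection as part of the inner guard. The Go program below is an added example for this edition, not code from Kaulkin Media or from any product; it shows the simplest form of that detection: reading sshd-style authentication log lines, counting failed logins per source address inside a sliding time window, and flagging a source that crosses a threshold, with a note when a login from the same source succeeded after the burst (the "got past the castle gates" case). The log lines, the host name and the addresses (from the 203.0.113.0/24 documentation range) are constructed for the example, and the names ParseLine, Detect, Attempt and Alert are its own.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed sample: sshd authentication lines in syslog format.
// 203.0.113.0/24 is a documentation range, so no real host is named.
const sampleLog = `Mar 10 02:14:01 castle sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 02:14:03 castle sshd[4023]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 10 02:14:04 castle sshd[4025]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar 10 02:14:06 castle sshd[4027]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 02:14:09 castle sshd[4029]: Failed password for root from 203.0.113.5 port 51242 ssh2
Mar 10 02:14:12 castle sshd[4031]: Accepted password for root from 203.0.113.5 port 51244 ssh2
Mar 10 02:15:40 castle sshd[4040]: Failed password for alice from 203.0.113.77 port 40022 ssh2
Mar 10 02:15:55 castle sshd[4042]: Accepted password for alice from 203.0.113.77 port 40024 ssh2
Mar 10 03:30:00 castle sshd[4100]: Failed password for bob from 203.0.113.9 port 40100 ssh2
Mar 10 05:45:00 castle sshd[4200]: Failed password for bob from 203.0.113.9 port 40200 ssh2
Mar 10 08:00:00 castle sshd[4300]: Failed password for bob from 203.0.113.9 port 40300 ssh2`

// Attempt is one parsed password-authentication event.
type Attempt struct {
	When   time.Time
	Source string
	User   string
	Failed bool
}

// Alert summarises a source address that crossed the failure threshold.
type Alert struct {
	Source         string
	Failures       int       // largest number of failures seen inside one window
	First, Last    time.Time // bounds of that window
	SucceededAfter bool      // a login from the same source succeeded after the burst
}

var lineRE = regexp.MustCompile(
	`^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+`)

// ParseLine extracts an Attempt from one sshd line; ok is false for
// lines that are not password-authentication events.
func ParseLine(line string) (Attempt, bool) {
	m := lineRE.FindStringSubmatch(line)
	if m == nil {
		return Attempt{}, false
	}
	// Syslog timestamps carry no year; the zero year is fine for the
	// relative comparisons Detect makes.
	when, err := time.Parse("Jan _2 15:04:05", m[1])
	if err != nil {
		return Attempt{}, false
	}
	return Attempt{When: when, Source: m[4], User: m[3], Failed: m[2] == "Failed"}, true
}

// Detect raises one Alert per source address that accumulates at least
// threshold failed logins inside any sliding window of the given length,
// and records whether a successful login from that source followed.
func Detect(lines []string, threshold int, window time.Duration) []Alert {
	bySource := map[string][]Attempt{}
	for _, l := range lines {
		if a, ok := ParseLine(l); ok {
			bySource[a.Source] = append(bySource[a.Source], a)
		}
	}
	var alerts []Alert
	for src, atts := range bySource {
		sort.Slice(atts, func(i, j int) bool { return atts[i].When.Before(atts[j].When) })
		best := Alert{Source: src}
		var fails []time.Time // failure times inside the current window
		for _, a := range atts {
			if !a.Failed {
				if best.Failures >= threshold {
					best.SucceededAfter = true
				}
				continue
			}
			fails = append(fails, a.When)
			for a.When.Sub(fails[0]) > window { // evict failures older than the window
				fails = fails[1:]
			}
			if len(fails) >= threshold && len(fails) > best.Failures {
				best.Failures, best.First, best.Last = len(fails), fails[0], a.When
			}
		}
		if best.Failures >= threshold {
			alerts = append(alerts, best)
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Source < alerts[j].Source })
	return alerts
}

func main() {
	for _, al := range Detect(strings.Split(sampleLog, "\n"), 5, 10*time.Minute) {
		fmt.Printf("%s: %d failures between %s and %s; success afterwards: %v\n",
			al.Source, al.Failures, al.First.Format("15:04:05"), al.Last.Format("15:04:05"), al.SucceededAfter)
	}
}
```

With a threshold of five failures in ten minutes, only 203.0.113.5 is flagged, and the success that follows its burst is the event worth acting on first. Widening the window to a day and lowering the threshold to three also catches the slow guesser at 203.0.113.9, which is the trade-off every such rule makes between catching patient intruders and paging on ordinary typos.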
6. Vendors Require a Hands-on Approach
Getting a handle on internal data security measures is enough of a challenge, so how do you ensure the integrity of systems beyond your control? A large part of your IT infrastructure may be remotely hosted, or accounts may be shared with multiple third-party services during day-to-day operations, so you need to make sure that your vendors and service providers are living up to the same security standards you are. Good security can still be inexpensive, but outsourcing isn't an excuse to go bargain hunting either.
Be aware of unrealistic promises or meaningless security jargon that potential providers might feed you. Since your business and reputation are at stake, closely review their policies, practices, and their own reputation among clients and peers. It's also worth familiarizing yourself with any regulations or special oversight that their industry requires. These reviews should be ongoing, alongside your own internal monitoring efforts.
7. Recognize the Sales Value
Data security doesn't have to be an obligation that's dealt with only to keep worse headaches at bay. A company that can talk effortlessly and authoritatively about its data security to clients and prospects adds value to its services and builds its reputation. This communication should be backed up with security standards compliance and case studies showing the benefits: increased availability, lower risk, and solid account integrity.
A candid and transparent discussion of your company's past breaches and their remediation might even win over a prospect savvy enough to recognize that promises of 100% uptime and unbreakable security are not honest or realistic.
8. Dont Turn a Blind Eye to Employees
The technical aspects of data security are very well-documented and usually straightforward to learn and implement. The non-technical aspects, however, depend upon your company's organization, assets, and employees and will take much more effort to control and monitor. Obvious physical security such as door locks and alarms can minimize the risk of theft, but policies governing human beings require more thought. Here are a few essentials to consider:
- Screen New Hires with multiple background checks and establish a uniform way of judging the trustworthiness of a candidate based on aggregate information.
- Monitor Threat Sources such as removable media, cell phones, thumb drives, internet use, paper documents, and any other vector by which data can leave the premises, whether accidentally or maliciously. Sometimes it's simply not feasible to search for storage media that can be as tiny as a dime (or smaller!), but building up a perception of detection could deter non-compliance.
- Educate Your Employees on the Policies You Adopt so there is no ambiguity regarding management's expectations, employees' responsibilities, and the consequences of computer misuse or other infractions.
- Deputize Your Employees with Clear Reporting Procedures. The data breach threat from within your organization is real and a certain amount of intrusive security measures are unquestionably justified, but the vast majority of employees will execute their security responsibilities in good faith and will report violations if you make the process painless.
9. Tap Into Free Resources
Good data security is not exclusive to powerful, elite organizations who can hire private armies of consultants and write blank checks for staff training. Many of the best practices are very Do-It-Yourself-friendly. For instance, the National Security Agency and Department of Defense base much of their own security framework on the same open source software (such as Linux-based operating systems) that your own company can leverage without paying for user licenses.
Security guides, standards documents, and white papers are available free of charge from organizations seeking to improve security practices across the board. After all, more education, more trusted networks, increased awareness, and better tools will make data security easier for everyone in the long run.
A sample of these free resources follows.
Links
The Building Blocks of Good Security
Center for Internet Security
http://cisecurity.org/en-us/
This site provides collaboratively-made IT security best practices with the intention of raising security and privacy threat awareness for businesses and other organizations. They offer free cross-platform server security auditing tools, benchmark reports for cross-platform server/database software, as well as extremely high quality tutorials for every level of technical skill.
NIST's Security Resource Center
http://csrc.nist.gov/publications/PubsSPs.html
Large library of security guides for specific protocols, devices, and technologies. Strategies are organized around specific threats as well.
SANS Security Policy Templates
http://www.sans.org/security-resources/policies/
This site features technical and non-technical control policy templates, from highly technical anti-intrusion manuals to executive-level briefs.
FTC Red Flags Rule
http://www.ftc.gov/redflagsrule
This site provides an ID Theft prevention guide for businesses who deal with personally identifiable data.
Controls, Security Standards, and Audits
Payment Card Industry Data Security Standard
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
This initiative is a coalition effort of the major credit card companies to develop payment account security standards. You can find a barebones checklist of each point of the PCI DSS standard, a separate Navigating the PCI DSS document with plain-language explanations of each requirement, as well as links to certified software packages and security compliance vendors.
The ISO 27000 Directory
http://www.27000.org
Links to purchase the standard.
BITS Shared Assessment
http://www.sharedassessments.org
The BITS Agreed Upon Procedures (AUP) provide an outline of original AUP requirements as well as their counterpart requirements in other standards documents like ISO 27000, SIG 5.0, and national/international certifications. The guide includes a 10-page glossary of technical, risk management, and auditing terms.
The site also has Excel worksheets and forms to document, manage, and organize compliance.
SAS 70
http://sas70.com
SAS 70 is a reporting standard allowing open and clear communication of controls between service organizations.
SAS No. 70 Transformed
http://www.aicpa.org/News/FeaturedNews/Pages/SASNo70Transformed%E2%80%93ChangesAheadforStandardonServiceOrganizations.aspx
SAS 70 is currently splitting into two standards:
1. User (financial) audits, which include sub-audits of service organizations.
2. Service organization (non-financial) audits.
The site includes a webcast about the transformation of the SAS 70 standard as well as details about future guides regarding financial and non-financial controls.
AICPA FAQs: New Service Organization Standards and Implementation Guidance
http://www.aicpa.org/InterestAreas/AccountingAndAuditing/Resources/AudAttest/AudAttestGuidance/DownloadableDocuments/Final%20Service%20Orgs%20FAQ.pdf
This PDF tells more about the branching and refinements of the AICPA standards relating to data security. A new requirement that management attest to the control system is especially noteworthy.
Safe Harbor Breach Notification Exemption Rules
ACA Fastfax 3017
http://www.acainternational.org/files.aspx?p=/images/14193/fastfax-securitybreachchart2.pdf
This highly detailed PDF chart includes notification details and exemptions for security breaches, broken down by state. Requires ACA membership.
State Security Breach Notification Laws
http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx
This site features links to each breach notification law or statute by state.
CLLA's Breach Laws Matrix
http://www.clla.org/documents/breach.xls
An Excel spreadsheet with citation/link to notification law, details of the provision, and exceptions to it.
Dissecting Breaches and Knowing Your Enemy
2010 Data Breach Investigations Report and Other Verizon Materials
http://www.verizonbusiness.com/resources/1002a2a10-111-Security.xml
This site provides security whitepapers on a variety of subjects.
http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
This extremely detailed statistical report examines the causes of breaches, threats, mitigation and much more.
http://securityblog.verizonbusiness.com/
The Verizon security blog includes security news as well as multimedia (podcasts, webinars, reports).
Identity Theft Resource Center
http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List.shtml
This site provides an individual breach incident list with more of an anecdotal focus.