9 Things Executives Must Know


8/6/2019 9 Things Executives Must Know

Copyright 2010 Kaulkin Media http://www.insideARM.com

9 Things Executives Must Know About IT and Data Security to Survive the Storm


About Kaulkin Media

Kaulkin Media is the most credible publisher of specialized news and information for the accounts receivable management (often called debt collection) industry. insideARM.com is the firm's flagship website, with over 60,000 subscribers including collection agencies and law firms, debt buyers, creditors, suppliers of technology and services to these groups, regulators, industry investors, and many other interested parties. We bring the industry's people and their stories to light, put its news and data in perspective, and inform our audience with smart, easy-to-digest content. We aim to bring together a variety of articulate yet divergent perspectives and spark important conversation about the ARM industry and where it is (or should be) headed.

For more information, visit www.insideARM.com.


1. Be Ready to Participate

Data security is no longer a task that can be delegated to IT staff. Federal law and other audit reporting standards now require executive attention to data security strategy, implementation, and continuing monitoring. From a legal/policy standpoint, data security breaches can create enough litigation and regulatory action to motivate executives into participation. From a business standpoint, downtime can be measured in thousands of dollars per hour, in labor misspent on breach notifications, loss of reputation, or even fines and punitive legal awards. Executives clearly have a stake in the consequences of data security decisions now that data security has become a critical part of business in the ARM industry.

Luckily, there's help. The IT and financial industries have developed and freely disseminate best practices guides and security frameworks. These can serve as a roadmap to your own in-house implementation of common technical and non-technical security solutions, or as a guide to evaluating third-party security consultants or the security compliance of potential vendors. These guides vary in technical detail, from tutorials built for IT staff working with specific pieces of software to executive documents written for stakeholders and other decision-makers.

See the links portion of this report for several best practices guides.

2. Not All Standards Are the Same

Payment Card Industry Data Security Standard (PCI DSS)

Developed by the major credit card companies in 2004, this standard focuses on security for payment data in businesses small to large. This certification is essential to debt recovery, since many debts are paid in monthly installments linked to a credit card. Collection agencies and debt buyers also require this certification if their portfolio includes credit card debt, which may use card numbers to identify the account.


ISO 27000 and BITS Shared Assessments

These standards are extremely comprehensive, covering all aspects of management and IT infrastructure and organizations of any size.

SAS 70

SAS 70 is a reporting standard meant to communicate the effectiveness of controls between auditors of separate organizations. It is best thought of as a communications tool, letting audits speak for one another, not a security certification in itself.

3. SAS 70 Isn't a Catch-all

SAS 70 has been routinely treated as a security certification regime, but the American Institute of Certified Public Accountants (AICPA) created SAS 70 for internal communications between auditors and never meant for it to be marketed as an attestation of an organization's security to prospective clients. While an SAS 70 report may demonstrate the effectiveness of the controls it details, it does not provide any guidance that those controls are sufficient to the needs of the organization. Entire segments of the IT infrastructure may be unaccounted for in an SAS 70 report, so it's unwise to depend wholly upon one for a statement of security compliance.

4. Understand Safe Harbor Protection

Data breach notification laws vary from state to state, but most include an exemption for data which was encrypted or unreadable when taken. Encryption is the last layer of security protecting data, but also happens to be one of the most effective. Provided the encryption keys are of sufficient quality and are kept secure, encrypted data can't realistically be recovered by intruders who obtain it. The defense is so good that it may relieve you of the liability to notify if personally identifiable information is taken.

Encryption is a good security practice in itself, but becomes great when leveraged to avoid the worst consequences of a data breach. Losing labor, time, money, and reputation in a notification can be disastrous for a company and for the ARM industry as a whole.

Consult the links in the next part of this report for resources on this Safe Harbor and its applicability from state to state.


5. A Robust Firewall is Not Enough

Many companies focus their security efforts on a single piece of hardware or software: the firewall. But while essential, a firewall-only approach to security still leaves many gaps in the technical defenses around your data and completely ignores the nontechnical, human element of security.

Heavy is the Head That Wears the Crown

Imagine your organization's computer network is a medieval kingdom. There are plenty of similarities: walls, secret passwords, treasure. But the metaphor is most helpful in visualizing the many layers of security that should be brought to bear against intruders. Before the rise of the nation-state, medieval fiefdoms often had to fend off Vikings and barbarians all by themselves with limited resources. The Internet is essential to your company's commerce, but with it come hordes of intruders massing themselves at your gate!

The vast bulk of invasion attempts are automated, with intruders' programs scanning ports for common services such as FTP or database servers. The firewall is the first line of defense. In your medieval kingdom it translates to a border crossing on the frontier where undesirable visitors are kept out by a wise guard at the gates and a thick wall as far as the eye can see. The border never closes completely, since traffic in and out of the kingdom is essential to business. Your firewall does exactly the same thing: it tries to let only legitimate traffic into your network. This means intruders can pass themselves off as legitimate travelers (or legitimate access attempts) and get closer to your treasured data.

Next, intruders will try to gain access to one of your castles: a server inside your network holding valuable data. Intruders try to gain control of servers by exploiting software vulnerabilities or by just guessing different passwords. This process is semi-automated as well, with a single intruder trying hundreds or thousands of password variations each day. Servers may have firewalls of their own, as well as other countermeasures like authentication systems and anti-virus protection. It is easy to imagine that travelers going into a castle were subject to a closer inspection than they received at the border. Guards would check their cargo for contraband, and travelers would have needed the proper credentials to enter, like a password. Non-technical discipline can enhance this stage of security exactly as in the medieval era: change the passwords often, make them tough to guess, and continually verify the loyalty of everyone in your organization. But enough password guesses, a guard's loose lips, or an accomplice on the inside could still get an intruder past the castle gates.

Luckily, smart kings (and queens) have yet another layer of security around them and their treasure. Elite guards protect the keep, an inner sanctum and refuge and the safest place for valuables. On your server, your elite guard consists of intrusion detection systems, user privileges, and file permissions. Your keep is built of strong cryptography. Imagine the peerless resources and ingenuity needed to pilfer the treasure secreted behind all of these layers of security. The time and technical sophistication needed to breach a well-defended data store is Herculean! No system is uncrackable, but realistically you can count your data safe.

It would be foolish to focus only on the firewall, the porous frontier border. Rather, a kingdom's treasures are most secure when the effort is spread among each successive defense, making each as strong as possible without neglecting any, while cultivating the discipline needed to keep your secrets secret.

6. Vendors Require a Hands-on Approach

Getting a handle on internal data security measures is enough of a challenge, so how do you ensure the integrity of systems beyond your control? A large part of your IT infrastructure may be remotely hosted, or accounts may be shared with multiple third-party services during day-to-day operations, so you need to make sure that your vendors and service providers are living up to the same security standards you are. Good security can still be inexpensive, but outsourcing isn't an excuse to go bargain hunting either.

Be aware of unrealistic promises or meaningless security jargon that potential providers might feed you. Since your business and reputation are at stake, closely review their policies, practices, and their own reputation among clients and peers. It's also worth familiarizing yourself with any regulations or special oversight that their industry requires. These reviews should be ongoing, alongside your own internal monitoring efforts.

7. Recognize the Sales Value

Data security doesn't have to be an obligation that's dealt with only to keep worse headaches at bay. A company that can talk effortlessly and authoritatively about its data security to clients and prospects adds value to its services and builds its reputation. This communication should be backed up with security standards compliance and case studies showing the benefits: increased availability, lower risk, and solid account integrity.

A candid and transparent discussion of your company's past breaches and their remediation might even win over a prospect savvy enough to recognize that promises of 100% uptime and unbreakable security are not honest or realistic.

8. Don't Turn a Blind Eye to Employees

The technical aspects of data security are very well-documented and usually straightforward to learn and implement. The non-technical aspects, however, depend upon your company's organization, assets, and employees and will take much more effort to control and monitor. Obvious physical security such as door locks and alarms can minimize the risk of theft, but policies governing human beings require more thought. Here are a few essentials to consider:

Screen New Hires with multiple background checks and establish a uniform way of judging the trustworthiness of a candidate based on aggregate information.

Monitor Threat Sources such as removable media, cell phones, thumb drives, internet use, paper documents, and any other vector by which data can leave the premises, whether accidentally or maliciously. Sometimes it's simply not feasible to search for storage media that can be as tiny as a dime (or smaller!), but building up a perception of detection could deter non-compliance.

Educate Your Employees on the Policies You Adopt so there is no ambiguity regarding management's expectations, employees' responsibilities, and the consequences of computer misuse or other infractions.

Deputize Your Employees with Clear Reporting Procedures. The data breach threat from within your organization is real, and a certain amount of intrusive security measures are unquestionably justified, but the vast majority of employees will execute their security responsibilities in good faith and will report violations if you make the process painless.

9. Tap Into Free Resources

Good data security is not exclusive to powerful, elite organizations that can hire private armies of consultants and write blank checks for staff training. Many of the best practices are very Do-It-Yourself-friendly. For instance, the National Security Agency and Department of Defense base much of their own security framework on the same open source software (such as Linux-based operating systems) that your own company can leverage without paying for user licenses.

Security guides, standards documents, and white papers are available free of charge from organizations seeking to improve security practices across the board. After all, more education, more trusted networks, increased awareness, and better tools will make data security easier for everyone in the long run.

A sample of these free resources follows.


Links

The Building Blocks of Good Security

Center for Internet Security
http://cisecurity.org/en-us/
This site provides collaboratively-made IT security best practices with the intention of raising security and privacy threat awareness for businesses and other organizations. They offer free cross-platform server security auditing tools, benchmark reports for cross-platform server/database software, as well as extremely high quality tutorials for every level of technical skill.

NIST's Security Resource Center
http://csrc.nist.gov/publications/PubsSPs.html
Large library of security guides for specific protocols, devices, and technologies. Strategies are organized around specific threats as well.

SANS Security Policy Templates
http://www.sans.org/security-resources/policies/
This site features technical and non-technical control policy templates, from highly technical anti-intrusion manuals to executive-level briefs.

FTC Red Flags Rule
http://www.ftc.gov/redflagsrule
This site provides an ID Theft prevention guide for businesses that deal with personally identifiable data.

Controls, Security Standards, and Audits

Payment Card Industry Data Security Standard
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
This initiative is a coalition effort of the major credit card companies to develop payment account security standards. You can find a barebones checklist of each point of the PCI DSS standard, a separate "Navigating the PCI DSS" document with plain-language explanations of each requirement, as well as links to certified software packages and security compliance vendors.


The ISO 27000 Directory
http://www.27000.org
Links to purchase the standard.

BITS Shared Assessment
http://www.sharedassessments.org
The BITS Agreed Upon Procedures (AUP) provide an outline of original AUP requirements as well as their counterpart requirements in other standards documents like ISO 27000, SIG 5.0, and national/international certifications. The guide includes a 10-page glossary of technical, risk management, and auditing terms. The site also has Excel worksheets and forms to document, manage, and organize compliance.

SAS 70
http://sas70.com
SAS 70 is a reporting standard allowing open and clear communication of controls between service organizations.

SAS No. 70 Transformed
http://www.aicpa.org/News/FeaturedNews/Pages/SASNo70Transformed%E2%80%93ChangesAheadforStandardonServiceOrganizations.aspx
SAS 70 is currently splitting into two standards:
1. User (financial) audits, which include sub-audits of service organizations.
2. Service organization (non-financial) audits.
The site includes a webcast about the transformation of the SAS 70 standard as well as details about future guides regarding financial and non-financial controls.

AICPA FAQs: New Service Organization Standards and Implementation Guidance
http://www.aicpa.org/InterestAreas/AccountingAndAuditing/Resources/AudAttest/AudAttestGuidance/DownloadableDocuments/Final%20Service%20Orgs%20FAQ.pdf
This PDF tells more about the branching and refinements of the AICPA standards relating to data security. A new requirement that management attest to the control system is especially noteworthy.


Safe Harbor Breach Notification Exemption Rules

ACA Fastfax 3017
http://www.acainternational.org/files.aspx?p=/images/14193/fastfax-securitybreachchart2.pdf
This highly detailed PDF chart includes notification details and exemptions for security breaches, broken down by state. Requires ACA membership.

State Security Breach Notification Laws
http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx
This site features links to each breach notification law or statute by state.

CLLA's Breach Laws Matrix
http://www.clla.org/documents/breach.xls
An Excel spreadsheet with citation/link to notification law, details of the provision, and exceptions to it.

Dissecting Breaches and Knowing Your Enemy

2010 Data Breach Investigations Report and Other Verizon Materials
http://www.verizonbusiness.com/resources/1002a2a10-111-Security.xml
This site provides security whitepapers on a variety of subjects.
http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
This extremely detailed statistical report examines the causes of breaches, threats, mitigation, and much more.
http://securityblog.verizonbusiness.com/
The Verizon security blog includes security news as well as multimedia (podcasts, webinars, reports).

Identity Theft Resource Center
http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List.shtml
This site provides an individual breach incident list with more of an anecdotal focus.
