
Proventia Integrated Security Appliance


.: Company Profile

Advocate Health Care, based in Oak Brook, Illinois, is the largest, fully integrated not-for-profit health care delivery system in metropolitan Chicago, and is recognized as one of the top systems in the country. Advocate has eight hospitals and two children's hospitals with 3,500 beds and more than 200 care sites, as well as a privately held full-service home health care company. More than 4,600 physicians are on staff at Advocate hospitals and more than 24,500 persons are employed at its sites, making it Chicago's 10th largest employer. Advocate's roots go back more than 100 years. It took on its present form in 1995 with the merger of Evangelical Health Systems Corporation and Lutheran General HealthSystem, two faith-based organizations. Its primary academic and teaching affiliation is with the University of Illinois at Chicago Health Sciences Center.

.: Tighter Controls Were Needed to Secure Hundreds of Locations

Advocate Health Care's more than 200 care facilities are spread throughout metropolitan Chicago and connect into a central network. There are important central information hubs as well as smaller branch locations tied in to those hubs. Accessibility and uptime are essential for every care site in the network. Additionally, some departments, notably radiology and cardiology, require massive bandwidth to handle their imaging resources.

Maintaining network security and protecting confidential patient data for such a widespread enterprise is the responsibility of Director, Enterprise Architecture/Network Security Gary Horn and his staff, led by Regional Team Leader for Network Security Sterling Davis. About three years ago the company reorganized its information security (IS) department, and one of the first items of business for the reconfigured department was to improve its network security.

“We were getting hit with viruses, spam … people were doing inappropriate things on their computers,” Davis explained.

Proventia® Integrated Security Appliance PROTECTS ADVOCATE HEALTH CARE'S DIVERSE METROPOLITAN HEALTHCARE NETWORK

www.iss.net | CASE STUDY | HEALTHCARE

The Company: Advocate Health Care
Industry: Healthcare
Location: Chicago, IL

Situation: Advocate Health Care needed robust security measures across its widespread metro Chicago network that would prevent viruses, spam and inappropriate use of network resources, as well as meet tightened compliance requirements for the healthcare industry.

Solution: Proventia® M50 Integrated Security Appliance; SiteProtector™ Centralized Management System; Proventia G100 Intrusion Prevention Appliance; Proventia A201 Intrusion Detection Appliance; Proventia A604 Intrusion Detection Appliance

NETWORK & HOST INTRUSION PREVENTION l VULNERABILITY MANAGEMENT l MANAGED SECURITY SERVICES


.: Finding the Right Security Vendor: An Immediate Need

The IS department sent out an RFP to several security vendors including Internet Security Systems (ISS). “One of my staff had a great deal of experience with ISS, and she recommended it,” Davis said. Nevertheless, Advocate placed all vendor applicants on an equal footing, scheduling site visits and running equipment tests of their products. The IS department allowed a six-month timeframe from RFP to vendor selection, and actually accomplished everything in four months.

Advocate used strict measures to evaluate the vendors. “We're cost conscious, but price was not really a factor because one of the other criteria was, we needed to do something fast,” Davis explained. “We weren't in critical mode, but we needed a good, reliable product that we could install right away,” he added.

Davis had served on Advocate's HIPAA (Health Insurance Portability and Accountability Act) committee, and knew that the company had to have stronger security measures in place before HIPAA became law in 2003.

The outcome of the vendor search was unequivocal.

“ISS won hands down,” Davis said. “They've been upfront with their product and their reliability is phenomenal. Their service is good, too. If we have issues, they send somebody out same day or no later than the next day to resolve those issues.”

.: An Integrated Solution for a Far-flung Network

Advocate Health Care chose ISS' Proventia M50 integrated security appliance as the backbone of its security solution. It has deployed five Proventia M50s at multiple sites within the corporate network, including the central data warehouse at Advocate Lutheran General Hospital and the large radiology departments at Advocate Christ Medical Center and Advocate Good Samaritan Hospital. The IS department plans to install three more Proventia M50s before the end of the year. The appliances are managed by ISS' SiteProtector centralized management system on a central server.

Most of the Proventia M50 devices are configured strictly to use the standard firewall and intrusion prevention system (IPS) capabilities that are part of the integrated security appliance. A few of the deployed units have the antivirus (AV) module installed as well.

“We use the M50s for protecting networks that some vendor applications are installed on, as they are a high-bandwidth solution with good logging capabilities and other available options,” Davis explained. “We had been using fixed firewalls, and with our radiology program we needed more throughput, so we decided to go with them,” he added.

Advocate's additional network security measures include deployment of Proventia G100 intrusion prevention appliances for inline IPS protection, and Proventia A201 and A604 intrusion detection appliances for passive intrusion detection (IDS) throughout the enterprise.

“We selected an integrated solution for ease of deployment,” Davis said.

KEY ISS BENEFITS:

The Proventia M50 integrated security appliance assures Advocate Health Care of secure, robust network protection through its seamlessly integrated firewall, intrusion detection/prevention, Web filtering and antivirus capabilities.

In the two years since implementing the Proventia M50 solution, the device has proven reliable in protecting Advocate's broad network against viruses, spam and other threats.


Copyright© 2005 Internet Security Systems, Inc. All rights reserved worldwide.

Internet Security Systems, Ahead of the Threat and SiteProtector are trademarks, and the Internet Security Systems logo and Proventia registered trademarks, of Internet Security Systems, Inc. Other marks and trade names mentioned are the property of their owners, as indicated. All marks are the property of their respective owner and used in an editorial context without intent of infringement. Specifications and content are subject to change without notice.

SM-ADVCS-1005

.: Security Return on Investment (ROI) and Other Benefits

Advocate Health Care noticed immediate results after deploying its ISS product solutions. “When everyone else was highly worried about Sasser and all the other viruses going around, we were secure. We weren't hit hard and we were still able to keep our operations up and running,” Davis said.

The company has seen additional returns on investment as well. “By improving our security, we subsequently improved our business productivity by our network being more reliable, with [fewer] spam and virus attacks,” Davis explained.

The IS department has also saved Advocate “a great deal of money,” according to Davis, by performing its own network scans, and testing the network from the outside. “Now, we don't have to use outside auditors. Just once a year they authenticate our network and we compare notes,” Davis said.

.: Prepared for Future Growth

Advocate Health Care made its decision to deploy Proventia M50 integrated security appliances with an eye toward future growth and expansion. The devices are scalable to serve both the large central hub and the remote locations within Advocate's network.

“We're getting larger and larger products in our radiology and cardiology departments, and closer work with imaging and use the M50s for those larger applications,” Davis explained.

With the Proventia appliances, Advocate's network has better filtering capabilities in place throughout the system. The remote sites tie in through the closest hospital. Advocate partners with the University of Illinois on nursing applications, and allows outside vendors access to support their applications. Both groups use a virtual private network (VPN) tunnel to get in, which is locked down to specific devices. The Advocate network relies strongly on IDS protection throughout, and maintains IPS protection at particular sites.

In the two years since the ISS solution has been in place, the Proventia M50 integrated security appliance has proven capable of handling all of Advocate Health Care's security concerns.

“We're constantly evaluating if we need more robust hardware, but for now they seem to be doing the job,” Davis said. “M50s are the future,” he added.


Managed Security Services from Internet Security Systems are the University of Colorado Hospital's antidote to hacker attacks

.: Organization Profile

Top medical professionals, superior medicine and progressive change make the University of Colorado Hospital one of the leading hospitals in the nation. Ranked among the top 10 hospitals in the country by U.S. News & World Report's annual survey of “America's Best Hospitals,” the hospital is internationally respected for its exceptional teams of medical specialists. With campuses in Denver and Aurora, Colo., the hospital has the Rocky Mountain region's only academic medical center. The Aurora campus is home to the prestigious Anschutz Centers for Advanced Medicine and the Rocky Mountain Lions Eye Institute. Recognized as the region's leading specialty care and referral center, the Denver campus is part of the University of Colorado Health Sciences Center campus, one of four campuses in the University of Colorado system.

.: Increased Accountability

Entrusted with highly confidential patient data, the hospital is governed by the stringent regulations that were issued by the U.S. Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which became effective in April 2003. The HIPAA Privacy Rules require specific methods of handling protected health information. Fines, penalties and even jail time can be imposed for non-compliance. While protecting patient confidentiality and increasing network uptime have always been priorities for the hospital's IT department, the current regulatory environment, combined with an exponential increase in the frequency and virulence of hacker attacks, prompted Joe Bajek, University of Colorado Hospital's director of IT, and his team to ensure that the hospital's Internet security measures were up-to-date and state-of-the-art.

A Trusted Security Expert HAS THE PERFECT PRESCRIPTION FOR INTERNET SAFETY

Customer: The University of Colorado Hospital
Profile: Health care organization
Location: United States

Situation: The University of Colorado Hospital needed to protect highly confidential patient information and mission-critical operations data from escalating Internet security threats.

Solution: Internet Security Systems provides the hospital with its Managed Security Services for reliable, cost-effective, 24/7 online security.

Benefits: ISS' Managed Security Services keep highly sensitive information secure and improve network uptime by protecting against internal and external threats, while allowing limited internal IT resources to focus on business-critical and strategic initiatives.

© 2004 Internet Security Systems Incorporated. All rights reserved.

FIREWALL l ANTIVIRUS l INTRUSION PREVENTION l WEB FILTERING l MAIL SECURITY l MANAGED SERVICES l VULNERABILITY ASSESSMENT

Ahead of the threat.


.: Gaining an Excellent Return on Investment with Managed Security Services

Working with Internet Security Systems (ISS) to upgrade the hospital's network security was one of Bajek's first responsibilities when he joined the IT department about five years ago. New on the job, but a seasoned veteran in enterprise security, Bajek was pleased to learn that the hospital was already working with a trusted partner for the hospital's Internet security strategy. While the firewall was an important building block for this strategy, Bajek quickly realized that defending against external threats 24/7 required resources and manpower that the hospital simply did not have. Explains Bajek, “When ISS offered to manage the firewall around the clock, we jumped at the opportunity to outsource this function because we simply lacked the expertise and time to handle it effectively in-house.”

Defending the hospital's network security is an integral part of protecting patient information, employee data, internal communications and other business applications. But as Bajek observes, “You really need 24/7 protection by an army of highly trained engineers with expertise in network security.” For most organizations, the cost of acquiring, training and retaining this level of talent is prohibitive, as is the expense to watch the Internet around the clock.

Today, enterprises in the public and private sector alike are locked in a continuing battle with smart and destructive online enemies that can strike at any moment. To address this challenge, organizations are increasingly outsourcing security operations to managed security service providers (MSSPs). For a fixed monthly fee, an organization can purchase the infrastructure, knowledge, resources and on-demand expertise needed to protect its systems from Internet attacks around the clock — all at a fraction of the cost and complexity to build and maintain an in-house capability. As a result, an MSSP consistently and reliably protects enterprise information, while reducing the total cost of ownership and delivering an excellent return on investment (ROI).

“Outsourcing network security monitoring and management to ISS just makes good fiscal sense,” says Bajek. “We are saving more than $100,000 annually just on the costs to hire and train additional people to ensure proper network protection…and those figures don't include the ROI that comes with increased staff productivity. Our ROI would increase dramatically if we could also measure the value of freeing up staff to focus on strategic business initiatives that make our hospital run more efficiently.”

Bajek also points out other benefits that are difficult to quantify. “We don't have to devote precious IT resources to reviewing and testing network security configurations, upgrading test environments and hiring and training staff to do all that additional work. I know that saves us time and money.” Another benefit of working with ISS that cannot be quantified is the peace of mind that Bajek and his team enjoy with a reliable Internet security partner.


KEY ISS BENEFITS:

ISS Managed Security Services provide organizations with an around-the-clock guaranteed level of protection, giving organizations the ability to improve their security posture while allowing them to focus on their core business operations. Benefits include:

• Protection for company assets and business continuity with 24/7 monitoring, management and reliability
• Reduction of in-house security costs by up to 55 percent
• Enhancement of security compliance with industry and governmental regulations
• Solid return on security investments
• Improved productivity by freeing IT resources to focus on strategic initiatives
• Customers, partners and shareholders reassured that critical data is protected by trusted resources
• Peace of mind, with guaranteed protection

“With some companies, the size of the check you write corresponds to the level of service you receive. Here's one that offers a money-back guarantee. We may not be their largest customer, but ISS makes us feel like their most important one.”

Joe Bajek
University of Colorado Hospital
Director of IT


Copyright© 2004 Internet Security Systems, Inc. All rights reserved worldwide.

Internet Security Systems, Proventia and SiteProtector are trademarks, and the Internet Security Systems logo and X-Force registered trademarks, of Internet Security Systems, Inc. Other marks and trade names mentioned are the property of their owners, as indicated. All marks are the property of their respective owner and used in an editorial context without intent of infringement. Specifications and content are subject to change without notice.

.: Securing the Gateway and the Network with Managed Security Services

In addition to outstanding customer service and measurable savings, the hospital derives additional value from its partnership with ISS, which gives Bajek and his team early access to new technologies, such as the advanced Proventia™ intrusion prevention appliances.

Proventia is founded on proactive research from the X-Force® security intelligence team. For new hybrid threats like Sasser, MS Blaster and SQL Slammer, firewalls and antivirus are no longer enough to protect the gateway or network. Proventia appliances are designed to combat the wave of hybrid threats on the Internet by offering protection at the gateway, including Internet, branch locations, remote offices, customers, vendors and partners, and within the network, covering servers, users and other networks.

The hospital will soon be implementing the Proventia integrated security appliance, which provides protection at the gateway and at the network level without jeopardizing bandwidth or availability of server resources. Proventia integrated security appliances unify antivirus, firewall, virtual private network (VPN), intrusion detection and prevention, antispam, and Web filtering technologies in a single device. “We couldn't possibly stay on top of the latest developments in Internet security,” says Bajek, “but we know that ISS has the expertise and resources to keep our network protection up to date no matter what new worm or virus is out there.” This exceptional level of service and reliability illustrates how ISS continues to earn the hospital's trust — long after the initial contract with its unique service agreement was inked.

.: Gaining Peace of Mind Through a Stellar Track Record

With Internet access for approximately 3,500 employees who might unwittingly spread the latest virus or worm and thousands of hackers around the world thinking up new ways to breach security, Joe Bajek could stay awake at night worrying about the safety of his hospital's enterprise information. “What I value most about ISS is that I never worry about my network security and who's monitoring it when I go home at night,” he explained. “That confidence frees me up to focus on the hospital's overall IT risk management strategy and other critically important business initiatives. It also helps me sleep a little more soundly.”


IBM Information Security Assessment

Assessing your security state and creating a roadmap to a more secure environment

Highlights

• Provides a comprehensive evaluation of your information security posture
• Identifies vulnerabilities and determines gaps in your information security environment
• Helps protect the confidentiality, integrity and availability of critical data
• Provides recommendations for mitigating identified risks based on the globally recognized ISO 17799 standard and industry best practices
• Leverages a proven methodology that includes assessments, scans, testing and interactive workshops
• Supports efforts to comply with government and industry regulations

Determining your current security state

Understanding your organization’s security state and identifying vulnerabilities are the first steps toward protecting the confidentiality, integrity and availability of critical data. Together these steps are also an important component for achieving regulatory compliance.

Your organization may be vulnerable to attack from the outside or the inside if you remain unaware of security issues, simply ignore them or don’t sufficiently manage them. An attack may take down your network or lead to the theft of sensitive data—customer information, employee information or intellectual property. The ensuing loss of public trust or the failure to comply with regulations could result in severe financial repercussions. A major security breach could also cause irrevocable damage to your organization’s reputation.

To effectively protect your organization, you first need to evaluate where you stand in relation to industry best practices and regulatory requirements. A gap assessment can help identify the most effective course of action based on your business objectives.

Creating a roadmap to a more secure network

Going much deeper than an ordinary assessment, the IBM Information Security Assessment provides a comprehensive evaluation of your information security posture. Based on the globally recognized ISO 17799 standard and industry best practices, the assessment by IBM Internet Security Systems (ISS) security experts thoroughly documents the results and provides specific, actionable recommendations for mitigating the identified risks and improving overall security posture.

Significant, far-reaching benefits

Comprehensive assessment features

Leveraging a comprehensive, proven methodology

The IBM Information Security Assessment methodology includes the following capabilities:

Why IBM Internet Security Systems?

IBM Professional Security Services from IBM ISS offer some of the best security consulting services in the industry. Our expertise, tools and methodology combine to deliver:

Security expertise—Our elite team of expert security consultants comprises senior security professionals who have honed their skills through corporate security leadership, security consulting, investigative branches of the government, law enforcement and research and development.

Staff cost savings—We offer the experience and skills of our IBM Professional Security Services team for less than the typical cost of hiring a single in-house security expert.

Trusted relationship—IBM ISS works with your key staff and management to design a customized plan that meets your organization’s security goals.

Specialized skills and tools—Our consultants combine proprietary and industry-leading security assessment tools with in-depth analysis of vulnerability data to evaluate and build an effective security program that enhances your business operations.

World-class security intelligence—IBM ISS consultants are supported by the IBM Internet Security Systems X-Force® team, our globally recognized research and development team. This combination enables us to provide the best security solution for your business.

Combined solutions provide a more comprehensive security assessment

For a complete assessment and analysis of your organization’s security posture, IBM ISS recommends combining IBM Information Security Assessment with IBM Penetration Testing. When combined, these services can provide a thorough examination of your organization’s security posture from both holistic and practical approaches.

For more information

To learn more about IBM Information Security Assessment or IBM Penetration Testing, contact your IBM ISS representative to schedule a consultation. Call 1 800 776-2362, send an e-mail to [email protected] or visit: ibm.com/services/us/iss

© Copyright IBM Corporation 2007

IBM Global Services
Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America
02-07
All Rights Reserved

IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both.

X-Force is a registered trademark of Internet Security Systems, Inc., in the United States, other countries, or both. Internet Security Systems, Inc., is a wholly owned subsidiary of International Business Machines Corporation.

Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

GTD00834-USEN-00

IBM Managed Protection Services for networks, servers and desktops

Delivering preemptive protection from the network gateway to the desktop

Highlights

• Helps to protect corporate data and assets and company reputation from loss or damage
• Aids in blocking threats, enhancing clients’ security posture and regulatory compliance
• Provides rapid and cost-effective threat resolution, helping to reduce potential damage
• Helps to reduce security-related staffing, training, maintenance and infrastructure costs

Raising the bar in accountability with performance-based SLAs

Whether they need to ensure business continuity, improve compliance with laws regarding data security, or protect access points across their global infrastructures, enterprises today require a high degree of network connectivity and a secure environment in order to conduct business efficiently. IBM Managed Protection Services (MPS) goes beyond simple event monitoring and device management by offering the industry’s leading performance-based service level agreement (SLA) with a cash-back payment* by the leading-edge IBM Internet Security Systems (ISS) X-Force® research and development team. As a result, our clients can rest assured that their security provider has a vested interest in protecting their infrastructure. This unique preemptive protection from the Internet’s most critical threats—known and unknown—sets a new standard for accountability in helping organizations minimize risk, control escalating security costs and demonstrate due diligence.

IBM MPS for networks, servers and desktops can help businesses address these complex challenges. MPS offers customized security-strategy development; expert, end-to-end security management and monitoring; and real-time, 24-hour proactive protection.

Benefits: Features:

Virtual-SOC

The Virtual-SOC is the engine enabling IBM Managed Security Services and the delivery of protection on demand services. The Virtual-SOC combines the capabilities of five global SOCs, advanced analysis and correlation, artificial intelligence, industry-leading security expertise and a high-impact, Web-based management portal in a single unified system. The Virtual-SOC has been designed to reduce the complexity and burden of manual data analysis and improve the accuracy of security-event identification as well as incident escalation and remediation. The result is a state-of-the-art, expert system that allows organizations to optimize resources, reduce the complexity of managing security, enforce security policies and improve their overall security posture.


MPS feature comparison at a glance

Feature                                   Premium                          Select                            Standard
Money-back payment*                       Yes; US$50K per incident**^      No                                No
X-Force Certified Attack List
  protection SLA***                       Yes                              Yes                               Yes
Security incident identification SLA      Yes                              Yes                               N/A
Thirty-minute countermeasure SLA          Yes                              Yes                               N/A
Security incident response SLA            15 minutes                       15 minutes                        N/A
Security content update SLA               48 hours                         48 hours                          72 hours
Outage notification SLA                   15 minutes                       15 minutes                        30 minutes
Policy change SLA                         Yes                              Yes                               Yes
Proactive SLA reporting                   Yes                              Yes                               Yes
Required up-front assessment              Yes                              No                                No
Minimum purchase required                 Yes                              No                                No
Penetration test                          Yes                              Optional                          Optional
IBM Vulnerability Management Service      Yes                              Yes •                             Optional •
MPS workshop                              Yes                              Optional                          Optional
Mobile and Web customer portal access     Yes                              Yes                               Yes
X-Force Threat Analysis Service           Yes                              Yes                               Yes
X-Force Emergency Response Services
  basic subscription                      Yes                              Optional                          Optional
Device management                         Yes                              Yes                               Yes
Customized policy creation                Yes                              Yes                               No
E-mail notification on level 0 activity   Yes                              Yes                               Yes
Configuration backup                      Nightly                          Nightly                           Nightly
Log storage                               1 year                           1 year                            1 year
Security incident reporting               Yes                              Yes                               No
Monthly impact summary                    Yes                              Yes                               Yes
Change reports                            Yes                              Yes                               Yes
Service offerings                         Network                          Network and server                Network, server and desktop
Vendor support                            IBM Proventia® Intrusion         Proventia Intrusion Prevention    Proventia Intrusion Prevention
                                          Prevention Appliance and         Appliance and Integrated          Appliance and Integrated Security
                                          Integrated Security Appliance    Security Appliance and Server     Appliance, Server and Desktop
Pricing per:                              Segment                          Device                            Device

** Security breach must be confirmed.
*** The IBM ISS X-Force Certified Attack List is a list, updated quarterly, of the most serious, high-risk vulnerabilities and attacks. There are currently 600+ attacks in the X-Force Certified Attack List, also known as the "default block list."
^ Monitors for X-Force Certified Attack List attacks only.
• Five IP addresses per device.

Safeguarding mission-critical systems through state-of-the-art security facilities

MPS leverages the knowledge, experience and expertise of security professionals operating from five globally networked, state-of-the-art, industry-certified IBM ISS SOCs. These highly secure environments are designed to ensure that mission-critical systems and electrical, data processing and communication links are protected through trouble-ticket entry, event handling, incident response, data presentation, report generation and trend analysis for all devices under management.

Why IBM ISS?

Preemptive security requires marketplace-leading research, a keen eye for attack trends and techniques, and a streamlined and affordable platform for delivering advanced security solutions that are knowledge-based. IBM ISS commands the extensive knowledge, innovative research methods and complex technologies required to achieve preemptive security. Our experienced consultants, architects, project managers and subject matter experts are prepared to provide your organization with a comprehensive platform of preemptive security products and services designed to protect your entire IT infrastructure, from the network gateway to the desktop.

For more information

To learn more about IBM MPS, contact your IBM ISS representative to schedule a consultation. Call 1-800-776-2362, send an e-mail to [email protected] or visit: ibm.com/services/us/iss

© Copyright IBM Corporation 2007
IBM Global Services, Route 100, Somers, NY 10589, U.S.A.
Produced in the United States of America, 06-07. All Rights Reserved.

IBM and the IBM logo are trademarks of International Business Machines Corporation in the United States, other countries, or both. Proventia, Virtual Patch and X-Force are registered trademarks of Internet Security Systems, Inc., in the United States, other countries, or both. Internet Security Systems, Inc., is a wholly owned subsidiary of International Business Machines Corporation. Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

* Money-back payment (for Managed Protection Services - Premium Level only): If IBM Internet Security Systems fails to meet the Security Incidents Prevention Guarantee, client shall be paid US$50,000 for each instance this guarantee has not been met. Please see IBM Internet Security Systems SLAs for more details.

GTB00838-USEN-01


Security & Privacy — Made Simpler™

Manageable Guidelines to Help You Protect Your Customers' Security & Privacy From Identity Theft & Fraud

Security and privacy expertise contributed by Dr. Alan F. Westin and Dr. Lance J. Hoffman

Better Business Bureau®

Published March 2006


Proud supporter of Security and Privacy. Powered by


User's Guide

No matter what type of business you are in, you probably collect, store and share information about your customers. Whether it is providing a necessary service, completing a financial transaction or creating a mailing list, customer data has become a key currency of today's information-based economy.

As a business owner, you make important strategic decisions that affect your bottom line. Each day, how you manage the security and privacy of the data you collect has become a core part of those strategic business decisions, because it can influence the success or failure of your business.

Data security and privacy management may appear complex and overwhelming, but you really don't need to become a privacy and security expert to manage it. All you need to do is to acquire the basic understanding of the issues and the business tools that will protect your customers…and your business.

Security and Privacy — Made Simpler™ is your Guide to getting your arms around many of today's data security and privacy challenges that affect small businesses, including:

• Recognizing attempts at theft and fraud.
• Understanding the importance of offline and online security and privacy practices.
• Developing a security and privacy policy, training your employees to comply with it, and communicating it to your customers.
• Handling, managing and protecting sensitive customer information.
• Managing employees as they interact with customers and their personal data.
• Credit card/debit card security—both during and after the actual transaction.
• Taking advantage of the latest technologies without compromising data security.
• Conducting international transactions securely.

Security and Privacy — Made Simpler™ advises you on how to incorporate basic security and privacy practices into your everyday business operations, offering you options, tips and advice that are right-sized for smaller businesses and will help you get started.

It is not intended to provide specific legal advice. The information is crafted—but not guaranteed—to be accurate, complete and up-to-date at the time of publication. Some of the information may not apply in your state or your particular line of business. Therefore, it is wise to consult an attorney familiar with the law in your jurisdiction and with your industry.

Security and Privacy — Made Simpler™ was developed through a partnership between the Better Business Bureau, a leader in promoting trust between businesses and the customers they serve, and Privacy & American Business, a leader in consumer and employee privacy and data protection issues and education.

This Guide is made possible through the support of corporate sponsors—industry leaders who are committed to the success of their small business customers.


Security is a complex issue. You can manage it. This Guide will help.


 1. Customer Data Security & Privacy – A Key To Your Success ........... 4
 2. Security Challenges Facing Small Businesses ........................ 5
 3. Developing Your Own Data Security & Privacy Plans .................. 5
 4. Creating & Communicating Your Security & Privacy Policies .......... 6
 5. Spotting Cyber Criminals ........................................... 7
 6. Fighting Identity Theft ............................................ 8
 7. Guidelines For Good Employee Practices ............................ 10
 8. Collecting, Protecting & Disposing Of Customer Data ............... 12
 9. Securing Data In Your Office & Online ............................. 13
10. Internet Security Fundamentals .................................... 15
11. Payment Card Security Requirements ................................ 17
12. If You Have Data Lost Or Stolen ................................... 19
13. Managing Official Requests For Your Data .......................... 20
14. If You Do Business Globally ....................................... 20
15. Additional Resources .............................................. 22
16. Customized Insights from IBM ...................................... 23


More security and privacy tools and resources for small business: www.bbb.org/securityandprivacy


1. Customer Data Security & Privacy—A Key To Your Success

Customers Care – You Should, Too

When your customers know that you treat their personal information with care and apply good security and privacy practices, their trust and confidence in your business will grow.

You're Responsible For Customer Data

Businesses of all sizes—not just the big corporations—are held responsible for complying with federal and state customer data security and privacy laws. Here is a snapshot of existing federal privacy laws with which your small business might need to comply:

• All small businesses must comply with the federal Fair Credit Reporting Act (FCRA), and any state counterparts, when seeking to obtain consumer reports, such as credit reports and employment reports, about potential customers and employees.
• Many small businesses in the healthcare field must follow the privacy requirements of the federal Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and its data security requirements.
• Small financial businesses must comply with rules established by the federal Gramm-Leach-Bliley (GLB) Privacy Rules and Safeguard Rules and the federal banking agency guidance under GLB. Companies that need to comply with GLB include those that might not necessarily think of themselves as "financial," such as automobile dealers, tax planners, and some travel agents.
• Currently, twenty-three states have laws on reporting data breaches (outlined on page 19 of this Guide), with potential penalties for security lapses that apply to both large and small businesses.

As a business owner, it is your responsibility to stay current on privacy and security laws affecting your business…and your customers.

An Ounce of Prevention …

Establish good security and privacy practices now. The alternative is decidedly distasteful. If you have a data breach resulting from weak security practices, you and your business can face lawsuits from federal or state agencies or your customers. The Federal Trade Commission (FTC) recently sued 12 companies it accused of having inadequate data security practices in violation of federal law. Lawsuits stemming from inadequate security practices can erode business equity, consumer trust and, ultimately, your bottom line. Even if you don't face legal action, your good reputation could be significantly compromised.

Security & Privacy Drive Consumer Purchasing Decisions

• 85% of Americans are worried about becoming victims of identity theft.
• 64% of consumers say they had decided not to buy a company's product or service because they did not know how the company would use their personal information.
• 58% of consumers say if they were confident a business followed their declared security & privacy policies, they would recommend that business to family & friends.

Source: Privacy & American Business.

2. Security Challenges Facing Small Businesses

Firewalls Are Not Enough

In today's tech-heavy business world, you might think that the right combination of hardware and software will prevent data security and privacy exposures. But technology is just one piece of the security and privacy equation. Effective policies, along with proper employee training and business-wide implementation, are the other parts.

Suppose you've equipped your computer with the latest network security software—firewalls, encryption—and you think you've deployed strong security tools. One day a "customer" calls your business to ask what credit card you have on file for his "account." He gives his "name" and "address" to an employee who then looks up the "customer's" information on your computer. Your employee reads the credit card number to the caller. But the caller is not a "customer." He is a criminal who found the name and address of one of your customers in a trash bin. This happens. To prevent it, you need a data security plan that includes simple steps, such as properly verifying a caller's identity, and employee training. Software alone can't prevent employee error. Employee training can.

Modern technologies, such as e-mail, e-commerce, and cell phones, have given us wonderful new tools to do business more effectively and efficiently. They have also created new layers that businesses need to secure to protect their customers' information. If you use these new tools, you must also take reasonable steps to secure them.

3. Developing Your Own Data Security & Privacy Plans

Find Your Weak Spots

Take a few moments with a blank piece of paper and a pen, or at your keyboard. List all the different ways your business collects, stores and uses personally identifiable customer and business information. Now list who handles or has access to the information—employees, relatives, customers, service providers or visitors. Personal information may include names, addresses, account numbers, Social Security numbers, credit/debit card numbers and phone numbers, as well as account patterns and transaction records.

Anyone who appears on your list is a data handler and should play a significant role in protecting sensitive information. They need to be properly trained to follow your security and privacy policies and practices. You may want to involve managers or employees from each business area in this exercise, to be sure that you are not overlooking any potential security weak spots. Making your employees a part of the security and privacy planning process will make them feel like valuable contributors to the team, and will also make it easier for them to remember your policies and follow them on the job.

Security & Privacy Challenges Facing Small Business

• Customer and business ID theft.
• Data loss and theft.
• Noncompliance with federal and state data protection laws.
• Employee fraud and theft.
• Loss of trust ... and customers.
• Costly lawsuits stemming from sloppy security practices.
• Computer and hardware damage from viruses.

One Size Does Not Fit All

All businesses are not alike. Review your security and privacy issues in light of your particular business and its operations, identify weaknesses, and take stock of your current ability to address them. You may discover areas where you need input from a lawyer or technology consultant. It is important to be fully informed about your business' security risks so you can make the most appropriate, reliable and cost-efficient choices for your business.

4. Creating & Communicating Your Security & Privacy Policies

Once you identify your security needs, you can begin to write a security and privacy policy for your company. Your security and privacy policy tells your customers how you will treat their personal information—how you will collect it, use it, and keep it secure. It should also give your customers the ability to communicate to you if they wish to receive ("opt-in") or not receive ("opt-out"), "subscribe" or "unsubscribe" information from you and how they wish to receive marketing communications (e-mail, US postal mail, etc.). Smart companies offer meaningful privacy choices, and effectively carry them out. Those that don't, risk losing their customers.

Resources to Help You Write a Policy

• The Privacy Planner from BBBOnLine can help you generate a simple, but solid online privacy policy for your business: http://www.privacyplanner.com.
• The Direct Marketing Association (DMA) offers a small business-friendly online privacy policy generator: http://www.the-dma.org/privacy/privacypolicygenerator.shtml.

How to Communicate Your Policies to Your Customers

Once you have a written policy that accurately describes your intended actions with customer data, it is wise to communicate these policies to your customers.

• Post it on a prominent sign in your store or office.
• Give customers a copy of it when they complete a transaction with you.
• Post it on the homepage of your web site.
• If your customers have agreed to receive e-mail notices from you, tell them about your security and privacy notice in an e-mail, and let them know where they can find the full notice.
• Mail it to your customers as a separate promotional piece.

Security & Privacy Reality Check

• Do you transact business on the Internet?
• Do you collect names, addresses, phone numbers, e-mail addresses or Social Security numbers or other personal information about your customers or employees?
• Do you accept credit or debit cards?
• Do you share customer information with other companies?
• Do you engage in direct mail marketing or telemarketing?
• Are you storing customer information for any period of time?

If you answered "yes" to any of these questions, your small business is in serious need of a data security and privacy plan.

Posting a Security & Privacy Policy Provides a Competitive Advantage

Having and following a security and privacy policy will:

• Increase the trust and confidence your customers have in your business. When they know that you plan to use their information carefully and keep it secure, they will be more likely to share it with you.
• Help distinguish your business from your competition.

5. Spotting Cyber Criminals

The number and sophistication of online fraud attacks are increasing. Here are some ways criminals attempt to get sensitive information from computers and individuals:

• Viruses: man-made programs or pieces of code that are loaded onto your computer without your knowledge. Viruses result in a wide range of disruptive consequences on a computer or network, including the deletion or corruption of files. New viruses are introduced to the Internet every day.
• Spyware: software that secretly collects information from a computer, such as what Internet sites are visited and what keystrokes (including passwords and credit/debit card numbers) are entered. Spyware transmits that information to a third party for a variety of uses, ranging from presenting tailored advertising or general spam to credit/debit card fraud and ID theft. Spyware is often installed on your computer as part of a downloaded application or via a downloaded e-mail attachment.
• Phishing: uses fake e-mails and web sites that closely replicate their authentic counterparts to trick recipients into "verifying" their personal information.
• Pharming: redirects an individual's web site request to a fraudulent site that closely replicates its authentic counterpart.
• Keyloggers, Bots, Trojans and more: applications that may appear to be benign or even helpful, but are actually malicious. These introduce viruses or malicious code onto your computer that can be programmed to execute any number of disastrous actions, and send sensitive information to a third party.

Consider installing a web browser toolbar to help protect you from known phishing web sites. Earthlink offers such a free tool, called ScamBlocker, at: http://www.earthlink.net/software/free/toolbar. eBay also offers an anti-phishing and account protection toolbar that alerts users when they're on a potentially fake eBay or PayPal site: http://pages.ebay.com/ebay_toolbar/.
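The phishing and pharming entries above describe the trick (a message or site that closely imitates a legitimate one) but not how to check a message for it. What follows is an added example, not part of the original Guide and not code from any product it mentions: a small Python script that pulls the links out of an HTML e-mail body and flags the three patterns such messages rely on: visible link text naming one domain while the href goes to another, a host that is a look-alike or one-character typo of a brand domain you know, and a brand name planted as a subdomain of some other domain. The KNOWN_DOMAINS set and the SAMPLE_EMAIL are constructed for this example; the registrable() helper is deliberately simple (last two labels of the host) and a production filter would use a public-suffix list instead.

```python
"""Flag phishing-style links in an HTML e-mail body (standard library only)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this business treats as legitimate; constructed for the example.
KNOWN_DOMAINS = {"examplebank.com", "paypal.com", "ebay.com"}
# Digits and symbols attackers swap in for the letters they resemble.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "7": "t", "@": "a", "$": "s", "|": "l"})
# Something that looks like a host name inside the visible link text.
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels ("www.paypal.com" -> "paypal.com"); real filters use a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_reasons(href, text):
    """Return the reasons a link looks like phishing (empty list if it looks clean)."""
    reasons = []
    host = urlparse(href).hostname or ""
    if not host:
        return reasons
    actual = registrable(host)
    # 1. The visible text names one domain while the link goes to another.
    shown = DOMAIN_RE.search(text)
    if shown and registrable(shown.group(0)) != actual:
        reasons.append(f"text shows {registrable(shown.group(0))} but link goes to {actual}")
    # 2. The domain is a look-alike or a one-character typo of a known domain.
    for known in KNOWN_DOMAINS:
        if actual != known and (actual.translate(HOMOGLYPHS) == known
                                or edit_distance(actual, known) == 1):
            reasons.append(f"{actual} imitates {known}")
    # 3. A known brand sits in a subdomain label of some other domain
    #    (ebay.com.<anything>.net), which also fools a quick glance.
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if actual != known and brand in host.lower().split(".")[:-2]:
            reasons.append(f"brand {brand} appears in host but domain is {actual}")
    return reasons


def analyze_links(html):
    """Parse an HTML mail body; return [(href, text, reasons), ...] for every link in it."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(href, text, suspicious_reasons(href, text)) for href, text in parser.links]


# Constructed sample message; every link and domain here is invented for the example.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended unless you verify it now:</p>
<a href="http://paypa1.com/login">https://www.paypal.com/login</a><br>
<a href="http://ebay.com.account-check.example.net/">Sign in to eBay</a><br>
<a href="http://paypall.com/">PayPal security center</a><br>
<a href="https://www.examplebank.com/help">Help center</a>
"""

if __name__ == "__main__":
    for href, _text, reasons in analyze_links(SAMPLE_EMAIL):
        print(("SUSPICIOUS " if reasons else "ok         ") + href,
              *("    - " + reason for reason in reasons), sep="\n")
```

Run stand-alone, the script marks the first three links as suspicious and the last one as clean. The checks are deliberately independent, so a link that trips more than one (the first sample link both mismatches its text and uses a digit for a letter) is reported with every reason, which is what an employee deciding whether to forward the message needs to see.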


Prominent Security & Privacy Policies Build Businesses

• 89% of consumers felt more confident in giving personal information to a business that had a detailed but readable privacy policy.
• 58% of consumers said that if they were confident a business followed the privacy policies it presented, the consumer would be likely to recommend the business to family and friends.

Source: Privacy & American Business Study

6. Fighting Identity Theft

How Identity Theft Happens

ID and data thieves have an arsenal of high-tech and low-tech ways to steal personal information. Once they have your information, they will be able to assume—and misuse—the identity of your customers. They may even try to assume your identity.


Ways to Avoid Being a Victim of Online Fraud

• Always verify whom you are doing business with before revealing personal information.
• Ensure your browser is current with all security patches installed.
• Use anti-virus and anti-spyware software, and keep it updated.
• Be suspicious of any e-mail with "urgent" requests to validate or verify personal information.
• Don't download anything that comes from a source you don't know. This includes e-mail graphics, screen savers, free software, etc.
• Don't fill out any forms that come to you in an e-mail and request personal information, unless you definitely know and trust the source.
• Don't allow your children to use your business computers. Children are not aware of online threats, and can download items without considering what might be attached to them.

How Identity Thieves Strike

Low-Tech Methods

• Dumpster Diving: thieves steal mail or papers with personal information left in the trash of your business or someone's home and not properly destroyed or shredded.
• Mailbox Theft: thieves steal mail left in your business' unsecured mailbox or at someone's home.
• Employee Theft: thieves within your business steal the personal information of your customers or of fellow employees.
• General Theft: thieves steal an individual's wallet, check, credit/debit card with personal information, desktop and laptop computers—crimes often carried out by friends, relatives, in-home workers or others known by the victim.

High-Tech Methods

• Computer Hacking: hackers get unauthorized access to your business computer or computer network and steal customer information from your database.
• Phishing: thieves send fraudulent e-mails that appear to be from a legitimate company, and create a fake web site that looks like the legitimate company site. They do this to trick your customers into revealing their personal information.
• Pretexting: thieves make phone calls to your business and others in a "victim's" name, in an attempt to find out more information about the "victim." Or, they will call a consumer claiming to be from a legitimate company, and attempt to obtain personal information.


What ID Thieves Want—Your Customers' Personal Information

Criminals are after credit/debit card numbers, Social Security numbers, driver's license information and numbers, mailing addresses, e-mail addresses, and telephone numbers. They also look for this information in your product orders, account statements and mail.

How They Use This Information

Data thieves will open fraudulent credit card accounts in your customers' names, make purchases without their knowledge, get a loan in your customers' name, or open a fraudulent bank account in your customers' name and write checks on that account. In addition, they can open fraudulent accounts with your business and make fraudulent charges to your customers' accounts…with you.

Small Businesses Can Be ID Theft Victims, Too

Business identity theft occurs when someone steals information about a business to commit fraud. Thieves may specifically target small and medium sized businesses because their data security programs may not be as strong as those of larger companies. They want your business credit/debit card account numbers, your bank account numbers, your Federal Employer Identification Number, and other federal and state governmental identification numbers.

How They Use This Information

ID thieves can use your stolen business information to open a credit card account in your business' name, make purchases without your knowledge or get a loan in the name of your business. They will open a bank account in the name of your business, write checks on that account, and take out money from the existing accounts of your business. In some cases, ID thieves may secure enough information that they can actually sell your business or commercial property without your knowledge.


Real Data Theft Examples

• An old laptop, with a company's customer records still on it, was sold via a newspaper ad. The records were still openly readable and could have been used to commit fraud by the purchaser, who alerted the seller about what he'd found.
• Two computers were stolen from a medical practice's unlocked computer room. They contained easily accessible billing records and unencrypted sensitive personal information in the form of billing codes.
• A courier service driver, carrying a package of customer data, left his unlocked vehicle running while he made another delivery. While he was away from his vehicle, the package was stolen.
• Perfectly readable, discarded printouts of personal records were thrown into a dumpster. They were later put to practical use by the finder to wrap fish at an outdoor market.
• In Florida, print-outs of thousands of medical records were found in various trash bins across the area. The records included details of sexually-transmitted diseases, psychological problems, addictions, and even intimate details about a patient's sex life.
• An employee in an accountant's office used client data to file false income tax returns in order to receive tax refunds ... until that employee was finally caught.


What You Can Do

Here is a checklist of things you can do to protect your business from identity theft. You will find more details in Chapters 7, 8, 9, and 11.

7. Guidelines for Good Employee Practices

Screen Your Employees

Identity theft can originate in the workplace. Exercising care to hire honest employees is one of the best ways to help secure your business and reduce the risk of identity theft or fraud to you or your customers.

Past behavior is widely considered to be the best predictor of future behavior, though it is not a perfect tool. Conducting background spot-checks can assist you in learning and assessing the character pattern of prospective employees (or of your current employees—if you did not use a background spot-check before hiring them). The type of background spot-check to use depends on the size and nature of your business. If you handle lots of sensitive personal information, especially financial or health information, you might want to consider a full criminal background check. But if your business does not handle much customer personal information, a credit report can give you a useful snapshot of an applicant.

Because background spot-checks, themselves, raise privacy issues, handle this carefully. If you see a "red flag" in a background spot-check, confirm the accuracy of the information with the source before making a hiring decision. Other factors to consider in this process might include:

• Whenever you order a background check on a prospective or current employee, state and federal laws require that you notify the person (in writing) that you intend to use a consumer report, and obtain their consent to do it. This process is a key element of the federal Fair Credit Reporting Act (FCRA). Most background checks contain a "consumer report." If you decide to reject an applicant or release a current employee based on something in their consumer report, you must tell them that you have done so for this reason.
• Many states have their own laws that apply to background checks and consumer credit reports. Discuss with your attorney the requirements in your business' home state or in other states in which your business makes hiring decisions.

Physical Security Tips To Protect Your Business & Your Customers

• Shred or cross-shred papers with personally-identifiable customer or business data before throwing them away, or use a document disposal company to destroy the papers for you.
• Send and receive business mail from a secured mailbox or a post office box.
• Conduct regular software audits of computers.
• Train employees to watch for suspicious activity among other employees, customers, or people coming to your business premises.
• Consider telling your customers how they can spot phishing efforts, and how they should verify that it's your communication before releasing any personal information.
• Verify the identity of a customer before discussing or providing any customer account information by telephone or e-mail. Then take appropriate steps to provide it in a manner that is secure.
• Secure your physical space with locks and alarms.
• Secure your business, customer and employee records in locked cabinets.

Control Employee Access to Sensitive Data

• Each of your employees should have access only to the sensitive information necessary to do their specific jobs. When you control employees' access to information, you significantly reduce the risk of data exposure.

• You can limit employee access to customer information by using a variety of physical and technological security measures, ranging from padlocks to passwords. For specific suggestions, see Chapter 9, Securing Data in Your Office and Online.

Train Your Employees

Writing privacy and security policies for your business is not enough. Your employees need training for how to protect the privacy, confidentiality and security of personal information. Your training program should address all the issues discussed in your security and privacy policy.


Tips for Creating and Executing a Security & Privacy Training Program

• Make it relevant, personal and timely.

• Tell employees why the topic is important to everyone involved.

• Role play with real-world scenarios that present examples of privacy and security choices your employees could face—and then explain how they should handle them.

• Have your employees sign a nondisclosure agreement, in which they will agree to keep your customer information confidential.

• Include your managers.

• Update employees on new developments in this area as they occur.

• Train employees to use computer security tools.

• Advise them on the dangers of purchasing or downloading pirated or counterfeit software.

• Train them to regularly update all security software and browsers.

• Train employees to spot phishing attempts, and not to respond to them. Keep them updated on new phishing ploys. For more information on phishing visit http://pages.ebay.com/education/spooftutorial/index.html or http://office.microsoft.com/en-us/assistance/HA011400021033.aspx.

• Use specialized training for employees whose job functions require it.

• Teach your employees how to look for suspicious activity from other employees, customers, visitors, strangers or acquaintances on your business premises.

• Train all new employees about your information security policies.

• Reinforce your employee training at least semi-annually to ensure that employees regularly put their training into practice.


8. Collecting, Protecting & Disposing of Customer Data

Collecting

The type of information you collect from your customers depends on your individual business, and can range from simply a customer's name, address, telephone number, and e-mail address to significantly more personal information, such as credit/debit card numbers, account numbers, transaction summaries, consumer preferences, consumer credit reports, etc. If you collect and store credit card information, you need to follow security rules set by the major credit card companies. See Chapter 11, Payment Card Security Requirements, for details: www.visa.com/cisp.

If you don't absolutely need a piece of customer information, don't collect it. Collecting customer data you do not need increases your security and privacy risks. Be particularly careful about collecting and storing financial and personally identifiable information, including Social Security numbers, credit and debit card numbers, or driver's license numbers. Check your payment transaction software systems to determine whether they are collecting sensitive data you aren't even aware of, such as the magnetic stripe of a payment card or the PIN information from a debit card transaction. If you have customer data you no longer need, discard it—securely. See Disposing for tips.

Protecting

You need to guard against both high-tech and low-tech opportunists. If your business is not kept physically secure, anyone can walk in and steal unprotected customer data from your cabinets, drawers, and desks. This has happened. The same is true about your own employees if they have access to sensitive information they don't need or shouldn't have to do their job. One of the larger data breaches in 2006 stemmed from employee access to sensitive customer data that was inconsistent with their job description. For tips on protecting against both high and low-tech predators, see Chapter 9, Securing Data in Your Office & Online.

Disposing

Disposing of personal data also is an access point for data/identity thieves. Sloppy security practices in data disposal can lead to theft. The federal government issued a Disposal Rule amendment to the Fair Credit Reporting Act (FCRA), called the Fair and Accurate Credit Transactions Act (FACT Act). Both are enforced by the Federal Trade Commission. It mandates that all businesses that manage credit data—no matter their size—must take steps to ensure that discarded customer personal information is not open to unauthorized access. For more information on the Disposal Rule, and how it may affect your business, visit www.ftc.gov/bp/conline/pubs/alerts/disposalalrt.htm. Currently, the law applies only to information your business gets from credit reports (or other "consumer reports"). However, it is good business to follow sound data disposal practices when discarding sensitive customer information, whether or not the law specifically requires it.

Disposing of an Old Computer

Before discarding an old computer, permanently erase all customer personal information on the hard drive. Deleting files by putting them in the "recycle bin" or "trash" on your computer's desktop is not good enough. These "deleted" files remain on the computer and can be accessed using commercial recovery software.


To ensure you properly "clean" an old computer, purchase commercial erasure software, available from most computer and office supply stores. This will overwrite all the data on the drive. You also can remove the hard drive and physically destroy it, so that it cannot be used again.

Disposing of Electronic Files (not on a computer)

If you are disposing of a computer disk, CD, DVD, or other electronic storage tool that contains sensitive information, the same rules apply. Don't just delete. Permanently erase the data, using commercial erasure software. Or, physically destroy the tool so that no one else can use it.
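The point the guide makes here, that deleting only unlinks a file while its contents stay on the disk, is what an overwrite-before-delete routine addresses. The following is an added example, not code from the guide or from any product it mentions: it overwrites a single file in place several times, forces the writes to the device, and only then removes it. The file name and contents are constructed for the demonstration.

```python
"""Overwrite a file's contents before unlinking it, so the blocks that held
the data are rewritten rather than merely marked free.

Added example, not code from the original guide and not a substitute for a
commercial erasure product or physical destruction of the drive.
"""
import os
import tempfile

CHUNK = 64 * 1024


def overwrite_and_delete(path: str, passes: int = 3) -> int:
    """Overwrite `path` in place `passes` times (random data on even passes,
    zeros on odd passes), flush and fsync after each pass, then unlink.
    Returns the total number of bytes written.

    Caveat: on an SSD, or on a journaling or copy-on-write filesystem, the
    new data may be written to different physical blocks and the old ones
    left intact; copies in backups, temp files and swap are not touched at
    all. For a whole drive, whole-disk erasure software or physical
    destruction (as the guide advises) is the reliable option."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                buf = os.urandom(n) if p % 2 == 0 else bytes(n)
                f.write(buf)
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the overwrite to the device, not just the page cache
    os.remove(path)
    return written


def demo() -> dict:
    """Constructed scenario: a small export holding customer data is wiped."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as f:
        f.write(b"customer,card_last4\nSample Customer,1881\n" * 1000)
    size = os.path.getsize(path)
    written = overwrite_and_delete(path, passes=3)
    return {"size": size, "bytes_written": written, "exists_after": os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```

Three passes are used only to show the loop structure; a single random pass is sufficient on a modern magnetic drive, and no number of passes helps on media where the overwrite does not land on the original blocks.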

Disposing of Paper Files

Before throwing away any papers containing customer information, destroy the papers by shredding or cross-shredding, burning or pulverizing them. If you don't want to do it yourself, hire a waste disposal company to shred or pulverize records for you. Articulate your requirements for disposal when using an outside company, and ask them to provide you with a quarterly report stating what they've disposed of, and how and when disposal was completed. If the company is local, you may want to visit their operations site for yourself and check their record with the Better Business Bureau.

9. Securing Data in Your Office & Online

The following guidelines generally apply to businesses that use a blend of hard copy and electronic methods to conduct their business activity, as most businesses do today. Remember that ID thieves operate using both high-tech and low-tech methods.

Physical Security

• Keep customer account records and other personal information in locked cabinets.

• Don't leave papers or files unattended on desktops.

• Never leave a business premise open and completely unattended, even for a short time.

• Use a locked mailbox or a post office box for incoming and outgoing mail.

• Use security envelopes for bills or other mail containing personal information.

• Shred anything with customer or employee personal information before discarding it.

Computer and Network Security

• Use SSL technology for your online transactions. SSL stands for "Secure Sockets Layer," a technology that applies encryption—a scrambling of the message—to sensitive information traveling on the Internet, such as credit/debit card numbers. To use SSL, you will need to purchase an SSL Certificate from a Certificate Authority (CA). There are a number of Certificate Authorities you can buy SSL from, such as VeriSign www.verisign.com, Network Solutions www.networksolutions.com, Thawte www.thawte.com and GeoTrust www.geotrust.com. For more information on what encryption is and how to use it, visit HowStuffWorks http://computer.howstuffworks.com/encryption.htm.

• Consider encrypting financial, medical and otherwise sensitive information on your on-site business computers. Your computer may already have the ability to encrypt data using settings installed on its operating system or networking hardware. Ask your network administrator or computer vendor for assistance. If this is not an option, you can buy encryption software and hardware at most computer stores.

• Use passwords and change them frequently. Don't use a password that someone who knows even a little about you could guess, such as a spouse's or child's name, home telephone number, or college you went to. Never write your password down. The Federal Trade Commission provides helpful password tips at www.onguardonline.gov/stopthinkclick.htm.

• To the extent possible, don't keep personal information on the hard drive of computers that connect to the Internet. Use CDs, removable memory (flash drive), or floppy disks. Try to keep any disks or removable memory in a secure and locked location.

• Use a firewall to protect your computer network. Firewalls are a system of software, hardware, or both designed to prevent unauthorized access to a network. A variety of ready-to-use firewall programs are available from popular brands such as McAfee www.mcafee.com, Symantec www.symantec.com, and Zone Labs www.zonelabs.com. If your business handles especially sensitive personal information on the network and needs a higher level of protection, seek an IT consultant or visit a trustworthy computer store for suggestions.

• Continuously update your browsers, operating system, and other software to make sure you are using the most secure versions available. Updates can be found on the websites of the companies that manufacture the browsers, operating system and other software you use.

• Continuously update your anti-virus and anti-spyware software. Updates are generally available at the website of the manufacturer of the anti-virus and anti-spyware software you use. If you don't have anti-virus and anti-spyware software installed, contact an IT consultant or visit a computer or business supply store that you trust to find out what products will best fit your needs.

• Use file sharing only when you need it. Turn it off at all other times. You may want to consult a networking professional for expert security advice if especially sensitive information will be shared over a network.

• If you use wireless networking, turn on the security features that come with the wireless network products you purchase and test that they operate properly. Again, you may want to consult a networking professional before you share any sensitive information over a network. See http://www.ftc.gov/bcp/online/pubs/online/wireless.htm.

• Keep your network servers in a locked room.

• Turn off your computers when not in use.

• Back up all your data regularly and keep backup disks or other back-up materials in a locked area.

• Refer to Chapter 11, Payment Card Security Requirements. For more guidance, see www.visa.com/cisp.


Laptop Computer, PDA & Cell Phone Security

• Always keep your laptop, PDA, or cell phone within sight—especially when you are away from your office.

• Always keep your portable device within reach when traveling; stealing laptops at airports and from trains and restaurants has become a popular data theft technique.

• Limit the amount of any sensitive information stored on laptops, PDAs, and cell phones. If possible, do not store sensitive data on portable devices.

• Password-protect access to the laptop, PDA, and cell phone. Also password-protect features such as Internet access, e-mail, voicemail, and address books.

• Turn these devices off when not in use.

• Do not share portable communication/organization tools (or their passwords) with others.

• If an employee (a salesperson or telecommuter, for example) needs to take personal data off premises on a laptop, CD, flash drive or other portable device, you should encrypt the data.

• Back up all data regularly and keep backup disks or other back-up materials in a locked area.

Special Protections for Cell Phone Users

Today's digital cell phones feature e-mail and Internet capabilities, address book and calendar functions, and can store recorded memos, voicemail, pictures, and other data files.

Although these features help businesses be more efficient, they also create a new layer of data security and privacy to protect. Criminals can hack into cell phones and steal stored files, contacts and voicemail. Viruses can significantly disrupt a cell phone, just as they do a computer. This is why it is important to lock your device and keep it in a secure location when not in use. Do not download or accept file downloads from unknown sources. Limit the amount of data you transmit or store on a cell phone or PDA. Never store sensitive information, such as bank account numbers, ATM codes, and credit/debit card information, on cell phones. Cellular technology changes rapidly, and cell phone capabilities and security features vary significantly between models. Refer to your owner's manual for help to configure the security settings on your phone, or contact your cellular provider for assistance.

10. Internet Security Fundamentals

If you have an "e-business" or your business regularly executes transactions over the Internet, your security toolkit should include web site security, e-mail security, and advanced cyber-security tools.

Web Site Security

Customers have come to expect security on your business web site. Given this, you must ensure that you securely transmit all data over the Internet during an online purchase from your website. Secure Sockets Layer (SSL) is the industry standard for secure, encrypted data transfer over the Internet. SSL technology is built into all major Web browsers (e.g., Explorer and Netscape). Ask your web site designer to configure your site to accept SSL transactions, and ask for advice on how to get your SSL certificate.

SSL is a good starting point, but website security does not end there. Hackers also can steal stored information directly from computers, even if the information is not being transmitted over the Internet. As a result, go the extra step and consider encrypting any sensitive information stored on all your computers. Refer to Chapter 9, Securing Data in Your Office & Online, for information and links on SSL and data encryption.

E-mail Security

E-mail is not secure. Criminals can easily intercept e-mail transmitted over the Internet, and your employees, co-workers, or family members at home may have the ability to access your e-mail without you ever noticing. It's important to engage safeguards when you use e-mail.

Cyber-Security Tools - The Basics

Using the right cyber-security tools can help you diminish the risk of data exposure from data handling. Here are the most widely used computer security tools and a brief explanation of what they do.

• Firewalls: software and hardware that limit external access to your business computers or network.


E-mail Security Tips

• Use e-mail filtering software to screen e-mail and identify suspect messages.

• Don't open e-mail attachments or links from anyone you don't know or trust.

• Turn off the "preview" function of your e-mail program. While this allows you to see the first few lines of the email content, it can be a security risk.

• As a general rule, do not include sensitive information in unencrypted e-mail (Social Security Numbers, credit/debit numbers, account numbers, personal address, phone or e-mail information, etc.).

• When e-mailing messages to a group of people, put recipient addresses only in the "BCC" header (blind carbon copy)—not in the "To" or "CC" headers. This is important even if there is no sensitive content in the body of the e-mail; otherwise you expose the e-mail ID of everyone on your distribution list.

• Beware of "phishing." These are e-mails that mimic the designs of well-known sites and ask you to respond by giving personal information. Do not respond in any way to these e-mails. If you think the e-mail is genuine, directly contact the real organization and verify the authenticity of the e-mail. Legitimate companies do not ask for personal information in an e-mail.
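The BCC tip above works because the addresses in Bcc are used only for the SMTP envelope and are stripped from the message that is actually transmitted, so no recipient sees the rest of the list. The following added example (not code from the guide) builds a group message with Python's standard email library and shows the difference between the envelope and the transmitted headers; the addresses are constructed and nothing is sent.

```python
"""Send to a group with every recipient in Bcc, and show what goes over the
wire: the Bcc addresses drive the SMTP envelope but never appear in the
transmitted headers.

Added example, not code from the original guide. All addresses are
constructed; no mail is sent.
"""
import copy
from email.message import EmailMessage
from email.utils import getaddresses


def build_group_message(sender: str, subject: str, body: str, recipients: list) -> EmailMessage:
    """Put the distribution list in Bcc only. To carries the sender's own
    address so that the header is not empty."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg["Bcc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def prepare_for_transmission(msg: EmailMessage):
    """Return (envelope recipients, bytes to transmit).

    This mirrors the essentials of smtplib.SMTP.send_message: the envelope
    (the RCPT TO list) is built from To, Cc and Bcc, and Bcc is then
    deleted from the copy whose headers are transmitted."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    envelope = [addr for _, addr in getaddresses(headers)]
    wire = copy.copy(msg)
    del wire["Bcc"]
    return envelope, wire.as_bytes()


def leaks_distribution_list(wire: bytes, recipients: list) -> bool:
    """True if any recipient address is visible in the transmitted message."""
    return any(r.encode() in wire for r in recipients)


if __name__ == "__main__":
    m = build_group_message("news@example.com", "Update", "Hello all",
                            ["a@example.com", "b@example.com"])
    env, wire = prepare_for_transmission(m)
    print("envelope:", env)
    print(wire.decode())
```

If you hand the message to `smtplib.SMTP.send_message`, it performs the same Bcc removal itself; the manual version above exists so that the behaviour can be inspected offline.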


• Encryption: software or other technology that scrambles data to prevent unauthorized viewing.

• Vulnerability Analyzers: software that performs checks to determine if a computer network's devices and software are properly configured, patched, and updated.

• Host/Network-Based Intrusion Detection Systems: software that scans for network-related suspicious activity.

• Intrusion Prevention Systems: sensors that detect network security vulnerabilities.

• File Integrity Systems: systems that provide intrusion detection and verify that files have not been tampered with.

• Network Scanners: tools that identify network security holes that could give intruders access to your network.

These tools are available commercially at most computer or business supply stores. Ask your computer vendor, a sales specialist at a trusted computer store, your network administrator, or an IT consultant for the specific brand and product recommendations that will best match your system and your business needs.
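Of the tools listed above, a file integrity system is the simplest to understand from the inside: it records a digest of every file once, and later reports anything that differs. The following added example (not code from the guide or from any product) implements that core with SHA-256 over a directory tree, using a constructed directory layout for the demonstration.

```python
"""Minimal file integrity check: record a baseline of SHA-256 digests for a
directory, take a later snapshot, and report files that were added,
removed or modified.

Added example, not code from the original guide or any product named in
it. The directory layout and file contents below are constructed.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each file under root (path relative to root, '/'-separated) to its digest."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def save_baseline(snap: dict, path: str) -> None:
    """Write the baseline. Keep it where the monitored system cannot alter it
    (read-only media or another host), or an intruder can rewrite it too."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "app")
        _write(root, "conf/settings.ini", "debug=false\n")
        _write(root, "README.txt", "sample\n")
        baseline_path = os.path.join(work, "baseline.json")
        save_baseline(snapshot(root), baseline_path)

        _write(root, "conf/settings.ini", "debug=true\n")  # changed in place
        _write(root, "bin/helper.exe", "new binary")         # dropped in
        os.remove(os.path.join(root, "README.txt"))          # deleted

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the comparison on a schedule and review the "modified" list against your change records; a changed file that nobody changed on purpose is the signal the guide's description of these tools refers to.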

11. Payment Card Security Requirements

Security Rules Your Business Must Follow

The major credit card associations (Visa, MasterCard, American Express, and Discover) have established security requirements for both credit card processors and merchants accepting payment cards. The following rules are especially applicable for your business.

• Do not store the contents of any credit card's magnetic stripe.

• Do not store the CVV or CVV2 (card verification value), two security features of debit and credit cards that should never be stored by businesses. The CVV is a secret code embedded in the magnetic stripe of payment cards that is used to prevent counterfeiting. The CVV2 is the three or four number code on the signature panel of most cards or the front of an American Express card.

• Store only the account information you need to complete and service your transaction. Under no circumstances should the CVV, CVV2 or PIN be stored.

• If you store the basic 16-digit credit or debit card account number, have a plan to destroy it when it's no longer needed. You may want to establish a policy that specifies the length of time your business holds on to credit card information.

• Ensure your business partners and vendors follow the payment card security requirements. A complete list of PCI compliant service providers is available at www.visa.com/cisp.

• Additionally, be aware of the unintended consequences of any software you are using. Merchants are encouraged to use point-of-sale payment software that has been validated compliant with the Payment Application Best Practices (PABP). A list of software providers/software applications that have been validated by PABP is available at www.visa.com/cisp.


• Your business may have to comply with security audits according to the PCI requirements. You may be asked for a system's scan or self-assessment. Contact the bank or the company that manages your payment card processing for details, or log on to www.visa.com/cisp for more details on the Payment Card Industry Data Security Requirements.
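Two of the rules above, and the advice in Chapter 8 to check whether your payment software is quietly keeping magnetic-stripe or PIN data, lend themselves to a check you can run against your own logs and databases. The following added example (not code from the guide and not a compliance tool) does two things: it scans text for data that must never be stored (track data, CVV/CVV2 values, full card numbers that pass the Luhn check), and it reduces a transaction record to what a merchant may keep, with a destroy-by date to implement the retention policy the guide recommends. The log lines, field names and test card numbers are constructed; masking the number to its first six and last four digits is this example's choice, not a rule stated in the guide.

```python
"""Scan stored payment data for what the card rules forbid, and keep only
what a merchant needs from a transaction.

Added example, not code from the original guide. Sample data is constructed.
"""
import re
from datetime import date, timedelta

# Track 1 starts with '%B', Track 2 with ';'; both carry the PAN, an expiry
# (YYMM) and a service code and end in '?'. This is what is read from a
# card's magnetic stripe and must not be stored after authorization.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}[^?]*\??")
TRACK2_RE = re.compile(r";?\d{13,19}=\d{7}[^?]*\??")
# A labelled CVV/CVV2/CVC/CID value, e.g. "cvv2=123".
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\b\s*[:=]?\s*\d{3,4}", re.IGNORECASE)
# Candidate card number: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test that card numbers satisfy; it filters out other
    long digit runs such as order or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_forbidden_data(text: str) -> dict:
    """Report track data, CVV values and Luhn-valid full card numbers in text."""
    candidates = (re.sub(r"[ -]", "", m) for m in PAN_RE.findall(text))
    return {
        "track1": TRACK1_RE.findall(text),
        "track2": TRACK2_RE.findall(text),
        "cvv": CVV_RE.findall(text),
        "pan": [d for d in candidates if luhn_ok(d)],
    }


def retain_for_merchant(record: dict, today: date, keep_days: int = 90) -> dict:
    """Keep only what is needed to complete and service the transaction.
    Track data, CVV/CVV2 and PIN fields are never copied, the card number is
    masked, and a destroy-by date implements the retention policy."""
    pan = re.sub(r"[ -]", "", record["pan"])
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a valid card number")
    return {
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "expiry": record.get("expiry"),
        "amount": record["amount"],
        "destroy_by": (today + timedelta(days=keep_days)).isoformat(),
    }


# Constructed sample of what a badly configured point-of-sale log might hold.
# 4111111111111111 and 4012888888881881 are publicly known test numbers.
SAMPLE_LOG = (
    "order=1001 track2=;4111111111111111=2512101123456? cvv2=123 amount=42.00\n"
    "order=1002 pan=4012 8888 8888 1881 exp=1226 amount=18.50\n"
    "order=1003 phone=312-555-0100 amount=7.25\n"
)

if __name__ == "__main__":
    for kind, hits in find_forbidden_data(SAMPLE_LOG).items():
        print(f"{kind}: {len(hits)} finding(s)")
    print(retain_for_merchant({"pan": "4012 8888 8888 1881", "expiry": "1226",
                               "amount": "18.50", "cvv2": "999"}, date.today()))
```

The scan is a first pass, not proof of compliance: it finds cleartext data in the places you point it at, so run it over log directories, database exports and backup media, and treat every track or CVV hit as a configuration defect in the software that wrote it.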

Security Rules for Processors—Which Also Apply to Small Businesses

In addition to the guidelines listed above, payment card processors and merchants are required to follow these rules:

• Use firewalls.

• Change passwords and security codes from those supplied originally by the software manufacturer, to secure the processor's data and computer network.

• Encrypt all payment card information stored on the processor's computers.

• Encrypt any card data transmitted over the Internet or other public network.

• Use anti-virus software and keep it updated.

• Keep other software, such as operating systems, secure and updated.

• Provide employee access to data on a need-to-know basis only.

• Give each company employee who uses a computer a unique ID.

• Restrict physical access to hard-copy payment card data.

• Track card data access on the company's computer network.

• Test the company's security systems on a regular basis.

• Have an information security policy that spells out rules for employees who handle data and reinforce it regularly.

• For a full listing of these rules, go to www.visa.com/cisp. Click "PCI Data Security Standard."

By following the payment card security requirements, you will protect your customers' sensitive data, and put your business at a competitive advantage with other businesses that are not in compliance. The alternative can be disastrous. If your business has a security breach and is found not in compliance with the payment card security rules, there are severe penalties, including barring your business from accepting payment cards.

Choosing a Payment Card Processing Company

As a business, you have a choice in processors, and credit/debit card processors can vary in their performance. If your customers' information is lost or stolen from your card processor, you and your business could become the target of negative publicity, loss of customer trust, fines, and costly lawsuits.


As you select a processor, verify that they follow all the security rules required by the major payment card associations. If a credit/debit card processor fails to follow those rules, a major data security breach is possible. In 2005, hackers accessed information on approximately 40 million cardholder accounts from a credit card processor that was found not to be compliant with the credit card security requirements.

12. If You Have Data Lost or Stolen

Consider Notifying Your Customers

Currently, twenty-three states (listed below) have laws that require customer notification in the event personal data is lost, stolen, or inadvertently disclosed, and these laws may expand to a national level soon. Many states require you to notify your customers of any data breach. Other states require notification when harm to potential victims is likely. Even if the law doesn't require it, consider the advantages of giving notice to your customers whose information was compromised. If you tell your customers about the breach:

• Describe the nature of the incident.

• Tell them what you have done to address the problem.

• Tell them what you will do in the future to further reduce the chance of it happening again.

Notify Law Enforcement and Other Authorities

If a breach occurs, it is important to alert appropriate law enforcement officials immediately so they can investigate the incident. Talk to a lawyer to get advice on which law enforcement authorities you should contact. This could include local police, state authorities, or even the FBI. The major payment companies also advise that you immediately contact your payment processor and your acquiring bank if you have a credit/debit card security breach. It is also recommended that if you have any kind of customer data breach, you alert the three national consumer reporting agencies: Equifax www.equifax.com, TransUnion www.transunion.com, and Experian www.experian.com. Visit the FTC Web site (www.ftc.gov) for more information on responding to a data breach.

Also alert the bank or company that you hire to process your payment cards. It's important that the compromised accounts are watched or closed to prevent fraud from occurring on them. You could have liability for the resulting fraud, so quick notification to the payment card companies can help. Ask your lawyer about this now, so that in the event something does happen, you are immediately prepared and know which law enforcement agencies to contact. Some local law enforcement departments have even set up special units to investigate such incidents.

States with Breach Notification Laws*

Arkansas, California, *Connecticut, *Delaware, *Florida, Georgia, Illinois, Indiana, *Louisiana, Maine, Minnesota, *Montana, Nevada, *New Jersey, New York, *North Carolina, North Dakota, *Ohio, Pennsylvania, *Rhode Island, Tennessee, Texas, *Washington

* Requires notification only when there is risk of harm to consumer victims

Support Your Customers

If a breach occurs:

• Encourage your customers to monitor their credit reports for signs of identity theft. If you can afford the expense, consider paying for a credit monitoring service for your affected customers for a designated period of time (generally 6-12 months).

• Encourage any customer experiencing or suspecting identity theft to notify you, file a police report, and notify the three national consumer reporting agencies, outlined in the Notify Law Enforcement and Other Authorities section above.

Responding quickly to a data breach may help you retain your customers.

13. Managing Official Requests For Your Data

You Have Both Duties and Rights

When you receive a request for customer records from a law enforcement officer or a government agency, balance your general inclination to respond immediately with your responsibility as a trustee of your customers' information.

14. If You Do Business Globally

You Could Be Subject to Foreign Data Protection Laws

Over 50 nations have personal data protection laws that regulate the handling of consumer information by businesses. Most data protection laws apply to all businesses that handle customer information, regardless of size. Even a company with no physical presence in another country—but which engages in international business-to-consumer e-commerce—is often required to comply with these laws. These data protection laws are found throughout Europe, Canada, South America, Asia, Africa, and the Middle East.


Responding to Government Agency or Law Enforcement Requests for Data

• State your company's policies on responding to these requests in your security and privacy policy. If your business shares customer personal information with the government when it is required to do so by law or valid access request—say so.

• Consult with your attorney about your obligations to respond to government information requests and to ensure that you are complying with your privacy policy.

• Train your employees. Tell them what to do when they receive a request for customer information from law enforcement or other government agency.


What These Laws Require from Businesses

In general, data protection laws require businesses to:

• Provide information to consumers about the collection and processing of their data.

• Process consumer data in a fair and lawful manner, and only for the purposes communicated to the consumer.

• Restrict the collection and processing of certain "sensitive" types of consumer data.

• Collect only relevant (and not excessive amounts of) personal data from consumers.

• Take reasonable steps to protect consumer data from accidental loss, destruction or unauthorized disclosure. This includes supervising employees and contractors who touch consumer data on a business' behalf.

• Ensure that safeguards are in place at destination points before transferring consumer information outside of the country.

• Check on whether a country requires businesses to file a notification with the national data protection authority before collecting and handling any consumer data.

Customers Have Rights Under International Data Protection Laws

Customer rights under data protection laws generally include:

• The right to withdraw consent to certain uses of personal data (generally for direct marketing uses).

• The right to obtain information about how personal data is processed.

• The right to view their personal information and request that any errors in that information be corrected.

• The right to sue a business in court for compensation or damages resulting from harm caused by a breach of the data protection laws.

Law Enforcement

Most countries with data protection laws have designated a separate data protection authority to supervise and enforce the law. These agencies generally have the power to receive and investigate complaints about businesses from consumers, or to initiate their own investigations. Some have the power to impose fines and other penalties for violations of the law, while others may only make non-binding determinations (which may be enforceable by a court).


What You Need To Know About Global Commerce

• Learn about the data protection laws in countries in which you do business. A good place to start is with the web sites of national data protection authorities for each country. Some, such as the UK and Australia, publish guides to their laws that are customized for small businesses. For a list of data protection authorities in countries around the globe visit http://www.dataprotection.ie/docs/European_Functions-Useful_Links/99.htm

• Consumers in these countries expect businesses to understand and comply with local data protection laws, no matter what the business size.


15. Additional Resources

Managing security and privacy in your business activities doesn't need to be an unduly expensive or time-consuming activity. Taking practical steps to protect the sensitive data your customers entrust to you will produce many dividends in return. Establishing solid data security and privacy policies and practices will:

• Put your business in compliance with federal and state law.

• Help protect your business and customers from data theft and criminal activity, including ID theft.

• Create a bond of respect and trust between your business and your customers.

Customers expect their information to be kept securely. Consider this your initial Guide to security and privacy best practices. However, note that security has new manifestations all the time, so it's a changing landscape. Here are additional resources to help keep you current.

• The Better Business Bureau: Find updates for small business owners about changes in security and privacy laws as well as new risks they need to manage. www.bbb.org/securityandprivacy.

• The Federal Trade Commission: The site of the nation's consumer protection agency has a collection of resources for businesses and consumers, www.ftc.gov. The FTC also provides a one-stop national resource on ID Theft at www.consumer.gov/idtheft.

• Privacy Manager's Resource Center: a comprehensive resource from BBBOnLine to help businesses promote trust in consumer relationships, www.bbbonline.org/UnderstandingPrivacy/PMRC.

• IBM's Small Business Center: a collection of resources for small business owners including white papers, technology solutions and expert Q&A, www.ibm.com/businesscenter/smallbusiness.

• Visa: Full briefing of payment card industry (PCI) standards for merchants, www.visa.com/cisp.

• Business for Social Responsibility: Issue Brief—Consumer and Employee Privacy, www.bsr.org.

• OnGuard Online: provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information. Managed by the FTC, www.onguardonline.gov/index.html.

• Small Business Computing.com: an online magazine-style guide by Jupiter Media Corporation for small business owners featuring technology articles, reviews, and a message board, www.smallbusinesscomputing.com.


16. Customized Insights from IBM

In addition to the solid security and privacy material provided in this Guide, IBM offers these key reinforcements and additional thoughts.

1. Ensure your antivirus software is installed and up to date. Believe it or not, there continues to be activity from viruses as old as CodeRed and Nimda, which first appeared years ago.

2. Install a firewall for your home and business computer network, especially if you use an always-on connection like broadband or DSL. Intruders are continuously scanning for home and business systems they can hijack to create a “list bomb” to send to your entire address list.

3. Fend off “airsnarfs” – hackers who piggyback onto your wireless connection – by ensuring your laptop has its own firewall. A firewall on the laptop protects the laptop itself; it does not stop others from using your wireless link, which needs encryption (WPA2) enabled on the access point as well.

4. Do not respond to unsolicited e-mail, spit (spam over internet telephony), spim (spam over instant messaging) or spam. Even the Unsubscribe function on a spam e-mail probably won’t take you off any junk lists, and it may even redirect you unknowingly to a malicious web site that creates a backdoor or downloads a virus onto your PC.

5. Did you know that 40% of all computer users use the word “password” as their password? When choosing a password, here are some tips to slow down programs that are specifically written to crack your password.

• Don’t choose obvious things like the name of a pet, friend or your birth month.

• Select longer passwords – at least eight characters, and longer is better, since every added character multiplies the work a brute-force program has to do.

• Mix letters with non-letters, such as numbers and punctuation.

• If you absolutely have to use a real word, misspell it, and bear in mind that cracking programs already try the common substitutions (0 for o, $ for s and so on), so an altered word on its own is only a small improvement.

6. If you are an IM user, be cautious about following links or running software sent to you by someone else. These are commonly used to build networks of computers that are unwittingly part of a denial of service attack. Experts project that two billion spam messages will bombard Instant Message applications this year.

7. Don’t be fooled by “spoofers.” There is no good reason to give out your password, social security number or bank account information in response to an e-mail or phone call. Most legitimate banks and Internet service providers would never ask you to send them that kind of information. If in doubt, call them.

8. Look for a third party privacy seal when purchasing over the internet, and check that the checkout page is served over an encrypted (https) connection; a privacy seal speaks to how your data is handled, not to whether the connection itself is secure.

9. Last, but not least – When was the last time you backed up your files? There is no such thing as 100% protection from phreaks, spoofers and spammers, so make sure you have a recent back-up before a wicked wabbit brings your system to a halt.

For more information and tools to help you protect your small business, visit http://www.ibm.com/businesscenter/smallbusiness
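The following Python check is an added example, not code from the Guide or from IBM. It applies the password rules in item 5 above and also shows why the "misspell it" advice is weak on its own: it undoes the substitutions a rule-based cracking tool tries automatically and looks the result up in a word list. The word list is a small constructed stand-in for a real cracking dictionary, the `personal` argument is an assumed list of words such as a pet's name supplied by the caller, and the brute-force estimate is an upper bound that says nothing about dictionary attacks.

```python
"""Password checks for the rules in item 5, plus a look at why
misspelling a real word adds little (added example, not IBM's code)."""
import math
import re
import string

# Constructed stand-in for a real cracking wordlist; a real check would
# load millions of entries from a breach corpus.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey", "dragon"}

# Substitutions that rule-based crackers apply automatically, so a
# "misspelling" built from them is tried almost as quickly as the word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _strip_edges(s: str) -> str:
    """Drop leading/trailing digits and symbols ('summer2006!' -> 'summer')."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def root_words(pw: str) -> set:
    """Candidate dictionary roots a cracker would derive from the password."""
    low = pw.lower()
    return {_strip_edges(low).translate(LEET), _strip_edges(low.translate(LEET))}


def char_classes(pw: str) -> int:
    """How many of lower, upper, digit and symbol appear in the password."""
    return sum([any(c.islower() for c in pw),
                any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw),
                any(c in string.punctuation for c in pw)])


def alphabet_size(pw: str) -> int:
    """Size of the smallest standard alphabet that contains every character used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 symbols
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the naive keyspace alphabet**length: an upper bound on the work
    of exhaustive search, which badly overstates anything dictionary-based."""
    size = alphabet_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw: str, personal=()) -> list:
    """Return the rule violations found; an empty list means the password passes.
    `personal` holds words such as a pet's name or birth month (assumed caller input)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if char_classes(pw) < 2:
        problems.append("uses only one character class")
    roots = root_words(pw)
    hit = roots & COMMON_WORDS
    if hit:
        problems.append(f"built on the common word '{sorted(hit)[0]}'")
    private = roots & {p.lower() for p in personal}
    if private:
        problems.append(f"built on personal information '{sorted(private)[0]}'")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd1!", "Fluffy2006", "vK7#qLm2pz!"):
        print(candidate, round(brute_force_bits(candidate), 1), check_password(candidate, personal=("Fluffy",)))
```

"P@ssw0rd1!" satisfies every surface rule and scores about 65 bits against brute force, yet `check_password` still rejects it, because after stripping the trailing "1!" and undoing the substitutions the root is "password". That is the check a cracking tool performs in its first seconds, which is why length and genuinely random characters matter more than a clever spelling.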


IBM security solutions: Protecting your business from spam, viruses and spyware

IT solutions for midmarket On Demand Business

Highlights

• Addresses today’s e-mail security issues with effective, easy-to-manage and affordable security solutions

• Offers protection against current risks with the flexibility to adapt to ever-changing e-mail threats

• Provides highly secure, automated user management

• Helps reduce costs by leveraging open-source technology

A secure e-mail system is a vital part of becoming an On Demand Business, in which your business processes are integrated end-to-end with key partners, suppliers and clients. This enables you to respond with speed to virtually any client demand, market opportunity or threat. And innovation is the key to creating business value and differentiation. It’s what makes your company indispensable to customers. IBM and IBM Business Partners can help you differentiate your company from the competition — our On Demand Business strategy can help you become more responsive to your customers.

More common than the telephone in business communication, e-mail is more than a convenience for today’s business—it’s essential. This quality also makes e-mail a prime target for security threats.

The 2005 IBM Global Business Security Index Report assessed a number of security threats, nearly all of which pose a threat to e-mail. Viruses have been on the upswing, despite extensive efforts to contain them. Spam has continued to proliferate, despite the U.S. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003, which the Federal Trade Commission enforces. Phishing continues to grow, attempting to scam users into surrendering private information through e-mail that falsely claims to be sent from an established enterprise.

What can you do to prevent productivity loss, damage-containment costs, and other potentially severe financial impacts resulting from a security breach? What measures can you take to comply with regulations that require you to keep a record of e-mail communications and secure the confidentiality of information? What can you do to keep your e-mail secure?

Easy-to-manage and affordable e-mail security solutions

IBM offers easy-to-manage and affordable security solutions that address today’s e-mail security issues. These solutions help manage current risks with the flexibility to adapt to ever-changing e-mail threats.

Comprising hardware, software and services from IBM and IBM Business Partners, the security solutions span three areas: managed e-mail security services, network e-mail security, and access and identity management.

Express managed security services

Protect your e-mail infrastructure and network with a comprehensive solution designed for mid-sized businesses.

IBM Express Managed Security Services for Web security

The IBM Express Managed Security Services for Web security suite is designed to protect IT investments and productivity with around-the-clock scanning that reduces the threat of spyware and viruses delivered through Web browsing. The solution is easy to deploy and manage, and effectively enforces corporate Internet usage policies by filtering access to inappropriate or potentially dangerous URLs.

IBM Express Managed Security Services for Web security protects with robust antivirus, anti-spyware, and URL-filtering technologies. It is a complete solution that:

• Stops viruses and spyware outside the network

• Filters out inappropriate Internet material

• Lowers the cost of protection by eliminating hardware and software maintenance

IBM Express Managed Security Services for E-mail Security

IBM Express Managed Security Services for E-mail Security can act as your first line of defense by scanning e-mail and eliminating threats originating from outside your network. This IBM managed service provides worldwide 24x7 service and support with threat monitoring and response at a potentially lower cost than can be achieved in-house. It requires no additional hardware, software, updates or IT staff.

IBM Express Managed Security Services for E-mail Security offers you the flexibility to choose only the security components you need. These services include:

• Virus protection: Unlike desktop virus software, the antivirus service option is designed to clean e-mail of viruses before they reach your network, helping eliminate the downtime caused by virus infections.

• Spam protection: The antispam service option combines predictive technology with fully customizable sender lists to help identify and reroute spam before it ever reaches your network.

• Image filtering: This image control solution combines multiple techniques, including groundbreaking image composition analysis, to detect and control pornographic images.

• Content control: Applying a combination of advanced technology and configurable usage rules for filtering inbound and outbound e-mail, content control enables you to identify and control confidential, malicious or inappropriate content sent or received by your organization.

An additional level of security provided by this service helps reduce the opportunity for hackers to attack your corporate infrastructure. If corporate servers go down, this solution provides e-mail continuity by delivering incoming messages when service is restored.

Network-based security

IBM offers an easy-to-install, easy-to-use and easy-to-manage e-mail appliance designed and priced for small and mid-sized companies. It is powerful enough to plug network e-mail security gaps, and flexible enough to readily adapt to changing threats.

IBM System p5 Network E-mail Security Express

This solution provides a multilayered approach and an adaptable framework to meet the ever-changing challenges of network e-mail security. It combines the outstanding price and performance of IBM System p5™ platforms, the flexibility of the Linux® operating system, and the adaptability and ease of management of an innovative message processing platform. The high-performance, cost-effective and scalable solution helps reduce cost by eliminating the need for costly, internally developed solutions, and reducing management and administrative requirements.

Network access and identity management

IBM Tivoli® software, IBM Global Services and IBM Business Partners provide robust perimeter control, preventing unauthorized intrusions and reducing the likelihood of e-mail attacks.

IBM Tivoli Access Manager

IBM Tivoli Access Manager software enables you to give employees, partners, suppliers and customers dynamic, role-based access to your business applications, based on their need to know. This is accomplished by defining a comprehensive policy based on user roles or business rules to manage access to your applications. You can create user groups and assign permissions to groups, which can simplify administration of access control across multiple applications and resources.
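The group-based model the paragraph describes, as an added example in Python (not Tivoli Access Manager code, and not the product's policy format): permissions attach only to groups, users get access only through membership, anything not explicitly granted is denied, and a single query lists everyone who currently holds a permission, which is the review a "need to know" policy needs. The groups, users and resources are constructed for the example.

```python
"""Group-based, deny-by-default access control of the kind the passage
describes (added example; not Tivoli Access Manager code)."""
from collections import defaultdict


class AccessPolicy:
    """Permissions attach to groups; users get access only via group membership."""

    def __init__(self):
        self.group_perms = defaultdict(set)   # group -> {(resource, action)}
        self.user_groups = defaultdict(set)   # user  -> {group}

    def grant(self, group, resource, action):
        self.group_perms[group].add((resource, action))

    def add_member(self, user, group):
        self.user_groups[user].add(group)

    def remove_member(self, user, group):
        # Leaving the group is the only way access goes away: nothing is
        # attached to the user directly, so there is no stray grant to forget.
        self.user_groups[user].discard(group)

    def permissions(self, user):
        """Effective permissions: the union over the user's groups."""
        perms = set()
        for group in self.user_groups.get(user, ()):
            perms |= self.group_perms.get(group, set())
        return perms

    def is_allowed(self, user, resource, action):
        """Deny by default: unknown users, groups and resources all fail closed."""
        return (resource, action) in self.permissions(user)

    def who_can(self, resource, action):
        """Need-to-know review: every user who currently holds this permission."""
        return sorted(u for u in self.user_groups if self.is_allowed(u, resource, action))


def build_demo_policy():
    """Constructed policy: billing staff edit invoices; partners and auditors only read them."""
    policy = AccessPolicy()
    policy.grant("billing-staff", "invoices", "read")
    policy.grant("billing-staff", "invoices", "write")
    policy.grant("partners", "invoices", "read")
    policy.grant("auditors", "invoices", "read")
    policy.grant("auditors", "audit-log", "read")
    policy.add_member("alice", "billing-staff")
    policy.add_member("bob", "partners")
    policy.add_member("carol", "auditors")
    return policy


if __name__ == "__main__":
    policy = build_demo_policy()
    print(policy.is_allowed("alice", "invoices", "write"))   # True
    print(policy.is_allowed("bob", "invoices", "write"))     # False
    print(policy.who_can("invoices", "read"))                # ['alice', 'bob', 'carol']
    policy.remove_member("bob", "partners")
    print(policy.is_allowed("bob", "invoices", "read"))      # False
```

The point of routing every grant through a group is the last two lines: revoking a partner's access is one membership change, and the `who_can` report afterwards is authoritative because there is no second place where a permission could be hiding.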

IBM Tivoli Identity Manager Express

IBM Tivoli Identity Manager Express provides highly secure, automated and policy-based user management and single sign-on capabilities. It helps ensure that the right people can access the right applications and infrastructure. It enables automated setup of new accounts and passwords for employees and customers, and provides users with the ability to reset and synchronize their own passwords without help desk support. It helps improve visibility into security management operations, and can quickly produce reports for auditors with predefined reports and audit events.

IBM Express Vulnerability Assessment

IBM Express Vulnerability Assessment is a reliable, affordable starting point for reducing security-related risks and protecting confidential data. It’s a cross-industry security solution that helps clients better understand vulnerabilities in their Web-based applications and networks and how to address them. Low-, medium- and high-risk exposures are identified and documented for the client, along with recommendations for improvements. This solution is packaged and priced for mid-sized businesses and features IBM Business Consulting Services’ industry-leading methodologies and tools.

IBM Managed Security Services

IBM Global Services provides robust, comprehensive managed security services to help decrease system vulnerability, and optimize security and privacy strategies and procedures.

• Network intrusion detection: Guard your Web sites against attacks with around-the-clock monitoring of all Internet Protocol (IP) network traffic within a hosted environment. Services include installing and managing an intrusion sensor, logging and analyzing events, and recommending security enhancements.

• Ethical hacking: IBM security consultants can perform a range of intrusion tests using the same techniques known to be used by the most common hackers. By identifying weaknesses and recommending specific security measures that can protect information and processes, these services can help you avoid actual loss.

An IBM customer success story

A manufacturing company found that each of its 100 employees was receiving approximately 400 spam e-mails per day. The organization also did not have virus protection in place. It needed to eradicate viruses and minimize the amount of spam being received.

IBM Global Services and IBM Business Partners provided a complete e-mail security management system to this company. This solution provided e-mail antivirus, antispam and other undesirable content filtering. As a result of the e-mail security services, no viruses could penetrate the network through e-mail. The solution eliminated 98 percent of spam. In addition, during a recent e-mail server outage, IBM held e-mail for the company until the company restored its e-mail server operations two days later. IBM e-mail security services helped the company achieve greater productivity, reduce the risk of legal liability and achieve greater network bandwidth by stopping spam at the Internet level.

IBM Express Advantage

The IBM Express Advantage is your gateway to a comprehensive line of hardware, software, services and financing solutions designed, developed and priced specifically for mid-sized businesses. These offerings are available through the IBM network of Business Partners, who combine their applications and services with IBM offerings to solve midmarket business challenges. The IBM Express Advantage also offers financing and enhanced capabilities to help mid-sized customers find the right IBM and Business Partner resources.

IBM Express Portfolio

In addition to the Express solutions mentioned above, IBM Express Portfolio™ offers competitively priced solutions developed exclusively for mid-sized businesses. This portfolio, which includes hardware, middleware, storage capabilities, consulting and financing services, addresses the special challenges that mid-sized businesses face—limited IT staffs, fewer skills and resources, and smaller budgets than large companies. With Express, IBM provides solutions that are easy to install, manage and integrate with existing systems, and are available from IBM as well as from our vast network of Business Partners.

Financing offerings

You can get the security solution you need, while preserving your cash and credit lines, with the IBM Financing Advantage program. This suite of smart, simple financial solutions, designed specifically for small and mid-sized business, offers:

• Highly competitive rates on IBM or non-IBM hardware, software and services

• A 5 percent rebate on selected IBM products in selected countries

• Cash for your unwanted equipment (or safe, secure disposal services)

• IBM Certified Used Equipment, if acquiring new equipment is simply not an option

For more information

IBM and IBM Business Partners can help you achieve business objectives, and avoid loss of business, reputation, and competitive advantage resulting from insecure e-mail systems. To learn more about IBM solutions for e-mail security, please contact your IBM representative or IBM Business Partner, or visit ibm.com/businesscenter/smb/us/en/solutionssecurity

© Copyright IBM Corporation 2006

Route 100, Somers, NY 10589, U.S.A.

Produced in the United States of America, 03-06. All Rights Reserved.

Express Portfolio, IBM, the IBM logo, the On Demand Business logo, System p5 and Tivoli are trademarks of International Business Machines Corporation in the United States, other countries or both.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

G299-0740-01

Security and privacy

September 2006

Stopping insider attacks: how organizations can protect their sensitive information.

Contents

Introduction
The growing threat of insider attacks
Your organization at risk: understanding the stakes
Building greater sophistication into security measures
Conclusion

Introduction

The growing threat of insider attacks

Highlights

• Strong perimeter defenses can block external threats effectively, but provide only part of the protection organizations need.

• Though often overshadowed by attacks from the outside, the risk of insider threats is nevertheless a pressing concern for practically every organization.

• A list kept by the Privacy Rights Clearinghouse shows hundreds of data breaches reported in the United States alone since February of 2005.

• “Dishonest insiders” can exploit an organization’s vulnerabilities to commit identity fraud and expose confidential information—for personal gain or as part of a larger crime ring.

Your organization at risk: understanding the stakes

Highlights

• Because employees carry valid authorization and are privy to the organization’s vulnerabilities, insider attacks can be more difficult to detect than external penetration attempts.

• Undetected attacks can cause serious harm, including legal liability for compromised data, loss of competitive position and disrupted business operations.

• According to a recent study, the average fraud scheme continues undetected for 18 months.

Building greater sophistication into security measures

Highlights

• Distributed, global work environments and rapidly changing business conditions require a balance between end user accessibility and data protection.

• Protecting against attacks from the inside requires greater sophistication and granularity on the part of security systems.

• There are four basic elements that can provide the sophistication needed to help prevent insider attacks.

Behavioral analysis

• Security systems should automatically monitor the online activities of authorized users, detect abnormal behavior and even help to prevent potential misuse.

• Behavioral analysis can help pinpoint small deviations and unusual patterns in high-traffic, dynamic work environments.

Integrated security components

• Security elements should interact seamlessly—in real time—to enable thorough analysis and quick response to potential threats.

• Effective pattern detection depends on the ability to correlate messages and events from different monitoring systems across the IT environment.

Automatic response

• The security systems themselves must be capable of responding immediately to unacceptable user behavior.

• Automatic denial of access can thwart attacks before they occur—and give network administrators the opportunity to determine a suitable course of action.

Iterative modeling process

• To stay a step ahead of evolving security threats, organizations must continuously revise and enhance their security efforts.

• Self-tuning systems should react appropriately and intelligently to dynamic business conditions—without human intervention.
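The four elements above (behavioral analysis, integrated components, automatic response and an iterative model) fit together in a small detector, shown here as an added Python example that is not IBM's code and not drawn from the paper. It builds a per-user baseline of daily record exports from one log, correlates each day against off-hours logins from a second log, denies access automatically only when both signals agree, and folds only days judged normal back into the baseline so that an attack does not teach the model that bulk export is normal. The two logs, the off-hours window (00:00 to 06:59), the z-score threshold of 3 and the minimum history of three days are all constructed assumptions.

```python
"""Insider-misuse detection built from the four elements above:
per-user behavioral baseline, correlation of two log sources, automatic
response, and a baseline that keeps learning (added example, not IBM's
product code). Logs, thresholds and the off-hours window are constructed."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample logs. Source 1: authentication events.
AUTH_LOG = """\
2006-09-08T08:55:12 login user=alice src=10.1.4.20
2006-09-08T09:02:40 login user=bob src=10.1.4.31
2006-09-11T08:58:03 login user=alice src=10.1.4.20
2006-09-11T02:14:09 login user=bob src=10.1.4.31
2006-09-11T05:30:47 login user=carol src=10.1.4.42
2006-09-11T09:01:55 login user=carol src=10.1.4.42
""".splitlines()

# Source 2: one line per user per day from the application that holds the
# sensitive records, in chronological order.
EXPORT_LOG = """\
2006-09-04 user=alice records_exported=40
2006-09-04 user=bob records_exported=35
2006-09-04 user=carol records_exported=20
2006-09-05 user=alice records_exported=44
2006-09-05 user=bob records_exported=31
2006-09-05 user=carol records_exported=22
2006-09-06 user=alice records_exported=38
2006-09-06 user=bob records_exported=33
2006-09-06 user=carol records_exported=19
2006-09-07 user=alice records_exported=42
2006-09-07 user=bob records_exported=36
2006-09-07 user=carol records_exported=21
2006-09-08 user=alice records_exported=41
2006-09-08 user=bob records_exported=30
2006-09-08 user=carol records_exported=20
2006-09-11 user=alice records_exported=60
2006-09-11 user=bob records_exported=900
2006-09-11 user=carol records_exported=21
""".splitlines()

OFF_HOURS = range(0, 7)   # logins between 00:00 and 06:59 are unusual here (assumption)
Z_THRESHOLD = 3.0         # how far above the user's own norm counts as abnormal
MIN_HISTORY = 3           # days of history needed before judging a user


def parse_line(line):
    """'ts word key=value ...' -> (ts, {key: value}); bare words are ignored."""
    ts, *fields = line.split()
    return ts, dict(f.split("=", 1) for f in fields if "=" in f)


def offhours_logins(auth_lines):
    """Correlation keys {(date, user)} for users who logged in during OFF_HOURS."""
    hits = set()
    for line in auth_lines:
        ts, kv = parse_line(line)
        when = datetime.fromisoformat(ts)
        if when.hour in OFF_HOURS:
            hits.add((when.date().isoformat(), kv["user"]))
    return hits


class Baseline:
    """Per-user model of normal daily export volume."""

    def __init__(self):
        self.history = defaultdict(list)

    def zscore(self, user, value):
        hist = self.history[user]
        if len(hist) < MIN_HISTORY:
            return 0.0                                  # too little history to call anything abnormal
        mean = statistics.mean(hist)
        sigma = max(statistics.stdev(hist), 1.0)        # floor stops a flat history from flagging noise
        return (value - mean) / sigma

    def learn(self, user, value):
        self.history[user].append(value)


def evaluate(export_lines, auth_lines, baseline=None):
    """Return {(date, user): 'ok' | 'alert' | 'deny'} for every export-log line."""
    baseline = baseline if baseline is not None else Baseline()
    offhours = offhours_logins(auth_lines)
    decisions = {}
    for line in export_lines:
        date, kv = parse_line(line)
        user, count = kv["user"], int(kv["records_exported"])
        signals = []
        if baseline.zscore(user, count) > Z_THRESHOLD:
            signals.append("volume")                    # behavioral analysis on source 2
        if (date, user) in offhours:
            signals.append("offhours")                  # correlated with source 1
        if len(signals) >= 2:
            decision = "deny"                           # automatic response; an admin reviews afterwards
        elif signals:
            decision = "alert"                          # a single signal goes to an analyst
        else:
            decision = "ok"
            baseline.learn(user, count)                 # iterative: only normal days refine the model
        decisions[(date, user)] = decision
    return decisions


if __name__ == "__main__":
    for key, decision in evaluate(EXPORT_LOG, AUTH_LOG).items():
        if decision != "ok":
            print(key, decision)
```

On the constructed data the last day produces three different outcomes: bob exported 900 records against a norm of about 33 and had logged in at 02:14, so both signals agree and access is denied; alice's 60 records are far outside her norm but her login was routine, so she is only flagged for review; carol's volume was normal but she logged in at 05:30, which is likewise only worth an alert. Because flagged days are never learned, bob's baseline still holds five ordinary days afterwards, so a second bulk export the next day would be caught just as easily.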

Conclusion

Highlights

• Organizations must be prepared to fend off attacks wherever they originate—even as the boundaries between organizations, partners, users and customers blur.

For more information

IBM Center for Business Optimization
IBM Information Security Framework
ibm.com/services

© Copyright IBM Corporation 2006

IBM Global Services, Route 100, Somers, NY 10589, U.S.A.

Produced in the United States of America, 09-06. All Rights Reserved.

IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both.

Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

IBM assumes no responsibility regarding the accuracy of the information provided herein and use of such information is at the recipient’s own risk. Information herein may be changed or updated without notice. IBM may also make improvements and/or changes in the products and/or the programs described herein at any time without notice.

1 California Security Breach Information Act (S.B. 1386), effective July 1, 2003; http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

2 IBM global business security index report, 2005.

3 Scott Berinato (with Research Editor Lorraine Cosgrove Ware), “The Global State of Information Security 2005,” September 15, 2005, published by PricewaterhouseCoopers and CIO; http://www.cio.com/archive/091505/global.html

4 “A Chronology of Data Breaches Reported Since the ChoicePoint Incident,” Privacy Rights Clearinghouse; August 5, 2006, used with permission of the Privacy Rights Clearinghouse, www.privacyrights.org

5 John Ribeiro, “HSBC claims customer fraud in Indian services center,” Network World (IDG News Service), June 27, 2006; http://www.networkworld.com/news/2006/062706-hsbc-claims-customer-fraud-in.html

6 “2006 ACFE Report to the Nation on Occupational Fraud and Abuse,” Association of Certified Fraud Examiners; http://www.acfe.com/fraud/report.asp

GSW00316-USEN-00

IBM Global Financing

Simpler, smarter choices, customized for you.

Your one-stop IT financing partner

Just as today’s businesses increasingly rely on sophisticated IT solutions—hardware, software and services from multiple vendors—the financing requirements associated with them can become similarly complex. That’s why it’s important to choose a financing partner that can help you make simpler, smarter choices—offering financing solutions that are customized for your business needs and are flexible over time.

In the same way that IBM knows how innovative IT solutions can contribute to the success of your business, IBM Global Financing knows how innovative financing can contribute to the value your company realizes from its IT investments. Our objective is to be your partner—providing a one-stop source of competitively priced IT financing solutions. When you choose IBM Global Financing, you’re getting a strategic partner for managing all aspects of your financed solution.

Over the lifecycle of your IT investment, IBM Global Financing offers asset tracking, services for the disposal of assets no longer required and high quality used equipment. IBM Global Financing also offers channel financing for resellers, value-added resellers and independent software vendors.

“Leasing from IBM Global Financing gives us the flexibility to migrate to a new architecture—and better utilize our capital.”
– Jesse Perez, CFO, Geotrace Technologies, Inc.

Smarter financing decisions

IBM Global Financing has the expertise to help you make smarter financing decisions. We work with companies of all sizes and can create customized financing packages. Depending on your business, IT and financial priorities, we offer plans that take into account the lifecycle of your investment, helping you acquire, manage and even eventually dispose of technology assets. Our financing solutions are competitive and can give you the flexibility to change or upgrade hardware and software—so you can keep your IT capabilities in line with an evolving business and technology environment.

Partnership across the lifecycle

As the world’s largest provider of IT financing, IBM Global Financing has a worldwide asset base of nearly US$31 billion, enabling us to provide financing expertise, comprehensive solutions and competitive terms. Whether you are a global business or a smaller local company, we can apply our experience and innovative thinking to serve your goals—something we already do for 91 of the United States Fortune 100 and for 125,000 customers in more than 40 countries.

Right from the start, we’ve operated from a simple, core assumption—it’s in our best interest to serve your best interest. We value our client relationships and emphasize clear, straightforward contracts that can minimize surprises and bumps in the road. When finances are tight, you can include IBM Certified Used Equipment™ as part of your financing solution. We build partnerships that put the full range of our expertise and resources to work for you.

A simpler experience—one-stop financing

We know you want to acquire technology more easily, so IBM Global Financing works to simplify the decision-making process for IT financing. We provide rapid quotes and approvals. We can provide customized financial solutions and easy online tools for tracking and managing your financed assets.

Finally, we know you want a comprehensive financing package that addresses your total IT solution—for hardware, software, services and maintenance, including both IBM and non-IBM components. IBM Global Financing provides one-stop shopping for IT financing, with a single point of contact to make it easier for you to address all the elements of your financing solution.

“Leasing from IBM helps to give us the ability to grow. We’re going to have to make a lot of critical spending decisions [when we build our new medical center], and it will be nice to have the cash.”
– Kevin Fitch, senior treasury analyst, Elmhurst Memorial Healthcare

For more information

To learn more about simpler, smarter financing, contact your IBM representative or visit: ibm.com/financing

© Copyright IBM Corporation 2006

IBM Global Financing, North Castle Drive, Armonk, NY 10504-1785 USA
ibm.com/financing

Produced in the United States, March 2006. All Rights Reserved.

IBM, the IBM logo and IBM Certified Used Equipment are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both.

Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

IBM Global Financing offerings are provided through IBM Credit LLC in the United States and other IBM subsidiaries and divisions worldwide to qualified commercial and government customers. Rates are based on a customer’s credit rating, financing terms, offering type, equipment type and options, and may vary by country. Other restrictions may apply. Rates and offerings are subject to change, extension or withdrawal without notice.

IGF4-a085-03
GFB02045-USEN-03