.: Company Profile
Advocate Health Care, based in Oak Brook, Illinois, is the largest, fully integrated not-for-
profit health care delivery system in metropolitan Chicago, and is recognized as one of the
top systems in the country. Advocate has eight hospitals and two children's hospitals with
3,500 beds and more than 200 care sites, as well as a privately held full-service home health
care company. More than 4,600 physicians are on staff at Advocate hospitals and more than
24,500 persons are employed at its sites, making it Chicago's 10th largest employer.
Advocate's roots go back more than 100 years. It took on its present form in 1995 with the
merger of Evangelical Health Systems Corporation and Lutheran General HealthSystem, two
faith-based organizations. Its primary academic and teaching affiliation is with the
University of Illinois at Chicago Health Sciences Center.
.: Tighter Controls Were Needed to Secure Hundreds of Locations
Advocate Health Care's more than 200 care facilities are spread throughout metropolitan
Chicago and connect into a central network. There are important central information hubs
as well as smaller branch locations tied in to those hubs. Accessibility and uptime are
essential for every care site in the network. Additionally, some departments, notably
radiology and cardiology, require massive bandwidth to handle their imaging resources.
Maintaining network security and protecting confidential patient data for such a
widespread enterprise is the responsibility of Director, Enterprise Architecture/Network
Security Gary Horn and his staff, led by Regional Team Leader for Network Security Sterling
Davis. About three years ago the company reorganized its information security (IS)
department, and one of the first items of business for the reconfigured department was to
improve its network security.
“We were getting hit with viruses, spam … people were doing inappropriate things on
their computers,” Davis explained.
Proventia® Integrated Security Appliance Protects Advocate Health Care's Diverse Metropolitan Healthcare Network
www.iss.net | CASE STUDY | HEALTHCARE
The Company:
Advocate Health Care
Industry:
Healthcare
Location:
Chicago, IL
Situation:
Advocate Health Care needed robust security measures
across its widespread metro Chicago network that would
prevent viruses, spam and inappropriate use of network
resources, as well as meet tightened compliance
requirements for the healthcare industry.
Solution:
Proventia® M50 Integrated Security Appliance
SiteProtector™ Centralized Management System
Proventia G100 Intrusion Prevention Appliance
Proventia A201 Intrusion Detection Appliance
Proventia A604 Intrusion Detection Appliance
NETWORK & HOST INTRUSION PREVENTION | VULNERABILITY MANAGEMENT | MANAGED SECURITY SERVICES
.: Finding the Right Security Vendor: An Immediate Need
The IS department sent out an RFP to several security vendors including Internet Security
Systems (ISS). “One of my staff had a great deal of experience with ISS, and she
recommended it,” Davis said. Nevertheless, Advocate placed all vendor applicants on an
equal footing, scheduling site visits and running equipment tests of their products. The IS
department allowed a six-month timeframe from RFP to vendor selection, and actually
accomplished everything in four months.
Advocate used strict measures to evaluate the vendors. “We're cost conscious, but price
was not really a factor because one of the other criteria was, we needed to do something
fast,” Davis explained. “We weren't in critical mode, but we needed a good, reliable
product that we could install right away,” he added.
Davis had served on Advocate's HIPAA (Health Insurance Portability and Accountability Act)
committee, and knew that the company had to have stronger security measures in place
before the HIPAA privacy rules took effect in April 2003 (the Act itself was passed in 1996).
The outcome of the vendor search was unequivocal.
“ISS won hands down,” Davis said. “They've been upfront with their product and their
reliability is phenomenal. Their service is good, too. If we have issues, they send somebody
out same day or no later than the next day to resolve those issues.”
.: An Integrated Solution for a Far-flung Network
Advocate Health Care chose ISS' Proventia M50 integrated security appliance as the
backbone of its security solution. It has deployed five Proventia M50s at multiple sites
within the corporate network, including the central data warehouse at Advocate Lutheran
General Hospital and the large radiology departments at Advocate Christ Medical Center
and Advocate Good Samaritan Hospital. The IS department plans to install three more
Proventia M50s before the end of the year. The appliances are managed by ISS'
SiteProtector centralized management system on a central server.
Most of the Proventia M50 devices are configured strictly to use the standard firewall and
intrusion prevention system (IPS) capabilities that are part of the integrated security
appliance. A few of the deployed units have the antivirus (AV) module installed as well.
“We use the M50s for protecting networks that some vendor applications are installed on,
as they are a high-bandwidth solution with good logging capabilities and other available
options,” Davis explained. “We had been using fixed firewalls, and with our radiology
program we needed more throughput, so we decided to go with them,” he added.
Advocate's additional network security measures include deployment of Proventia G100
intrusion prevention appliances for inline IPS protection, and Proventia A201 and A604
intrusion detection appliances for passive intrusion detection (IDS) throughout the enterprise.
“We selected an integrated solution for ease of deployment,” Davis said.
KEY ISS BENEFITS:
The Proventia M50 integrated security appliance
assures Advocate Health Care of secure, robust
network protection through its seamlessly
integrated firewall, intrusion detection/prevention,
Web filtering and antivirus capabilities.
In the two years since implementing the Proventia
M50 solution, the device has proven reliable in
protecting Advocate's broad network against
viruses, spam and other threats.
Copyright© 2005 Internet Security Systems, Inc. All rights reserved worldwide.
Internet Security Systems, Ahead of the Threat and SiteProtector are trademarks, and the Internet Security
Systems logo and Proventia registered trademarks, of Internet Security Systems, Inc. Other marks and trade
names mentioned are the property of their owners, as indicated. All marks are the property of their respective
owner and used in an editorial context without intent of infringement. Specifications and content are subject to
change without notice.
SM-ADVCS-1005
.: Security Return on Investment (ROI) and Other Benefits
Advocate Health Care noticed immediate results after deploying its ISS product solutions.
“When everyone else was highly worried about Sasser and all the other viruses going
around, we were secure. We weren't hit hard and we were still able to keep our operations
up and running,” Davis said.
The company has seen additional returns on investment as well. “By improving our
security, we subsequently improved our business productivity by our network being more
reliable, with [fewer] spam and virus attacks,” Davis explained.
The IS department has also saved Advocate “a great deal of money,” according to Davis,
by performing its own network scans, and testing the network from the outside. “Now, we
don't have to use outside auditors. Just once a year they authenticate our network and we
compare notes,” Davis said.
.: Prepared for Future Growth
Advocate Health Care made its decision to deploy Proventia M50 integrated security
appliances with an eye toward future growth and expansion. The devices are scalable to
serve both the large central hub and the remote locations within Advocate's network.
“We're getting larger and larger products in our radiology and cardiology departments, and
closer work with imaging and use the M50s for those larger applications,” Davis explained.
With the Proventia appliances, Advocate's network has better filtering capabilities in place
throughout the system. The remote sites tie in through the closest hospital. Advocate
partners with the University of Illinois on nursing applications, and allows outside vendors
access to support their applications. Both groups use a virtual private network (VPN)
tunnel to get in, which is locked down to specific devices. The Advocate network relies
strongly on IDS protection throughout, and maintains IPS protection at particular sites.
In the two years since the ISS solution has been in place, the Proventia M50 integrated
security appliance has proven capable of handling all of Advocate Health Care's security
concerns.
“We're constantly evaluating if we need more robust hardware, but for now they seem to be
doing the job,” Davis said. “M50s are the future,” he added.
Managed Security Services from Internet Security Systems are the University of Colorado Hospital's antidote to hacker attacks
.: Organization Profile
Top medical professionals, superior medicine and progressive change make the University of
Colorado Hospital one of the leading hospitals in the nation. Ranked among the top 10
hospitals in the country by U.S. News & World Report's annual survey of “America's Best
Hospitals,” the hospital is internationally respected for its exceptional teams of medical
specialists. With campuses in Denver and Aurora, Colo., the hospital has the Rocky Mountain
region's only academic medical center. The Aurora campus is home to the prestigious
Anschutz Centers for Advanced Medicine and the Rocky Mountain Lions Eye Institute.
Recognized as the region's leading specialty care and referral center, the Denver campus is
part of the University of Colorado Health Sciences Center campus, one of four campuses in
the University of Colorado system.
.: Increased Accountability
Entrusted with highly confidential patient data, the hospital is governed by the stringent
regulations that were issued by the U.S. Department of Health and Human Services under the
Health Insurance Portability and Accountability Act of 1996 (HIPAA), which became effective
in April 2003. The HIPAA Privacy Rules require specific methods of handling protected health
information. Fines, penalties and even jail time can be imposed for non-compliance. While
protecting patient confidentiality and increasing network uptime have always been priorities
for the hospital's IT department, the current regulatory environment, combined with an
exponential increase in the frequency and virulence of hacker attacks, prompted Joe Bajek,
University of Colorado Hospital's director of IT, and his team to ensure that the hospital's
Internet security measures were up-to-date and state-of-the-art.
A Trusted Security Expert Has the Perfect Prescription for Internet Safety
www.iss.net | CASE STUDY
Customer:
The University of Colorado Hospital
Profile:
Health care organization
Location:
United States
Situation:
The University of Colorado Hospital needed to protect highly confidential patient information and mission-critical operations data from escalating Internet security threats.
Solution:
Internet Security Systems provides the hospital with its Managed Security Services for reliable, cost-effective, 24/7 online security.
Benefits:
ISS' Managed Security Services keep highly sensitive information secure and improve network uptime by protecting against internal and external threats, while allowing limited internal IT resources to focus on business-critical and strategic initiatives.
© 2004 Internet Security Systems Incorporated. All rights reserved.
FIREWALL | ANTIVIRUS | INTRUSION PREVENTION | WEB FILTERING | MAIL SECURITY | MANAGED SERVICES | VULNERABILITY ASSESSMENT
Ahead of the threat.
.: Gaining an Excellent Return on Investment with Managed Security Services
Working with Internet Security Systems (ISS) to upgrade the hospital's network security was
one of Bajek's first responsibilities when he joined the IT department about five years ago.
New on the job, but a seasoned veteran in enterprise security, Bajek was pleased to learn
that the hospital was already working with a trusted partner for the hospital's Internet
security strategy. While the firewall was an important building block for this strategy, Bajek
quickly realized that defending against external threats 24/7 required resources and manpower
that the hospital simply did not have. Explains Bajek, “When ISS offered to manage the
firewall around the clock, we jumped at the opportunity to outsource this function because
we simply lacked the expertise and time to handle it effectively in-house.”
Defending the hospital's network security is an integral part of protecting patient
information, employee data, internal communications and other business applications. But
as Bajek observes, “You really need 24/7 protection by an army of highly trained engineers
with expertise in network security.” For most organizations, the cost of acquiring, training
and retaining this level of talent is prohibitive, as is the expense to watch the Internet around
the clock.
Today, enterprises in the public and private sector alike are locked in a continuing battle with
smart and destructive online enemies that can strike at any moment. To address this
challenge, organizations are increasingly outsourcing security operations to managed
security service providers (MSSPs). For a fixed monthly fee, an organization can purchase the
infrastructure, knowledge, resources and on-demand expertise needed to protect its systems
from Internet attacks around the clock — all at a fraction of the cost and complexity to build
and maintain an in-house capability. As a result, an MSSP consistently and reliably protects
enterprise information, while reducing the total cost of ownership and delivering an excellent
return on investment (ROI).
“Outsourcing network security monitoring and management to ISS just makes good fiscal
sense,” says Bajek. “We are saving more than $100,000 annually just on the costs to hire
and train additional people to ensure proper network protection…and those figures don't
include the ROI that comes with increased staff productivity. Our ROI would increase
dramatically if we could also measure the value of freeing up staff to focus on strategic
business initiatives that make our hospital run more efficiently.”
Bajek also points out other benefits that are difficult to quantify. “We don't have to devote
precious IT resources to reviewing and testing network security configurations, upgrading test
environments and hiring and training staff to do all that additional work. I know that saves
us time and money.” Another benefit of working with ISS that cannot be quantified is the
peace of mind that Bajek and his team enjoy with a reliable Internet security partner.
KEY ISS BENEFITS:
ISS Managed Security Services provide organizations with an around-the-clock guaranteed level of protection, giving organizations the ability to improve their security posture while allowing them to focus on their core business operations. Benefits include:
• Protection for company assets and business continuity with 24/7 monitoring, management and reliability
• Reduction of in-house security costs by up to 55 percent
• Enhancement of security compliance with industry and governmental regulations
• Solid return on security investments
• Improved productivity by freeing IT resources to focus on strategic initiatives
• Customers, partners and shareholders reassured that critical data is protected by trusted resources
• Peace of mind, with guaranteed protection
“With some companies, the size of the check you write corresponds to the level of service you receive. Here's one that offers a money-back guarantee. We may not be their largest customer, but ISS makes us feel like their most important one.”
Joe Bajek
University of Colorado Hospital
Director of IT
Copyright© 2004 Internet Security Systems, Inc. All rights reserved worldwide.
Internet Security Systems, Proventia and SiteProtector are trademarks, and the Internet Security Systems logo and X-Force registered trademarks, of Internet Security Systems, Inc. Other marks and trade names mentioned are the property of their owners, as indicated. All marks are the property of their respective owner and used in an editorial context without intent of infringement. Specifications and content are subject to change without notice.
.: Securing the Gateway and the Network with Managed Security Services
In addition to outstanding customer service and measurable savings, the hospital derives
added value from its partnership with ISS, which gives Bajek and his team
early access to new technologies, such as the advanced Proventia™ intrusion
prevention appliances.
Proventia is founded on proactive research from the X-Force® security intelligence team. For
new hybrid threats like Sasser, MS Blaster and SQL Slammer, firewalls and antivirus are no
longer enough to protect the gateway or network. Proventia appliances are designed to
combat the wave of hybrid threats on the Internet by offering protection at the gateway,
including Internet, branch locations, remote offices, customers, vendors and partners, and
within the network, covering servers, users and other networks.
The hospital will soon be implementing the Proventia integrated security appliance, which
provides protection at the gateway and at the network level without jeopardizing bandwidth
or availability of server resources. Proventia integrated security appliances unify antivirus,
firewall, virtual private network (VPN), intrusion detection and prevention, antispam, and
Web filtering technologies in a single device. “We couldn't possibly stay on top of the latest
developments in Internet security,” says Bajek, “but we know that ISS has the expertise and
resources to keep our network protection up to date no matter what new worm or virus is out
there.” This exceptional level of service and reliability illustrates how ISS continues to earn
the hospital's trust — long after the initial contract with its unique service agreement was
inked.
.: Gaining Peace of Mind Through a Stellar Track Record
With Internet access for approximately 3,500 employees who might unwittingly spread the
latest virus or worm and thousands of hackers around the world thinking up new ways to
breach security, Joe Bajek could stay awake at night worrying about the safety of his hospital's
enterprise information. “What I value most about ISS is that I never worry about my network
security and who's monitoring it when I go home at night,” he explained. “That confidence
frees me up to focus on the hospital's overall IT risk management strategy and other critically
important business initiatives. It also helps me sleep a little more soundly.”
IBM Information Security Assessment
Assessing your security state and creating a roadmap to a more secure environment

Highlights
• Provides a comprehensive evaluation of your information security posture
• Identifies vulnerabilities and determines gaps in your information security environment
• Helps protect the confidentiality, integrity and availability of critical data
• Provides recommendations for mitigating identified risks based on the globally recognized ISO 17799 standard and industry best practices
• Leverages a proven methodology that includes assessments, scans, testing and interactive workshops
• Supports efforts to comply with government and industry regulations

To effectively protect your organization, you first need to evaluate where you stand in relation to industry best practices and regulatory requirements. A gap assessment can help identify the most effective course of action based on your business objectives.

Creating a roadmap to a more secure network
Going much deeper than an ordinary assessment, the IBM Information Security Assessment provides a comprehensive evaluation of your information security posture. Based on the globally recognized ISO 17799 standard and industry best practices, the assessment by IBM Internet Security Systems (ISS) security experts thoroughly documents the results and provides specific, actionable recommendations for mitigating the identified risks and improving overall security posture.

Determining your current security state
Understanding your organization’s security state and identifying vulnerabilities are the first steps toward protecting the confidentiality, integrity and availability of critical data. Together these steps are also an important component for achieving regulatory compliance.

Your organization may be vulnerable to attack from the outside or the inside if you remain unaware of security issues, simply ignore them or don’t sufficiently manage them. An attack may take down your network or lead to the theft of sensitive data—customer information, employee information or intellectual property. The ensuing loss of public trust or the failure to comply with regulations could result in severe financial repercussions. A major security breach could also cause irrevocable damage to your organization’s reputation.
Significant, far-reaching benefits
Comprehensive assessment features
Leveraging a comprehensive, proven
methodology
The IBM Information Security
Assessment methodology includes
the following capabilities:
Why IBM Internet Security Systems?
IBM Professional Security Services from IBM ISS offer some of the best security consulting services in the industry. Our expertise, tools and methodology combine to deliver:

Security expertise—Our elite team of expert security consultants comprises senior security professionals who have honed their skills through corporate security leadership, security consulting, investigative branches of the government, law enforcement and research and development.

Staff cost savings—We offer the experience and skills of our IBM Professional Security Services team for less than the typical cost of hiring a single in-house security expert.

Trusted relationship—IBM ISS works with your key staff and management to design a customized plan that meets your organization’s security goals.

Specialized skills and tools—Our consultants combine proprietary and industry-leading security assessment tools with in-depth analysis of vulnerability data to evaluate and build an effective security program that enhances your business operations.

World-class security intelligence—IBM ISS consultants are supported by the IBM Internet Security Systems X-Force® team, our globally recognized research and development team. This combination enables us to provide the best security solution for your business.

Combined solutions provide a more comprehensive security assessment
For a complete assessment and analysis of your organization’s security posture, IBM ISS recommends combining IBM Information Security Assessment with IBM Penetration Testing. When combined, these services can provide a thorough examination of your organization’s security posture from both holistic and practical approaches.

For more information
To learn more about IBM Information Security Assessment or IBM Penetration Testing, contact your IBM ISS representative to schedule a consultation. Call 1 800 776-2362, send an e-mail to [email protected] or visit: ibm.com/services/us/iss
© Copyright IBM Corporation 2007
IBM Global Services
Route 100
Somers, NY 10589
U.S.A.
Produced in the United States of America
02-07
All Rights Reserved
IBM and the IBM logo are trademarks or registered
trademarks of International Business Machines
Corporation in the United States, other countries,
or both.
X-Force is a registered trademark of Internet
Security Systems, Inc., in the United States, other
countries, or both. Internet Security Systems, Inc.,
is a wholly owned subsidiary of International
Business Machines Corporation.
Other company, product and service names may
be trademarks or service marks of others.
References in this publication to IBM products or
services do not imply that IBM intends to make them
available in all countries in which IBM operates.
GTD00834-USEN-00
IBM Managed Protection Services for networks, servers and desktops
Delivering preemptive protection from the network gateway to the desktop

Highlights
• Helps to protect corporate data and assets and company reputation from loss or damage
• Aids in blocking threats, enhancing clients’ security posture and regulatory compliance
• Provides rapid and cost-effective threat resolution, helping to reduce potential damage
• Helps to reduce security-related staffing, training, maintenance and infrastructure costs
Raising the bar in accountability with performance-based SLAs
Whether they need to ensure business continuity, improve compliance with laws regarding data security, or protect access points across their global infrastructures, enterprises today require a high degree of network connectivity and a secure environment in order to conduct business efficiently. IBM Managed Protection Services (MPS) goes beyond simple event monitoring and device management by offering the industry’s leading performance-based service level agreement (SLA) with a cash-back payment*, backed by the leading-edge IBM Internet Security Systems (ISS) X-Force® research and development team. As a result, our clients can rest assured that their security provider has a vested interest in protecting their infrastructure. This unique preemptive protection from the Internet’s most critical threats—known and unknown—sets a new standard for accountability in helping organizations minimize risk, control escalating security costs and demonstrate due diligence.

IBM MPS for networks, servers and desktops can help businesses address these complex challenges. MPS offers customized security-strategy development; expert, end-to-end security management and monitoring; and real-time, 24-hour proactive protection.
Virtual-SOC
The Virtual-SOC is the engine enabling IBM Managed Security Services and the delivery of protection on demand services. The Virtual-SOC combines the capabilities of five global SOCs, advanced analysis and correlation, artificial intelligence, industry-leading security expertise and a high-impact, Web-based management portal in a single unified system. The Virtual-SOC has been designed to reduce the complexity and burden of manual data analysis and improve the accuracy of security-event identification as well as incident escalation and remediation. The result is a state-of-the-art, expert system that allows organizations to optimize resources, reduce the complexity of managing security, enforce security policies and improve their overall security posture.
MPS feature comparison at a glance

Feature | Premium | Select | Standard
Money-back payment* | Yes; US$50K per incident **^ | No | No
X-Force Certified Attack List protection SLA*** | Yes | Yes | Yes
Security incident identification SLA | Yes | Yes | N/A
Thirty-minute countermeasure SLA | Yes | Yes | N/A
Security incident response SLA | 15 minutes | 15 minutes | N/A
Security content update SLA | 48 hours | 48 hours | 72 hours
Outage notification SLA | 15 minutes | 15 minutes | 30 minutes
Policy change SLA | Yes | Yes | Yes
Proactive SLA reporting | Yes | Yes | Yes
Required up-front assessment | Yes | No | No
Minimum purchase required | Yes | No | No
Penetration test | Yes | Optional | Optional
IBM Vulnerability Management Service | Yes | Yes • | Optional •
MPS workshop | Yes | Optional | Optional
Mobile and Web customer portal access | Yes | Yes | Yes
X-Force Threat Analysis Service | Yes | Yes | Yes
X-Force Emergency Response Services basic subscription | Yes | Optional | Optional
Device management | Yes | Yes | Yes
Customized policy creation | Yes | Yes | No
E-mail notification on level 0 activity | Yes | Yes | Yes
Configuration backup | Nightly | Nightly | Nightly
Log storage | 1 year | 1 year | 1 year
Security incident reporting | Yes | Yes | No
Monthly impact summary | Yes | Yes | Yes
Change reports | Yes | Yes | Yes
Service offerings | Network | Network and server | Network, server and desktop
Vendor support | IBM Proventia® Intrusion Prevention Appliance and Integrated Security Appliance | Proventia Intrusion Prevention Appliance and Integrated Security Appliance, and Server | Proventia Intrusion Prevention Appliance and Integrated Security Appliance, Server and Desktop
Pricing per | Segment | Device | Device

** Security breach must be confirmed.
*** The IBM ISS X-Force Certified Attack List is a list, updated quarterly, of the most serious, high-risk vulnerabilities and attacks. There are currently 600+ attacks in the X-Force Certified Attack List, also known as the “default block list.”
^ Monitors for X-Force Certified Attack List attacks only.
• Five IP addresses per device.
Safeguarding mission-critical systems through state-of-the-art security facilities
MPS leverages the knowledge, experience and expertise of security professionals operating from five globally networked, state-of-the-art, industry-certified IBM ISS SOCs. These highly secure environments are designed to ensure that mission-critical systems and electrical, data processing and communication links are protected through trouble-ticket entry, event handling, incident response, data presentation, report generation and trend analysis for all devices under management.
Why IBM ISS?
Preemptive security requires marketplace-leading research, a keen eye for attack trends and techniques, and a streamlined and affordable platform for delivering advanced security solutions that are knowledge-based. IBM ISS commands the extensive knowledge, innovative research methods and complex technologies required to achieve preemptive security. Our experienced consultants, architects, project managers and subject matter experts are prepared to provide your organization with a comprehensive platform of preemptive security products and services designed to protect your entire IT infrastructure, from the network gateway to the desktop.

For more information
To learn more about IBM MPS, contact your IBM ISS representative to schedule a consultation. Call 1-800-776-2362, send an e-mail to [email protected] or visit: ibm.com/services/us/iss
© Copyright IBM Corporation 2007

IBM Global Services
Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America
06-07
All Rights Reserved

IBM and the IBM logo are trademarks of International Business Machines Corporation in the United States, other countries, or both.

Proventia, Virtual Patch and X-Force are registered trademarks of Internet Security Systems, Inc., in the United States, other countries, or both. Internet Security Systems, Inc., is a wholly owned subsidiary of International Business Machines Corporation.

Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

* Money-back payment (for Managed Protection Services - Premium Level only): If IBM Internet Security Systems fails to meet the Security Incidents Prevention Guarantee, client shall be paid US$50,000 for each instance this guarantee has not been met. Please see IBM Internet Security Systems SLAs for more details.

GTB00838-USEN-01
Security & Privacy — Made Simpler™

Manageable Guidelines to Help You Protect Your Customers' Security & Privacy From Identity Theft & Fraud

Security and privacy expertise contributed by Dr. Alan F. Westin and Dr. Lance J. Hoffman

Better Business Bureau®

Published March 2006
User's Guide

No matter what type of business you are in, you probably collect, store and share information about your customers. Whether it is providing a necessary service, completing a financial transaction or creating a mailing list, customer data has become a key currency of today's information-based economy.

As a business owner, you make important strategic decisions that affect your bottom line. Each day, how you manage the security and privacy of the data you collect has become a core part of those strategic business decisions, because it can influence the success or failure of your business.

Data security and privacy management may appear complex and overwhelming, but you really don't need to become a privacy and security expert to manage it. All you need to do is to acquire the basic understanding of the issues and the business tools that will protect your customers…and your business.

Security and Privacy — Made Simpler™ is your Guide to getting your arms around many of today's data security and privacy challenges that affect small businesses, including:
• Recognizing attempts at theft and fraud.
• Understanding the importance of offline and online security and privacy practices.
• Developing a security and privacy policy, training your employees to comply with it, and communicating it to your customers.
• Handling, managing and protecting sensitive customer information.
• Managing employees as they interact with customers and their personal data.
• Credit card/debit card security—both during and after the actual transaction.
• Taking advantage of the latest technologies without compromising data security.
• Conducting international transactions securely.

Security and Privacy — Made Simpler™ advises you on how to incorporate basic security and privacy practices into your everyday business operations, offering you options, tips and advice that are right-sized for smaller businesses and will help you get started.

It is not intended to provide specific legal advice. The information is crafted—but not guaranteed—to be accurate, complete and up-to-date at the time of publication. Some of the information may not apply in your state or your particular line of business. Therefore, it is wise to consult an attorney familiar with the law in your jurisdiction and with your industry.

Security and Privacy — Made Simpler™ was developed through a partnership between the Better Business Bureau, a leader in promoting trust between businesses and the customers they serve, and Privacy & American Business, a leader in consumer and employee privacy and data protection issues and education.

This Guide is made possible through the support of corporate sponsors—industry leaders who are committed to the success of their small business customers.
Security is a complex issue. You can manage it. This Guide will help.
1. Customer Data Security & Privacy – A Key To Your Success . . . . . . . . . . . . . . . . . .4
2. Security Challenges Facing Small Businesses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
3. Developing Your Own Data Security & Privacy Plans . . . . . . . . . . . . . . . . . . . . . . . .5
4. Creating & Communicating Your Security & Privacy Policies . . . . . . . . . . . . . . . . .6
5. Spotting Cyber Criminals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
6. Fighting Identity Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
7. Guidelines For Good Employee Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
8. Collecting, Protecting & Disposing Of Customer Data . . . . . . . . . . . . . . . . . . . . . . .12
9. Securing Data In Your Office & Online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
10. Internet Security Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
11. Payment Card Security Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
12. If You Have Data Lost Or Stolen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
13. Managing Official Requests For Your Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
14. If You Do Business Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
15. Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
16. Customized Insights from IBM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
When your customers know you treat their personal information with the care it deserves, they will become more loyal and active customers.

More security and privacy tools and resources for small business: www.bbb.org/securityandprivacy

85% of Americans are worried about becoming victims of identity theft.

58% of consumers say if they were confident a business followed its security and privacy policies, they would be likely to recommend that business.
1. Customer Data Security & Privacy—A Key To Your Success

Customers Care – You Should, too

When your customers know that you treat their personal information with care and apply good security and privacy practices, their trust and confidence in your business will grow.

You're Responsible For Customer Data

Businesses of all sizes—not just the big corporations—are held responsible for complying with federal and state customer data security and privacy laws. Here is a snapshot of existing privacy laws with which your small business might need to comply:
• All small businesses must comply with the federal and state Fair Credit Reporting Act (FCRA) when seeking to obtain consumer reports, such as credit reports and employment reports, about potential customers and employees.
• Many small businesses in the healthcare field must follow the privacy requirements of the federal Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and its data security requirements.
• Small financial businesses must comply with rules established by the federal Gramm-Leach-Bliley (GLB) Privacy Rules and Safeguard Rules and the federal banking agency guidance under GLB. Companies that need to comply with GLB include those that might not necessarily think of themselves as "financial," such as automobile dealers, tax planners, and some travel agents.
• Currently, twenty-three states have laws on reporting data breaches (outlined on page 19 of this Guide), with potential penalties for security lapses that apply to both large and small businesses.

As a business owner, it is your responsibility to stay current on privacy and security laws affecting your business…and your customers.

An Ounce of Prevention …

Establish good security and privacy practices now. The alternative is decidedly distasteful. If you have a data breach resulting from weak security practices, you and your business can face lawsuits from federal or state agencies or your customers. The Federal Trade Commission (FTC) recently sued 12 companies it accused of having inadequate data security practices in violation of federal law. Lawsuits stemming from inadequate security practices can erode business equity, consumer trust and, ultimately, your bottom line. Even if you don't face legal action, your good reputation could be significantly compromised.
Security & Privacy Drive Consumer Purchasing Decisions
• 85% of Americans are worried about becoming victims of identity theft.
• 64% of consumers say they had decided not to buy a company's product or service because they did not know how the company would use their personal information.
• 58% of consumers say if they were confident a business followed their declared security & privacy policies, they would recommend that business to family & friends.
Source: Privacy & American Business.
2. Security Challenges Facing Small Businesses

Firewalls Are Not Enough

In today's tech-heavy business world, you might think that the right combination of hardware and software will prevent data security and privacy exposures. But technology is just one piece of the security and privacy equation. Effective policies, along with proper employee training and business-wide implementation, are the other parts.

Suppose you've equipped your computer with the latest network security software—firewalls, encryption—and you think you've deployed strong security tools. One day a "customer" calls your business to ask what credit card you have on file for his "account." He gives his "name" and "address" to an employee who then looks up the "customer's" information on your computer. Your employee reads the credit card number to the caller. But the caller is not a "customer." He is a criminal who found the name and address of one of your customers in a trash bin. This happens. To prevent it, you need a data security plan that includes simple steps, such as properly verifying a caller's identity, and employee training. Software alone can't prevent employee error. Employee training can.

Modern technologies, such as e-mail, e-commerce, and cell phones, have given us wonderful new tools to do business more effectively and efficiently. They have also created new layers of security that businesses need to secure to protect their customers' information. If you use these new tools, you must also take reasonable steps to secure them.
3. Developing Your Own Data Security & Privacy Plans
Find Your Weak Spots

Take a few moments with a blank piece of paper and a pen, or at your keyboard. List all the different ways your business collects, stores and uses personally identifiable customer and business information. Now list who handles or has access to the information—employees, relatives, customers, service providers or visitors. Personal information may include names, addresses, account numbers, Social Security numbers, credit/debit card numbers and phone numbers, as well as account patterns and transaction records.

Anyone who appears on your list is a data handler and should play a significant role in protecting sensitive information. They need to be properly trained to follow your security and privacy policies and practices.

You may want to involve managers or employees from each business area in this exercise, to be sure that you are not overlooking any potential security weak spots. Making your employees a part of the security and privacy planning process will make them feel like valuable contributors to the team, and will also make it easier for them to remember your policies and follow them on the job.

Security & Privacy Challenges Facing Small Business
• Customer and business ID theft.
• Data loss and theft.
• Noncompliance with federal and state data protection laws.
• Employee fraud and theft.
• Loss of trust ... and customers.
• Costly lawsuits stemming from sloppy security practices.
• Computer and hardware damage from viruses.
One Size Does Not Fit All

All businesses are not alike. Review your security and privacy issues in light of your particular business and its operations, identify weaknesses, and take stock of your current ability to address them.

You may discover areas where you need input from a lawyer or technology consultant. It is important to be fully informed about your business' security risks so you can make the most appropriate, reliable and cost-efficient choices for your business.

4. Creating & Communicating Your Security & Privacy Policies

Once you identify your security needs, you can begin to write a security and privacy policy for your company. Your security and privacy policy tells your customers how you will treat their personal information—how you will collect it, use it, and keep it secure. It should also give your customers the ability to communicate to you if they wish to receive ("opt-in") or not receive ("opt-out"), "subscribe" or "unsubscribe" information from you and how they wish to receive marketing communications (e-mail, US postal mail, etc.). Smart companies offer meaningful privacy choices, and effectively carry them out. Those that don't, risk losing their customers.

Resources to Help You Write a Policy
• The Privacy Planner from BBBOnLine can help you generate a simple, but solid online privacy policy for your business: http://www.privacyplanner.com.
• The Direct Marketing Association (DMA) offers a small business-friendly online privacy policy generator: http://www.the-dma.org/privacy/privacypolicygenerator.shtml.
How to Communicate Your Policies to Your Customers

Once you have a written policy that accurately describes your intended actions with customer data, it is wise to communicate these policies to your customers.
• Post it on a prominent sign in your store or office.
• Give customers a copy of it when they complete a transaction with you.
• Post it on the homepage of your web site.
• If your customers have agreed to receive e-mail notices from you, tell them about your security and privacy notice in an e-mail, and let them know where they can find the full notice.
• Mail it to your customers as a separate promotional piece.

Security & Privacy Reality Check
• Do you transact business on the Internet?
• Do you collect names, addresses, phone numbers, e-mail addresses or Social Security numbers or other personal information about your customers or employees?
• Do you accept credit or debit cards?
• Do you share customer information with other companies?
• Do you engage in direct mail marketing or telemarketing?
• Are you storing customer information for any period of time?

If you answered "yes" to any of these questions, your small business is in serious need of a data security and privacy plan.
Posting a Security & Privacy Policy Provides a Competitive Advantage

Having and following a security and privacy policy will:
• Increase the trust and confidence your customers have in your business. When they know that you plan to use their information carefully and keep it secure, they will be more likely to share it with you.
• Help distinguish your business from your competition.

5. Spotting Cyber Criminals

The number and sophistication of online fraud attacks is increasing. Here are some ways criminals attempt to get sensitive information from computers and individuals:
• Viruses: man-made programs or pieces of code that are loaded onto your computer without your knowledge. Viruses result in a wide range of disruptive consequences on a computer or network, including the deletion or corruption of files. New viruses are introduced to the Internet every day.
• Spyware: software that secretly collects information from a computer, such as what Internet sites are visited and what keystrokes (including passwords and credit/debit card numbers) are entered. Spyware transmits that information to a third party for a variety of uses, ranging from presenting tailored advertising or general spam to credit/debit card fraud and ID theft. Spyware is often installed on your computer as part of a downloaded application or via a downloaded e-mail attachment.
• Phishing: uses fake e-mails and web sites that closely replicate their authentic counterparts to trick recipients into "verifying" their personal information.
• Pharming: redirects an individual's web site request to a fraudulent site that closely replicates its authentic counterpart.
• Keyloggers, Bots, Trojans and more: applications that may appear to be benign or even helpful, but are actually destructive to files on your computer. These introduce viruses or malicious code onto your computer that can be programmed to execute any number of disastrous actions, and send sensitive information to a third party.

Consider installing a web browser toolbar to help protect you from known phishing web sites. Earthlink offers such a free tool, called ScamBlocker, at: http://www.earthlink.net/software/free/toolbar. eBay also offers an anti-phishing and account protection toolbar that alerts users when they're on a potentially fake eBay or PayPal site: http://pages.ebay.com/ebay_toolbar/.
Prominent Security & Privacy Policies Build Businesses
• 89% of consumers felt more confident in giving personal information to a business that had a detailed but readable privacy policy.
• 58% of consumers said that if they were confident a business followed the privacy policies it presented, the consumer would be likely to recommend the business to family and friends.
Source: Privacy & American Business Study
6. Fighting Identity Theft

How Identity Theft Happens

ID and data thieves have an arsenal of high-tech and low-tech ways to steal personal information. Once they have your information, they will be able to assume—and misuse—the identity of your customers. They may even try to assume your identity.

Ways to Avoid Being a Victim of Online Fraud
• Always verify whom you are doing business with before revealing personal information.
• Ensure your browser is current with all security patches installed.
• Use anti-virus and anti-spyware software, and keep it updated.
• Be suspicious of any e-mail with "urgent" requests to validate or verify personal information.
• Don't download anything that comes from a source you don't know. This includes e-mail graphics, screen savers, free software, etc.
• Don't fill out any forms that come to you in an e-mail and request personal information, unless you definitely know and trust the source.
• Don't allow your children to use your business computers. Children are not aware of online threats, and can download items without considering what might be attached to them.

How Identity Thieves Strike

Low-Tech Methods

Dumpster Diving: thieves steal mail or papers with personal information left in the trash of your business or someone's home and not properly destroyed or shredded.

Mailbox Theft: thieves steal mail left in your business' unsecured mailbox or at someone's home.

Employee Theft: thieves within your business steal the personal information of your customers or of fellow employees.

General Theft: thieves steal an individual's wallet, check, credit/debit card with personal information, desktop and laptop computers—crimes often carried out by friends, relatives, in-home workers or others known by the victim.

High-Tech Methods

Computer Hacking: hackers get unauthorized access to your business computer or computer network and steal customer information from your database.

Phishing: thieves send fraudulent e-mails that appear to be from a legitimate company, and create a fake web site that looks like the legitimate company site. They do this to trick your customers into revealing their personal information.

Pretexting: thieves make phone calls to your business and others in a "victim's" name, in an attempt to find out more information about the "victim." Or, they will call a consumer claiming to be from a legitimate company, and attempt to obtain personal information.
What ID Thieves Want—Your Customers' Personal Information

Criminals are after credit/debit card numbers, Social Security numbers, driver's license information and numbers, mailing addresses, e-mail addresses, and telephone numbers. They also look for this information in your product orders, account statements and mail.

How They Use This Information

Data thieves will open fraudulent credit card accounts in your customers' names, make purchases without their knowledge, get a loan in your customers' name, or open a fraudulent bank account in your customers' name and write checks on that account. In addition, they can open fraudulent accounts with your business and make fraudulent charges to your customers' accounts…with you.

Small Businesses Can Be ID Theft Victims, Too

Business identity theft occurs when someone steals information about a business to commit fraud. Thieves may specifically target small and medium sized businesses because their data security programs may not be as strong as those of larger companies.

They want your business credit/debit card account numbers, your bank account numbers, your Federal Employer Identification Number, and other federal and state governmental identification numbers.

How They Use This Information

ID thieves can use your stolen business information to open a credit card account in your business' name, make purchases without your knowledge or get a loan in the name of your business. They will open a bank account in the name of your business, write checks on that account, and take out money from the existing accounts of your business. In some cases, ID thieves may secure enough information that they can actually sell your business or commercial property without your knowledge.
Real Data Theft Examples
• An old laptop, with a company's customer records still on it, was sold via a newspaper ad. The records were still openly readable and could have been used to commit fraud by the purchaser, who alerted the seller about what he'd found.
• Two computers were stolen from a medical practice's unlocked computer room. They contained easily accessible billing records and unencrypted sensitive personal information in the form of billing codes.
• A courier service driver, carrying a package of customer data, left his unlocked vehicle running while he made another delivery. While he was away from his vehicle, the package was stolen.
• Perfectly readable, discarded printouts of personal records were thrown into a dumpster. They were later put to practical use by the finder to wrap fish at an outdoor market.
• In Florida, print-outs of thousands of medical records were found in various trash bins across the area. The records included details of sexually-transmitted diseases, psychological problems, addictions, and even intimate details about a patient's sex life.
• An employee in an accountant's office used client data to file false income tax returns in order to receive tax refunds ... until that employee was finally caught.
What You Can Do

Here is a checklist of things you can do to protect your business from identity theft. You will find more details in Chapters 7, 8, 9, and 11.

7. Guidelines for Good Employee Practices
Screen Your Employees

Identity theft can originate in the workplace. Exercising care to hire honest employees is one of the best ways to help secure your business and reduce the risk of identity theft or fraud to you or your customers.

Past behavior is widely considered to be the best predictor of future behavior, though it is not a perfect tool. Conducting background spot-checks can assist you in learning and assessing the character pattern of prospective employees (or of your current employees—if you did not use a background spot-check before hiring them). The type of background spot-check to use depends on the size and nature of your business. If you handle lots of sensitive personal information, especially financial or health information, you might want to consider a full criminal background check. But if your business does not handle much customer personal information, a credit report can give you a useful snapshot of an applicant.

Because background spot-checks, themselves, raise privacy issues, handle this carefully. If you see a "red flag" in a background spot-check, confirm the accuracy of the information with the source before making a hiring decision.

Other factors to consider in this process might include:
• Whenever you order a background check on a prospective or current employee, state and federal laws require that you notify the person (in writing) that you intend to use a consumer report, and obtain their consent to do it. This process is a key element of the federal Fair Credit Reporting Act (FCRA). Most background checks contain a "consumer report." If you decide to reject an applicant or release a current employee based on something in their consumer report, you must tell them that you have done so for this reason.
• Many states have their own laws that apply to background checks and consumer credit reports. Discuss with your attorney the requirements in your business' home state or in other states in which your business makes hiring decisions.

Physical Security Tips To Protect Your Business & Your Customers
• Shred or cross-shred papers with personally-identifiable customer or business data before throwing them away, or use a document disposal company to destroy the papers for you.
• Send and receive business mail from a secured mailbox or a post office box.
• Conduct regular software audits of computers.
• Train employees to watch for suspicious activity among other employees, customers, or people coming to your business premises.
• Consider telling your customers how they can spot phishing efforts, and how they should verify that it's your communication before releasing any personal information.
• Verify the identity of a customer before discussing or providing any customer account information by telephone or e-mail. Then take appropriate steps to provide it in a manner that is secure.
• Secure your physical space with locks and alarms.
• Secure your business, customer and employee records in locked cabinets.
Control Employee Access to Sensitive Data
• Each of your employees should have access only to the sensitive information necessary to do their specific jobs. When you control employees' access to information, you significantly reduce the risk of data exposure.
• You can limit employee access to customer information by using a variety of physical and technological security measures, ranging from padlocks to passwords. For specific suggestions, see Chapter 9, Securing Data in Your Office and Online.
Train Your Employees

Writing privacy and security policies for your business is not enough. Your employees need training for how to protect the privacy, confidentiality and security of personal information. Your training program should address all the issues discussed in your security and privacy policy.
Tips for Creating and Executing a Security & Privacy Training Program
• Make it relevant, personal and timely.
• Tell employees why the topic is important to everyone involved.
• Role play with real-world scenarios that present examples of privacy and security choices your employees could face—and then explain how they should handle them.
• Have your employees sign a nondisclosure agreement, in which they will agree to keep your customer information confidential.
• Include your managers.
• Update employees on new developments in this area as they occur.
• Train employees to use computer security tools.
• Advise them on the dangers of purchasing or downloading pirated or counterfeit software.
• Train them to regularly update all security software and browsers.
• Train employees to spot phishing attempts, and not to respond to them. Keep them updated on new phishing ploys. For more information on phishing visit http://pages.ebay.com/education/spooftutorial/index.html or http://office.microsoft.com/en-us/assistance/HA011400021033.aspx.
• Use specialized training for employees whose job functions require it.
• Teach your employees how to look for suspicious activity from other employees, customers, visitors, strangers or acquaintances on your business premises.
• Train all new employees about your information security policies.
• Reinforce your employee training at least semi-annually to ensure that employees regularly put their training into practice.
8. Collecting, Protecting & Disposing of Customer Data

Collecting

The type of information you collect from your customers depends on your individual business, and can range from simply a customer's name, address, telephone number, and e-mail address to significantly more personal information, such as credit/debit card numbers, account numbers, transaction summaries, consumer preferences, consumer credit reports, etc.

If you collect and store credit card information, you need to follow security rules set by the major credit card companies. See Chapter 11, Payment Card Security Requirements for details: www.visa.com/cisp.

If you don't absolutely need a piece of customer information, don't collect it. Collecting customer data you do not need increases your security and privacy risks.

Be particularly careful about collecting and storing financial and personally identifiable information, including Social Security numbers, credit and debit card numbers, or driver's license numbers. Check your payment transaction software systems to determine if they are collecting sensitive data you aren't even aware of, such as the magnetic stripe of a payment card or the PIN information from a debit card transaction. If you have customer data you no longer need, discard it—securely. See Disposing for tips.

Protecting

You need to guard against both high-tech and low-tech opportunists. If your business is not kept physically secure, anyone can walk in and steal unprotected customer data from your cabinets, drawers, and desks. This has happened. The same is true about your own employees if they have access to sensitive information they don't need or shouldn't have to do their job. One of the larger data breaches in 2006 stemmed from employee access to sensitive customer data that was inconsistent with their job description.

For tips on protecting against both high and low-tech predators, see Chapter 9, Securing Data in Your Office & Online.

Disposing

Disposing of personal data also is an access point for data/identity thieves. Sloppy security practices in data disposal can lead to theft.

The federal government issued a Disposal Rule amendment to the Fair Credit Reporting Act (FCRA), called the Fair and Accurate Credit Transactions Act (FACT Act). Both are enforced by the Federal Trade Commission. It mandates that all businesses that manage credit data—no matter their size—must take steps to ensure that discarded customer personal information is not accessible to unauthorized access. For more information on the Disposal Rule, and how it may affect your business, visit: www.ftc.gov/bp/conline/pubs/alerts/disposalalrt.htm.

Currently, the law applies only to information your business gets from credit reports (or other "consumer reports"). However, it is good business to follow sound data disposal practices when discarding sensitive customer information, whether or not the law specifically requires it.
Disposing of an Old Computer

Before discarding an old computer, permanently erase all customer personal information on the hard drive. Deleting files by putting them in the "recycle bin" or "trash" on your computer's desktop is not good enough. These "deleted" files remain on the computer and can be accessed using commercial recovery software.
Security and Privacy — Made Simpler™ · Powered by · Proud supporter of
13
Security & Privacy — Made Simpler™
To ensure you properly "clean" an old computer, purchase commercial erasure software, available from most computer and office supply stores. This will overwrite all the data on the drive. You also can remove the hard drive and physically destroy it, so that it cannot be used again.
Disposing of Electronic Files (not on a computer)

If you are disposing of a computer disk, CD, DVD, or other electronic storage tool that contains sensitive information, the same rules apply. Don't just delete. Permanently erase the data, using commercial erasure software. Or, physically destroy the tool so that no one else can use it.
Disposing of Paper Files

Before throwing away any papers containing customer information, destroy the papers by shredding or cross-shredding, burning or pulverizing them.

If you don't want to do it yourself, hire a waste disposal company to shred or pulverize records for you. Articulate your requirements for disposal when using an outside company, and ask them to provide you with a quarterly report stating what they've disposed of, and how and when disposal was completed. If the company is local, you may want to visit their operations site for yourself and check their record with the Better Business Bureau.
9. Securing Data in Your Office & Online
The following guidelines generally apply to businesses that use a blend of hard copy and electronic methods to conduct their business activity, as most businesses do today. Remember that ID thieves operate using both high-tech and low-tech methods.
Physical Security
• Keep customer account records and other personal information in locked cabinets.
• Don't leave papers or files unattended on desktops.
• Never leave a business premise open and completely unattended, even for a short time.
• Use a locked mailbox or a post office box for incoming and outgoing mail.
• Use security envelopes for bills or other mail containing personal information.
• Shred anything with customer or employee personal information before discarding it.
Computer and Network Security
• Use SSL technology for your online transactions. SSL stands for "Secure Sockets Layer," a technology that applies encryption—a scrambling of the message—to sensitive information traveling on the Internet, such as credit/debit card numbers. To use SSL, you will need to purchase an SSL Certificate from a Certificate Authority (CA). There are a number of Certificate Authorities you can buy SSL from, such as VeriSign www.verisign.com, Network Solutions www.networksolutions.com, Thawte www.thawte.com and GeoTrust www.geotrust.com. For more information on what encryption is and how to use it, visit HowStuffWorks http://computer.howstuffworks.com/encryption.htm.
• Consider encrypting financial, medical and otherwise sensitive information on your on-site business computers. Your computer may already have the ability to encrypt data using settings installed on its operating system or networking hardware. Ask your network administrator or computer vendor for assistance. If this is not an option, you can buy encryption software and hardware at most computer stores.
• Use passwords and change them frequently. Don't use a password that someone who knows even a little about you could guess, such as a spouse's or child's name, home telephone number, or college you went to. Never write your password down. The Federal Trade Commission provides helpful password tips at www.onguardonline.gov/stopthinkclick.htm.
• To the extent possible, don't keep personal information on the hard drive of computers that connect to the Internet. Use CDs, removable memory (flash drive), or floppy disks. Try to keep any disks or removable memory in a secure and locked location.
• Use a firewall to protect your computer network. Firewalls are a system of software, hardware, or both designed to prevent unauthorized access to a network. A variety of ready-to-use firewall programs are available from popular brands such as McAfee www.mcafee.com, Symantec www.symantec.com, and Zone Labs www.zonelabs.com. If your business handles especially sensitive personal information on the network and needs a higher level of protection, seek an IT consultant or visit a trustworthy computer store for suggestions.
• Continuously update your browsers, operating system, and other software to make sure you are using the most secure versions available. Updates can be found on the websites of the companies that manufacture the browsers, operating system and other software you use.
• Continuously update your anti-virus and anti-spyware software. Updates are generally available at the website of the manufacturer of the anti-virus and anti-spyware software you use. If you don't have anti-virus and anti-spyware software installed, contact an IT consultant or visit a computer or business supply store that you trust to find out what products will best fit your needs.
• Use file sharing only when you need it. Turn it off at all other times. You may want to consult a networking professional for expert security advice if especially sensitive information will be shared over a network.
• If you use wireless networking, turn on the security features that come with the wireless network products you purchase and test that they operate properly. Again, you may want to consult a networking professional before you share any sensitive information over a network. See http://www.ftc.gov/bcp/online/pubs/online/wireless.htm.
• Keep your network servers in a locked room.
• Turn off your computers when not in use.
• Back up all your data regularly and keep backup disks or other back-up materials in a locked area.
• Refer to Chapter 11, Payment Card Security Requirements. For more guidance, see www.visa.com/cisp.
Laptop Computer, PDA & Cell Phone Security
• Always keep your laptop, PDA, or cell phone within sight—especially when you are away from your office.
• Always keep your portable device within reach when traveling; stealing laptops at airports and from trains and restaurants has become a popular data theft technique.
• Limit the amount of any sensitive information stored on laptops, PDAs, and cell phones. If possible, do not store sensitive data on portable devices.
• Password-protect access to the laptop, PDA, and cell phone. Also password-protect features such as Internet access, e-mail, voicemail, and address books.
• Turn these devices off when not in use.
• Do not share portable communication/organization tools (or their passwords) with others.
• If an employee (a salesperson or telecommuter, for example) needs to take personal data off premises on a laptop, CD, flash drive or other portable device, you should encrypt the data.
• Back up all data regularly and keep backup disks or other back-up materials in a locked area.
Special Protections for Cell Phone Users

Today's digital cell phones feature e-mail and Internet capabilities, address book and calendar functions, and can store recorded memos, voicemail, pictures, and other data files.

Although these features help businesses be more efficient, they also create a new layer of data security and privacy to protect. Criminals can hack into cell phones and steal stored files, contacts and voicemail. Viruses can significantly disrupt a cell phone, just as they do a computer. This is why it is important to lock your device and keep it in a secure location when not in use. Do not download or accept file downloads from unknown sources.

Limit the amount of data you transmit or store on a cell phone or PDA. Never store sensitive information, such as bank account numbers, ATM codes, and credit/debit card information on cell phones.

Cellular technology changes rapidly, and cell phone capabilities and security features vary significantly between models. Refer to your owner's manual for help to configure the security setting on your phone, or contact your cellular provider for assistance.
10. Internet Security Fundamentals
If you have an "e-business" or your business regularly executes transactions over the Internet, your security toolkit should include web site security, e-mail security, and advanced cyber-security tools.
Web Site Security

Customers have come to expect security on your business web site. Given this, you must ensure that you securely transmit all data over the Internet during an online purchase from your website. Secure Sockets Layer (SSL) is the industry standard for secure, encrypted data transfer over the Internet. SSL technology is built into all major Web browsers (e.g., Explorer and Netscape). Ask your web site designer to configure your site to accept SSL transactions, and ask for advice on how to get your SSL certificate.

SSL is a good starting point, but website security does not end there. Hackers also can steal stored information directly from computers, even if the information is not being transmitted over the Internet. As a result, go the extra step and consider encrypting any sensitive information stored on all your computers. Refer to Chapter 9, Securing Data in Your Office & Online, for information and links on SSL and data encryption.
E-mail Security

E-mail is not secure. Criminals can easily intercept e-mail transmitted over the Internet, and your employees, co-workers, or family members at home may have the ability to access your e-mail without you ever noticing. It's important to engage safeguards when you use e-mail.

E-mail Security Tips
• Use e-mail filtering software to screen e-mail and identify suspect messages.
• Don't open e-mail attachments or links from anyone you don't know or trust.
• Turn off the "preview" function of your e-mail program. While this allows you to see the first few lines of the e-mail content, it can be a security risk.
• As a general rule, do not include sensitive information in unencrypted e-mail (Social Security Numbers, credit/debit numbers, account numbers, personal address, phone or e-mail information, etc.).
• When e-mailing messages to a group of people, put recipient addresses only in the "BCC" header (blind carbon copy)—not in the "To" or "CC" headers. This is important even if there is no sensitive content in the body of the e-mail; otherwise you expose the e-mail ID of everyone on your distribution list.
• Beware of "phishing." These are e-mails that mimic the designs of well-known sites and ask you to respond by giving personal information. Do not respond in any way to these e-mails. If you think the e-mail is genuine, directly contact the real organization and verify the authenticity of the e-mail. Legitimate companies do not ask for personal information in an e-mail.

Cyber-Security Tools - The Basics

Using the right cyber-security tools can help you diminish the risk of data exposure from data handling. Here are the most widely used computer security tools and a brief explanation of what they do.
• Firewalls: software and hardware that limit external access to your business computers or network.
• Encryption: software or other technology that scrambles data to prevent unauthorized viewing.
• Vulnerability Analyzers: software that performs checks to determine if a computer network's devices and software are properly configured, patched, and updated.
• Host/Network-Based Intrusion Detection Systems: software that scans for network-related suspicious activity.
• Intrusion Prevention Systems: sensors that detect network security vulnerabilities.
• File Integrity Systems: systems that provide intrusion detection and verify that files have not been tampered with.
• Network Scanners: tools that identify network security holes that could give intruders access to your network.

These tools are available commercially at most computer or business supply stores. Ask your computer vendor, a sales specialist at a trusted computer store, your network administrator, or an IT consultant for the specific brand and product recommendations that will best match your system and your business needs.
11. Payment Card Security Requirements
Security Rules Your Business Must Follow

The major credit card associations (Visa, MasterCard, American Express, and Discover) have established security requirements for both credit card processors and merchants accepting payment cards. The following rules are especially applicable for your business.
• Do not store the contents of any credit card's magnetic stripe.
• Do not store the CVV or CVV2 (card verification value), two security features of debit and credit cards that should never be stored by businesses. The CVV is a secret code embedded in the magnetic stripe of payment cards that is used to prevent counterfeiting. The CVV2 is the three- or four-number code on the signature panel of most cards or the front of an American Express card.
• Store only the account information you need to complete and service your transaction. Under no circumstances should the CVV, CVV2 or PIN be stored.
• If you store the basic 16-digit credit or debit card account number, have a plan to destroy it when it's no longer needed. You may want to establish a policy that specifies the length of time your business holds on to credit card information.
• Ensure your business partners and vendors follow the payment card security requirements. A complete list of PCI compliant service providers is available at www.visa.com/cisp.
• Additionally, be aware of the unintended consequences of any software you are using. Merchants are encouraged to use point-of-sale payment software that has been validated compliant with the Payment Application Best Practices (PABP). A list of software providers/software applications that have been validated by PABP is available at www.visa.com/cisp.
• Your business may have to comply with security audits according to the PCI requirements. You may be asked for a system scan or self-assessment. Contact the bank or the company that manages your payment card processing for details or log on to www.visa.com/cisp for more details on the Payment Card Industry Data Security Requirements.
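The rules above say never to store magnetic-stripe track data or the CVV, and to keep account numbers only when needed. As an added example (not part of this guide or of Visa's CISP materials), the following Python script scans a text export such as a point-of-sale debug log for full track data and bare card numbers, so you can check whether your payment software is quietly writing what it should not. The sample log lines are constructed; the track layouts, the Luhn filter and the masking helper are this example's own assumptions, and the CVV2 (a bare 3- or 4-digit value) cannot be found by pattern and must be checked by reviewing which fields the software writes.

```python
import re
import sys
from typing import Dict, List

# Candidate primary account number (PAN): 13-19 digits, optionally separated by
# single spaces or dashes, and not embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 as encoded on the stripe (assumed layout):
#   %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2 (assumed layout): ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")

# Constructed sample: what a chatty POS application might leave in a debug log.
SAMPLE_LOG = """\
2007-03-12 09:14:02 auth ok order=1001 pan=4111111111111111 amt=42.10
2007-03-12 09:14:02 DEBUG raw swipe: ;4111111111111111=25121011000012345678?
2007-03-12 09:20:41 DEBUG raw swipe: %B5555555555554444^DOE/JANE^2512101123456789012?
2007-03-12 09:31:05 auth declined order=1002 pan=4111111111111112
2007-03-12 09:40:00 order=1003 invoice=20070312000001 phone=555-0100
"""


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out invoice numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits so the report does not
    itself become a new store of full account numbers."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return findings in file order. Track data is 'prohibited' (never store);
    a bare PAN is 'restricted' (store only if needed, with a destruction plan)."""
    findings: List[Dict[str, object]] = []
    covered = []  # spans already reported as track data
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            pan = m.group(1)
            if not luhn_ok(pan):
                continue
            covered.append((m.start(), m.end()))
            findings.append({"kind": kind, "severity": "prohibited",
                             "pan": mask(pan), "line": _line_of(text, m.start()),
                             "offset": m.start()})
    for m in PAN_RE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(pan):
            continue
        if any(s <= m.start() < e for s, e in covered):
            continue  # the PAN (or discretionary data) of a track already reported
        findings.append({"kind": "pan", "severity": "restricted",
                         "pan": mask(pan), "line": _line_of(text, m.start()),
                         "offset": m.start()})
    findings.sort(key=lambda f: f["offset"])
    return findings


def report(findings: List[Dict[str, object]]) -> str:
    """One line per finding, masked, suitable for handing to whoever owns the software."""
    return "\n".join(f"line {f['line']}: {f['severity']:<10} {f['kind']:<6} {f['pan']}"
                     for f in findings)


if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed sample otherwise.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(scan_text(text)) or "no card data found")
```

Run it against log, export and backup directories your POS or shopping-cart software writes to; any "prohibited" hit means the software is retaining stripe data and the vendor or your processor needs to be involved.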
Security Rules for Processors—Which Also Apply to Small Businesses

In addition to the guidelines listed above, payment card processors and merchants are required to follow these rules:
• Use firewalls.
• Change passwords and security codes from those supplied originally by the software manufacturer, to secure the processor's data and computer network.
• Encrypt all payment card information stored on the processor's computers.
• Encrypt any card data transmitted over the Internet or other public network.
• Use anti-virus software and keep it updated.
• Keep other software, such as operating systems, secure and updated.
• Provide employee access to data on a need-to-know basis only.
• Give each company employee who uses a computer a unique ID.
• Restrict physical access to hard-copy payment card data.
• Track card data access on the company's computer network.
• Test the company's security systems on a regular basis.
• Have an information security policy that spells out rules for employees who handle data and reinforce it regularly.
• For a full listing of these rules, go to www.visa.com/cisp. Click "PCI Data Security Standard."
By following the payment card security requirements, you will protect your customers' sensitive data, and put your business at a competitive advantage with other businesses that are not in compliance.

The alternative can be disastrous. If your business has a security breach and is found not in compliance with the payment card security rules, there are severe penalties, including barring your business from accepting payment cards.
Choosing a Payment Card Processing Company

As a business, you have a choice in processors, and credit/debit card processors can vary in their performance. If your customers' information is lost or stolen from your card processor, you and your business could become the target of negative publicity, loss of customer trust, fines, and costly lawsuits.
As you select a processor, verify that they follow all the security rules required by the major payment card associations. If a credit/debit card processor fails to follow those rules, a major data security breach is possible. In 2005, hackers accessed information on approximately 40 million cardholder accounts from a credit card processor that was found not to be compliant with the credit card security requirements.
12. If You Have Data Lost or Stolen
Consider Notifying Your Customers

Currently, twenty-three states (listed here) have laws that require customer notification in the event personal data is lost, stolen, or inadvertently disclosed, and these laws may expand to a national level soon. Many states require you to notify your customers of any data breach. Other states require notification when harm to potential victims is likely.

Even if the law doesn't require it, consider the advantages of giving notice to your customers whose information was compromised. If you tell your customers about the breach:
• Describe the nature of the incident.
• Tell them what you have done to address the problem.
• Tell them what you will do in the future to further reduce the chance of it happening again.

States with Breach Notification Laws
*Arkansas
California
*Connecticut
*Delaware
*Florida
Georgia
Illinois
Indiana
*Louisiana
Maine
Minnesota
*Montana
Nevada
*New Jersey
New York
*North Carolina
North Dakota
*Ohio
Pennsylvania
*Rhode Island
Tennessee
Texas
*Washington
* Requires notification only when there is risk of harm to consumer victims

Notify Law Enforcement and Other Authorities

If a breach occurs, it is important to alert appropriate law enforcement officials immediately so they can investigate the incident. Talk to a lawyer to get advice on which law enforcement authorities you should contact. This could include local police, state authorities, or even the FBI. The major payment companies also advise that you immediately contact your payment processor and your acquiring bank if you have a credit/debit card security breach.

It is also recommended that if you have any kind of customer data breach, you alert the three national consumer reporting agencies: Equifax www.equifax.com, TransUnion www.transunion.com, and Experian www.experian.com. Visit the FTC Web site (www.ftc.gov) for more information on responding to a data breach.

Also alert the bank or company that you hire to process your payment cards. It's important that the compromised accounts are watched or closed to prevent fraud from occurring on them. You could have liability for the resulting fraud, so quick notification to the payment card companies can help.

Ask your lawyer about this now, so that in the event something does happen, you are immediately prepared and know which law enforcement agencies to contact. Some local law enforcement departments have even set up special units to investigate such incidents.

Support Your Customers

If a breach occurs:
• Encourage your customers to monitor their credit reports for signs of identity theft. If you can afford the expense, consider paying for a credit monitoring service for your affected customers for a designated period of time (generally 6-12 months).
• Encourage any customer experiencing or suspecting identity theft to notify you, file a police report, and notify the three national consumer reporting agencies outlined above.

Responding quickly to a data breach may help you retain your customers.
13. Managing Official Requests For Your Data

You Have Both Duties and Rights

When you receive a request for customer records from a law enforcement officer or a government agency, balance your general inclination to respond immediately with your responsibility as a trustee of your customers' information.

Responding to Government Agency or Law Enforcement Requests for Data
• State your company's policies on responding to these requests in your security and privacy policy. If your business shares customer personal information with the government when it is required to do so by law or valid access request—say so.
• Consult with your attorney about your obligations to respond to government information requests and to ensure that you are complying with your privacy policy.
• Train your employees. Tell them what to do when they receive a request for customer information from law enforcement or another government agency.

14. If You Do Business Globally

You Could Be Subject to Foreign Data Protection Laws

Over 50 nations have personal data protection laws that regulate the handling of consumer information by businesses. Most data protection laws apply to all businesses that handle customer information, regardless of size. Even a company with no physical presence in another country—but which engages in international business-to-consumer e-commerce—is often required to comply with these laws. These data protection laws are found throughout Europe, Canada, South America, Asia, Africa, and the Middle East.
What These Laws Require from Businesses

In general, data protection laws require that businesses:
• Provide information to consumers about the collection and processing of their data.
• Process consumer data in a fair and lawful manner, and only for the purposes communicated to the consumer.
• Restrict the collection and processing of certain "sensitive" types of consumer data.
• Collect only relevant (and not excessive amounts of) personal data from consumers.
• Take reasonable steps to protect consumer data from accidental loss, destruction or unauthorized disclosure. This includes supervising employees and contractors who touch consumer data on a business' behalf.
• Ensure that safeguards are in place at destination points before transferring consumer information outside of the country.
• Check on whether a country requires businesses to file a notification with the national data protection authority before collecting and handling any consumer data.
Customers Have Rights Under International Data Protection Laws

Customer rights under data protection laws generally include:
• The right to withdraw consent to certain uses of personal data (generally for direct marketing uses).
• The right to obtain information about how personal data is processed.
• The right to view their personal information and request that any errors in that information be corrected.
• The right to sue a business in court for compensation or damages resulting from harm caused by a breach of the data protection laws.
Law Enforcement

Most countries with data protection laws have designated a separate data protection authority to supervise and enforce the law. These agencies generally have the power to receive and investigate complaints about businesses from consumers, or to initiate their own investigations. Some have the power to impose fines and other penalties for violations of the law, while others may only make non-binding determinations (which may be enforceable by a court).

What You Need To Know About Global Commerce
• Learn about the data protection laws in countries in which you do business. A good place to start is with the web sites of national data protection authorities for each country. Some publish guides to their laws that are customized for small businesses, such as the UK and Australia. For a list of data protection authorities in countries around the globe visit http://www.dataprotection.ie/docs/European_Functions-Useful_Links/99.htm
• Consumers in these countries expect businesses to understand and comply with local data protection laws, no matter what the business size.
15. Additional Resources

Managing security and privacy in your business activities doesn't need to be an unduly expensive or time-consuming activity. Taking practical steps to protect the sensitive data your customers entrust to you will produce many dividends in return. Establishing solid data security and privacy policies and practices will:
• Put your business in compliance with federal and state law.
• Help protect your business and customers from data theft and criminal activity, including ID theft.
• Create a bond of respect and trust between your business and your customers.
Customers expect their information to be kept securely. Consider this your initial Guide to security and privacy best practices. However, note that security has new manifestations all the time, so it's a changing landscape. Here are additional resources to help keep you current.
• The Better Business Bureau: Find updates for small business owners about changes in security and privacy laws as well as new risks they need to manage. www.bbb.org/securityandprivacy.
• The Federal Trade Commission: The site of the nation's consumer protection agency has a collection of resources for businesses and consumers www.ftc.gov. The FTC also provides a one-stop national resource on ID Theft at www.consumer.gov/idtheft.
• Privacy Manager's Resource Center: a comprehensive resource from BBBOnLine to help businesses promote trust in consumer relationships www.bbbonline.org/UnderstandingPrivacy/PMRC.
• IBM's Small Business Center: a collection of resources for small business owners including white papers, technology solutions and expert Q&A www.ibm.com/businesscenter/smallbusiness.
• Visa: Full briefing of payment card industry (PCI) standards for merchants www.visa.com/cisp.
• Business for Social Responsibility: Issue Brief—Consumer and Employee Privacy www.bsr.org.
• OnGuard Online: provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information. Managed by the FTC www.onguardonline.gov/index.html.
• Small Business Computing.com: an online magazine-style guide by Jupiter Media Corporation for small business owners featuring technology articles, reviews, and a message board www.smallbusinesscomputing.com.
16. Customized Insights from IBM
In addition to the solid security and privacy material provided in this Guide, IBM offers these key reinforcements and additional thoughts.

1. Ensure your antivirus software is installed, and up to date. Believe it or not, there continues to be activity from viruses as old as CodeRed and Nimda, which first appeared years ago.
2. Install a firewall for your home and business computer network, especially if you use an always-on connection like broadband or DSL. Intruders are continuously scanning for home and business systems they can hijack to create a "list bomb" to send to your entire address list.
3. Fend off "airsnarfs" – hackers who piggyback onto your wireless connection – by ensuring your laptop has its own firewall.
4. Do not respond to unsolicited e-mail, spit, spim or spam. Even the Unsubscribe function on a spam e-mail probably won't take you off any junk lists, and it may even redirect you unknowingly to a malicious web site that creates a backdoor or downloads a virus onto your PC.
5. Did you know that 40% of all computer users use the word "password" as their password? When choosing a password, here are some tips to slow down programs that are specifically written to crack your password.
• Don’t choose obvious things like the name of a pet, friend or your birth month.
• Select longer passwords – at least eight characters.
• Mix letters with non-letters, such as numbers and punctuation.
• If you absolutely have to use a real word, misspell it.
6. If you are an IM user, be cautious about following links or running software sent to you by someone else. These are commonly used to build networks of computers that are unwittingly part of a denial of service attack. Experts project that two billion spam messages will bombard Instant Message applications this year.
7. Don't be fooled by "spoofers." There is no good reason to give out your password, social security number or bank account information in response to an e-mail or phone call. Most legitimate banks and Internet service providers would never ask you to send them that kind of information. If in doubt, call them.
8. Look for a third party privacy seal to ensure that the transaction is secure when purchasing over the internet.
9. Last, but not least – When was the last time you backed up your files? There is no such thing as 100% protection from phreaks, spoofers and spammers, so make sure you have a recent back-up before a wicked wabbit brings your system to a halt.
For more information and tools to help you protect your small business, visit http://www.ibm.com/businesscenter/smallbusiness
Highlights
IT solutions for midmarket On Demand Business
IBM security solutions: Protecting
your business from spam, viruses
and spyware
Addresses today’s e-mail
security issues with effective,
easy-to-manage and affordable
security solutions
Offers protection against
current risks with the flexibility
to adapt to ever-changing
e-mail threats
Provides highly secure,
automated user management
Helps reduce costs by leverag-
ing open-source technology
A secure e-mail system is a vital part of
becoming an On Demand Business,
in which your business processes
are integrated end-to-end with key
partners, suppliers and clients. This
enables you to respond with speed
to virtually any client demand, market
opportunity or threat. And innovation
is the key to creating business value
and differentiation. It’s what makes your
company indispensable to customers.
IBM and IBM Business Partners can
help you differentiate your company
from the competition — our On
Demand Business strategy can help
you become more responsive to your
customers..
More common than the telephone in
business communication, e-mail is
more than a convenience for today’s
business—it’s essential. This quality
also makes e-mail a prime target for
security threats.
The 2005 IBM Global Business
Security Index Report assessed a
number of security threats, nearly all of
which pose a threat to e-mail. Viruses
have been on the upswing, despite
extensive efforts to contain them. Spam
has continued to proliferate, despite
the U.S. Federal Trade Commission’s
Controlling the Assault of Non-Solicited
Pornography and Marketing (CAN-
SPAM) Act of 2003. Phishing continues
to grow, attempting to scam users
into surrendering private information
through e-mail that falsely claims to be
sent from an established enterprise.
What can you do to prevent productivity loss, damage-containment costs, and other potentially severe financial impacts resulting from a security breach? What measures can you take to comply with regulations that require you to keep a record of e-mail communications and secure the confidentiality of information? What can you do to keep your e-mail secure?
Easy-to-manage and affordable e-mail security solutions
IBM offers easy-to-manage and affordable security solutions that address today’s e-mail security issues. These solutions help manage current risks with the flexibility to adapt to ever-changing e-mail threats.
Comprising hardware, software and services from IBM and IBM Business Partners, the security solutions span three areas: managed e-mail security services, network e-mail security, and access and identity management.
Express managed security services
Protect your e-mail infrastructure and network with a comprehensive solution designed for mid-sized businesses.
IBM Express Managed Security Services for Web security
The IBM Express Managed Security Services for Web security suite is designed to protect IT investments and productivity with around-the-clock scanning that reduces the threat of spyware and viruses delivered through Web browsing. The solution is easy to deploy and manage, and effectively enforces corporate Internet usage policies by filtering access to inappropriate or potentially dangerous URLs.
IBM Express Managed Security Services for Web security protects with robust antivirus, anti-spyware, and URL-filtering technologies. It is a complete solution that:
• Stops viruses and spyware outside the network
• Filters out inappropriate Internet material
• Lowers the cost of protection by eliminating hardware and software maintenance
IBM Express Managed Security Services for E-mail Security
IBM Express Managed Security Services for E-mail Security can act as your first line of defense by scanning e-mail and eliminating threats originating from outside your network. This IBM managed service provides worldwide 24x7 service and support with threat monitoring and response at a potentially lower cost than can be achieved in-house. It requires no additional hardware, software, updates or IT staff.
IBM Express Managed Security Services for E-mail Security offers you the flexibility to choose only the security components you need. These services include:
• Virus protection
Unlike desktop virus software, the antivirus service option is designed to clean e-mail of viruses before they reach your network, helping eliminate the downtime caused by virus infections.
• Spam protection
The antispam service option combines predictive technology with fully customizable sender lists to help identify and reroute spam before it ever reaches your network.
• Image filtering
This image control solution combines multiple techniques, including groundbreaking image composition analysis to detect and control pornographic images.
• Content control
Applying a combination of advanced technology and configurable usage rules for filtering inbound and outbound e-mail, content control enables you to identify and control confidential, malicious or inappropriate content sent or received by your organization.
An additional level of security provided by this service helps reduce the opportunity for hackers to attack your corporate infrastructure. If corporate servers go down, this solution provides e-mail continuity by delivering incoming messages when service is restored.
Network-based security
IBM offers an easy-to-install, easy-to-use and easy-to-manage e-mail appliance designed and priced for small and mid-sized companies. It is powerful enough to plug network e-mail security gaps, and flexible enough to readily adapt to changing threats.
IBM System p5 Network E-mail Security Express
This solution provides a multilayered approach and an adaptable framework to meet the ever-changing challenges of network e-mail security. It combines the outstanding price and performance of IBM System p5™ platforms, the flexibility of the Linux® operating system, and the adaptability and ease of management of an innovative message processing platform. The high-performance, cost-effective and scalable solution helps reduce cost by eliminating the need for costly, internally developed solutions, and reducing management and administrative requirements.
Network access and identity management
IBM Tivoli® software, IBM Global Services and IBM Business Partners provide robust perimeter control, preventing unauthorized intrusions and reducing the likelihood of e-mail attacks.
IBM Tivoli Access Manager
IBM Tivoli Access Manager software enables you to give employees, partners, suppliers and customers dynamic, role-based access to your business applications, based on their need to know. This is accomplished by defining a comprehensive policy based on user roles or business rules to manage access to your applications. You can create user groups and assign permissions to groups, which can simplify administration of access control across multiple applications and resources.
IBM Tivoli Identity Manager Express
IBM Tivoli Identity Manager Express provides highly secure, automated and policy-based user management and single sign-on capabilities. It helps ensure that the right people can access the right applications and infrastructure. It enables automated setup of new accounts and passwords for employees and customers, and provides users with the ability to reset and synchronize their own passwords without help desk support. It helps improve visibility into security management operations, and can quickly produce reports for auditors with predefined reports and audit events.
IBM Express Vulnerability Assessment
IBM Express Vulnerability Assessment is a reliable, affordable starting point for reducing security-related risks and protecting confidential data. It’s a cross-industry security solution that helps clients better understand vulnerabilities in their Web-based applications and networks and how to address them. Low-, medium- and high-risk exposures are identified and documented for the client, along with recommendations for improvements. This solution is packaged and priced for mid-sized businesses and features IBM Business Consulting Services’ industry-leading methodologies and tools.
IBM Managed Security Services
IBM Global Services provides robust, comprehensive managed security services to help decrease system vulnerability, and optimize security and privacy strategies and procedures.
• Network intrusion detection
Guard your Web sites against attacks with around-the-clock monitoring of all Internet Protocol (IP) network traffic within a hosted environment. Services include installing and managing an intrusion sensor, logging and analyzing events, and recommending security enhancements.
• Ethical hacking
IBM security consultants can perform a range of intrusion tests using the same techniques known to be used by the most common hackers. By identifying weaknesses and recommending specific security measures that can protect information and processes, these services can help you circumvent actual loss.
An IBM customer success story
A manufacturing company found that each of its 100 employees was receiving approximately 400 spam e-mails per day. The organization also did not have virus protection in place. It needed to eradicate viruses and minimize the amount of spam being received.
IBM Global Services and IBM Business Partners provided a complete e-mail security management system to this company. This solution provided e-mail antivirus, antispam and other undesirable content filtering. As a result of the e-mail security services, no viruses could penetrate the network through e-mail. The solution eliminated 98 percent of spam. In addition, during a recent e-mail server outage, IBM held e-mail for the company until the company restored its e-mail server operations two days later.
IBM e-mail security services helped the company achieve greater productivity, reduce the risk of legal liability and achieve greater network bandwidth by stopping spam at the Internet level.
IBM Express Advantage
The IBM Express Advantage is your gateway to a comprehensive line of hardware, software, services and financing solutions designed, developed and priced specifically for mid-sized businesses. These offerings are available through the IBM network of Business Partners, who combine their applications and services with IBM offerings to solve midmarket business challenges. The IBM Express Advantage also offers financing and enhanced capabilities to help mid-sized customers find the right IBM and Business Partner resources.
IBM Express Portfolio
In addition to the Express solutions mentioned before, IBM Express Portfolio™ offers competitively priced solutions developed exclusively for mid-sized businesses. This portfolio, which includes hardware, middleware, storage capabilities, consulting and financing services, addresses the special challenges that mid-sized businesses face—limited IT staffs, fewer skills and resources, and smaller budgets than large companies. With Express, IBM provides solutions that are easy to install, manage and integrate with existing systems, and are available from IBM as well as from our vast network of Business Partners.
Financing offerings
You can get the security solution you need, while preserving your cash and credit lines, with the IBM Financing Advantage program. This suite of smart, simple financial solutions, designed specifically for small and mid-sized business, offers:
• Highly competitive rates on IBM or non-IBM hardware, software and services
• A 5 percent rebate on selected IBM products in selected countries
• Cash for your unwanted equipment (or safe, secure disposal services)
• IBM Certified Used Equipment, if acquiring new equipment is simply not an option
For more information
IBM and IBM Business Partners can help you achieve business objectives, and avoid loss of business, reputation, and competitive advantage resulting from unsecure e-mail systems. To learn more about IBM solutions for e-mail security, please contact your IBM representative or IBM Business Partner, or visit ibm.com/businesscenter/smb/us/en/solutionssecurity
© Copyright IBM Corporation 2006
Route 100
Somers, NY 10589
U.S.A.
Produced in the United States of America
03-06
All Rights Reserved
Express Portfolio, IBM, the IBM logo, the On Demand Business logo, System p5 and Tivoli are trademarks of International Business Machines Corporation in the United States, other countries or both.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Other company, product and service names may be trademarks or service marks of others.
References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.
G299-0740-01
Security and privacy
September 2006
Stopping insider attacks: how organizations can protect their sensitive information.
Contents
2 Introduction
3 The growing threat of insider attacks
5 Your organization at risk: understanding the stakes
6 Building greater sophistication into security measures
11 Conclusion
Introduction
The growing threat of insider attacks
Highlights
• Strong perimeter defenses can block external threats effectively, but provide only part of the protection organizations need.
• Though often overshadowed by attacks from the outside, the risk of insider threats is nevertheless a pressing concern for practically every organization.
• A list kept by the Privacy Rights Clearinghouse shows hundreds of data breaches reported in the United States alone since February of 2005.
• “Dishonest insiders” can exploit an organization’s vulnerabilities to commit identity fraud and expose confidential information—for personal gain or as part of a larger crime ring.
Your organization at risk: understanding the stakes
Highlights
• Because employees carry valid authorization and are privy to the organization’s vulnerabilities, insider attacks can be more difficult to detect than external penetration attempts.
• Undetected attacks can cause serious harm, including legal liability for compromised data, loss of competitive position and disrupted business operations.
• According to a recent study, the average fraud scheme continues undetected for 18 months.
Building greater sophistication into security measures
Highlights
• Distributed, global work environments and rapidly changing business conditions require a balance between end user accessibility and data protection.
• Protecting against attacks from the inside requires greater sophistication and granularity on the part of security systems.
• There are four basic elements that can provide the sophistication needed to help prevent insider attacks.
Behavioral analysis
Highlights
• Security systems should automatically monitor the online activities of authorized users, detect abnormal behavior and even help to prevent potential misuse.
• Behavioral analysis can help pinpoint small deviations and unusual patterns in high-traffic, dynamic work environments.
Integrated security components
Highlights
• Security elements should interact seamlessly—in real time—to enable thorough analysis and quick response to potential threats.
• Effective pattern detection depends on the ability to correlate messages and events from different monitoring systems across the IT environment.
Automatic response
Highlights
• The security systems themselves must be capable of responding immediately to unacceptable user behavior.
• Automatic denial of access can thwart attacks before they occur—and give network administrators the opportunity to determine a suitable course of action.
Iterative modeling process
Highlights
• To stay a step ahead of evolving security threats, organizations must continuously revise and enhance their security efforts.
• Self-tuning systems should react appropriately and intelligently to dynamic business conditions—without human intervention.
Conclusion
Highlights
• Organizations must be prepared to fend off attacks wherever they originate—even as the boundaries between organizations, partners, users and customers blur.
For more information
IBM Center for Business Optimization
IBM Information Security Framework
ibm.com/services
© Copyright IBM Corporation 2006
IBM Global Services
Route 100
Somers, NY 10589
U.S.A.
Produced in the United States of America
09-06
All Rights Reserved
IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both.
Other company, product and service names may be trademarks or service marks of others.
References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.
IBM assumes no responsibility regarding the accuracy of the information provided herein and use of such information is at the recipient’s own risk. Information herein may be changed or updated without notice. IBM may also make improvements and/or changes in the products and/or the programs described herein at any time without notice.
1 California Security Breach Information Act (S.B. 1386), enacted July 1, 2003; http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
2 IBM global business security index report, 2005.
3 Scott Berinato (with Research Editor Lorraine Cosgrove Ware), “The Global State of Information Security 2005,” September 15, 2005, published by PricewaterhouseCoopers and CIO; http://www.cio.com/archive/091505/global.html
4 “A Chronology of Data Breaches Reported Since the ChoicePoint Incident,” Privacy Rights Clearinghouse; August 5, 2006, used with permission of the Privacy Rights Clearinghouse, www.privacyrights.org
5 John Ribeiro, “HSBC claims customer fraud in Indian services center,” Network World (IDG News Service), June 27, 2006; http://www.networkworld.com/news/2006/062706-hsbc-claims-customer-fraud-in.html
6 “2006 ACFE Report to the Nation on Occupational Fraud and Abuse,” Association of Certified Fraud Examiners; http://www.acfe.com/fraud/report.asp
GSW00316-USEN-00
Simpler, smarter choices, customized for you.
Your one-stop IT financing partner
IBM Global Financing
Just as today’s businesses increasingly rely on sophisticated IT solutions—hardware, software and services from multiple vendors—the financing requirements associated with them can become similarly complex. That’s why it’s important to choose a financing partner that can help you make simpler, smarter choices—offering financing solutions that are customized for your business needs and are flexible over time.
In the same way that IBM knows how innovative IT solutions can contribute to the success of your business, IBM Global Financing knows how innovative financing can contribute to the value your company realizes from its IT investments. Our objective is to be your partner—providing a one-stop source of competitively priced IT financing solutions. When you choose IBM Global Financing, you’re getting a strategic partner for managing all aspects of your financed solution.
Over the lifecycle of your IT investment, IBM Global Financing offers asset tracking, services for the disposal of assets no longer required and high quality used equipment. IBM Global Financing also offers channel financing for resellers, value-added resellers and independent software vendors.
“Leasing from IBM Global Financing gives us the flexibility to migrate to a new architecture—and better utilize our capital.”
– Jesse Perez, CFO, Geotrace Technologies, Inc.
Smarter financing decisions
IBM Global Financing has the expertise to help you make smarter financing decisions. We work with companies of all sizes and can create customized financing packages. Depending on your business, IT and financial priorities, we offer plans that take into account the lifecycle of your investment, helping you acquire, manage and even eventually dispose of technology assets. Our financing solutions are competitive and can give you the flexibility to change or upgrade hardware and software—so you can keep your IT capabilities in line with an evolving business and technology environment.
Partnership across the lifecycle
As the world’s largest provider of IT financing, IBM Global Financing has a worldwide asset base of nearly US$31 billion, enabling us to provide financing expertise, comprehensive solutions and competitive terms. Whether you are a global business or a smaller local company, we can apply our experience and innovative thinking to serve your goals—something we already do for 91 of the United States Fortune 100 and for 125,000 customers in more than 40 countries.
Right from the start, we’ve operated from a simple, core assumption—it’s in our best interest to serve your best interest. We value our client relationships and emphasize clear, straightforward contracts that can minimize surprises and bumps in the road. When finances are tight, you can include IBM Certified Used Equipment™ as part of your financing solution. We build partnerships that put the full range of our expertise and resources to work for you.
A simpler experience—one-stop financing
We know you want to acquire technology more easily, so IBM Global Financing works to simplify the decision-making process for IT financing. We provide rapid quotes and approvals. We can provide customized financial solutions and easy online tools for tracking and managing your financed assets.
Finally, we know you want a comprehensive financing package that addresses your total IT solution—for hardware, software, services and maintenance, including both IBM and non-IBM components. IBM Global Financing provides one-stop shopping for IT financing, with a single point of contact to make it easier for you to address all the elements of your financing solution.
“Leasing from IBM helps to give us the ability to grow. We’re going to have to make a lot of critical spending decisions [when we build our new medical center], and it will be nice to have the cash.”
– Kevin Fitch, senior treasury analyst, Elmhurst Memorial Healthcare
For more information
To learn more about simpler, smarter financing, contact your IBM representative or visit: ibm.com/financing
© Copyright IBM Corporation 2006
IBM Global Financing
North Castle Drive
Armonk, NY 10504-1785 USA
ibm.com/financing
Produced in the United States
March 2006
All Rights Reserved
IBM, the IBM logo and IBM Certified Used Equipment are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both.
Other company, product and service names may be trademarks or service marks of others.
References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.
IBM Global Financing offerings are provided through IBM Credit LLC in the United States and other IBM subsidiaries and divisions worldwide to qualified commercial and government customers. Rates are based on a customer’s credit rating, financing terms, offering type, equipment type and options, and may vary by country. Other restrictions may apply. Rates and offerings are subject to change, extension or withdrawal without notice.
IGF4-a085-03
GFB02045-USEN-03