This article is Part 1 of an ongoing series on information security compliance. The author can be contacted by email at mputvinski[at]wolfandco[dot]com or you can follow him on Twitter: @mattputvinski.
Series Introduction
To start, let us think about the things currently happening in our world:
- Security breaches are happening almost every day.
- Reputation is the first thing to be impacted when a breach occurs.
- States are reacting to public outcry by passing laws for more stringent and proactive security measures.
- Stress increases on already stretched compliance resources.
- The cost of recovering from a breach will be expensive.
Whether it’s a lost laptop, hacked website, or theft by an employee, data security breaches are never pretty. The worst is when YOU are the headline. The questions after a breach will be varied, but rest assured they will come quickly and without mercy:
- How do I know my medical records won’t be leaked to the public?
- Why would you tell me my credit card number is secure when every employee can access it?
- How could you have let this happen?
These questions will start you on a tumultuous road because once the public’s trust has been compromised the road back is long and steep. You will lose business. Exactly how much depends on the particulars of the incident but customers will walk away if they don’t trust you to protect their personal information. One of your largest pieces of equity in business is the trust of your customers have in you to make the right decisions. Security is one of those decisions.
If you truly want to understand the bottom line impact of trust you need to look no further than the Edelman Trust Barometer. This annual survey conducted by the world’s largest public relations firm specifically addresses what consumers will do when there is no trust. 77% of the U.S. respondents said they would refuse to buy products or services from a company they do not trust. 75% would discontinue doing any business whatsoever, but most importantly, 72% said they would criticize them to people they know. And when you’re talking about the reach of blogs and message boards, that one voice can get influential quickly. Multiply that by a thousand, or even millions, and you start to see the ramifications of a customer with whom you’ve broken trust.
So in a time when every one of us is trying to cut expenses to survive in this economy, what is a businessperson to do to sustain trust as well as keep costs low? Is it possible to obtain a security level that proves to your customers that you value your relationships and can be trusted with their personal information?
I am happy to say that the answer is a resounding “Yes!” Many of the things that you read in the newspapers or see on the TV are careless security blunders that can be easily avoided with some common industry techniques. In some cases, these techniques may require investments in security tools but most often it’s a matter of tightening up current procedures and utilizing current resources more effectively through proper training.
First, let me layout some basic tenets of security.
For one thing, security is never going to be 100% reliable. No matter how much money you spend, if you have aggravated the cyber mafia and they are out to get you, they will get in. If that’s the case, it’s possible the public may give you some sympathy but don’t count on this being your saving grace. The public is less forgiving when they find out that the breach was caused by carelessness or plain stupidity. These less sophisticated attacks (i.e. a laptop was stolen from the back seat of a car or some bored kid decided to go through your trash) smack of incompetence on your company’s part. Situations like this show a lack of basic respect for the security of information and will cost you more in the arena of public opinion since they could have been avoided with a little common sense.
The goal of this series is to give you the opportunity to challenge your organization to prove that it is truly doing everything possible to protect customer data. Let’s break it down to some of the basics:
- How strong are your security policies and procedures?
- What type of security tools are you using to monitor security?
- Should you be using encryption?
- Do you know which of your vendors could cause you the most pain?
- How effective is your information security awareness training and do your employees understand why it’s important?
- What does the role of a chief security officer really look like?
- Do you have an effective risk assessment program?
- Are you prepared to adequately respond to an incident?
Beginning today and during the next few articles, we will address each of these areas. When you’re able to answer these questions effectively you can be assured you have a strong information security program. If you act as if it’s a matter of when you have a breach rather than if you have a breach, you may never have to deal with the consequences in the first place.
Information Security Best Practices
How Strong is Your Information Security Program?
Traditionally, documented security policies have been viewed as nothing more than a regulatory requirement. While this may have been true in the past, building a strong information security program (ISP) is a business imperative as you fight to keep the customers you have and work to attract new ones. Your information security policies can either work to help you grow your business or signal a red flag that security is not a top priority.
No matter how strong your security posture is now, if you don’t document it, it won’t last. You must assume that people instrumental in building your security environment will eventually move on. In that respect, training the replacement is a lot less painful and much more effective with a written guide. Without a policy manual, the new employee would eventually learn what to do but would you really want to risk a security incident while they are trying to figure it out?
It’s important to understand that there is no procedure, policy, or technology that will ever be 100% secure. It just doesn’t exist. You can, however, endeavor to get as close to perfect as possible.
Lack of a documented security policy is a huge red flag when determining liability in the event of an incident. You do not know when the next attack will happen and if someone is aggressively targeting you, they will cause pain. When it comes time to defend yourself, no matter the strength of your security environment, the lack of a documented information security program is a message that management has not taken data security seriously. This perception becomes increasingly dangerous when we’re talking about a court of law and an untold number of potential customers in the court of public opinion.
Whether you are currently without a policy or want to ascertain where yours fits along the continuum, here are key components that should be in a best practices ISP.
The Information Security Officer
The first thing that any security program must do is establish the presence of the Information Security Officer. Depending on the size of your security environment, this could be a full-time position or a current employee who has the availability to take on further duties.
Besides the time element, the organization must clearly define the expectations of the Information Security Officer and determine if an individual is capable to fill the role. During a later post I will describe the attributes that ascertain “capability”, but the complete lack of someone in this role means that information security is not a priority in your organization.
End User Acceptable Use Guidelines
Your policy should contain specific language detailing what employees can do with “your” workstations. While we hope that all company property is used for company purposes, this just isn’t the case in real life. Instruct employees as to what is considered business use and explain the risks of downloading games or using tools like instant messaging.
Software Updates and Patches
What’s your stance when it comes to patch management? Do you require patches and upgrades to be implemented immediately? Are you sure you’re actually doing what your policy says?
Random checks to confirm you are following your own rules is the best way to monitor the activity.
If you’re scratching your head at my use of the phrase “patch management”, understand that if you don’t keep up to date on your system patches and upgrades, you leave yourself wide open for the most basic of hacks. If you never update, your vulnerabilities are exponentially increased. Your best practices Information Security Program should clearly document your patch management procedures and frequency of the updates.
Vendor Management
You’re only as strong as your weakest link, and when you work with third-party providers their information security downfall can become your issue. Make sure you document which vendors receive confidential information and how this information is treated when in the custody of the vendor. The lack of strict vendor guidelines could increase the risk of releasing your customers’ private information.
Physical Security
Documents don’t walk out of the office on their own. Having strict rules about who can physically access your offices and how they gain entry can decrease the likelihood that an unauthorized individual is present to steal information. The next step is to ensure that your policy documents how physical information is stored and destroyed.
Data Classification and Retention
Lessen your liability by classifying exactly what type of data you need and how long you need it. A breach is bad enough, what’s worse is if data is stolen that you didn’t need to keep or shouldn’t have had to begin with. In the case of TJX (“PCI DSS auditors see lessons in TJX data breach” TechTarget March 1, 2007), many of the credit card numbers affected had no business purpose in being kept.
Password Requirements and Guidelines
Your employees dread having another password to remember. The more complicated the requirements you make to ensure security, the more they decide to write them down and expose them to others. Establish a strong password policy but stay within reason for your employees. Sometimes, a little additional training as to why the policy is the way it is can be all you need to gain acceptance.
Wireless Networking
There is no doubt that the implementation of wireless networks has saved many organizations both time and money in comparison with traditional cabling. As you decide what type of network connectivity to adopt, understand that with increased flexibility allowed by wireless, a stronger encryption standard is required to ensure there is no abuse.
Employee Awareness Training
How well informed are your employees to identify or prevent a security incident? Each and every one of your employees can act as a member of your own security army with some simple training. The first step in recruiting them for the cause is to set the expectations appropriately and communicate those expectations in your policy.
Incident Response
Hands down, the worst time to create an incident response program is when you are actually having an incident. You can’t undo what has happened and you’re in crisis mode dealing with the after effects of the breach.
Not the time to be putting policy to paper.
Your reputation is severely at risk, and if you respond inadequately you risk making it worse with law enforcement as well as your customers. Act as if a breach is inevitable and take the time to develop the language and procedures you will use in the event of an incident to ensure you’re prepared when the time comes.
Annual Updates and Reporting
Don’t let all your hard work go to waste. The worst thing to do after investing time and resources into your information security program is to allow it to sit on the shelf and become obsolete. Threats and risks are changing daily and it is imperative that your policies stay up to date. Requiring an annual review, with results are reported to the Board of Directors and senior management, will help to ensure that your program remains current and can handle any future incidents.
Feel free to use this list in either building your program or as a checklist to determine your current status. Additionally, other good resources include the National Institute of Standards and Technology and the SANS Institute. The most successful policy will be one that blends in with the culture of your organization rather than just existing to fill a regulatory requirement. In doing so, you increase the security posture of your organization with as little effort as possible and help ensure you don’t become another statistic in the evening news.