Is it possible to declare some security policies as more critical than others? When it comes to protecting sensitive data, all security policies are important to reduce the risk of loss. However, when we look at risk mitigation from the perspective of stopping the latest attacks, some security controls rise to the top.
In September 2009 the SANS Institute released the latest version of the Top Cyber Security Risks. This analysis is based on real-world data collected from thousands of organizations. One of the objectives is to help understand the most dangerous attacks and how they happen. Based on the SANS analysis, we can highlight some of the critical information security policies that every organization should have.
Desktop Configuration Management Policies
The first step in the attack against most enterprises is the exploitation of an application running on the user desktop. Common applications are Adobe Acrobat, Flash and Microsoft Office. In short, these are the applications that many internet users use on a regular basis. Research from the SANS report suggests that IT groups are much more adept at patching servers than desktops. This makes sense, given the large and growing numbers of “end user’ devices that access email and the internet.
Desktop/Laptop Configuration Security Policies would clearly rise near the top of any prioritized list of security policies. This type of policy addresses controls that help create and manage a secure “footprint” on end-user machines. These involve a combination of both management and technical controls, including remote scanning and management of user desktops, as well as acceptable-use policies limiting what the user can download on their machine. It may also limit the ability for users to make changes to machine configurations, including updates to security settings. While in some cases these features can be automated by technology, it is still important to document these requirements in written policies. An effective Configuration Security Policy addresses the entire lifecycle of end-user equipment.
Internet and Email Acceptable Use
The second phase of an exploit involving a vulnerable machine is the user downloading an infected document. In some cases, a user would only have to visit an infected web site (see the next policy) to be exploited. However, a majority of cases still involve the distribution of infected files via email or downloads.
Internet Acceptable Use Security Policies are critical to make users aware of safe internet practices and educate them on the type of attacks that they face. Acceptable Use policies can involve a variety of controls, including limits on the type of web sites that can be visited, the duration of time spent on web activities, restrictions on software downloads, and limits on the type of software that can be used to access internet-services. For example, uncontrolled use of Peer-to-Peer (P2P) networking software has lead to a number of high-provide breaches of confidential information. Email Acceptable Use Policies are closely related and can be combined with Internet Acceptable Use policies to help reduce this risk of users making critical information security mistakes.
Web Server Security
Various forms of technical attacks against web servers are creating a growing network of infected web sites that can be used to distribute malicious software to users. By the far the most common are variations of the SQL Injection attack against web-database applications. These attacks are particularly damaging since a legitimate web site becomes an accomplice in infecting real business users of the site.
To help protect against these attacks, as well as against other potential data loss through the web, every organization should have a Web Site Security Policy. Based on our research, very few organizations have such a formal policy. A look at information security frameworks such as ISO 27002, HIPAA and NIST SP 800-53 reveal that web site security not a major focus, and certainly not called out as a key control.
A related and equally critical policy would be a Secure Application Development Policy. This policy would define various controls for designing, developing and deploying security applications. While this is a key requirement of PCI-DSS version 1.2, the rampant growth of web application exploits indicated that secure application development must be part of any organization that manages a dynamic web site that accesses a database.
Keeping Security Policies Up to Date
The evolving nature of these top threats points to the need for information security and data privacy policies to be updated on a periodic basis. Information Shield has developed our PolicyShield Security Policy Subscription to address this critical business need. PolicyShield subscribers will find all of the sample documents mentioned in this article as part of their standard subscription. Each quarter, we update the subscription with new policies that help you stay protected against the latest threats.
Tuesday, September 29, 2009
Monday, April 27, 2009
Acceptable Use Policies to Reduce Risk
A few weeks ago, Deloitte Touche Tohmatsu (DTT) released the results of its Annual Global Security Survey for 2008. The survey focuses on the information security needs, practices and priorities of the financial industry, which is among the most regulated of all vertical markets. Not surprisingly, the top priority for the security officers interviewed was “security regulatory compliance.” What is a bit surprising was that security compliance took the top spot for the first time, followed by “regulating access control”, which was the number one priority in 2007.
The report provides a number of interesting details, many of them pointing to continued problem of the “human factor” in security. According to the survey, the number one root cause of all security incidents experienced at these organizations was “human error.” (This is not a surprise, as nearly all data breach and incident studies come to a similar conclusion.) What IS surprising is that despite the concern about human error, the category for “security awareness and education” was 7th on the overall list of 15 priorities. While this tremendous gap between cause and prevention is indicated in this report, it is echoed throughout the industry. Everyone “gets it” that security is fundamentally a people problem, and yet when you look at spending and organizational priorities, education and awareness is near the middle or bottom of the list.
When new technology is introduced into the mix, the potential knowledge gap widens as technology makes into production before the much-needed awareness and policy guidance. In fact, the report revealed a fairly large gap between the deployment of new technology and the issuing of specific policies and guidance on the safe use of the technology.
One prime example is mobile security. According to the survey, very few organizations (less that 10%) actually prohibit the use of mobile storage (USB drives, Media Players, etc.) because of fears that this will limit productivity. In other words, 90% of organizations are using mobile storage in the enterprise. Yet only 40% of these same organizations publish policies and procedures on acceptable use of mobile storage. The statistics are similar for mobile computing technology (handheld computers, PDA, etc.). Only 27% limit these devices, and yet only 42% claim to have issued acceptable use policies.
Given the facts that human error is the root cause of most security incidents, the “knowledge gap” created when organizations permit technology without written acceptable use policies represents a significant risk. Written security policies are the official “contract” between management and employees on the appropriate use and misuse of new technology. And while polices do not replace awareness and training, they significantly enhance these efforts by forcing management to think through the various risks and trade-offs of adopting new technology.
If your organization is searching for cost-effective ways to keep policies updated based on the latest technologies, we encourage you to evaluate our PolicyShield Security Policy Subscription. We believe written policies are key for enabling safe, yet productive use of new technology.
The report provides a number of interesting details, many of them pointing to continued problem of the “human factor” in security. According to the survey, the number one root cause of all security incidents experienced at these organizations was “human error.” (This is not a surprise, as nearly all data breach and incident studies come to a similar conclusion.) What IS surprising is that despite the concern about human error, the category for “security awareness and education” was 7th on the overall list of 15 priorities. While this tremendous gap between cause and prevention is indicated in this report, it is echoed throughout the industry. Everyone “gets it” that security is fundamentally a people problem, and yet when you look at spending and organizational priorities, education and awareness is near the middle or bottom of the list.
When new technology is introduced into the mix, the potential knowledge gap widens as technology makes into production before the much-needed awareness and policy guidance. In fact, the report revealed a fairly large gap between the deployment of new technology and the issuing of specific policies and guidance on the safe use of the technology.
One prime example is mobile security. According to the survey, very few organizations (less that 10%) actually prohibit the use of mobile storage (USB drives, Media Players, etc.) because of fears that this will limit productivity. In other words, 90% of organizations are using mobile storage in the enterprise. Yet only 40% of these same organizations publish policies and procedures on acceptable use of mobile storage. The statistics are similar for mobile computing technology (handheld computers, PDA, etc.). Only 27% limit these devices, and yet only 42% claim to have issued acceptable use policies.
Given the facts that human error is the root cause of most security incidents, the “knowledge gap” created when organizations permit technology without written acceptable use policies represents a significant risk. Written security policies are the official “contract” between management and employees on the appropriate use and misuse of new technology. And while polices do not replace awareness and training, they significantly enhance these efforts by forcing management to think through the various risks and trade-offs of adopting new technology.
If your organization is searching for cost-effective ways to keep policies updated based on the latest technologies, we encourage you to evaluate our PolicyShield Security Policy Subscription. We believe written policies are key for enabling safe, yet productive use of new technology.
Tuesday, February 17, 2009
Ideas for Security Policy Sanctions
In order for written information security policies to have "teeth", there must be consequences for employees that do not follow policies, and this fact must be documented as part of the published policy. The "sanctions" portion of most security policies reads something like this:
"Failure to comply with this policy will result in disciplinary action, up to and including termination."
While this idea certainly makes sense as a formal statement, it leaves a lot of gray area in the real world of policy implementation and enforcement. And it will likely leave questions in the minds of employees. "Does this mean that everyone who violates a policy gets fired?" "What happens if I violate a policy by accident?" "What offenses would warrant termination?"
When developing written policies, the organization should prepare some internal guidelines for proper sanctions. These should be developed in conjunction with Human Resources and the Legal Department, and considered with regard to consequences for violation of other policies such as Code of Conduct. Certainly, all policy violations are not the same, and some violations present greater legal and market risk that others.
The following are some ideas for possible employee sanctions with increasing levels of severity:
1. Warning from Management -The employee receives a warning from their manager that they were in violation of policy.
2. Official Warning in Personnel File - The employee is warned, and official notice is put in their personnel file. This may have negative consequences during future performance reviews or promotion considerations.
3. Revoking Privileges - Access to certain company resources, such as internet or email, can be revoked for a limited period. (Providing that they are not critical to job functions.) In one organization, the CEO gave everyone in the organization 30 days to read and acknowledge the written security policy. After 30 days, each employee had their email disabled. Within 24 hours all of the offenders had read and acknowledged the policy.
4. Requiring Additional Training - Another sanction is to require the employee to take additional training on security and privacy practices. This must be done on their own personal time, such as during lunch or after business hours.
5. Suspension without Pay - After multiple warnings, or for serious policy violations that may put the company at substantial risk, employees may be suspended for a limited time without pay.
6. Termination - The organization should consider which types of offenses could trigger a termination. If termination is an option, consult with the legal and human resources department to make sure the organization is on solid ground with respect to written policies. Some employees have sued for wrongful termination and won the case when it was shown that the company was lax in its overall deployment and enforcement of security policies.
Of course, you can combine any of these into a type of sanctions "mix" that works for the organization. The important task is to prepare the organization by thinking through the problem and deciding what works best for the employees and management. Once guidelines have been established, they can be communicated to employees as part of their regular security or human resources training activities.
If your organization has come up with some unique and effective ways to encourage compliance with policies, we would like to hear from you.
"Failure to comply with this policy will result in disciplinary action, up to and including termination."
While this idea certainly makes sense as a formal statement, it leaves a lot of gray area in the real world of policy implementation and enforcement. And it will likely leave questions in the minds of employees. "Does this mean that everyone who violates a policy gets fired?" "What happens if I violate a policy by accident?" "What offenses would warrant termination?"
When developing written policies, the organization should prepare some internal guidelines for proper sanctions. These should be developed in conjunction with Human Resources and the Legal Department, and considered with regard to consequences for violation of other policies such as Code of Conduct. Certainly, all policy violations are not the same, and some violations present greater legal and market risk that others.
The following are some ideas for possible employee sanctions with increasing levels of severity:
1. Warning from Management -The employee receives a warning from their manager that they were in violation of policy.
2. Official Warning in Personnel File - The employee is warned, and official notice is put in their personnel file. This may have negative consequences during future performance reviews or promotion considerations.
3. Revoking Privileges - Access to certain company resources, such as internet or email, can be revoked for a limited period. (Providing that they are not critical to job functions.) In one organization, the CEO gave everyone in the organization 30 days to read and acknowledge the written security policy. After 30 days, each employee had their email disabled. Within 24 hours all of the offenders had read and acknowledged the policy.
4. Requiring Additional Training - Another sanction is to require the employee to take additional training on security and privacy practices. This must be done on their own personal time, such as during lunch or after business hours.
5. Suspension without Pay - After multiple warnings, or for serious policy violations that may put the company at substantial risk, employees may be suspended for a limited time without pay.
6. Termination - The organization should consider which types of offenses could trigger a termination. If termination is an option, consult with the legal and human resources department to make sure the organization is on solid ground with respect to written policies. Some employees have sued for wrongful termination and won the case when it was shown that the company was lax in its overall deployment and enforcement of security policies.
Of course, you can combine any of these into a type of sanctions "mix" that works for the organization. The important task is to prepare the organization by thinking through the problem and deciding what works best for the employees and management. Once guidelines have been established, they can be communicated to employees as part of their regular security or human resources training activities.
If your organization has come up with some unique and effective ways to encourage compliance with policies, we would like to hear from you.
Monday, January 26, 2009
Top Security Policy Priorities for 2009
A New Year is always a good time to reflect on the past and make plans for the future. 2008 was a very busy year for security breaches, with 656 reported breaches exposing up to 35 million customer records according to a recent report by the Identity Theft Resource Center (ITRC). This was nearly a 50% jump from 2007.
Since our focus is the development of information security policies, we decided to take a look back at 2008 and see if we could draw some conclusions about trends and priorities for 2009. Think of this as an industry-wide risk assessment exercise. Based on some of the largest incidents of 2008, which information security and data privacy policies, if properly implemented, would have helped reduce the likelihood or impact of these incidents? (Needless to say, many of these policies are contained within Information Security Policies Made Easy.)
The stakes are getting higher. According to a study conducted by the Ponemon Institute, data breaches are costing businesses an average of $197 per customer record, up from $182 in 2006. So, based on some of the top incidents of 2008, here are our suggested top security policy priorities for 2009:
1. Data Breach Notification Policies
Despite the many costly, embarrassing data breaches that have been reported over the last several years, organizations seem to get caught without a plan for dealing with breaches that involve sensitive customer data. Slow or poorly organized responses end up creating confusion and increasing the potential damage of the breaches.
Six months after a breach happened at the parent company of the Montgomery Ward website, the company Direct Marketing Services finally began notifying customers that their credit card information was stolen in part of a hack that stole at least 51,000 records in December 2007. In March, the Maine-based Hannaford Brothers grocery store chain announced that 4.2 million customer card transactions had been compromised by hackers. More than 1800 credit card numbers were immediately used for fraudulent transactions.
A data breach notification policy must include a variety of possible elements, including breach reporting procedures, documentation of breach notification requirements (by state or country), notification methods and schedules, and the establishment of breach response teams. (See our free Privacy Breach Calculator from the Privacy Management Toolkit.)
Data breach response is going to end up on the radar sooner or later. The recent Homeland Security Agenda announced from President Obama includes a goal for a nationwide breach notification law, but so far no national law has been passed, leaving a patchwork of state-level requirements within the United States.
2. Tracking of Physical Media in Transit
Another common theme in many incidents is the loss of physical media, including laptops, PDAs, hard drives and backup tapes. Since the data is often not encrypted (See item #3), the loss triggers breach notification requirements (See item #1).
There are a variety of controls that can be addressed in policy, from the most basic (tracking the delivery of sensitive equipment) to the more complex (laptop tracking software, RFID tags). As always, employees play a key role since they are often the ones transporting the sensitive information. An effective Mobile Device security policy must cover the controls around the logical and physical protection of mobile devices.
The number of incidents involved lost media and mobile devices are too numerous to talk about in detail. (Several web sites do maintain such a list, including the Open Security Foundation (OSF) Loss Database and the Privacy Rights Clearinghouse. According to the Open Security Foundation, stolen laptops account for the largest share of data breaches, at 22% of the total.
3. Encryption of Sensitive Data Backups
This policy is really a subset of a wider set of controls involving the monitoring and tracking of sensitive customer data throughout its lifecycle. However, this one deserves special attention due to some large incidents in 2008.
In February 2008, an unencrypted backup tape with 4.5 million customers of the Bank of New York Mellon went missing after it was sent to a storage facility. The missing tape contains social security numbers and bank account information on 4.5 million customers - including several hundred thousand depositors and investors of People's United Bank of Connecticut. Early in January, Iron Mountain reported that it could not find a backup tape that belonged to GE Money, containing information on over 650,000 J.C. Penney customers and 100 other retailers.
Encryption policies involve a variety of control areas, including identifying the data that must be encrypted, choosing and implementing encryption methods, and encryption key management. (ISPME has over 50 security policies addressing this topic.) Many organizations that process sensitive customer data are finding it more cost effective to simply encrypt all data, rather than identifying the subsets required. Despite the obvious need for encryption, according to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in use.
4. Malicious Software Prevention
Companies are increasingly falling prey to malicious software being installed and resident on their systems. Trojans and keystroke loggers were responsible for a number of high-profile breaches, including the Best Western Hotels, where thousands of user accounts were stolen and began appearing on Russian Mafia web sites within hours of the heist. In potentially one of the largest recent breaches, Heartland Data Systems has acknowledged a data security breach that may affect tens of millions of payment card accounts. Initial investigation revealed malicious software on their network.
In November, security vendor RSA said it found a single Trojan that had taken more than 500,000 online banking accounts credentials, credit cards and other resources. The reported indicated that the hacking gang behind the Trojan may have been operating for as long as three years. The compromised data came from hundreds of financial institutions around the world.
There are a number of related information security policies that can help address this common threat. These include standard security configurations for desktop and mobile devices, regular updates of virus and malicious software signatures, regular scanning of networked systems, and user education and awareness on software downloading and responding to phishing emails (see Item #5).
5. Employee Security - Screening, Education and Awareness
It is unlikely that there will be a year when employee education and awareness would not be a top information security priority. From rogue insiders going undetected to employees accidentally downloading spyware from a phishing attack, users are always at the front lines of many attacks. It has been said so many times that we can be numb from hearing it – educated users are essential to any security program. And yet, organizational priorities to not always follow this basic premise. A 2008 study by the Computer Security Institute showed that the average organization spends less than 1% of their budget on security awareness.
There are a number of security policies that can help integrate information security responsibilities into the workforce. Some examples include the requirements for annual security training, quarterly awareness activities, the formal documentation of information security responsibilities for various job roles, and validation of these in formal job reviews.
5.1 - The Insider Threat
This special area of employee-related security deserves special attention.
An alarming number of breaches now involve malicious employees or contractors. The breaches range from cases of espionage, to the simple pilfering of customer data for personal gain. According the ITRC report, insider theft - now at 15.7% of all breaches - has more than doubled between 2007 and 2008.
In one of the largest insider incidents of 2008, a former Countrywide Financial Corp. senior financial analyst was arrested and charged by the FBI for stealing and selling sensitive personal information of an estimated 2 million mortgage loan applicants. The data was taken over a two year period and sold to competitors. In March 2008, a former bank programmer at Compass Bank was charged after he had stolen a hard drive with 1 million customer records and used it to commit debit-card fraud.
A recent case involved a database administrator of a UK company, who was fined and sentenced to three months in jail after hacking into his former employer’s computer system. Later investigation revealed that the man had lied on his resume and also had prior criminal charges.
Written security policies can also help address the growing insider threat, and must focus on the entire lifecycle of employees and contractors. Examples include screening of employees in positions of trust, regular review of access rights, integration of security roles into job descriptions, monitoring of systems for unusually large transactions, and post-employment removal of logical and physical access rights.
Summary
So there are our top five categories. They are certainly not comprehensive, but they can give you a start on your priorities for 2009.
So what can we learn from this list? First, most data breaches involve a variety of factors, including both people and technology. So a variety of controls are required to help reduce the risk of these incidents. As we see from the analysis, most security policies are dependent on other policies to be completely effective. Privacy policies, encryption policies and backup policies must work together to prevent a breach involving stored sensitive data. User awareness and training policies must worth with malicious software detection and configuration control to help stop identity theft and the spread of botnets.
That is why Information Shield strives to provide the most comprehensive library of information security policies available. If your organization has gaps in any of these key areas, we encourage you to take a look at our security policy products. We look forward to serving you in 2009.
Since our focus is the development of information security policies, we decided to take a look back at 2008 and see if we could draw some conclusions about trends and priorities for 2009. Think of this as an industry-wide risk assessment exercise. Based on some of the largest incidents of 2008, which information security and data privacy policies, if properly implemented, would have helped reduce the likelihood or impact of these incidents? (Needless to say, many of these policies are contained within Information Security Policies Made Easy.)
The stakes are getting higher. According to a study conducted by the Ponemon Institute, data breaches are costing businesses an average of $197 per customer record, up from $182 in 2006. So, based on some of the top incidents of 2008, here are our suggested top security policy priorities for 2009:
1. Data Breach Notification Policies
Despite the many costly, embarrassing data breaches that have been reported over the last several years, organizations seem to get caught without a plan for dealing with breaches that involve sensitive customer data. Slow or poorly organized responses end up creating confusion and increasing the potential damage of the breaches.
Six months after a breach happened at the parent company of the Montgomery Ward website, the company Direct Marketing Services finally began notifying customers that their credit card information was stolen in part of a hack that stole at least 51,000 records in December 2007. In March, the Maine-based Hannaford Brothers grocery store chain announced that 4.2 million customer card transactions had been compromised by hackers. More than 1800 credit card numbers were immediately used for fraudulent transactions.
A data breach notification policy must include a variety of possible elements, including breach reporting procedures, documentation of breach notification requirements (by state or country), notification methods and schedules, and the establishment of breach response teams. (See our free Privacy Breach Calculator from the Privacy Management Toolkit.)
Data breach response is going to end up on the radar sooner or later. The recent Homeland Security Agenda announced from President Obama includes a goal for a nationwide breach notification law, but so far no national law has been passed, leaving a patchwork of state-level requirements within the United States.
2. Tracking of Physical Media in Transit
Another common theme in many incidents is the loss of physical media, including laptops, PDAs, hard drives and backup tapes. Since the data is often not encrypted (See item #3), the loss triggers breach notification requirements (See item #1).
There are a variety of controls that can be addressed in policy, from the most basic (tracking the delivery of sensitive equipment) to the more complex (laptop tracking software, RFID tags). As always, employees play a key role since they are often the ones transporting the sensitive information. An effective Mobile Device security policy must cover the controls around the logical and physical protection of mobile devices.
The number of incidents involved lost media and mobile devices are too numerous to talk about in detail. (Several web sites do maintain such a list, including the Open Security Foundation (OSF) Loss Database and the Privacy Rights Clearinghouse. According to the Open Security Foundation, stolen laptops account for the largest share of data breaches, at 22% of the total.
3. Encryption of Sensitive Data Backups
This policy is really a subset of a wider set of controls involving the monitoring and tracking of sensitive customer data throughout its lifecycle. However, this one deserves special attention due to some large incidents in 2008.
In February 2008, an unencrypted backup tape with 4.5 million customers of the Bank of New York Mellon went missing after it was sent to a storage facility. The missing tape contains social security numbers and bank account information on 4.5 million customers - including several hundred thousand depositors and investors of People's United Bank of Connecticut. Early in January, Iron Mountain reported that it could not find a backup tape that belonged to GE Money, containing information on over 650,000 J.C. Penney customers and 100 other retailers.
Encryption policies involve a variety of control areas, including identifying the data that must be encrypted, choosing and implementing encryption methods, and encryption key management. (ISPME has over 50 security policies addressing this topic.) Many organizations that process sensitive customer data are finding it more cost effective to simply encrypt all data, rather than identifying the subsets required. Despite the obvious need for encryption, according to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in use.
4. Malicious Software Prevention
Companies are increasingly falling prey to malicious software being installed and resident on their systems. Trojans and keystroke loggers were responsible for a number of high-profile breaches, including the Best Western Hotels, where thousands of user accounts were stolen and began appearing on Russian Mafia web sites within hours of the heist. In potentially one of the largest recent breaches, Heartland Data Systems has acknowledged a data security breach that may affect tens of millions of payment card accounts. Initial investigation revealed malicious software on their network.
In November, security vendor RSA said it found a single Trojan that had taken more than 500,000 online banking accounts credentials, credit cards and other resources. The reported indicated that the hacking gang behind the Trojan may have been operating for as long as three years. The compromised data came from hundreds of financial institutions around the world.
There are a number of related information security policies that can help address this common threat. These include standard security configurations for desktop and mobile devices, regular updates of virus and malicious software signatures, regular scanning of networked systems, and user education and awareness on software downloading and responding to phishing emails (see Item #5).
5. Employee Security - Screening, Education and Awareness
It is unlikely that there will be a year when employee education and awareness would not be a top information security priority. From rogue insiders going undetected to employees accidentally downloading spyware from a phishing attack, users are always at the front lines of many attacks. It has been said so many times that we can be numb from hearing it – educated users are essential to any security program. And yet, organizational priorities to not always follow this basic premise. A 2008 study by the Computer Security Institute showed that the average organization spends less than 1% of their budget on security awareness.
There are a number of security policies that can help integrate information security responsibilities into the workforce. Some examples include the requirements for annual security training, quarterly awareness activities, the formal documentation of information security responsibilities for various job roles, and validation of these in formal job reviews.
5.1 - The Insider Threat
This special area of employee-related security deserves special attention.
An alarming number of breaches now involve malicious employees or contractors. The breaches range from cases of espionage, to the simple pilfering of customer data for personal gain. According the ITRC report, insider theft - now at 15.7% of all breaches - has more than doubled between 2007 and 2008.
In one of the largest insider incidents of 2008, a former Countrywide Financial Corp. senior financial analyst was arrested and charged by the FBI for stealing and selling sensitive personal information of an estimated 2 million mortgage loan applicants. The data was taken over a two year period and sold to competitors. In March 2008, a former bank programmer at Compass Bank was charged after he had stolen a hard drive with 1 million customer records and used it to commit debit-card fraud.
A recent case involved a database administrator of a UK company, who was fined and sentenced to three months in jail after hacking into his former employer’s computer system. Later investigation revealed that the man had lied on his resume and also had prior criminal charges.
Written security policies can also help address the growing insider threat, and must focus on the entire lifecycle of employees and contractors. Examples include screening of employees in positions of trust, regular review of access rights, integration of security roles into job descriptions, monitoring of systems for unusually large transactions, and post-employment removal of logical and physical access rights.
Summary
So there are our top five categories. They are certainly not comprehensive, but they can give you a start on your priorities for 2009.
So what can we learn from this list? First, most data breaches involve a variety of factors, including both people and technology. So a variety of controls are required to help reduce the risk of these incidents. As we see from the analysis, most security policies are dependent on other policies to be completely effective. Privacy policies, encryption policies and backup policies must work together to prevent a breach involving stored sensitive data. User awareness and training policies must worth with malicious software detection and configuration control to help stop identity theft and the spread of botnets.
That is why Information Shield strives to provide the most comprehensive library of information security policies available. If your organization has gaps in any of these key areas, we encourage you to take a look at our security policy products. We look forward to serving you in 2009.
Effective Security Policy Management - Part 1
How mature is your information security policy program? Do you have a set of outdated documents stored in a binder or intranet site? Or do you have a documented management program that keeps your policies up to date, your users informed and your internal auditors sleeping at night?
This is the first article in the series: Seven Elements of an Effective Information Secrurity Policy Management Program. (Find more on this in our Security Policy Whitepapers) In this series we review seven key characteristics of an effective policy management program. These characteristics are culled from leading practices, security and privacy frameworks, and incidents involving information security policies. Organizations can use this quick checklist to evaluate the maturity of their existing management program.
Part 1: Written documents with version control
Even though it seems obvious, nearly every information security standard and framework specifically requires information security policies to be written. Since security policies define management’s expectations and stated objectives for protecting information, policies cannot be “implied” – but have to be documented. Having a “written policy document” is the first key control established within the international standard ISO/IEC 1-7799:2005, and is critical to performing both internal and external audits. But what are some characteristics that make for an effectively-written policy document?
Policy documents should be written in plain and simple language. Many information security and privacy policies are written in legalese that is difficult for end users to read and understand. Since user education and training is a key component of all information security frameworks, clear, user-oriented language is critical. If your information security policies are written by either the information technology (IT) or legal department, make sure you employ a technical writer or other editor who can help simplify the language of your documents.
Policy documents should also have a standard format so that they can be effectively managed and updated. The standard format not only enforces consistency among documents, it ensures that each document contains key elements that facilitate the overall management of the information security policies, such as the owner/author, title, scope and effective dates of the policy. Written documents should also have a policy version number. A policy version number clearly articulates which version of the policy is in force at the time of publication, and helps maintain a version history of each document. Maintaining a version history is not only good practice for preserving digital evidence in case of a lawsuit, it also demonstrates that the organization was performing due-diligence by updating its security policies on a regular basis.
In order to facilitate a clear document history that can be reviewed by auditors, some form of access-controlled document management system should be used. It can be as simple as folders on a network drive or a full-blown document management system. Complete systems usually provide a detailed audit trail of all changes and updates to documents.
This is the first article in the series: Seven Elements of an Effective Information Secrurity Policy Management Program. (Find more on this in our Security Policy Whitepapers) In this series we review seven key characteristics of an effective policy management program. These characteristics are culled from leading practices, security and privacy frameworks, and incidents involving information security policies. Organizations can use this quick checklist to evaluate the maturity of their existing management program.
Part 1: Written documents with version control
Even though it seems obvious, nearly every information security standard and framework specifically requires information security policies to be written. Since security policies define management’s expectations and stated objectives for protecting information, policies cannot be “implied” – but have to be documented. Having a “written policy document” is the first key control established within the international standard ISO/IEC 1-7799:2005, and is critical to performing both internal and external audits. But what are some characteristics that make for an effectively-written policy document?
Policy documents should be written in plain and simple language. Many information security and privacy policies are written in legalese that is difficult for end users to read and understand. Since user education and training is a key component of all information security frameworks, clear, user-oriented language is critical. If your information security policies are written by either the information technology (IT) or legal department, make sure you employ a technical writer or other editor who can help simplify the language of your documents.
Policy documents should also have a standard format so that they can be effectively managed and updated. The standard format not only enforces consistency among documents, it ensures that each document contains key elements that facilitate the overall management of the information security policies, such as the owner/author, title, scope and effective dates of the policy. Written documents should also have a policy version number. A policy version number clearly articulates which version of the policy is in force at the time of publication, and helps maintain a version history of each document. Maintaining a version history is not only good practice for preserving digital evidence in case of a lawsuit, it also demonstrates that the organization was performing due-diligence by updating its security policies on a regular basis.
In order to facilitate a clear document history that can be reviewed by auditors, some form of access-controlled document management system should be used. It can be as simple as folders on a network drive or a full-blown document management system. Complete systems usually provide a detailed audit trail of all changes and updates to documents.
Thursday, August 21, 2008
Information Security Policies and BITS Assessment
The events of 2007 and 2008 have led to an increased focus on governance, security and privacy within the financial services market. One increasingly common scenario is when a third-party service provider must have their security program validated by the financial institution that it serves.
Historically, these audits were based on the BITS framework and have been somewhat painful for both the service providers and the financial organizations due to a lack of standardization. While BITS provided an overall framework, the specific assessment methods and questionnaires varied widely between organizations and projects.
An initiative called the "The Financial Institution Shared Assessments Program " aims to bring some order and consistency to these audits. The program was created by BITS and member financial institutions to fix the cumbersome and expensive service provider assessment process. The shared assessments are managed and promoted by the BITS consortium and the Sante Fe Group.
Many organizations that are subject to these assessments discover weaknesses in written security policies. For example, one of the major BITS/Shared Assessment control areas is "Asset Classification and Control." Within the guidance for this section, one of the documents that may be requested for verification is a written Asset Control Policy.
For these organizations, Information Security Policies Made Easy and the PolicyShield Security Policy Subcription can help fill in the gaps with high-quality, pre-written security policies. Using Data Classification as an example, ISPME provides over 100 pre-written policy statements relating to the classification, labeling, and management of assets. It also includes a sample, pre-written "Data Classification Policy" that can easily be customized with a minimum of effort.
ISPME and PolicyShield provide pre-written policy-level controls for each section of the BITS/Shared Asssessment framework. Organizations can save hundreds of man-hours by customizing ISPME policies versus creating them from scratch. Since ISPME is organized around ISO 17799, there is an easy mapping between the BITS requirements and the security policies with ISPME.
Historically, these audits were based on the BITS framework and have been somewhat painful for both the service providers and the financial organizations due to a lack of standardization. While BITS provided an overall framework, the specific assessment methods and questionnaires varied widely between organizations and projects.
An initiative called the "The Financial Institution Shared Assessments Program " aims to bring some order and consistency to these audits. The program was created by BITS and member financial institutions to fix the cumbersome and expensive service provider assessment process. The shared assessments are managed and promoted by the BITS consortium and the Sante Fe Group.
Many organizations that are subject to these assessments discover weaknesses in written security policies. For example, one of the major BITS/Shared Assessment control areas is "Asset Classification and Control." Within the guidance for this section, one of the documents that may be requested for verification is a written Asset Control Policy.
For these organizations, Information Security Policies Made Easy and the PolicyShield Security Policy Subcription can help fill in the gaps with high-quality, pre-written security policies. Using Data Classification as an example, ISPME provides over 100 pre-written policy statements relating to the classification, labeling, and management of assets. It also includes a sample, pre-written "Data Classification Policy" that can easily be customized with a minimum of effort.
ISPME and PolicyShield provide pre-written policy-level controls for each section of the BITS/Shared Asssessment framework. Organizations can save hundreds of man-hours by customizing ISPME policies versus creating them from scratch. Since ISPME is organized around ISO 17799, there is an easy mapping between the BITS requirements and the security policies with ISPME.
Monday, October 29, 2007
Policy Sound-Off - Responding to Email Requests
Phishers are coming up with increasingly sophisticated ways to encourage corporate users to open emails. Two recent incidents using two different attack methods help illustrate the increased threat.
In the first, a large retail grocery chain narrowly escaped a $10 million loss when employees were instructed via email to begin depositing funds to a new bank account for two existing vendors. In this case of very narrow “spear phishing” the attackers clearly had specialized knowledge about the company operations that made the emails seem legitimate. They targeted specific individuals within one organization, making detection more difficult.
Another recent phishing attack involves fake email messages claiming to come from the Equal Employment Opportunity Comm (EEOC). In this attack, the fake emails claim to be notifying the company of an employee complaint made against the organization. This is one of the many examples of phishers playing on the desire of employees to comply with state and federal legislation. In these attacks, many organizations are targeted but with a more credible-sounding business message. In both the narrow and broad approaches, attacks are getting more sophisticated and often contain logos and content that is stolen directly from the organization being spoofed in the emails.
Does your organization have a formal policy on how your employees and contractors should respond to external requests for sensitive information? Are employees educated on the various types of phishing attacks, including where and how to report a suspected attack?
(Note: For organizations that wish to include phishing attacks in their formal training and awareness programs, the January 2008 issue of Protecting Information will cover social engineering in more detail.)
In the first, a large retail grocery chain narrowly escaped a $10 million loss when employees were instructed via email to begin depositing funds to a new bank account for two existing vendors. In this case of very narrow “spear phishing” the attackers clearly had specialized knowledge about the company operations that made the emails seem legitimate. They targeted specific individuals within one organization, making detection more difficult.
Another recent phishing attack involves fake email messages claiming to come from the Equal Employment Opportunity Comm (EEOC). In this attack, the fake emails claim to be notifying the company of an employee complaint made against the organization. This is one of the many examples of phishers playing on the desire of employees to comply with state and federal legislation. In these attacks, many organizations are targeted but with a more credible-sounding business message. In both the narrow and broad approaches, attacks are getting more sophisticated and often contain logos and content that is stolen directly from the organization being spoofed in the emails.
Does your organization have a formal policy on how your employees and contractors should respond to external requests for sensitive information? Are employees educated on the various types of phishing attacks, including where and how to report a suspected attack?
(Note: For organizations that wish to include phishing attacks in their formal training and awareness programs, the January 2008 issue of Protecting Information will cover social engineering in more detail.)
Wednesday, September 26, 2007
Security Policy on Social Networking Sites
Social Networking sites present some unique challenges for organizations that must attract and keep young workers. Is the use of social networking sites at work a necessary perk or an unacceptable risk to corporate information? Some argue that organizations must allow access to social networking and other Web 2.0 sites to help attract a more "fickly" twenty-something workforce that are used to life online. Others say that the risks are simply too great, both in terms of wasted time and potential for infected computers.
The Fall 2007 issue of the security awareness newsletter Protecting Information covers the most common risks of social networking sites. In the issue Rebecca Herold describes several incidents where employees were terminated based on content posted on their personal pages on various social networking sites. Clearly this issue is going to grow as fast as the number of people that use social networking sites - now estimated at over 200 million.
Does your organization block social networking sites? Is social networking addressed within your information security policies? What are some of the concerns that you feel should be addressed in policy?
The Fall 2007 issue of the security awareness newsletter Protecting Information covers the most common risks of social networking sites. In the issue Rebecca Herold describes several incidents where employees were terminated based on content posted on their personal pages on various social networking sites. Clearly this issue is going to grow as fast as the number of people that use social networking sites - now estimated at over 200 million.
Does your organization block social networking sites? Is social networking addressed within your information security policies? What are some of the concerns that you feel should be addressed in policy?
Subscribe to:
Posts (Atom)