Learn More

Categories

Recent Posts

Archives

Recommended Resources

Miscellaneous

Business Blogs - Blog Rankings

Information Security Strategies

Healthcare Industry Group Publishes Certifiable Security Framework

Progress continues to occur in industry regarding the establishment of common information controls standard.

Hitrust  The Health Information Trust Alliance (HITRUST) recently announced that its Common Security Framework (CSF) is now available and free, and is located at HITRUST Alliance.  HITRUST also offers a premium subscription that includes additional services and content.  The CSF is a standard IT security control framework developed specifically for health care information. The HITRUST CSF leverages recognized industry standards, including HIPAA, NIST, ISO, PCI, FTC and CoBIT.  It is scaleable and risk-based.

HITRUST believes that the capability to provide secure access, storage, and exchange of personal health information is fundamental to enabling the effective use and exchange personal health in the Healthcare industry.  This security framework is also a good an example of the type of strategies that organizations need to embrace effectively address emerging regulatory requirements and guidance in the The American Recovery and Reinvestment Act of 2009 and HITECH Act.

While this is certainly great news, you should also know that there are other security frameworks.  A cross-industry IT group recently developed the IT Unified Compliance Framework and NIST (National Institute of Standards) also recently released SP 800-53, Security Controls for Federal Information Systems & Organizations.

The important take away is that solid progress is clearly being made across industry to establish common information control standards.  This will help all of us involved in compliance, risk, and security related roles, but especially those in organizations that make use of sensitive information that is governed by different sets of laws and regulations.

Mark Brooks

Posted at 03:11 PM in Compliance and Ethics, Information Security Strategies | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , , , , , , , , , , , ,

Take the "T" out of Information Security!

Don Hoffman hits the nail on the head.  

T

 "Can someone help me understand why Information Security [IS] is in some verticals called IT Security?  Where in the hell did the T come from?  I am trying to figure this out.  Seriously, when did we start putting a T in Information Security?"

Donald's Information Security, Aug 2009

The reality is that most Information Security leaders have and were promoted up through the ranks on their technical savvy.  Human nature being what it is, we tend to gravitate back to what we are comfortable with especially during times of change and stress.  And when isn't the Information Security domain experiencing change and stress ? NEVER.  Actually that is what keeps many of us the game because it's makes our business exciting!

Mark Brooks

Posted at 03:26 PM in Information Security Strategies | | Comments (2) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , , , , , , , , , , , , , , ,

FTC PHR Breach Rule Sites Cloud Computing Requirements

Yes...that's correct "Cloud Computing" cited.  Read on.

Cloud2  The FTC issued its final rule on Health Breach Notifications on August 17th, after soliciting comments over the past several months.  The rule applies to all "Vendors of Personal Health Records" as defined in the ruling.

Definition: "Vendor of Personal Health records” is “an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a personal health record (PHR).” 

In addition, the ruling addresses some of the realities of today's market and the use of third party service providers, as well as entities that leverage the use of web based technologies to offer products and services to manage/process PHR.  In reading through the 88 page ruling (AAGH!), I found it interesting that there was a specific reference to the use of cloud computing.  The ruling addresses the breach notification requirements for cloud computing providers in the context of "third party service providers".

Listed below is the section of the ruling that references cloud computing.  The "one commenter" is a reference to an entity that made comments to the ruling during the solicitation of public comments.

"From Proposed section 318.3:  Breach notification requirement" paragraph...

First, one commenter noted that a third party service provider may be unaware that it is dealing with a vendor of personal health records.  For example, a cloud computing service provider may offer computing power and storage without knowing whether customers use them to offer PHRs.   The Commission agrees with this comment and, accordingly, adds the following sentence to paragraph 318.3(b):  “For purposes of ensuring implementation of this requirement, vendors of personal health records and PHR related entities shall notify third party service providers of their status as vendors of personal health records or PHR related entities subject to this Part.”

Second, one commenter noted that some third party service providers may have multiple vendors of personal health records as clients. [M. Brooks: Sounds just like cloud computing service provider!]  If the third party service provider experiences a breach, it should not be required to identify every individual whose information was breached to each of its clients, regardless of whether the individual is a customer of the client.  This could result in the third party service providers’ sharing customer lists with competing vendors of PHRs, and could undermine the privacy of such customers.  The Commission agrees.  Thus, instead of requiring the third party service provider to identify each “individual” whose information was breached, the Commission’s final rule requires the service provider to identify each “customer of the vendor of personal health records or PHR related entity” whose information was breached.  

 85  Cloud computing is the provision of Internet-based computer services.  Cloud computing provides businesses and consumers with access to software, data storage, and infrastructure services that are hosted remotely. 


Here is the FTC press release, FTC Health Breach Notification Rule News.  Also, you can find the complete FTC ruling here 16. C.F.R. Part 318: Notice of Proposed Rulemaking and Request for Public Comments Concerning Proposed Health Breach Notification Rule, Pursuant to the American Recovery and Reinvestment Act of 2009

Suffice it to say, companies or vendors that are evaluating or making use of cloud computing for data that includes PHRs, will now be required to notify their cloud computing service providers.  Hopefully this isn't new news for vendors of PHRs! 

Second, it is clear that the FTC understands enough how companies are leveraging cloud computing providers and industry may see enforcement action in the cloud computing domain.  The Rule will take effect 30 days after publication in the Federal Register and the FTC said it would begin enforcement 180 days after publication.

Posted at 08:30 AM in Compliance and Ethics, Data Breach, Information Security Strategies | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , , , , , ,

IT Risks vs. Information Risks

As an Information Security professional I think it is increasingly important to understand the difference between IT Risk and Information Risks.  You should also understand the advantages in enabling business strategies by ensuring that you brand each one of these risks accordingly.  

Here are my high level definitions:

IT Risks - The probability that a vulnerability of an information technology solution or asset will be exploited and the likely damage from the exploitation.

Information Risks - The probability that information/data can be exploited and the likely damage from the exploitation.

Risk-icon While these may seem similar to the layman, they should clearly be viewed & positioned differently by the Information Security professional. Here's why:  IT Risks should have a focus on technology, while Information Risks should not.  By clearly positioning the two as different, it is easier to delineate responsibilities when partnering with the business on managing risks.  Knowing who owns what always increases your chances of being successful.  IT risks given their technology orientation, will rightfully so land more on the plate of IT professionals plate to manage vs. the business.  Information Risks should accordingly land more so on the business side.  When I say "land" from a responsibility standpoint, I mean from a custodianship standpoint, not who is ultimately (final review /approval) accountable.  The business is always ultimately accountable for managing risks.

By leveraging these two definitions, not only are you able to better delineate responsibility, it ensures that vulnerabilities in non-technology related areas are more effectively addressed through the lens of "Information Risk".  For example, if one solely focuses on IT Risks related to privacy breach you can too often over look the many vulnerabilities related to privacy risk on things like supervisors approving inappropriate access to personal information or poor physical security to offices containing personal information.

You may encounter different terminology for the above two risks.  Don't get hung up in terminology.  You can call these two things anything you want.  Some call IT Risks -(Technology Risks), some call Information Risks - (Data Risks), some even call Information Risks - (IT Risks).  Just know that one of these deals with the risk associated with technology being exploited, which of course can have an impact on information, but also on a lot of other things.  The other is focused solely on the information and data, and should not be solely tied to technology factors.

Posted at 09:38 PM in Information Security Strategies | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

HITECH Act Compliance

Recently, Brian Wolfe who heads the Security and Compliance practice at Laurus Technologies, commented in this article about the need for the health care sector to ready themselves for electronic health records (EHRs).  In fact, some of the changes and dictates to move to EHRs are found in the recently approved HITECH Act.

ImagesI agree with Mr. Wolfe that ISO 27001:2005 provides a great foundation for organizations to ready themselves for the necessary changes and controls to process EHRs.  I think IT Security professionals should appreciate that their business partners would be apprehensive in leveraging standards like those from ISO.  I think some of the apprehension is in part driven by how Information Security professionals position the use of "industry standards" and the stereotypes that are easily developed given the use of the word "standards".  It is important to remember that standards like ISO 27001:2005 are voluntary.  In fact, ISO states at their website that "ISO standards are voluntary."

I believe you are more likely to be succesful in implementing industry standards and ultimately enabling business strategies by applying standards from the perspective that they are truly VOLUNTARY.  There are many IT Security professionals that will say, "I know standards are voluntary", but many don't operate that way.  Too often I have ended up in long debates about whether to implement certain standards because IT Security professionals end up engaging and behaving in the debate like industry standards are non-negotiable.  I have to admit, I have sometimes fallen into that trap myself...

The ISO 27001 ISMS specification as well as ISO 27002 the Code of Practice Information Security, provide great guidance to companies for establishing the systems and controls for securing information and enabling compliance.  Companies should leverage the use of ISO 27001:2005 for HITECH Act compliance, but should also view them as best practice guidance vs being mandatory.  Viewing these standards as best practice guidance also supports a risk based approach to securing information.

Mark Brooks

Posted at 09:03 PM in Compliance and Ethics, Information Security Strategies | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , , , , , , , , , , , , , , ,

Intellectual Property Theft - Goldman Sachs

I've had many discussions with senior management regarding the need to protect the "Crown Jewels" of a company.  This article, Ex-Goldman Programmer Out on Bailillustrates a great example of one company's "Crown Jewels" being exposed.


In this case, it would seem on the surface to be a fairly straight forward call, that this particular programming code would be highly sensitive and need the greatest protections available.  However, in most cases, it's not so easy.  Often, one difficulty encountered when identifying sensitive data results from the fact that sensitive data can be the result of combining more than one 'non-sensitive' data source.


A basic example would be these two pieces of non-sensitive data: 

1)  DOB: 01/02/1988

2)  NAME: Jane Doe.


These non-sensitive fields only become sensitive when they are linked together.  Another might be that the information in question is sensitive only for a period of time, but then becomes non-sensitive.  A simple of example of this would be information related to a yet to be announced merger.


The Goldman example also highlights the benefits and importance of companies having an Information Risk Framework to help drive the identification of sensitive information and ensure adequate controls are in place for what is identified as sensitive.


Later on, I will share what the difference is between Information Risk and IT Risk.  They are often confused.

Posted at 07:19 PM in Information Security Strategies, Intellectual Property | | Comments (2) | TrackBack (0)

Technorati Tags: , , , , , , , ,

Cloud Computing Security

This is a great article that I believe effectively summarizes the state of maturity of Cloud Computing security from Dark Reading.  I agree with the author on his assessment.  

Given the state of maturity of Cloud Computing, there are only two ways to adequately manage risks.  These will certainly change over time, but below are the best ways for managing risk today:

  • Articulating service level requirements at a granular level with quantifiable metrics.
  • Ensuring that as an IT Security professional you get a real personal level understanding and awareness of the architecture and security controls in place.

I would also add that with the Cloud, you can't assume "standard" Service Level Agreements (SLAS) are going to suffice.  SLAs will in all likelihood need to be revised or enhanced beyond the standard SLAs for most vendors.


You can learn more about Cloud Computing Security at this blog, Cloud Security, dedicated to the topic.


Posted at 10:22 PM in Information Security Strategies | | Comments (2) | TrackBack (0)

Technorati Tags: , , , ,

Intellectual Property Theft Alleged in China


This article from the Wall Street Journal highlights the dangers companies face regarding intellectual property theft.

Editor's Note: A California company alleged that an Internet-filtering program being pushed by the Chinese government contains stolen portions of the company's software...

Mr. Milburn said Solid Oak received an anonymous email Friday stating that Green Dam may contain parts of his company's code. He said engineers at the 15-person software maker, which is based in Santa Barbara, Calif., spent the morning comparing the two programs. Similarities they found include a list of CyberSitter serial numbers and an update that makes the software compatible with an old version of CyberSitter, he said.

"I am 99.99% certain that, if not the entire program, at least a good proportion of it is stolen CyberSitter code," says Mr. Milburn.


I think that this particular illustrates how important safeguarding intellectual property is as companies shift work to the country of China.  While each company needs to weigh the overall cost benefit of outsourcing to China and other countries, companies need to fully understand that the laws in China simply do not provide the same protections provided by US Law.  

Editor's Note: Some lawyers said that because the software will only be sold in China, Solid Oak faces an uphill legal battle, even if it targets U.S. companies.

"It's not a violation of U.S. copyright law if the computers are only sold in China", said Jonathan Zittrain, a professor at Harvard University Law School. "The question would have to be resolved in a Chinese court under Chinese law."


Read this as "tough luck"!  So in addition to the greater number of threats in China, companies must also know that their legal options for recourse are limited if their threats are exploited while doing business in China.

Posted at 09:34 AM in Information Security Strategies, Intellectual Property | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Preventing a Data Breach

I read this great article that I believe illustrates what is typical in Fortune 500 companies with respect to data leaks.

Editor's note: Security consultancy Networks Unlimited allowed freelance reporter Sandra Gittlen to tag along as it conducted a data leak audit at a Boston pharmaceutical firm, then presented its findings to company execs. In exchange for this type of access, we agreed not to identify the pharma firm.

When the director of IT at a Boston-based, mid-size pharmaceutical firm was first approached to participate in a data leakage audit, he was thrilled. He figured the audit would uncover a few weak spots in the company's data leak defenses and he would then be able to leverage the audit results into funding for additional security resources.


While there are certainly marketing benefits of publishing such findings for the vendors, I found this article to be very good and relevant for large companies.  

The incident numbers stated may be high simply due to false positives, as the IT management team noted in the article.  In addition, since the business management did not weigh in on the criteria of the audit, it is less likely that they were able to identify leaks that require more contextual findings and analysis -- which in many cases can be the most devastating type of data leak.  Examples would be executives or key technical staff that depart companies with 1000’s of files and documents regarding strategic plans, merger and acquisition data, confidential projects, litigation strategies, or impending negative decisions on products, etc.

With that said, I believe the types of findings in this article are realistic even for companies that have extremely sound technical security controls.  Without proactive, ongoing monitoring and the sponsorship of the senior business management data, breaches of this scale are more likely the norm than the exception.

I'm confident that if a similarly designed and executed audit were done, say at the top 100 Fortune 500 companies, the audits results would be very similar in scale and nature for many of the companies.

If you are a senior business executive, I think this article illustrates that your IT group cannot do it alone.  This company certainly was counting on IT.  If you are a senior IT leader, know your IT security team can’t make it happen alone.  If you are an Information Risk Executive, I think this story is a great example to leverage in making your case for the need to understand and monitor data leak risks.

Mark Brooks

Posted at 11:02 PM in Data Breach, Information Security Strategies | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , ,

Achieving Cost Savings Through Information Security Strategies

Is it really possible to achieve cost savings through the proper deployment of a security strategy?  I think so.

Due to the shear volume of business priorities and the pace of business today, businesses routinely pass up or fail to recognize opportunities to realize cost savings or efficiencies through the effective implementation of information security strategies.  Failing to recognize these types of opportunities can result in delays or stoppages of information security investments in this economic downturn.

Here are two simple and practical opportunities for cost-savings:

1.  Over-securing information that is not sensitive

I have personal experience in this space with Sharepoint.  Sharepoint allows individuals with administrative-level privileges to establish the security and access controls for a Sharepoint collaboration space.  Unfortunately, many companies without comprehensive information security strategies fail to effectively address access controls in Sharepoint implementations.  As a result, collaboration owners can easily end up unnecessarily securing their collaboration sites.   Over securing happens because the users simply were not trained on how to effectively design access controls in their collaboration space or they resort to ‘old school’ LAN folder access of granting access to their department.  As a result, money is wasted in maintaining these unnecessary controls.

2.  Inappropriate Role-Based Security

Implementing role-based security down to such a fine level that a department of 30 people ends up having 15 or so different roles can result in unnecessary administrative overhead.  This might have worked in the past when the pace of business and technology changes were slower, but in today’s fast-paced work environments maintaining this proportion of roles to the size of a department is generally unsustainable.  In many cases, if a department reexamines their access controls, they could reduce the number of roles to just a few without substantially increasing their risk.  Again, money wasted via maintaining unnecessary controls.

The above problem areas manifest themselves in organizations that lack comprehensive information security strategies.  A good comprehensive information security strategy would:

  • Ensure all major implementations incorporate any necessary security aspects and training.
  • Help drive and influence the implementation of information classification that would help define different levels of control based upon sensitivity of company information.  Once information classification is institutionalized into procedures and employees trained on the classifications, operational controls such as setting access controls in a collaboration could be aligned with the sensitivity of information.


While effective information security is so much more and can have the benefit of increased protection and reduced risk, these straightforward examples demonstrate that a comprehensive information security strategy can enable cost savings.  Given the current downturn in the economy, this is an especially good time to leverage examples like this to assist in gaining sponsorship and support for a comprehensive information security.

Mark Brooks

Posted at 09:27 PM in Information Security Strategies | | Comments (0) | TrackBack (0)

Technorati Tags: , ,

Connect w/Mark

Blogroll

Reading or Recently Read