Information Security 101: an Introduction to Being Compliant and Protecting Your Assets

E-mail, Internet access, and collaborative tools (whether a phone system’s conferencing capabilities, or document-sharing applications) are “must-haves” for most businesses today.

But by now many managers know that you shouldn’t stop at just implementing these tools and then going ahead, footloose and fancy-free, with using them. As with any other asset, you need to protect not just the technology that enables these tools and applications, but also the information that these tools allow users to share.

To ensure the confidentiality of private information—and help ensure compliance with regulations and internal policies—information security software is now also a “must have.”

A recent survey by Milford, Massachusetts (US)-based Enterprise Strategy Group revealed that the majority of organizations (59 percent of those that responded) do not even have a formal policy in place to define the sharing of data, particularly intellectual property.

What does this mean? Many companies “are flying by the seat of their pants and hoping not to get burned,” when it comes to data breaches, says Jon Oltsik, senior analyst with ESG.

But those who do get a little too close to the fire may find that not only the seats of their pants get scorched, but that they come close to losing the shirts off their backs too, as costly compliance violations add up. And never mind the costs that result from trying to stay on top of compliance by continually checking internal controls. And never mind the possibility of serving time in the slammer if the compliance violation is severe enough.

And, oh, never mind the damage that can be done to the reputation of your company in the face of public disclosure of your compliance violations.

It follows, then, that one of the first steps in boosting your security measures is to create a security and compliance policy. This internal policy should be a working document that clearly states your company’s security and data classification policies (including, depending on your industry or business activities, a working definition of what counts as intellectual property).

Once that’s done, make sure all employees know about those policies. One of the final steps in covering your assets against a data breach (think of it as flame retardant for the seat of your pants) is to install an up-to-date information security system that helps you enforce those policies and maximize data protection.

In order to choose the right information security system, you’ll need to identify the ways users may currently be letting sensitive information out beyond the confines of your organization. With e-mail, Internet access, and other collaborative tools, the ways data can be leaked, manipulated, or lost are numerous.

And as for compliance—many organizations are still struggling to get their heads around the cumbersome (and potentially costly) US Sarbanes-Oxley Act (SOX) of 2002.

Which Companies Need to Be Particularly Concerned with Data Security?

· Companies in any manufacturing industry that need to ensure the confidentiality or secrecy of recipes or processes

· Companies in any industry known for innovation or thought leadership

· Enterprises in any industry needing to maintain records for auditing in accordance with SOX

· Hospitals and other health care facilities dealing with thousands of pieces of confidential patient data on a daily basis.

· Companies at the end of the supply chain, involved in accepting credit card payment by phone or Internet

How Can Information Security Specifically Address Your Data Confidentiality and Compliance Needs?

· Create levels of authorized access to sensitive data, and restrict that access with individual (non-shared) credentials

· Establish secure communication channels between terminals or remote offices, for example for electronic data interchange (EDI) traffic, using virtual private networks (VPNs)

· Mitigate the risk of both internal and external data breach with firewalls and data encryption methods

· Automatically analyze potential new threats to the system, and send alerts to the appropriate administrators

· Aid in compliance with SOX, and other regulations, such as the requirements created by the Payment Card Industry (PCI) Security Standards Council, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), or in Japan, the Financial Instruments and Exchange Law (J-SOX) and the Protection of Personal Information Law

· Capture, monitor, and keep financial file logs (from financial reporting systems) for at least one year, for SOX audits

Information Security Slip Ups—or Why Chains around Your Computer Hardware Won’t Keep Your Data Safe

  • When hackers access the credit card numbers (or other confidential personal information) of your customers, it can cost you from $90 to $305 USD for each breached record. For US-based retail chain TJX, which let nearly 100 million credit card numbers get into the virtual sticky fingers of hackers, the damage has been dear indeed. (This may happen more often than you realize… bought jeans or a watch over the Internet lately? Lingerie? Books? How about a CD or DVD? In addition to the company cited above, the same or a similar issue has plagued Guess, Victoria’s Secret, Barnes & Noble, Tower Records, Eli Lilly, and even—gasp!—Microsoft, to name but a few. )

  • Never underestimate the wrath of an employee spurned… a woman employed as an administrative assistant recently deleted $2.5 million (USD) (and seven years’) worth of architectural drawings to seek revenge (or would that be pre-venge?) on her employer, who she believed was planning to fire her. The woman used her own account credentials to access the files, which took her about four hours to delete. The files have since been restored. But clearly, this firm could have benefited from an information security package that would have ensured the administrative assistant did not have authorization to access (let alone delete) the files in question, and from the tested backups that, in the end, were what limited the damage.

  • The spouse of an employee at Pfizer installed unauthorized peer-to-peer (P2P) file-sharing software on a company laptop, which led to a flood of exposed employee data. In an attempt to make amends, the company felt obliged to offer the more than 17,000 affected employees a year’s free credit monitoring, at a reported cost of $25,000 (USD). Again, had the company been aware of the risks of mobile devices such as laptops, and of the need for not just passwords but controls that prevent the installation of unauthorized programs or applications, this breach could have been prevented. Pfizer is probably thanking its lucky stars the damage wasn’t more costly, and that customer information was not part of the breach.

What an Information Security System Can Do to Tackle These Risks:

  • Strengthen encryption methods, so that even remotely hosted private or confidential data cannot be (so easily) cracked

  • Make sure that your information security solution can protect you against SQL injection attacks, and that the vendor agrees to provide upgrades that will help protect you against new viruses, trojans, and other malware.

  • Change or disable vendor-supplied default passwords (a PCI DSS requirement), to minimize the possibility of password breaches

  • With forensic capabilities (event logging, retention, and analysis), information security solutions can support incident response and analyze events in order to better anticipate potential future security breaches
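The SQL injection item above is easier to evaluate once you have seen what the attack actually does. The following is an added example, not code from the original article or any vendor product: it uses Python's built-in sqlite3 module with a constructed in-memory table of customer records (table name, column names, and the sample rows are all assumptions) to show a lookup built by string concatenation beside the same lookup as a parameterized query, and what a classic tautology input does to each.

```python
"""SQL injection: a vulnerable lookup beside its parameterized fix.

Added example (not from the original article). Uses Python's built-in
sqlite3 module; the customers table and its rows are constructed for
illustration only.
"""
import sqlite3

# Constructed sample data (not real customers or card numbers).
SAMPLE_CUSTOMERS = [
    (1, "alice", "4111-1111-1111-1111"),
    (2, "bob", "5500-0000-0000-0004"),
    (3, "carol", "3400-0000-0000-009"),
]


def make_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by concatenation, so attacker-controlled
    input becomes part of the SQL text itself."""
    sql = "SELECT username, card FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the driver sends the value separately from the
    SQL text, so the input can never change the statement's structure."""
    sql = "SELECT username, card FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Return the row count each version yields for a normal and an
    injected input. The injected string turns the vulnerable WHERE
    clause into  username = 'x' OR '1'='1', which matches every row."""
    conn = make_db()
    normal = "alice"
    injected = "x' OR '1'='1"  # classic tautology injection
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_injected": len(lookup_vulnerable(conn, injected)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_injected": len(lookup_safe(conn, injected)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

Running it shows the vulnerable lookup returning one row for `alice` but every card in the table for the injected input, while the parameterized version returns one row and zero rows respectively. When a vendor says its product "protects against SQL attacks", the question to ask is whether it is filtering input on the way in (which this example shows is a losing game) or whether the applications it fronts are written with parameterized queries in the first place.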

Want More Information about How to Find the Best Information Security Software for Your Needs?

Any comments, questions, or advice about information security? Let everybody know below.