In today’s corporate digital world, where paranoia over data security abounds, at least one business believes in the value of getting inside a person’s head—and it may be onto something.

First Financial Credit Union, serving 70,000 members in California, falls under data-security regulations mandated by the Gramm-Leach-Bliley Act. Also known as the Financial Services Modernization Act, the law regulates the sharing of personal information about individuals who obtain financial products or services from financial institutions.

To that end, the credit union does the usual chores of locking data centers, monitoring controls, and constantly auditing IT security.

And then there’s the personality test.

All job applicants at First Financial, and even current employees, must take a 100-question test to determine who is trustworthy enough to have access to customer records. “We don’t have one layer of security; we have multiple layers of security,” explains Joseph Kim, the credit union’s vice president of information technology. “Everybody concurs that having multiple layers is the best thing in case a single layer fails.”

Few corporate missteps these days are as painful as a failure to protect data. The Sarbanes-Oxley Act requires that financial data be free from tampering, and laws specific to the healthcare and finance industries obligate those businesses to keep customer data safe from information thieves. And thanks to disclosure laws enacted in several states—like California's SB 1386, which requires companies conducting business in California to disclose any breach of security—pity the firm that loses consumer data and finds itself in the crosshairs of the media.


“With everything being upfront now and things in the news, we want to make sure we were doing the best we could possibly do,” says Jerome Quiroga, IT director of Credit Protection Association, a collections agency in Dallas that compiles data on millions of people.

Given the overlapping and converging regulations, the 'best' for most companies is now a coordinated approach to achieving IT security goals. Five years ago, executives addressed regulations as they emerged one by one—say, healthcare executives worrying about HIPAA alone—without considering how a broad IT security policy might also protect financial data.


No longer, says Robert Eggebrecht, a senior partner at Colorado-based systems integrator BEW Global. With the advent of Sarbanes-Oxley and state laws mandating disclosure of data theft, says Eggebrecht, executives “are now looking at regulations that overlap and would provide them one point of reference, and then they can do stopgap measures.”

Two IT security standards are emerging as benchmarks for data protection. One is the Payment Card Industry (PCI) data security standard, created by Visa USA and mandatory for any merchant that wants to accept payment by credit card. The other is ISO 17799, a set of best practices for IT security that details controls for system access, business continuity, system development and more.

Eggebrecht particularly welcomes ISO 17799 as a comprehensive set of standards that should satisfy Sarbanes-Oxley and many other regulations. Its required controls for system monitoring, for example, include audit logs and system-administrator logs, as well as protection of both against tampering and unauthorized access (see the FRAMEWORKS box below).

FRAMEWORKS

PCI Data Security

Payment Card Industry Data Security Requirements apply to all Visa members, merchants, and service providers that store, process or transmit cardholder data:

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications

Implement Strong Access Controls
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

ISO 17799

ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:

  Security policy;
  Organization of information security;
  Asset management;
  Human resources security;
  Physical and environmental security;
  Communications and operations management;
  Access control;
  Information systems acquisition, development and maintenance;
  Information security incident management;
  Business continuity management;
  Compliance.

The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.

Such logs are precisely what auditors would inspect under Federal Trade Commission or Gramm-Leach-Bliley regulations, he says, “and obviously monitoring is a large part of Sarbanes … Not only do you need a cohesive methodology and controls in place from an IT standpoint; they’re talking about best practices, social engineering, management responsiveness and document control at the physical layer.”
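The "protection of log information" control that Eggebrecht points to is easier to reason about with a concrete mechanism in front of you. The following is an added example, not code from the article, from BEW Global or from the ISO standard: an HMAC-chained audit log in which each entry authenticates its own content together with the tag of the entry before it, so an administrator who edits, deletes or reorders a record after the fact breaks the chain. The key, the record fields and the sample administrator actions are all assumed for illustration.

```python
import copy
import hashlib
import hmac
import json

# Assumed: in production this key lives where the administrators being audited
# cannot read or write it (a separate log host or an HSM). A fixed value is used
# here only so the example is reproducible; generate a real one with os.urandom(32).
LOG_KEY = bytes.fromhex("9f" * 32)
GENESIS_TAG = "0" * 64  # chain start; the first entry links to this constant


def _canonical(record):
    """Serialize a record deterministically so verification sees the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(prev_tag, record, key):
    """HMAC-SHA256 over the previous entry's tag and this record's canonical bytes."""
    msg = prev_tag.encode() + b"\n" + _canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append(log, record, key=LOG_KEY):
    """Append a record, binding it to whatever entry currently closes the log."""
    prev = log[-1]["tag"] if log else GENESIS_TAG
    entry = {"record": record, "prev": prev, "tag": _tag(prev, record, key)}
    log.append(entry)
    return entry


def verify(log, key=LOG_KEY, expected_head=None):
    """Walk the chain from the genesis tag.

    Returns (True, None) if every entry links to its predecessor and carries a
    valid tag, otherwise (False, index) for the first entry that fails. A chain
    alone cannot notice that the newest entries were cut off; if the caller
    keeps the head tag somewhere the log writer cannot touch and passes it as
    expected_head, truncation is reported as a failure at index len(log).
    """
    prev = GENESIS_TAG
    for i, entry in enumerate(log):
        if entry.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(entry.get("tag", ""), _tag(prev, entry["record"], key)):
            return False, i
        prev = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(log)
    return True, None


def head(log):
    """Tag of the newest entry; copy it off-box (syslog relay, WORM media) after each batch."""
    return log[-1]["tag"] if log else GENESIS_TAG


# Constructed sample: three administrator actions as an auditor might review them.
SAMPLE_RECORDS = [
    {"ts": "2005-06-01T09:12:04Z", "user": "jkim", "action": "login", "host": "core-db1"},
    {"ts": "2005-06-01T09:13:30Z", "user": "jkim", "action": "grant", "host": "core-db1",
     "detail": "SELECT on members to svc_report"},
    {"ts": "2005-06-01T09:20:11Z", "user": "jkim", "action": "logout", "host": "core-db1"},
]


def build_sample_log():
    log = []
    for rec in SAMPLE_RECORDS:
        append(log, copy.deepcopy(rec))
    return log


def demo():
    """Show which kinds of after-the-fact editing the chain catches."""
    log = build_sample_log()
    saved_head = head(log)  # what an off-box copy of the head tag would hold
    intact = verify(log, expected_head=saved_head)

    edited = build_sample_log()
    edited[1]["record"]["detail"] = "SELECT on members to jkim_home"  # rewrite history
    edit_result = verify(edited)  # entry 1's tag no longer matches

    deleted = build_sample_log()
    del deleted[1]  # drop the grant; the old entry 2 still points at entry 1's tag
    delete_result = verify(deleted)

    truncated = build_sample_log()[:2]  # newest entry removed
    chain_only = verify(truncated)  # internally consistent, so the chain passes
    with_anchor = verify(truncated, expected_head=saved_head)  # the saved head catches it
    return intact, edit_result, delete_result, chain_only, with_anchor


if __name__ == "__main__":
    labels = ["intact", "edited", "deleted", "truncated/chain", "truncated/anchor"]
    for label, result in zip(labels, demo()):
        print(f"{label:18s} {result}")
```

The design point worth taking away is the last case: a hash chain proves that nothing inside the log was changed, but it says nothing about entries removed from the end, which is exactly what an administrator covering their tracks would do. Shipping the head tag to a system the log writer cannot modify is what turns the chain into a tamper-evident record.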

Meanwhile, the PCI standard spells out compliance for items such as firewall configurations, data disposal policies, encryption and anti-virus software updates. For any company dealing with consumers, especially those purchasing with Visa cards, PCI compliance is considered indispensable. The Credit Protection Association, for example, worked with Eggebrecht for a year to achieve PCI compliance so it could collect debts via credit card. And while PCI’s standards are exacting, they clear the path to other compliance milestones such as an SAS 70 Type II audit.

APlus.Net, for example, a Web hosting company in San Diego, expects to be PCI-compliant by this fall. Until now, APlus has pursued small retailers as customers rather than larger enterprises that might ask about an SAS 70 audit or HIPAA compliance, says John Martis, vice president of operations.

“Now that we’ve gone through all the PCI hoops, we’ll probably look deeper into those things,” Martis says. Some customers are already asking about APlus’ ability to achieve SAS standards, and PCI compliance “definitely makes a jump to SAS a lot easier.”

Coordinated Frameworks

James Koenig, co-leader of the privacy practice at PricewaterhouseCoopers, advises a data-security framework that starts by examining the business processes that use personal data; in some cases substitute data will suffice, or the process can be eliminated altogether. Koenig recalls one retail client that spent $500,000 annually to duplicate register tapes, when register failures were so rare they cost the company only $10,000.

He also urges compliance directors to consider the federal sentencing guidelines’ recommendations on training programs, governance and monitoring—all of which can be just as vital to IT security as the technology controls specified in HIPAA, Gramm-Leach-Bliley and other laws.

“Lots of companies are very deep and technical in their protection of personal information, but because they don’t have a complete and effective compliance framework for operationalizing these, they create vulnerability,” Koenig says. “You have all these things in place, but the staff isn’t trained.”

Indeed, at First Financial, Kim views the ever-evolving challenge from hackers and data thieves as a relatively minor threat to data security. Much more worrisome, he says, are accidental threats like the employee who takes a laptop home and his child exposes the machine to a virus or Trojan horse.

Enter the coordinated IT security framework. First Financial automatically updates all workstations’ virus definitions monthly; whenever a workstation temporarily exits and then rejoins the network—that is, when dad returns to work the next morning—the network re-confirms that anti-virus software is current and scans the device to find any nasty surprises, regardless of whether friend or foe brings them into contact with company data.

“It’s all automated, so even if there is a laptop out there trying to infect other machines, it can’t get to those machines,” Kim says. “The multi-layered approach prevents us from losing data and helps us to concentrate on providing financial services.”
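The re-admission check Kim describes is a network access control posture decision, and it helps to see what such a policy actually evaluates. Below is an added example, not First Financial's or any NAC vendor's code: a policy that decides whether a rejoining workstation is admitted or sent to a remediation segment, based on the posture its anti-virus agent reports. The field names, the thresholds and the three sample devices are assumed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds; a 30-day window matches a monthly definition cycle.
MAX_DEFINITION_AGE = timedelta(days=30)
MIN_ENGINE_VERSION = (7, 1, 0)


def _ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2005-06-28T08:05:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _version(text):
    return tuple(int(part) for part in text.split("."))


def posture_decision(device, now):
    """Evaluate a device that has just rejoined the network.

    Returns ("admit", []) or ("quarantine", [reasons]). Every failed check is
    reported, not just the first, so the remediation segment knows what to fix.
    """
    reasons = []

    if not device.get("av_running"):
        reasons.append("anti-virus agent not running")

    defs_age = now - _ts(device["definitions_date"])
    if defs_age > MAX_DEFINITION_AGE:
        reasons.append(f"definitions {defs_age.days} days old (limit {MAX_DEFINITION_AGE.days})")

    if _version(device["engine_version"]) < MIN_ENGINE_VERSION:
        reasons.append(f"engine {device['engine_version']} below minimum")

    # The scan that matters is the one run after the device came back: a scan
    # from before it left says nothing about what happened to it at home.
    scan = device.get("last_scan")
    rejoined = _ts(device["last_reconnect"])
    if scan is None or _ts(scan["finished"]) < rejoined:
        reasons.append("no completed scan since reconnect")
    elif scan["detections"]:
        reasons.append("scan found: " + ", ".join(scan["detections"]))

    return ("quarantine", reasons) if reasons else ("admit", [])


# Constructed sample posture reports as an agent might submit them on reconnect.
NOW = datetime(2005, 6, 28, 8, 30, tzinfo=timezone.utc)
SAMPLE_DEVICES = {
    # Desktop that never left the building: fresh definitions, clean scan after reconnect.
    "ws-branch-12": {
        "av_running": True,
        "definitions_date": "2005-06-27T02:00:00Z",
        "engine_version": "7.1.2",
        "last_reconnect": "2005-06-28T08:01:00Z",
        "last_scan": {"finished": "2005-06-28T08:09:00Z", "detections": []},
    },
    # Laptop back from a weekend at home: definitions from May, and the
    # post-reconnect scan found a Trojan.
    "lt-0417": {
        "av_running": True,
        "definitions_date": "2005-05-20T02:00:00Z",
        "engine_version": "7.1.2",
        "last_reconnect": "2005-06-28T08:05:00Z",
        "last_scan": {"finished": "2005-06-28T08:12:00Z",
                      "detections": ["Trojan.Downloader in C:\\temp\\setup.exe"]},
    },
    # Laptop whose agent was switched off; the only scan on record predates the trip.
    "lt-0522": {
        "av_running": False,
        "definitions_date": "2005-06-27T02:00:00Z",
        "engine_version": "7.0.9",
        "last_reconnect": "2005-06-28T08:06:00Z",
        "last_scan": {"finished": "2005-06-24T18:00:00Z", "detections": []},
    },
}


def evaluate_all(devices=SAMPLE_DEVICES, now=NOW):
    """Map each host name to its admission decision."""
    return {host: posture_decision(report, now) for host, report in devices.items()}


if __name__ == "__main__":
    for host, (decision, reasons) in evaluate_all().items():
        print(f"{host:14s} {decision:10s} {'; '.join(reasons)}")
```

Two choices in the policy carry the weight. The scan check is anchored to the reconnect time rather than to the calendar, because a scan from before the laptop left the building proves nothing about what came back with it; and a stale-definitions device is quarantined even when its scan was clean, since the scan was run with signatures that could not have recognised anything newer.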

Outlines of the frameworks mentioned in this article appear in the FRAMEWORKS box above.