Category: Uncategorized

While many criticize FISMA for being all documentation and no action, the law simply emphasizes the need for each federal agency to develop, document and implement an organizationwide program to secure the information systems that support its operations and assets. NIST SP 800-53, Recommended Security Controls for Federal Information Systems, describes log management controls including the generation, review, protection and retention of audit records, plus steps to take in the event of audit failure. It describes the need for log management in federal agencies and ways to establish and maintain successful and efficient log management infrastructures — including log generation, analysis, storage and monitoring.

NIST 800-92 discusses the importance of analyzing different kinds of logs from different sources and of clearly defining specific roles and responsibilities of those teams and individuals involved in log management.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines relevant security standards for health information.

NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule, details log management requirements for the securing of electronic protected health information.

The Payment Card Industry Data Security Standard (PCI-DSS), which applies to organizations that handle credit card transactions, mandates logging specific details and log review procedures to prevent credit card fraud, hacking and other related problems in companies that store, process or transmit credit card data.

Logs, which by nature allow for tracking IT infrastructure activity, are the best way to assess if, how, when and where a data breach has occurred. The major effect the age of compliance has had on log management is to turn it into a requirement rather than just a recommendation, and this change is certainly to the advantage of any organization subject to these regulations. It is easy to see why log collection and management is important, and the explicit inclusion of log management activities in major regulations like FISMA, HIPAA and PCI-DSS highlights how key it truly is to enterprise security as well as broader risk management needs.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9027080

The problem, Oltsik says, is that although enterprises are mostly satisfied that they are keeping their IP safe, they are mostly dissatisfied with the amount of time and effort they have to expend to do it. “The bad guys want to steal what they can sell, and often, that’s a company’s IP.”

As a result, upcoming spending on intellectual property security will probably be geared toward automating the IP discovery, classification, and protection processes, Oltsik suggests.

http://www.darkreading.com/document.asp?doc_id=127306&WT.svl=news1_4

Lost data includes customer, financial, corporate, employee, and IT security data that is stolen, leaked or destroyed. Loss of sensitive, confidential corporate data can also give a rival company a competitive advantage. It might, for example, include results of market research, competitive intelligence analysis of another company, research and development results, financial information, or a list of possible staff redundancies.

“In most organisations, the most sensitive information is in emails,” says Milton Baar, the director of IT Security consultants Swoose Partnership, and committee member of the ISO 27001 international security standard for information management. Mr Baar says three factors should be considered in assessing data loss: confidentiality, integrity, and availability. The integrity of data is maintained by ensuring that information is changed only by those allowed to do so, but organisations also need to make sure that data can be accessed when it is required. Confidentiality is often breached when emails are sent, accidentally or intentionally, to people who should not be seeing them, or when emails are sent before information should be made public.

Mr Baar says staff should be trained in the use of email, helping them understand what information is sensitive. “Have black and white lists, where the server stops sending out and/or receiving emails to or from certain places,” he says. “Have word searches in outbound emails to ensure that sensitive information isn’t disclosed, accidentally or intentionally. Mark the information physically or electronically with its security classification.” Attachments could be protected from email disclosure by having Access Control List entries that allowed them to be sent or blocked depending on the classification and destination of the information, he says.

Cybertrust security consultant Andrew Walls says that the “number one issue” for organisations is classification of their data. Is it important that some data remains confidential no matter whether its integrity is critical or how important it is to have the information readily accessible.

“The critical thing is for business to say what is important, then apply security controls. What role does the data play in an organisation’s plans, including its profitability? At a simple level decide what is a secret, and what is not. If it is a secret, talk to us before accessing it or publishing it,” Mr Walls says. “Don’t expect the IT security people to make these decisions; classifying the data is a business decision.”

Mr Walls says the Australian Government has five tiers of classification: public data, internal use only, confidential, protected and highly protected. At each tier a decision is made on how important are confidentiality, integrity and availability. Mr Baar says the proper use of information standards, such as AS/NZS4360, a risk management standard, would provide a much better basis for decision making. “Poor risk analysis means that the real risks, likelihoods and consequences are not known in detail, therefore the real losses are also unknown,” he says.

Symantec systems engineering manager Paul Lancaster agrees that compliance is not just about the data, but its integrity and availability. Compliance means adhering to regulations that affect a business and what that means for its data storage systems. “Data loss occurs when it can’t be accessed,” says Mr Lancaster. “Organisations have their own products and services they deliver as a business and the data behind that is key. Not having the ability to obtain data to show the public that their data is intact, with no integrity loss, can be detrimental to a business.”

Backing up is one obvious strategy, but how many organisations do this critical task properly? MR BAAR says most hospitals in NSW have multiple secure systems, with servers in two locations to keep patient records secure.

For example, witness protection program lists are closely guarded, and kept on a computer system accessible to only a few, not including the systems administrator. It has Defence Signals Directorate (DSD) certification for its internet gateway service for Australian Commonwealth customers.

Pharmaceutical companies have high security networks, cut off from all other networks. They encrypt their entire networks, “down to the hardware,” Mr Walls says.

Identity theft is a more common problem in Australia, Mr Lancaster says, with fraudsters trying to access laptops and servers to get credit card details or personal information. Employees may have ASIO checks and security clearances for their staff but what about the cleaning staff?

http://www.theage.com.au/news/security/plug-the-holes-in-your-cone-of-silence/2007/05/28/1180205158743.html

Most recently updated in September, the PCI standard requires, among other things, firewalls, the encryption of cardholder and other sensitive data sent across public networks, and restrictions on physical access to cardholder data.

Still, he estimates 70% of companies who are obligated by compliance regulations to have PCI — and who would face fines and cur penalties for non-compliance — have PCI in some form today, and are heading toward full implementation.

To counteract such attitudes, Visa, one of the backers of the PCI standard, has embarked on a carrot-and-stick approach with merchants, rewarding those who comply, and threatening financial penalties and other consequences to those who don’t.

http://www.darkreading.com/document.asp?doc_id=124780&f_src=darkreading_section_318

OUT: FUD FUD stands for fear, uncertainty and doubt, and it’s long been a crutch that security leaders lean on to get the budgets they need. Whether the Board seemed reluctant to spend money on firewalls or on surveillance cameras, the convenient solution was to scare them into funding everything by pulling out an anecdote about What Happened to the Company Down the Road. In the long run, however, the tactic of exploiting FUD almost always does more damage than good. Security executives and management experts agree that FUD ultimately destroys the security team’s credibility. “That [approach] may work once or twice in a true crisis situation where the bad guys have come over the back fence,” says Jim Mecsics, vice president of corporate security for Equifax. “But when you approach corporate officers with the tactics of fear, you’re walking into a trap. Somebody will eventually say, ‘OK, show me where the real [emergency] is,’ and then your credibility is shot.” FUD is a particularly common tactic in the lower ranks of a security organization, especially among those who haven’t learned how to make a data-driven risk management argument. A CSO who doesn’t stamp out FUD in his team creates as much of a problem as the CSO who uses it in personal conversations with senior executives.

Mecsics has the stories that prove the point. Just after 9/11, he was working with a government organization that decided it needed to radically increase its manpower to cope with the concerns over terrorist threats. The organization set up a conference, and hastily gathered input from all its field agents to take to the senior leadership. Instead of research and risk analysis, many of the agents’ arguments were based on guesswork and were rooted in the fear and uncertainty of Sept. 11. Mecsics says the organization’s management started asking questions and quickly saw through the panic the security personnel were creating. The net result was that the security team lost its credibility. In another organization, Mecsics says, senior executives were so frightened by the security group’s use of scare tactics that they became obsessed with concerns that the company would be irreparably harmed by a security event. In this case, they lost the ability to look at the issue rationally. “They got worked into such a frenzy that it was like a runaway train,” says Mecsics.

FUD also wastes money by not spending it well.

Here, the CISO is putting the responsibility on the CEO. “I’m not sure why IT tends to disregard these tools,” says Bob Jacobson, president of International Security Technology (IST), a private company that consults on matters of security risk assessment. Security is supposed to educate the business leaders about the threats the organization faces, about the likelihood and consequences of those threats, and about the costs and effectiveness of possible remedies.

Craig Granger, head of multinational security for the automotive company Delphi, offers a good case study in raising an organization’s security IQ. Part of the battle is fought in the field-pressing the flesh with execs, developing an omnipresent security policy and educating every employee on process management. At Nortel Networks, Vice President of Corporate Security and Systems Timothy Williams, tries to involve as many different functions in his security process as possible. Those forms of communication don’t fly in the boardroom.

As the old saying goes: It’s not just what you say, but how you say it.

As anyone who’s ever been to a security conference knows, speeches about security can be deadly dull. Faced with the challenge of having to communicate about security to large groups both inside and outside his company, Bill Hancock, CSO of Exodus (which later became the US base of Cable & Wireless), took the unusual step of enrolling himself in a stand-up comedy course to improve his communication skills. The final project for the class was a performance of an actual stand-up routine at The Improv, New York City’s renowned comedy club, on a Friday night. “It was one of the most horrifying experiences I think I’ve ever been through,” says Hancock. “You get up in front of an audience, half the people there are probably inebriated in some fashion, and you’ve got to communicate what you have to say very quickly, very succinctly and to a whole bunch of people that don’t know you from nobody.”

The lesson here is not that CSOs need to be honing their comic routines, but rather that life is full of tough audiences.

When dealing with a weighty topic like security, it’s important to focus on how you communicate as well as what you communicate. Building and maintaining strong relationships with business executives and their groups requires the CSO to assume a number of different guises: educator, strategist, negotiator, interpreter and, sometimes, disciplinarian. Oracle’s CSO Mary Ann Davidson has one last morsel of advice for CSOs interested in smoothing their way with other executives and the company at large. “People ought to be thanked for doing their job more often,” she says, noting that CSOs will find more cooperation if they ask for it politely and show their appreciation, instead of barking out orders and throwing their weight around. “It’s not being manipulative, it’s just that you catch more flies with honey.”

Information security in one stovepipe, corporate in another, audit staring suspiciously from across the hall, disaster recovery handled by the facilities group… Security functions have a history of fragmented organization. “Each of these departments’ main mission is ‘to protect company assets;’ however, each usually reports through a different hierarchy,” one privacy and IT security manager puts it. Historically, the greatest chasm – not just organizationally, but culturally as well – laid between information security folks and their corporate security counterparts. Each side has a list of perjorative ways to describe the other’s profession and professionals (propellerheads vs. knuckledraggers, etcetera). Disjointed management and lack of communication leads to a weaker security posture and wasted money due to duplicated efforts.

“The truly sophisticated companies are starting to look at a coordinated approach to physical security, information security and risk management,” says Lance Wright, principal at the Boyden Global Executive Search company. Business continuity Mike Hager, who helped get OppenheimerFunds up and running four hours after their offices and systems at the World Trade Center were destroyed on 9/11, puts it best: “Some companies have people who do information security, and people who do physical security, and people who do business continuity. The three people may come up with three separate answers about what to protect. If you have a total protection program, you can save a lot of time, money and effort. It just simplifies the whole process and makes it more effective.”

Hiring and firing When an employee comes on board, she may need a number of assets and rights before she becomes productive… a building access card, a laptop, a network password with access to the right applications, a signed non-disclosure agreement, a business credit card, a company car. Some of these are physical and some are digital. In a company with a well-managed, holistic hiring process, that employee can be up to speed in a jiffy. And if the employee is abruptly terminated, the poorly managed company stands very little chance of recovering all its assets and disabling all necessary access rights in a timely manner.

Regulatory compliance Sarbanes-Oxley says the Board of Directors has a fiduciary responsibility to know what risks its business faces.

http://www.csoonline.com/fundamentals/abc_leadership.html?source=nlt_csocareer

Since the author’s cover story on PCI compliance ran last month, he has heard from a couple CISOs who maintain that PCI compliance was a cinch–because they already followed ISO 17799 or 2700. “This gave us the opportunity to easily adapt to other security standards such as PCI and others without much effort.”

You should be concerned about the maturity of a security practice at companies who take 2+ years to receive PCI certification. I don’t want my credit card in the hands of those companies….

Then, this morning, the author had a talk with Patrick A. Côté, information security officer of Houghton Mifflin, the venerable textbook publisher. He said, in not quite so many words, the same thing–that their PCI compliance was fairly painless because they already had the underlying processes in place.

http://blogs.csoonline.com/iso_2700_securitys_sleeper