Archive for May, 2006

What Businesses Need to Know About Compliance

Monday, May 8th, 2006

This whole concept of "compliance" is rather nebulous and fuzzy.  I see different vendors referencing it in different ways.  I hear different practitioners worrying about different things.  I wanted to speak with some IT compliance professionals with significant experience to see how they are handling this "compliance" responsibility.  I wanted to get the viewpoint of not only a practitioner responsible for an organization’s compliance efforts, but also a consultant who has worked with a wide range of organizations to see where the compliance efforts, successes and challenges are greatest.  On April 17, I had the opportunity to speak with two such folks, Chris Pick, Vice President of Corporate Strategy at NetIQ, and Wayne Crane, CIO, also from NetIQ, about a wide range of compliance issues, and what, from their perspectives and based on their experiences, they believe businesses need to know about the whole concept of compliance.  As a publicly traded company, NetIQ must meet the same strict regulatory requirements, such as SOX, as many other organizations, so it was interesting to hear their thoughts.

I posted my interview with Chris and Wayne in the Realtime IT Compliance reading room, "What Businesses Need to Know About Compliance." See their thoughts on:

  • What "compliance" means to businesses
  • International compliance approaches
  • Industry-specific compliance challenges
  • The most challenging compliance areas
  • The use of frameworks, such as ITIL, for compliance
  • The most challenging regulation for compliance
  • What executives need to know about compliance
  • Budgeting for compliance
  • Using automation for compliance
  • The single most important compliance activity
  • The importance of executive support for compliance activities

New Privacy Bill Proposed in Canada: Highlights Need for Organizations to Implement Global Data Protection Activities

Monday, May 8th, 2006

David T.S. Fraser has a great blog covering information privacy in Canada, The Canadian Privacy Law Blog.  He just posted the proposed Bill 16, the Personal Information International Disclosure Protection Act, that was introduced in the Nova Scotia legislature last week.

Just one of the interesting passages within:

"5(1)  A public body shall ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless
           (a)  where the individual the information is about has identified the information and has consented, in the manner prescribed by the regulations to it being stored in or accessed from, as the case may be, outside Canada;
           (b)  where it is stored in or accessed from outside Canada for the purpose of disclosure allowed under this Act; or
           (c)  the head of the public body has allowed storage or access outside Canada pursuant to subsection (2).

       (2)  The head of a public body may allow storage or access outside Canada of personal information in its custody or under its control, subject to any restrictions or conditions the head considers advisable, if the head considers the storage or access is to meet the necessary requirements of the public body’s operation."

The proposed bill is 11 pages long, and there is much, much more.  However, this gives you a good indication and good flavor for how this *proposed* bill incorporates more and more of the OECD privacy principles and aligns more closely with the types of requirements found within the EU Data Protection Directive than Canada’s existing laws, such as PIPEDA, do.

In the past few years it seems most U.S. organizations, with regard to international data protection activities, have been primarily concerned with data protection issues within their EU offices and for their EU customers.  This proposed Canadian bill is likely to be a bellwether for more and similar bills within other countries.  A good reason for organizations everywhere to start thinking more globally and in a more unified manner with regard to handling the personal information they collect.


Another Example of Insider Threat: Computer Security Specialist Uses Access to Snoop in the Department of Education Computer He Was Auditing

Sunday, May 7th, 2006

I’m catching up on the news from this past week, and I ran across a story from March 1 on the Department of Justice site of a systems auditor who was given access to place software on the computer he was auditing, and he "used that access on numerous occasions to view his supervisor’s email and Internet activity as well as other communications, and to share those communications with others in his office. Kwak carried out his crime and invaded his supervisor’s privacy for personal entertainment; there is no indication he profited financially from his actions." 

The auditor pleaded guilty and "faces a maximum penalty of five years in prison and a fine of $250,000 for the crimes to which he pled guilty."  The crimes included "unauthorized access to a protected computer in furtherance of a criminal or tortious act."

"The prosecution was part of the 'zero-tolerance policy' recently adopted by the U.S. Attorney’s Office regarding intrusions into U.S. government computer systems."

I think this type of activity probably occurs quite often.  As just one example, I know of a situation in one company where the documents within the print queue were viewable, and one middle-manager who discovered this made it a daily practice of constantly monitoring the documents printed…and he was quite proud of always having the inside scoop after reading all the emails and confidential memos.  He was very disappointed when the print queue documents became unviewable, along with the document names and those printing them.  He had been using the information he got on the sly to make proposals using others’ ideas, joke about others in the organization, and worse.  Too bad the company did not have a policy at the time covering this and his activity.

Many people often only think of criminal activity or fraud when considering the insider threat.  An additional insider threat is clear violation of confidentiality and privacy of others in the workplace.

Notice the actions and the resulting crime to which he pleaded guilty.  Let’s see…what types of activities are defined as "unauthorized access to a protected computer in furtherance of a criminal or tortious act"?  Let’s look at US Code Title 18, 1030, Fraud and related activity in connection with computers.   Likely this clause:

"(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;"

But, wait…he had authorization…to the computer system…but was he also given authorization to the email and Internet logs to perform that work?

I wonder how the situation impacted that office? 

Yes, this news story is a few weeks old…but it is still a good example of one of the many types of insider threats that exist, and the consequences.

It is also an example of computer ethics…or the lack thereof.  Just because you have the ability to exploit the information to which you have access does not mean you should…ethics must be promoted and enforced in the workplace. 

Also something good for your awareness files, perhaps.


Using Airline Ticket Stubs for Identity Theft…or Worse…

Friday, May 5th, 2006

An interesting story was published in the Guardian Unlimited on Wednesday, "Q. What could a boarding pass tell an identity fraudster about you? A. Way too much."  So many little pieces of personal information floating around, and being tossed, it’s really amazing how much can be done with seemingly innocuous papers…such as those airline ticket stubs. 

The author of the article, Steve Boggan, indicated that the discarded British Airways boarding-pass stub contained the traveller’s name, his seat number, his frequent-flyer number, and an indication that he was a "Gold" standard passenger.

The article author took the stub to a security guru, Adam Laurie.  They logged on to the BA website, bought a ticket in the traveller’s name and then, using the frequent-flyer number from the boarding-pass stub and without being required to submit a password, were given full access to all his personal details – including his passport number, the date it expired, his nationality and date of birth. The system also gave them the opportunity to change the information.
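The weakness described above, a full profile returned for anyone who knows the frequent-flyer number and no password, and editable once shown, comes down to a lookup keyed on a printed identifier with no check of who is asking. The toy profile service below is an added illustration, not code from the Guardian article or from British Airways; the profile record, the `Session` class and the account numbers are constructed for the example, and it contrasts the weak lookup with an authenticated, ownership-checked one.

```python
"""Identifier-only lookup versus an authenticated, ownership-checked lookup.

Added illustration, not code from the Guardian article or from BA: a toy
profile service showing why a record keyed only by the number printed on a
boarding pass exposes passport data, and how to close that gap.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data; every value is made up for illustration.
PROFILES = {
    "FF-12345678": {
        "name": "A. Traveller",
        "passport_number": "NOT-A-REAL-PASSPORT",
        "passport_expiry": "2010-01-01",
        "nationality": "GBR",
        "date_of_birth": "1960-01-01",
    }
}

@dataclass
class Session:
    """A web session; account_id is None for an anonymous visitor."""
    account_id: Optional[str] = None
    recently_reauthenticated: bool = False

class AuthorizationError(Exception):
    pass

def vulnerable_lookup(frequent_flyer_number: str) -> dict:
    """Weak pattern: whoever holds the number from a discarded stub gets the
    whole record. No login, no check that the caller owns the account."""
    return PROFILES[frequent_flyer_number]

def hardened_lookup(session: Session, frequent_flyer_number: str) -> dict:
    """Hardened pattern: the caller must be logged in, and the record must
    belong to that login. The ownership check runs before any database
    access, so a stranger's number never reaches the store."""
    if session.account_id is None:
        raise AuthorizationError("login required")
    if session.account_id != frequent_flyer_number:
        raise AuthorizationError("record does not belong to this account")
    return PROFILES[frequent_flyer_number]

def hardened_update(session: Session, frequent_flyer_number: str,
                    field_name: str, value: str) -> dict:
    """Editing passport details is a sensitive operation: on top of the
    ownership check, require a fresh re-authentication (step-up auth)."""
    record = hardened_lookup(session, frequent_flyer_number)
    if not session.recently_reauthenticated:
        raise AuthorizationError("re-authentication required for changes")
    if field_name not in record:
        raise KeyError(field_name)
    updated = dict(record, **{field_name: value})  # copy, do not mutate
    PROFILES[frequent_flyer_number] = updated
    return updated
```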

They then used the information to find out on the Internet, within 15 minutes, where the traveller lived, who lived there with him, where he worked, the universities he had attended and how much his house was worth when he bought it.

Amazing…and scary…just a few pieces of seemingly innocent personal information can lead to so much…


Medical Identity Theft: Not Only Privacy Concerns, But Real Health Concerns According to Report Released Today

Wednesday, May 3rd, 2006

Over the years I’ve thought about the many different issues involved with privacy, but something I had not pondered before came to my attention today as I read the just-released World Privacy Forum report, "Medical Identity Theft: The Information Crime That Can Kill You."

It has always been a concern of mine, and many others, that lack of security controls within computer systems and lack of privacy protections can have real, physical impact upon people.  For example, some small modifications to the hospital databases for the amounts of medicine to administer to the patients could have insidious widespread and lethal impacts.  However, this new report brings up another possibility…having medical files modified and/or falsified by unauthorized persons, and then the real persons receiving the wrong, potentially fatal, medical treatment based upon the modifications in the records. 

The report indicates that, according to their research, between 225,000 and 500,000 people in the United States have been victims of this type of medical identity theft.

This is a 57-page report, quite intriguing reading.  Here are a few of the many findings I found interesting and sometimes somewhat shocking:

First, their definition of medical identity theft: 

"Medical identity theft occurs when someone uses a person’s name and sometimes other parts of their identity, such as insurance information, without the person’s knowledge or consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods. Medical identity theft frequently results in erroneous entries being put into existing medical records, and can involve the creation of fictitious medical records in the victim’s name."

Now, just a few of the other excerpts:

"There have been 19,428 complaints regarding medical identity theft to the Federal Trade Commission since January 1, 1992, the earliest date the FTC began recording such complaints.

  • Data from government identity theft hotlines and from identity theft surveys containing questions about medical use of data point with some consistency toward a range of approximately 1.5 to 2 percent for the rate of medically-related identity theft in comparison with other forms of identity theft.
  • Medical identity theft, as articulated by these numbers, translates in number of victims in 2003 to a range of a minimum of about 3,500 victims to up to a theoretical maximum of almost 3.25 million victims. However, our best estimate is that there could be as many as a quarter to a half million people who have been victims of this crime."

"Victims do not have clear pathways for recourse and recovery. The Fair Credit Reporting Act allows for greater recourse for victims of financial identity theft than the HIPAA health privacy rule provides for victims of medical identity theft. For example, victims do not have the legal right to demand correction of their medical information that was not created by the provider or insurer currently maintaining or using the information. This circularity can make it impossible for a medical identity theft victim to erase false entries from a medical or insurance record. This is true even when false entries were put in the record during the commission of a crime, such as health care fraud or medical identity theft."

Hmm…is this completely true?  CEs are supposed to investigate, with demonstrated reasonable care, all requests from patients to correct PHI.  Of course, if the fraud is committed by an insider (which it sounds like many times it is), these tracks can be covered pretty easily.

Remember that incident that occurred in January 2006, where Providence Health System notified 365,000 individuals that on December 31, 2005 their protected health information was stolen from an employee’s car?  Well, after reading this report, it seems that that is the type of data that could be used to commit medical identity theft and not be readily noticed.  So many of the companies who have such incidents, and even judges who make determinations of the penalties (or lack of) for such incidents, take into consideration whether any known fraud has occurred.  In the instance of medical identity theft it would be very hard to know until long after the fact, as in the cases of the victims that are described in this report.

The report’s summary and findings include:

"This report finds that medical identity theft is deeply entrenched in the health care system. Identity theft may be done by criminals, doctors, nurses, hospital employees, and increasingly, by highly sophisticated crime rings. The report finds that medical identity theft victims need an expanded right to correct their medical files in order to recover from this crime, and need more specialized consumer education that is focused on correcting the specific harms of medical identity theft. Key recommendations in the report include:

  • Individuals’ rights to correct errors in their medical histories and files need to be expanded to allow them to remove false information from their files.
  • Individuals should have the right to receive one free copy of their medical file.
  • Individuals should have expanded rights to obtain an accounting of disclosures of health information.
  • Studies are needed to determine what the incidence of medical identity theft is, how and where it is occurring, and how it can be detected and prevented.
  • Notification of medical data breaches to consumers has the potential to save lives, protect health, and prevent losses.
  • All working prototypes for the National Health Information Network need comprehensive risk assessments focused on preventing medical identity theft while protecting patient privacy."


How Often are National Security Letters Really Used?

Tuesday, May 2nd, 2006

Last Friday a news article was published in several places, "FBI sought information on 3,501 people last year using powerful investigative tool".  The story:

"The FBI secretly sought information last year on 3,501 U.S. citizens and legal residents from their banks and credit card, telephone and Internet companies without a court’s approval, the Justice Department said Friday. It was the first time the Bush administration has publicly disclosed how often it uses the administrative subpoena known as a national security letter, which allows the executive branch of government to obtain records about people in terrorism and espionage investigations without court approval.

Friday’s disclosure was mandated as part of the renewal of the Patriot Act, the administration’s sweeping anti-terror law.  The FBI delivered a total of 9,254 NSLs relating to 3,501 people in 2005, according to a report submitted late Friday to Democratic and Republican leaders in the House and Senate. In some cases, the bureau demanded information about one person from several companies. The department also reported it received a secret court’s approval for 155 warrants to examine business records last year, under a Patriot Act provision that includes library records. However, Attorney General Alberto Gonzales has said the department has never used the provision to ask for library records.  The number was a significant jump over past use of the warrant for business records. A year ago, Gonzales told Congress there had been 35 warrants approved between November 2003 and April 2005."

Hmm…well, curiosity led me to the Representative Fazio website, where I found a floor statement from November 8, 2005.  This statement indicates, among other things, that:

"Mr. Speaker, the Sunday Washington Post had an extraordinary story as a result of investigative journalism. The FBI has issued 30,000 national security letters. Now, we will have to back up for a moment to understand what that means. Four years ago, this Congress was stampeded under the anthrax attack and 9/11 into passing a bill it had not read, the U.S.A. PATRIOT Act, which contained many unconstitutional and dubious provisions, many bad ideas from past attorneys general, rejected by previous Congresses, passed in a hysterical time for the Congress.  Now it is about to be reauthorized, and, in fact, strengthened in many ways. This is one of the most disturbing aspects of that legislation. These national security letters used to be fairly rare. They used to issue about 300 a year. They are now issuing 30,000 a year, a 100-fold increase. This is an extraordinary intrusion into the personal lives of many Americans who are not accused of or even suspected of crimes."

I couldn’t find anything on the FBI site indicating 30,000 NSLs had been issued…but the first article indicated that this (2006) was the first year that the Bush administration publicly disclosed the number of NSLs…9,254 in 2005.  I’m trying to figure out the incongruity here…

I couldn’t find any official counts for the number of times NSLs have been used on the Dept of Justice site, nor on the FBI’s site, nor on the Government Accounting Office site.  Shouldn’t this information be available to the public under the FOIA, or does the USA PATRIOT Act trump that?  Is this information classified?

Just trying to figure out how often NSLs really are used…


Penn State Creates the Privacy-preserving Access Control Toolkit (PACT) That Utilizes Encryption For Database Access Control

Monday, May 1st, 2006

An interesting but short story was just published by the Malaysia Sun, and some other worldwide publications, "Penn State develops security software."  My interest piqued, I looked on the Penn State site, and yes, there was more information released about it there today.

"University Park, Pa. — Penn State researchers have developed software that allows databases to "talk to each other" automatically without compromising the security of the data and metadata because the queries, data communicated and other information are encrypted.  The Privacy-preserving Access Control Toolkit (PACT) acts like a filter but is resilient to eavesdropping or other attacks because of the encryption.  "The software automatically regulates access to data, so some information can be exchanged while other data remains confidential and private," said Prasenjit Mitra, assistant professor of information sciences and technology and member of the research team that developed the software. "Often when we implement security, we decide not to give access to data. This tool preserves security while allowing permitted access."

Organizations like government agencies, non-profits and corporations frequently need to access data belonging to other organizations. But sharing data is difficult because databases are typically constructed using different terms or vocabularies.  Consequently, in order to share data, organizations have to develop special-purpose applications. But organizations also need to protect sources, intellectual property and competitive advantages, so the applications must address security.  In addition to being time consuming to develop, such applications are expensive as they have limited use.  Unlike those special-purpose applications, PACT is more generic. That means it can be applied to a wide range of scenarios, Mitra said. It addresses security concerns through encryption and access control.

PACT is described in a paper, "Privacy-preserving Semantic Interoperation and Access Control of Heterogeneous Databases," given at ACM’s recent Symposium on Information, Communication and Computer Security in Taiwan. The authors include Mitra, a faculty member in the Penn State College of Information Sciences and Technology (IST); Chi-Chun Pan, a graduate student in Penn State’s industrial and manufacturing engineering department; Peng Liu, assistant professor, Penn State’s IST; and Vijay Atluri, associate professor, Rutgers University.

According to the researchers, PACT is the first software to provide a framework that protects metadata while enabling "semantic interoperation" or sharing of information. Additionally, results from the researchers’ experiments demonstrate that PACT can easily be extended to large database systems in practical applications, Mitra said.  Future research involving PACT will focus on performance enhancements for query processing and development of a new rule language for improving interoperability, Mitra said."

Wow…sounds interesting and very promising! 

So…now…to find the paper… 

Yes!  Here it is, "Privacy-preserving Semantic Interoperation and Access Control of Heterogeneous Databases."  Quite interesting indeed!
