Archive for August, 2006

The Business Leader Data Retention and E-Discovery Primer

Thursday, August 10th, 2006

Many organizations are taking advantage of using a wider range of communication systems and technologies than ever before. For example, just to name a few:

  • Voice over IP (VoIP) is used not only for voice communications but also often integrated with the corporate email system.
  • Instant messaging (IM) is commonly used to allow real-time interactive business communications.
  • Blackberry messaging devices are used by a large number of business personnel to send and receive email no matter where they are at, at any time of the day.

Many companies have been burned in many ways (revenue loss, stock value drops, reputation damage, etc.) as a result of lack of planning for retaining specific types of data inappropriately, as well as for destroying data that was court-ordered to be retained; recall the July 21, 2004, judgment against Philip Morris USA, Inc. to pay $2.75 million for destroying emails related to litigation.  There are probably thousands, if not tens of thousands, of lawsuits going on against organizations on any given day.  In many, if not most, of these cases there are data discovery issues that require organizations to be retaining specific types of data.  Because of the highly distributed locations where data is now stored, it is likely many of the storage locations are unknown, or are under the control of end-users who may be doing things with the data that can have huge impact in court and on the organization.

The evolving systems and technologies are certainly timesaving and efficient business tools. However, business leaders need to consider the archiving, retention, and discovery requirements that are involved with these technologies to ensure they are not unknowingly putting the business at information security, privacy, and/or legal risk with the ways in which the technologies are implemented. 

This week I posted a paper, "The Business Leader Data Retention and E-Discovery Primer" within which I discuss some of the important data retention and electronic discovery issues that organizations must consider and plan for.  These issues can cost organizations much time, resources and money if not addressed properly.

Technorati Tags








Another VA Computer Missing Containing Personal Data on 38,000 Vets…Are We Surprised?

Tuesday, August 8th, 2006

It was disappointing, but not really surprising, to read in Computerworld today that another VA computer was missing.  What is a bit unusual was that it was a desktop computer, as opposed to the typical missing/lost laptop, notebook, or handheld computer.  This time it was a Unisys contractor who was using the computer.

"VA officials are also working with Unisys regarding an offer of credit monitoring and individual notifications to those who may be affected."

Gee…this is kinda "deja vu all over again," isn’t it?  The veterans were initially offered credit monitoring with their last incident but then the government cancelled that offer when the computer and disk were found months later.  IF a credit monitoring offer is made, you think they will retract the offer…again…as soon as, and if, the computer is found…even though someone intentionally stole the computers?

"The loss of this computer comes just two days after Montgomery County Police in Maryland announced the arrests of two men accused of stealing a VA laptop and hard drive that contained identifying information on 26.5 million of veterans and active-duty military personnel in May. That laptop was recovered in June and the VA does not believe that any of the personal information contained on it was compromised."

Yah…right…there is no way that you can tell for certain that data has or has not been copied.  If these two men stole the computer and hard drive they very well could have made a copy, or several copies, of the data to use for years into the future.  Sensitive data on 26.5 million people is a pretty good retirement plan.

""[The] VA is making progress in efforts to reform its information technology and cyber security procedures, but this report of a missing computer at a subcontractor’s secure building underscores the complexity of the work ahead as we establish VA as a leader in data and information security," said Nicholson in the statement."

Organizations of every size need to be diligent about information security practices. Small and medium sized businesses often do not have dedicated information security personnel on staff to comprehensively address security issues.  Some organizations are such behemoths that a centralized information security office with too few employees cannot effectively address security throughout the entire organization.  Veterans Affairs is such a behemoth, with 235,974 employees…not to mention thousands of contractors…at the beginning of the year; with around 500 information security officers.  So, significantly less than 1% of the staff…around 0.2%…are responsible for securing a vast amount of sensitive data on "approximately 70 million people" that is scattered among potentially thousands of locations. 

I believe many more organizations lose laptops, notebooks, handhelds, storage media and so on than are ever reported…even with today’s breach notification laws.  I know in speaking with several organizations that many of these losses and thefts are reported to physical security and the insurance claimed on the hardware value, and the information security department often does not find out until days, weeks, or even months later, if ever at all, and then there is often no idea of the types of data that were on the devices.

This situation points out some important lessons for organizations.

  • You need to have enough people responsible for information security to have effective information security.
  • You need to have policies and procedures in place to ensure the security of laptops, storage devices, and end-user computers, and enforce them consistently.
  • You need to have a comprehensive inventory of data and computing devices so you don’t misplace important information.
  • You need to perform consistent and effective security program reviews of the organizations to whom you entrust your information and processing of sensitive information so that their sloppy and/or insecure practices do not end up putting your organization at risk, or result in significant negative impact to your organization.
  • The more distributed data is, and the more mobile data is, the more at risk data is. 
  • The more you depend upon end-users for securing information, the more information security and privacy education, training and awareness, must be provided on an ongoing basis.

Technorati Tags








Ohio University: An Example of How A Security Incident Can Negatively Impact An Organization

Friday, August 4th, 2006

An interesting discussion of the repurcussions of a hack at Ohio University in May was discussed by Adam Dodge yesterday

“The computer system contained biographical information for more than 300,000 individuals and organizations, including the Social Security numbers of more than 137,000 individuals” was penetrated by unknown persons. A later report indicated that another breach exposed the Social Security numbers and also health records of “60,000 people including all current students as well as some school faculty.”

There are many studies about how organizations can lose customers following an incident.  Funding for universities typically comes from a wide range of sources, such as alumni donations, grants, etc.  This article is interesting in that it talks about some of the reactions from alumni and students.  What’s also interesting about this is that this incident occurred from a hack into the university’s computer system…a laptop wasn’t lost, backup tapes weren’t stolen, or some other general end-user error.  From what I understand from what has been reported the hack was possible because of inadequate security on the system.  As a result, as the article states, the university has suffered:

  • Negative publicity and resulting loss of trust and damaged reputation
  • Threats of lawsuits
  • Lost donations
  • General rants and complaints
  • Bills for the time spent to check credit reports

A few other impacts not stated in the article that will likely, or at least could, occur include:

  • Large legal fees to address the lawsuits
  • Potential regulatory noncompliance findings
  • The potential fines, penalties and other judgments
  • Costs to hire more personnel to handle the fallout (phone calls, letters, reporter questons, etc.)
  • Upgrading systems to make them more secure (which should have been done to begin with) and implementing additional safeguards
  • Increased PR efforts to counteract the impacts from the first list
  • Lost students and potential students
  • Lost faculty and employees
  • Lost funding, grants and other revenues educational institutions rely upon as part of their total funding
  • Increased insurance premiums for the various types of liability and other risk insurance that universities carry
  • Potentially having programs and classes cut because of the overall impact of the revenue loss and other impact costs
  • And probably several others…

There are always important lessons to learn from the pain, misfortune and incidents of others.  It’s better, in all ways, to prevent bad things from happening, at least doing everything you can and showing due diligence to prevent bad things, than to wait until after an incident occurs.

Technorati Tags







Butter Cows and Butter Superman

Thursday, August 3rd, 2006

Okay…this has absolutely nothing to do with information security or privacy or compliance (at least as far as I can tell), but I thought it was pretty cool that CNN actually did a story about the butter sculptures (sorry, but there is a short commercial first in this link that I couldn’t figure out how to get rid of…you can find it on the CNN site in their recent video clips) done yearly here at the Iowa State Fair (I live "just a ways outside of Des Moines").

If you ever get the chance to visit the Iowa State Fair you will have a <bleepity bleep> great time!  🙂  It truly is a way to get away from all your work stuff, mind, body and soul, and just have fun for a while.  But, know that there is *SO* much more than butter here!  I can’t do it justice by trying to explain…it has to be experienced…

BTW, the butter Superman is being done because he (Brandon Routh in this summer’s Superman Returns movie), was born and raised in the Des Moines area.

Viva la Iowa! 

Okay…back to work stuff…

🙂

Technorati Tags

Tip To Prevent an Email Oops

Thursday, August 3rd, 2006

Today I almost had an email oops.  Well…perhaps not "almost" because of a habit I got into years ago.  This habit has saved me many times from sending out a message prematurely before I’ve had a chance to review.  I’ve incorporated this tip into several organizations’ awareness messages and training content and have heard back that it has prevented some email incidents.

While composing an email to a client today, someone came into my office and asked me a question, and while turning to respond, my thumb bumped my overly sensitive mouse pad (yes, I know the sensitivity is adjustable…but overall I like it at the current level) after my cursor had moved over the <send> button.  A sudden chill went over me…I wasn’t ready to send that message!  It wasn’t complete and I didn’t want to send all the raw (don’t worry, it was non-PII) data I had included as I was drafting it.  Then I looked at the TO:, CC: and BCC: lines…WHEW!  I did not have any addresses there yet…in following my email habit of the last decade+.

Many email incidents have occurred by mistakenly sending emails either with unintended information, or with incorrect or unwanted email addresses in the TO: line, etc.  I just talked about many email incidents on August 1.

A good way to avert many email incidents from accidentally happening is to compose the body of the email message BEFORE filling in the TO:, CC: and BCC: lines.  If these lines are blank, then the email composer cannot accidentally send the message before it has been finished and carefully proofread.  It is very simple, but also very effective, as are most security habits.  Effective training and awareness communications help to drill such habits into the minds and typing fingers of personnel.

My habit over the years that I’ve passed on to my co-workers and clients, and have put into communications, is simply:

  1. When writing an email, leave all the address lines blank.
  2. Write the message.
  3. Proofread the message…ALL the message!  Including attachments and being sure to scroll down to see if you have left any extraneous information that you may have copied into the message while composing.
  4. Be especially diligent about reviewing an email message you are forwarding.  Make sure all the information in the forwarded email is something you CAN be forwarding without violating the original sender’s intentions for the email, and to ensure you are not divulging information inappropriately. 
    • You will often need to remove the email address, and perhaps even name, of the email originator to protect their identity/privacy. 
    • You will likely not need to forward the entire email message.  Delete everything from the forwarded email that is not relevant to the reasons why you need to forward it to someone else.
  5. When you know the message is exactly as you want it to be, fill in the address lines with the addresses of the people you want to receive your message.
  6. DON’T HIT SEND YET!  Carefully read through the addresses.  Make sure you didn’t accidentally include an email address that was next to one of your intended recipients in your address book.
  7. Now hit send without worrying about suddenly feeling your heart miss a beat and going "DOH!" because you sent it to the wrong people, or sent inappropriate information.

"But!"  you may say, "This does not work when replying to an email!"

Ahhhh…yes…well…here is another habit I’ve gotten into that has worked well for me.  However, I realize this one requires more tenacity for end-users to follow consistently, but it can save A LOT of embarrassment and potential incident impact by doing.  If your end-users who send a lot of email to customers, business partners, and particularly others outside your organization, it is worth suggesting to them.  One of my clients from a few years ago sent me a message telling me he was happy he had told his folks about this tip, because one his marketers would have done a very big OOPS without following it.

The habit for replying to email messages is simply:

  1. After hitting <reply>, copy, then delete, all the addresses from the TO: line of your message and paste into the first line of your reply message body.
  2. Repeat #1 for the CC: line as necessary.
  3. Create your message on the lines after the lines of addresses in the body.
  4. After finishing and proofreading well, do a copy, delete and paste of the addresses from the first line of your message into the TO: line, ensuring that it/they are the recipients you really want for your message.
  5. If appropriate, do a copy, delete and paste of the remaining addresses into the CC: or BCC: lines.
  6. Determine if you need to put any addresses in the BCC: line.
  7. Proofread everything, deleting the parts of the original message not necessary, then <send>.

Yes, this is somewhat clunky, but it can avert some significant security and privacy incidents. 

Once people get into the habit, it truly does become second-nature…like today when I briefly panicked when I heard the <send> button click, then realized that my email habit had saved me from a bit of embarrassment from an unfinished email message.

Technorati Tags







Breaking Down Privacy and Security for Programmers

Wednesday, August 2nd, 2006

I read an interesting brief article today by Dr. Arnat Leemakdej, "Breaking down programming for non-programmers."  It focuses on turning "government officers into an army of programmers" in the easiest and most efficient way possible using fourth-generation languages (4GL).  (Please, you skeptics, no laughing…I’m not going to address the feasibility of that today.)  It provided a very high-level overview.  The goals are:

"Goal #1: The tool has to be easy. A non-programmer can write a business description much like a human language and mix and match activities to create a process. The tool has to be able to grab that language, understand what the writer is trying to do and then do it.

Goal #2: Since the main servers are all over the place with all kinds of security and firewalls in place, the system needs to be able to access disparate servers regardless of their environment. So web service support is mandatory since it uses standard XML asynchronous messaging infrastructure. The web services mechanism will also maintain security via several authentication methods. Reliability can be implemented through MOM or Enterprise Service Bus (ESB). So Service Oriented Architecture (SOA) is an ideal choice."

I’ve been speaking to organizations and writing about the need to integrate security and privacy into the applications and systems development process for several years.  While Goal 2 in the excerpt discusses security, it really only touches upon security as being provided by firewalls and authentication.  Of course there is so much more than that. 

"But once the UI and web services are in place, the business owner can mix and match the process flow however he wants without bothering the tech guys. When the rules change, he just rewrites his business process using available templates."

I’m all for streamlining development and ensuring efficiency.  However, with any application being built, security and privacy must be considered and integrated appropriately.  This is critical not only for compliance requirements, but also to keep security incidents from happening and to maintain privacy appropriately.  I really the article indicates "once the UI and web services are in place" but security and privacy must still be considered at all points along an application lifecycle, even when it is just being mixed and matched. 

The tech guys and the information security and compliance guys should definitely be involved ("be bothered") if the application involves personally identifiable information (PII), or connections outside the enterprise, and sometimes within the enterprise when communicating between different security zones. True, there may be times where, if these applications are small and only used within the department and generating no new data, there may not be a need to "bother" the tech or security folks.  However, how to make that decision should clearly be documented, preferably within a decision tree with accompanying documentation.  Don’t assume the business folks will know what to do or the appropriate times to contact IT and info sec.

The article provided a sample business process.  Such processes should be used to map out the information security and privacy activities throughout development.  A high level example could be similar to the notes I’ve added into the sample within the article (organizations need to add more detail for their own specific situation).

"- Activity 1: customer files request."

Privacy and info security issues to address; you may need to do a privacy impact assessment (PIA) or risk analysis:

  • Is the request via the Internet?  A public kiosk?  An electronic request from somewhere outside the enterprise network?
  • Is PII collected?  How will it be encrypted?
  • Is identity verification and/or authentication necessary?
  • What laws, regulations and/or contractual requirements cover this activity?  What controls are need to be built in to meet compliance?

"- Activity 2: operator enters request. "

Privacy and info security issues to address; you may need to do a privacy impact assessment (PIA) or risk analysis:

  • Does the information entered need to be encrypted?
  • Where does the request go?  To an outside entity?  Does it stay internal to the enterprise network?
  • Does PII cross any country borders?

"- Activity 3: system sends all entered data to Organisation A’s web service for posting on central server. "

Privacy and info security issues to address; you may need to do a privacy impact assessment (PIA) or risk analysis:

  • Is the web service an outside entity?  If so, do they have security in place to protect the data?
  • Are backups made of the data?
  • What are the controls for access to the data on the central server?

"- Activity 4: Organisation A sends back acknowledgement that everything is okay. "

Privacy and info security issues to address; you may need to do a privacy impact assessment (PIA) or risk analysis:

  • How does the ackowledgement get sent?  Via website? Email?  Some other method?
  • Does the acknowledgement contain PII?  If so, how will it be encrypted?
  • Is the acknowledgement worded in such a way that complies with applicable laws and regulations?

"- Activity 5: operator informs customer. "

Privacy and info security issues to address; you may need to do a privacy impact assessment (PIA) or risk analysis:

  • How is the customer informed?
  • Does an audit log of this activity need to be generated?

"- Activity 6: customer can make payment to operator. "

Privacy and info security issues to address; you may need to do a privacy impact assessment (PIA) or risk analysis:

  • In what ways can payment be made?
  • What need to be done to meet regulatory, PCI, etc. compliance?
  • What are the security risks involved with each method?
  • What are the legal requirements for each method?

"- Activity 7: operator prints out receipt for customer."

Privacy and info security issues to address; you may need to do a privacy impact assessment (PIA) or risk analysis:

  • Where is the receipt printed?
  • Is it a hard copy print?  What are the safeguards that need to be in place?
  • How is the receipt sent to the customer?  What are the risks involved?

 
This is a very rudimentary exercise, but should give you an idea of the types of considerations that need to be made for integrating security and privacy into applications and systems, even for 4GL and BPAL apps. 

If organizations can consistently integrate security and privacy into the applications and systems development process many incidents and noncompliance issues can be prevented from materializing once the application or system is in production.

Wouldn’t that be nice?  🙂

Technorati Tags







Email Security Incidents: Stories for Your Awareness and Training Files

Tuesday, August 1st, 2006

I’m creating some information security training content, and today I spent some time researching for some actual stories of email incidents to add to my already bulging email incident file.  So many of the reported incidents in the news over the past couple of years involve emails; mistakenly sent to too many people; putting IDs into TO: lines instead of BCC: lines where they should have been; not encrypting data that is subsequently accessed by those who shouldn’t be seeing it; and so many other incidents resulting from end-user errors, lack of knowledge, and incorrect assumptions.

Email decisions are ultimately made by the people sending them.  It is important they know and understand the impacts their email boo-boos can have…not only upon themselves, but also for their companies. 

I found some great stories, some recent and some older ones that I have just stumbled upon but that are still relevant today, that would be great for any organization’s awareness and training incident story arsenal.  Here are a few of them, with a few of my thoughts interspersed…

  • A story from last week from Riverside, California reports "an information technology worker inadvertently sent a routine e-mail intended for the payroll department to every inbox on the city’s system. The e-mail had an attachment with the names, addresses, Social Security numbers and 401(k) account numbers of 1,974 city employees."

Of course accidents will happen.  Even with awareness and training.  Be sure you have an incident response plan in place when such accidents do occur.

  • At the end of June Mich Kabay wrote an entertaining and good example about how the use, or non-use, of BCC: could create an e-mail incident.  "The problems caused by CC are worse when the recipients do not know each other. I have often received messages from technically unsophisticated correspondents who put dozens of e-mail addresses in the CC field even though many of the recipients are total strangers to each other. Such exposure of e-mail addresses always makes me nervous; who knows whether everyone on the list is trustworthy?"

Email addresses are considered as personally identifiable information (PII) by many laws.  Putting them clearly in the CC: or TO: lines can lead to major impact to your company.  The FTC certainly does not look kindly upon revealing email addresses; remember the Eli Lilly incident from 2002?  It is the poster child story of this type of incident.  The impact of that incident is lasting 20 years and is costing the company millions of dollars.  A big price to pay for an "oops"!

  • There are many great examples of email incidents in a piece from PC World from 2002, "D’oh! The Most Disastrous E-Mail Mistakes."  This article provides many examples of email gone wrong…accidentally sending inappropriate email to a mail group…accidentally copying everyone on the email system on a personal email…inappropriate email messages being discovered through monitoring…accidentally sending PII to others…and so many others. 

I know many more email incidents occur than are reported; most companies keep these ethereal email woes to themselves if at all possible.  However, even the most innocent email incident can have profound long-lasting impact.

Technorati Tags