Archive for the ‘Privacy and Compliance’ Category

Risky Business: Using Production Data for Test Purposes

Tuesday, July 4th, 2006

Today some stories ran in multiple UK publications, such as Techworld’s "Firms play Data Protection roulette", discussing the use of production data for test purposes.  It contained some interesting, but unsurprising, statistics.

  • "Nearly half (44 percent) of companies use live data in test environments – something the 1998 Data Protection Act warns against explicitly, according to a recent survey of IT directors by Compuware.
  • Half the directors (48 percent) were only ‘vaguely familiar’ with the Act itself, according to the research, which highlights the importance of understanding the demands and keeping track of how customer data is treated.
  • A further "83 percent used only minimal measures such as using non disclosure agreements (NDA) to control data when outsourcing.""

These statistics come from UK organizations, and actually sound a little low.  Based upon the many business partner and vendor security program reviews I’ve performed, I think the number of organizations using live data would probably be at least in the 75% – 90% range…admittedly a very unscientific estimate.

The article provides some discussion of the UK’s Data Protection Act and a few high-level recommendations.  It also reminds the reader of the risks of outsourcing and that precautions such as NDAs will still not stop the insider threat to data, as in the case of the outsourcer employee I blogged about a few days ago who committed fraud using the information he used to perform his job.

There are many, many more issues involved.  There are also many other laws and regulations that prohibit the use of live data for test, pilot and quality assurance purposes…basically any type of use that is not production.

I wrote about this important topic in the December 2005 issue of the Computer Security Institute Alert newsletter, "Is There Privacy When Testing?"  I plan to update the article and post it in the reading room of my Realtime IT Compliance website sometime in the near future.

In the meantime, here are some paraphrased or abbreviated points from my article listing some of the key issues organizations need to address when testing, particularly how to de-identify production data so that it can then be used for test purposes:

  • Test and development teams need to work with databases that are structurally correct functional copies of the live environments. However, they often do not necessarily need to be able to view real confidential personal information. For test and development purposes, as long as the data looks real, the actual record content is usually irrelevant.
  • De-identifying data is considered a leading practice, and is also legislated in regulations such as HIPAA.  Basically, de-identification covers, removes or alters real (production) data so that the data elements cannot be linked to a specific individual.  Data that has been de-identified is generally considered acceptable to use in the test environment.

De-identifying Data
There are several options for de-identifying data, both operational and automated.  I go into more detail within the article, but here is the barebones listing to start your thinking around this topic:

  1. Data deletion
  2. Data NULLing
  3. Data Mixing
  4. Data replacement
  5. Data Substitution
  6. Encryption
  7. Interjecting Unrelated Text
  8. Modifying Numerical Data
  9. Using an Isolated Testing Environment

Whatever de-identification method you use, you need to make sure the de-identification results are appropriate for the context of the application being tested, and must make sense to the person reviewing the test results.

Because testing activities occur throughout the application lifecycle, organizations must consistently follow documented procedures to thoroughly test applications while at the same time staying in compliance with privacy-related laws, regulations and contracts.  And yes, de-identifying data will be challenging, but still achievable, when the application uses relational databases. 
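As an added illustration (this is example code written for this post, not from my article or any vendor product), the following Python script applies several of the methods listed above to two constructed, related tables and shows the part that makes relational data hard: the foreign key from orders to customers must still resolve after de-identification, so substituted identifiers are derived with a keyed one-way function rather than chosen at random. The key, the table contents and the field names are all assumptions for the example.

```python
import hashlib
import hmac
import random
from datetime import date

# Constructed sample "production" tables (not real people). ORDERS references
# CUSTOMERS through customer_id, so the test copy must keep that link working.
CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Example", "ssn": "123-45-6789",
     "email": "alice@example.com", "dob": date(1970, 3, 14), "balance": 1523.40},
    {"customer_id": 1002, "name": "Bob Sample", "ssn": "987-65-4321",
     "email": "bob@example.org", "dob": date(1985, 11, 2), "balance": 87.15},
    {"customer_id": 1003, "name": "Carol Test", "ssn": "555-12-3456",
     "email": "carol@example.net", "dob": date(1962, 7, 30), "balance": 9100.00},
]
ORDERS = [
    {"order_id": 1, "customer_id": 1001, "amount": 120.00, "notes": "Call Alice re: refund"},
    {"order_id": 2, "customer_id": 1003, "amount": 45.50, "notes": ""},
    {"order_id": 3, "customer_id": 1001, "amount": 300.00, "notes": "Ship to home address"},
]

# Hypothetical secret known only to the de-identification job. It never travels
# with the test copy, so test users cannot reverse the substitutions.
PSEUDONYM_KEY = b"placeholder-key-kept-out-of-the-test-environment"


def pseudonymize_id(value, key):
    """Data substitution via a keyed one-way function (HMAC-SHA256). The same
    production id always maps to the same test id, so foreign keys still match,
    but without the key the original id cannot be recovered."""
    digest = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()
    return int(digest[:8], 16)


def replace_ssn(ssn, key):
    """Data replacement that keeps the NNN-NN-NNNN shape so the application's
    format checks still pass, but uses area number 000, which is never issued,
    so the value cannot belong to a real person."""
    n = int(hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()[:12], 16)
    return f"000-{n % 99 + 1:02d}-{(n // 100) % 9999 + 1:04d}"


def perturb_amount(amount, rng, spread=0.2):
    """Modifying numerical data: scale by a random factor within +/- spread so
    figures stay plausible but no row carries a real balance or order total."""
    return round(amount * rng.uniform(1 - spread, 1 + spread), 2)


def mix_column(rows, column, rng):
    """Data mixing: shuffle one column across rows. Each value is still a real
    production value, but it is no longer attached to the person it came from."""
    values = [row[column] for row in rows]
    rng.shuffle(values)
    for row, value in zip(rows, values):
        row[column] = value


def deidentify(customers, orders, key, seed):
    """Build de-identified copies of both tables, preserving referential integrity."""
    rng = random.Random(seed)  # seeded so a test data build is reproducible
    id_map, seen, new_customers = {}, set(), []
    for i, c in enumerate(customers, start=1):
        new_id = pseudonymize_id(c["customer_id"], key)
        if new_id in seen:
            raise ValueError(f"pseudonym collision for {c['customer_id']}; widen the digest")
        seen.add(new_id)
        id_map[c["customer_id"]] = new_id
        new_customers.append({
            "customer_id": new_id,
            "name": f"Test Customer {i}",              # data replacement
            "ssn": replace_ssn(c["ssn"], key),          # data replacement
            "email": f"customer{i}@example.invalid",  # substitution; .invalid never resolves
            "dob": c["dob"],                            # mixed across rows below
            "balance": perturb_amount(c["balance"], rng),
        })
    mix_column(new_customers, "dob", rng)
    new_orders = [{
        "order_id": o["order_id"],
        "customer_id": id_map[o["customer_id"]],        # follows the same mapping
        "amount": perturb_amount(o["amount"], rng),
        "notes": None,                                  # data NULLing: free text leaks names
    } for o in orders]
    return new_customers, new_orders


def referential_integrity_ok(customers, orders):
    """Every order must still point at a customer that exists in the test copy."""
    ids = {c["customer_id"] for c in customers}
    return all(o["customer_id"] in ids for o in orders)


def leaks_original_pii(original, deidentified):
    """Review check: does any original name, SSN or e-mail survive in the copy?"""
    sensitive = {v for c in original for v in (c["name"], c["ssn"], c["email"])}
    return any(sensitive & {c["name"], c["ssn"], c["email"]} for c in deidentified)


if __name__ == "__main__":
    test_customers, test_orders = deidentify(CUSTOMERS, ORDERS, PSEUDONYM_KEY, seed=7)
    for row in test_customers + test_orders:
        print(row)
    print("integrity ok:", referential_integrity_ok(test_customers, test_orders))
    print("leaks PII:", leaks_original_pii(CUSTOMERS, test_customers))
```

Note that mixing a column in a table this small can leave a value on its original row; on real volumes, combine mixing with replacement of the direct identifiers, as the script does, rather than relying on it alone.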

However, there are many data de-identification solutions and vendors out there, just a few of which include:

I am not endorsing any of these, but provide them to give you an idea of the wide range of automated products available. 

OMB Issues Recommendations for Laptop and “Sensitive Agency Information” Security

Monday, July 3rd, 2006

I’m just getting around to reading the memo issued largely in response to the VA laptop and hard drive incident by the Office of Management and Budget (OMB) on June 23, 2006, "Protection of Sensitive Agency Information."  This is a good document to serve as a model for other agencies and organizations for protecting personally identifiable information (PII) and other sensitive information.  The key to making this document effective will be good communication of the policies, procedures and requirements through ongoing awareness and training.

Let’s look at a few of the items within this memo, issued by Clay Johnson III, Deputy Director for Management:

"I am recommending all departments and agencies take the following actions:

  1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing;
  2. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;
  3. Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity; and
  4. Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required."

Why just make these recommendations?  Why not make them requirements?  This is weak wording and seems to allow for agencies to not follow these security requirements at their discretion.

Hopefully the OMB has documented what constitutes sensitive and non-sensitive information.  Otherwise recommendation #1 is also subjective and a weak statement to make…open again to interpretation.  They should provide a documented definition of what is considered sensitive and non-sensitive information…perhaps this is in their documented data classification policy, if they have one.

Requiring two-factor authentication from remote locations is a good security measure.  All organizations would be wise to implement this if they allow remote users access to confidential network information or PII, or if those users keep PII and/or confidential information on their remote computers.

Requiring reauthentication after a short period of inactivity is a good idea for any computer with access to or containing your organization’s data.  Less time than 30 minutes of inactivity would be better.

Logging data access is always a good idea also.
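Recommendation #4 is the one most easily left to drift, so here is an added example (my own illustration, not anything from the OMB memo or NIST) of the register an agency would keep behind it: each extract of sensitive data is logged, and a review run flags any extract that, after 90 days, has neither been confirmed erased nor verified as still required. The register entries and the review date are constructed, and the script assumes that a "still required" verification restarts the 90-day clock from the date it was recorded.

```python
from datetime import date, timedelta

# The memo's item 4: every extract of sensitive data must be erased within 90
# days unless its use is verified as still required.
REVIEW_WINDOW = timedelta(days=90)

# Constructed extract register (sample entries, not real agency data).
# erased_on: date erasure was confirmed, or None.
# still_required_on: date a supervisor last verified the extract is still needed, or None.
REGISTER = [
    {"extract_id": "X-001", "source": "benefits_db", "extracted_by": "analyst1",
     "extracted_on": date(2006, 3, 1), "sensitive": True,
     "erased_on": date(2006, 4, 15), "still_required_on": None},
    {"extract_id": "X-002", "source": "benefits_db", "extracted_by": "analyst2",
     "extracted_on": date(2006, 1, 10), "sensitive": True,
     "erased_on": None, "still_required_on": date(2006, 5, 20)},
    {"extract_id": "X-003", "source": "claims_db", "extracted_by": "analyst1",
     "extracted_on": date(2006, 2, 1), "sensitive": True,
     "erased_on": None, "still_required_on": None},
    {"extract_id": "X-004", "source": "facilities_db", "extracted_by": "analyst3",
     "extracted_on": date(2006, 2, 1), "sensitive": False,
     "erased_on": None, "still_required_on": None},
    {"extract_id": "X-005", "source": "claims_db", "extracted_by": "analyst2",
     "extracted_on": date(2006, 6, 20), "sensitive": True,
     "erased_on": None, "still_required_on": None},
    {"extract_id": "X-006", "source": "benefits_db", "extracted_by": "analyst3",
     "extracted_on": date(2006, 1, 5), "sensitive": True,
     "erased_on": None, "still_required_on": date(2006, 2, 1)},
    {"extract_id": "X-007", "source": "claims_db", "extracted_by": "analyst1",
     "extracted_on": date(2006, 1, 1), "sensitive": True,
     "erased_on": date(2006, 5, 1), "still_required_on": None},
]

REVIEW_DATE = date(2006, 7, 3)  # date of the review run (constructed)


def extract_status(entry, today):
    """Classify one register entry as of `today`.

    Assumption made here (the memo does not say): a "still required"
    verification restarts the 90-day clock from the date it was recorded, so a
    retained extract has to be re-verified at least every 90 days."""
    if not entry["sensitive"]:
        return "not-sensitive"            # out of scope for item 4
    extracted, erased = entry["extracted_on"], entry["erased_on"]
    if erased is not None:
        return "erased" if erased - extracted <= REVIEW_WINDOW else "erased-late"
    verified = entry["still_required_on"]
    if verified is not None and verified <= today and today - verified <= REVIEW_WINDOW:
        return "retained-verified"
    if today - extracted <= REVIEW_WINDOW:
        return "pending"                  # still inside the first 90 days
    return "OVERDUE"                      # neither erased nor currently verified


def overdue_extracts(register, today):
    """Extract ids needing action now: no erasure and no current verification."""
    return sorted(e["extract_id"] for e in register
                  if extract_status(e, today) == "OVERDUE")


def status_counts(register, today):
    """Summary line for the review report: how many extracts in each state."""
    counts = {}
    for e in register:
        status = extract_status(e, today)
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    for e in REGISTER:
        print(e["extract_id"], e["extracted_by"], extract_status(e, REVIEW_DATE))
    print("overdue:", overdue_extracts(REGISTER, REVIEW_DATE))
    print(status_counts(REGISTER, REVIEW_DATE))
```

The "erased-late" state is worth reporting separately: the extract is gone, but the 90-day control was missed, which is exactly what an auditor will ask about.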

It will be good to see the agencies issue these recommendations, with stronger statements, as requirements within each of their agencies and offices.

"Please ensure these safeguards have been reviewed and are in place within the next 45 days."

Well, this is a stronger statement…it sounds more like a requirement.  However, it’s likely the actual solutions (such as 2-factor authentication and encryption solutions) cannot be realistically implemented within 45 days…unless these initiatives are already in progress.  This is optimistic, although with good intention, and probably being stated in this way to help address the backlash from recent incidents.  All agencies should be able to have an implementation plan in place fairly quickly, though, showing an implementation timeline for each of the requirements.

The National Institute of Standards and Technology (NIST) checklist for protection of remote information is attached to the memo.  Again, this really is a great model to use for your own remote information asset protection plan.  I really like that they included the flowchart showing the process; visually providing the flow of procedures always helps those responsible for implementing them better understand what is involved, and how to do it correctly.

There are many references to NIST documents within the memo attachment.  I encourage organizations to visit the NIST special publications site to take advantage of this great repository of information security guidance.

Red Cross Laptops Stolen: Finally, Laptops That Used Encryption!

Sunday, July 2nd, 2006

Yesterday the Dallas Morning News reported "Three laptops, one of them containing personal information on thousands of blood donors – including Social Security numbers and medical histories – were stolen from a locked closet in the Farmers Branch office of the American Red Cross in May."

It is good to read that this data was encrypted.  The report indicates the information could be decrypted with a password, though, so hopefully they had a strong password in effect.  Effective and successful security all comes down to human decisions and actions, as do most information security issues. If the password was a good one, the data was probably safe…assuming it was not an insider with knowledge of the password who took the laptops.

BTW, the laptops were recovered. 

VA Secretary Reports Stolen VA Computer and Disk Found

Thursday, June 29th, 2006

Computerworld just reported the stolen VA computer and disk have been recovered.

"A missing laptop and hard disk containing personal data on over 26.5 million veterans has been recovered, Department of Veterans Affairs (VA) Secretary Jim Nicholson announced this morning.

"The investigation continues to see whether or not this information has been compromised in any way," or whether copies of the data have been made, Nicholson said just before a scheduled hearing before the House Commitee on Veterans Affairs."

I did not see any press release about it on the official VA info website however…hopefully they will post something soon.

More on this later…I want to see what the official VA press release says about this…and of course how the situation develops and impacts the credit monitoring promises…and what forensics will be done on the recovered computer and disk…etc…

ANSI and CBBB Announce Plans to Create Standards for ID Theft Prevention & ID Management

Tuesday, June 27th, 2006

Yesterday (6/26) a Market Wire news story reported ANSI was partnering with the Council of Better Business Bureaus (CBBB) to establish a new standards panel to address identity theft prevention and identity management standards. 

This is a good proactive move; if a comprehensive federal law cannot (or will not) be created to address data protection and privacy in a way that provides good guidance and data protection requirements for all types of businesses, then it makes sense that non-profit organizations step up to grab the bull by the horns and provide sound guidance…actionable standards for businesses to use to demonstrate due care while also protecting information using realistic means.  That is my hope for such standards, anyway.  (I’m optimistic)

This partnership was actually announced by ANSI on 6/23.  The following is an excerpt:

"The prospective panel would serve to identify existing published standards (and those in development) as they pertain to identity theft protection as well as identify areas of need where updated or newly developed standards would further minimize the threat of identity theft or enhance identity management.

Standards pertinent to the panel’s work may cover areas such as:

  • Protocols for managing sensitive customer data — Access, management, storage, and disposal;
  • Employment records management, storage, access and disposal;
  • Employee qualifications and training to handle sensitive data;
  • Criteria for selecting contractors who use or maintain organizational data;
  • Remedies to quickly recapture and restore the integrity of stolen identities or other personally-identifiable information;
  • The possible utility of universal identifiers as a tool to combat identity theft and fraud;
  • Protocols to anticipate new identity theft tactics as the marketplace continues to evolve."

Well, this list isn’t definitive; notice the news release indicated the "work may cover" these areas. 

Some of the items in the list are also noble, but lofty, goals…particularly the last three listed.  However, it is good that these issues will be addressed by organizations that will hopefully have people involved with the project who are knowledgeable in information security, privacy and realistic business practices.

I’ll monitor activity and see where the initiative goes…hopefully it will be a vast improvement!

Microsoft Making Their Internal Privacy Standards Public in August

Monday, June 26th, 2006

Yesterday ZDNet published a story, "Microsoft to publish its privacy rules."

"Microsoft plans in August to publicly release the privacy rules its employees have to follow when developing products.  The move, which offers a look behind the scenes at Microsoft, is meant to give the industry an example of what the software giant sees as best practices in customer privacy, said Peter Cullen, the chief privacy strategist at Microsoft."

Indeed, most organizations need help with creating privacy standards.  Privacy is a relatively new concept within organizations, and most still view it solely as a legal issue.  It is so much more.

Privacy, in addition to information security, must be built into all business processes, from the beginning of the planning stage all the way through to the retirement of a process.  Privacy policies, procedures and standards must be created to ensure consistent privacy implementation throughout all levels and areas of the enterprise.  Most organizations do not have privacy policies (beyond just their posted website privacy statement), let alone privacy procedures and standards.  If Microsoft has good standards to use as a model, then I applaud their efforts.

"This is designed for an IT pro or a developer, in terms of: ‘If you’re building an application that does X, this is what we think should be built,’" he said. "The public document will use a lot of ‘shoulds.’ Inside Microsoft, those are ‘musts.’"

This could be a fantastic document to help CISOs and CPOs partner to provide guidance to IT areas in creating standards for programmers and developers.  It would also be a good start in leading the privacy standards development efforts for the rest of any enterprise.  So many areas have access to personally identifiable information (PII) and communicate directly with customers, consumers and employees that it is critical they know how the PII must be protected, and how communications must occur so that they release PII consistently and do not end up being socially engineered into revealing it.  This requires more than high-level policy statements (which are certainly necessary); it also requires detailed procedures specific to business services and products, and standards to ensure consistent application across the enterprise.

This is also a good example to set for other vendors who need to be addressing privacy within their own products.  Perhaps Microsoft should challenge the other technology giants to also make their privacy standards public…I wonder how many of them actually even have such documents?

I’m not saying that Microsoft is perfect in their information security and privacy practices…no company is…they can definitely improve in places.  However, it is admirable that they are willing to open themselves up to such scrutiny; will others follow suit?

Security Incidents Inundating the News Today

Saturday, June 24th, 2006

When checking the news this morning I felt like I was in the Twilight Zone; it seemed that the news of information security incidents just kept popping up, one right after the other. 

I envisioned a TZ episode, perhaps entitled, "Data Wants To Be Free," with the plotline:  Overnight all the personal data for every business in North America and the EU (yes, this needs to be an international story) has been stolen…every hard drive, every storage device and every laptop computer…CISOs and CPOs anguish about what to do while copies of everyone’s personal data that were on these devices continue to be mysteriously posted to thousands…no, make that millions…of Internet sites…the major credit reporting agencies increase their computing power to accommodate credit monitoring for basically all the U.S.’s…and rest of the world’s…population…the public panics and jams the credit card companies phone lines with requests to cancel their accounts and establish new ones…   Okay, I’ll stop with the silly storyline…but is it really so far-fetched?  🙂 

Back to the real (and in many ways equally as scary) news…

Here are the first eight incident stories that leaped out at me this morning; I found many more after these, most in smaller venues, but I think this listing demonstrates how information security and cybercrime really seem to be out of control with data virtually flying out of businesses and going to who-knows-where every day.

  1. Tops employees’ personal data stolen (Buffalo News) – For the second time in a month, a laptop computer containing personal information on Tops Markets employees has been lost, the supermarket’s parent company said Friday. The computer was stolen from a Deloitte Accountants employee during a commercial airline flight, said a spokesman for Dutch supermarket company Royal Ahold NV. Neither Ahold nor Deloitte would say when or where the laptop was stolen, how many supermarket employees are affected or exactly what personal information is at risk.
  2. Navy finds sailors’ private info on Web: Latest in string of security gaps affects 28,000 (San Francisco Chronicle) – Navy officials this week discovered that personal data for nearly 28,000 sailors and family members appeared on a public Web site, fueling more concerns about the security of sensitive information belonging to federal employees.
  3. City Hall break-in puts thousands at risk (Hattiesburg American) – Thieves who broke into Hattiesburg City Hall made off with more than $150,000 in computer equipment, including four computer servers that contained personal information of at least 23,000 city residents and employees.  Sometime late Thursday or early Friday, two unidentified men broke out a window on the southeast side of the building to gain entry into the basement level. There they shattered the door of the information technology department and took the computer equipment, Hattiesburg Police Chief David Wynn said Friday.
  4. Stop & Shop employees’ data stolen (Worcester Telegram) – A laptop computer containing personal information of current and former employees of supermarket chains Stop & Shop, Giant and Tops was stolen during a commercial flight, the supermarkets’ parent company said yesterday. It was the second such incident disclosed by the company this month.  The U.S. subsidiary of Dutch parent company Royal Ahold and an auditor whose employee had the computer would not say when the laptop was stolen, how many supermarket employees were affected or describe what personal information had been divulged.
  5. 619 students’ secure data revealed online (Bradenton Herald Today) – A number of Catawba County high school students received an unwanted adult-world graduation present: Their Social Security numbers were exposed on the Web.  The mother of a graduate found the numbers along with test scores of 619 students on a school Web site this week. She found the page while looking on Google for information about a beauty pageant contestant.  Catawba County Schools officials said the page was password protected and they had no idea how Google got access. Google was working to remove the page Friday night.
  6. Identity data stolen along with laptop (Roanoke) – A laptop containing the personal information of more than 200 people was stolen from a Roanoke-based staff attorney for the federal Social Security Administration.  The computer contained the names, Social Security numbers and, in some cases, medical information of the 228 people whose records may have been compromised, said Mark Lassiter, a spokesman for the Social Security Administration.
  7. Thief steals Bank of the Orient ID data (Pacific Business News) – An estimated 28,000 consumers of Bank of the Orient are potentially at risk for identity theft after a robbery at a branch in Los Angeles, the company said Friday. The San Francisco-based bank, which has two branches in Honolulu, said magnetic tapes containing customers’ names and Social Security numbers were stolen during the heist.
  8. STOLEN LAPTOP CONTAINED STUDENTS’ PERSONAL INFORMATION (Bay City Newswire) – A laptop stolen from a San Francisco State University faculty member’s car on June 1 contained identity information of 3,035 business students, SFSU spokeswoman Ellen Griffin said today (June 23, 2006). The university was notified of the incident on June 6 and alerted students on June 13. About 95 percent of the names on the stolen computer were alumni, but some were current students.  There is no indication that information on the laptop has been used illegally, but because it contained 2,816 social security numbers and other personal data, university officials sent a warning letter to affected students.

Irony: Two FTC Laptops Stolen From Car…An Unfair and Deceptive Business Practice?

Friday, June 23rd, 2006

Earlier this month the AICPA, proponent of good privacy programs and creator of a privacy management methodology (actually apparently built around OECD privacy principles) reported that it did not remove personally identifiable information (PII) from a hard drive they sent to an outside repair shop, and the drive was subsequently stolen.  Irony.  Someone within their organization was not following their own advice (yep, human nature…and possibly lack of awareness and training…at work).

Today it was reported that two laptops containing PII about 110 individuals were stolen from the car of an FTC employee.   More irony.

"The information includes individuals’ names, addresses, Social Security numbers, birth dates, and "in some cases, financial account numbers," the regulatory agency said this week."

"The analyst had violated a department security policy by taking home the sensitive data. The incident prompted calls for all government agencies to adhere more closely to the Federal Information Security Management Act."

It makes you wonder, will a regulatory oversight agency such as the FTC fine itself?  It appears they need to beef up their information security program.  Should they require themselves to have independent, 3rd party audits for the next 20 years?  Should they require an extensive list of information security and privacy actions to be implemented?  Well, okay…I’m being facetious…but this really is ironic…the agency that is constantly scolding businesses for lax security…WHICH IS A GOOD THING; WE NEED AGENCIES THAT UPHOLD THE LAWS AND BUSINESS PROMISES…now experiences an incident.  This is the type of situation all CISOs and CPOs have nightmares about…trying as hard as they can to have a good program, and then having a hugely publicized incident occur as a result of one person’s lack of knowledge about security, or carelessness, or whatever other excuse can be attributed.

The FTC actually did provide information about this event on their website:

"Commission Notifies Individuals of Theft

The Commission today announced it is notifying approximately 110 individuals that two FTC laptop computers, one of which contained some of their personally identifiable information, were stolen from a locked vehicle. The FTC has no reason to believe the information on the laptops, as opposed to the laptops themselves, was the target of the theft. In addition, the stolen laptops were password protected and the personal information was a very small part of several thousand files contained in one of the laptops. The personal information was gathered in law enforcement investigations and included, variously, names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers. The letters being sent to the individuals, some of whom are defendants in current and past FTC cases, explain the type of information about that individual that may have been on the laptop, and the steps the individuals should consider taking to limit their risk of identity theft. The FTC will offer these individuals one year of free credit monitoring.

The FTC’s Inspector General has been notified and is investigating the theft. The local police department, as well as appropriate federal law enforcement agencies, including the Department of Homeland Security and the Federal Bureau of Investigation, also have been notified."

Well, their information within the message certainly is lacking…they are using statements similar to the ones that they have scolded other organizations for using…such as, "In addition, the stolen laptops were password protected and the personal information was a very small part of several thousand files contained in one of the laptops."  Come on, now…it would have been much more effective to just say, look, we made a mistake.  We should have ensured all the PII on our mobile computing devices were encrypted.  We were silly not to.

The fact there were "several thousand files" contained on the laptops is pretty much irrelevant; it takes just a few seconds to a few minutes to do a search using the native OS utilities to find data within any of hundreds of thousands of files.

Most of the individuals whose PII were compromised were defendants in current cases.  What would REALLY be ironic is if they were defendants in laptop theft cases!  🙂

Virginia Law Gives All Higher Education Student Names, Birthdates and SSNs to State Police

Thursday, June 22nd, 2006

A friend of mine (thanks Barry!) pointed out an interesting article from a couple of days ago that reported a new Virginia law will go into effect July 1 requiring all public and private colleges and universities to submit student names, birthdates and social security numbers (SSNs) to state police to cross-check against sex offender registries.

Hmm…interesting and disconcerting article…let’s see more about the law…

It appears the law, known as HB 984, Sex Offender and Crimes Against Minors Registry, was actually signed by Governor Kaine on April 24 and covers a very wide range of actions to identify and catch sexual predators in an effort to keep children safe, and I applaud such efforts when they are well considered and thoughtfully framed.

However, it appears in the quest to catch all these disgusting monsters, the zealousness of the law writers went beyond just accumulating known offenders, and even likely offenders, and cast a net lumping a large group of individuals who have absolutely no characteristics of being sexual predators, but are merely a targeted stratum of the population…those attending institutions of higher education.  Within all the text outlining the characteristics and requirements for known sexual criminals, the following text is curiously dropped:

"¬ß 23-2.2:1.  Reporting of student information to Sex Offender and Crimes Against Minor Registry.

Each public and private two- and four-year institution of higher education physically located in the Commonwealth shall electronically transmit data including (i) complete name, (ii) social security number or other identifying number, (iii) date of birth, and (iv) gender to the Department of State Police, in a format approved by the State Police, for comparison with information contained in the Virginia Criminal Information Network and National Crime Information Center Convicted Sexual Offender Registry File, for all applicants that are offered acceptance to attend the institution. This data shall be transmitted before such time that an applicant becomes a "student in attendance" pursuant to 20 U.S.C. 1232g(a)(6) at that institution. However, institutions with a rolling or instantaneous admissions policy shall report enrollment in accordance with guidelines developed by the Department of State Police in consultation with the State Council of Higher Education and the Virginia Community College System. Such guidelines shall be developed no later than January 1, 2007.

Whenever it appears from the records of the State Police that a person has failed to comply with the duty to register or reregister pursuant to Chapter 9 (§9.1-900 et seq.) of Title 9.1, the State Police shall promptly investigate and, if there is probable cause to believe a violation has occurred, obtain a warrant or assist in obtaining an indictment charging a violation of § 18.2-472.1 in the jurisdiction in which the person was enrolled with the educational institution."

So individuals who are pursuing a college education in Virginia now by default have all their personal information combined with all the known sex offenders and criminals? The intent is certainly noble, but what kind of precedent does this set for collecting the personal information of individuals from basically any other population stratum?  And where will this information about all the students be stored?  How will access to it be protected?  How long will it be retained?  Will it be combined within the databases of known sexual predators?  And what will prevent this personal data from being used for other purposes?

I am all for catching criminals and the horrible monsters who shatter childhoods.  No one wants to see these disgusting poor substitutes for human beings be locked away with the key thrown away more than I.  However, incorporating the personal information of innocent individuals who happen to be pursuing higher education into a database with these animals is not the right thing to do.

Noble intentions are good.  However, lawmakers really need to consider the negative impacts their good and noble intentions, and poorly written laws, have upon innocent people.

Lessons Learned: Don’t Blindly Trust Your Business Partners; the FTC Still Holds You Accountable

Wednesday, June 21st, 2006

Today the FTC released news that Executive Financial Home Loan Corp. was given a $1.1 million fine, reduced to $50,000 because of "inability to pay", for using the Do-Not-Call list to call "tens of thousands of consumers who are on the National Do Not Call (DNC) Registry for telemarketers and for failing to pay the annual fee required to access the DNC Registry. In addition, the company and its officers are permanently barred from violating the DNC provisions of the Telemarketing Sales Rule (TSR) and from making illegal telemarketing calls in the future." 

Executive Financial Home Loan Corp. claimed they purchased lead lists that they had been assured were not on the list.  However, the FTC indicated that even when an organization purchases such lists, “The bottom line is that telemarketers are responsible for complying with the Do Not Call provisions of the Telemarketing Sales Rule, and cannot hide behind the claims of their service providers."

I have spoken with many organizations, and most depend upon the claims of their business partners about such situations, and do not go the step further to ensure the lists purchased truly do consist of consumers who have given their permission to use their personal information for marketing.

This is a good example, and lesson, for the need for organizations to perform due diligence activities to validate the customer lists they are purchasing actually do consist of valid, legal, information.  If they don’t, not only could they face a fine and accompanying consent orders, but they may face even more damaging negative publicity…and significant lost customers and revenue…as a result.  Never underestimate the impact of bad PR.  Go the step further and validate the legality of any customer/marketing lists you purchase.

The FTC also indicated that the Executive Financial Home Loan Corp. did not "pay the required fees to gain access to the phone numbers in the Registry itself."  I wrote about another situation where the FTC took action against a telemarketer that was inappropriately using the Do-Not-Call list for marketing and did not pay the required fees to get access to the Registry.  How do these organizations get access to the Registry without paying the fee?  Hmm…another topic to explore…

Learn from these experiences of others.

It is good to see the FTC is taking actions to enforce the laws that they are responsible for overseeing; it is the only way in which the laws will be effective.  The Department of Health and Human Services should take note and consider being more proactive for the HIPAA rules that are so limp and ineffective without active enforcement.
