BreachExchange mailing list archives
Breach Prevention: Eight Key Steps
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 16 Sep 2013 05:20:31 -0700 (PDT)
http://www.databreachtoday.com/blogs/breach-prevention-eight-key-steps-p-1534

Breaches are expensive, embarrassing and invite additional scrutiny from regulators and consumers alike. By taking some fundamental measures, you can help protect private information and lessen the impact of breaches when they occur. Here are eight key steps drawn from my experience managing breach prevention and response:

1. Collect Less Data. Most U.S. business models support collecting all of the data that consumers are willing to provide. Often organizations collect data without the consumers' knowledge (e.g., online mortgage calculators). Challenge the business rationale for collecting all of this data.

2. Retain Less Data. The cost of retaining data is often not considered; business executives assume data storage is cheap. But keep in mind the costs go beyond storage and include backup, data security and breach resolution. Implement a retention policy that supports the business objectives, but uses sound logic to limit the duration for which data is retained. Then put a program in place to adhere to the retention periods.

3. Create a Data Inventory. Ask your information technology team where your sensitive data resides, and they will likely hand you a network diagram. Ask your business team, and they may launch their CRM application. Your marketing team might pull out locally saved Excel files. By maintaining a current business data flow diagram, you might catch outflows to vendors, USB drives and printed reports. So create and maintain a data inventory with business process data flow.

4. Adopt an Access Control Model. System access needs to be more granular to support the "business need to know" philosophy. Your local bank teller needs to be able to access information about any client that walks up to her teller line. That is a business need, and, therefore, tellers are credentialed to view all customers' data. However, during slow times, the teller should not be accessing the records of family members, neighbors or celebrities out of curiosity. A legitimate business need must be established. So granular access control and proper monitoring are prudent measures for properly protecting information.

5. Adopt a Vendor Management Program. Many organizations use vendors to process large quantities of their most sensitive data. Make sure they have proper controls in place by adopting a vendor management program. Such a program uses a risk-based model to provide incremental due diligence when appropriate. For example, a vendor that processes W-2 forms with Social Security numbers would be held to a higher standard than the lawn care service provider. And don't forget to verify they properly destroy the data when the relationship ends.

6. Limit Data Mobility. Sensitive data is showing up on a wide range of mobile devices, including USB drives, CD-ROM burners, portable hard drives, laptops and smartphones. Reduce the risk of a breach by limiting the amount of data that is permitted to be copied to mobile devices and also by requiring encryption.

7. Be Careful When Testing Systems. IT invests in expensive data protection technology for use in the production environment. But too often, a development team makes a copy of production data and uses it in a test system with little or no controls. Make sure your development team uses fake data for testing.

8. Build an Incident Response Program. OK, statistically speaking, your business is experiencing breaches every year. If you have an immature security program, those incidents probably aren't being reported - or at least not through the right channels. So build an incident response program that channels breaches into a queue where they can be recorded, managed and remediated in a timely manner. If you do not have an IRP, build one now and test it annually.
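The "proper monitoring" that step 4 pairs with granular access control can be made concrete. The following is an added example, not part of the original post or the author's program: it takes a constructed audit trail of customer record views and a constructed transaction journal of completed teller interactions, and flags any view that has no matching interaction by the same teller for the same customer within a time window, or that touches an account on a restricted list (the page's "celebrities" case). The teller IDs, customer IDs, timestamps, the 15-minute window and the restricted set are all constructed assumptions.

```python
"""Curiosity-browsing detection over teller record-view audit logs.

Added example (not from the original post). It assumes two constructed
log sources: an audit trail of customer record views and a journal of
completed teller interactions. A view is unexplained when no interaction
by the same teller with the same customer occurs within WINDOW of it;
views of restricted accounts are flagged regardless.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: a record view more than 15 minutes from any interaction is unexplained.
WINDOW = timedelta(minutes=15)


@dataclass(frozen=True)
class RecordView:
    teller: str
    customer: str
    at: datetime


@dataclass(frozen=True)
class Interaction:
    teller: str
    customer: str
    at: datetime


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data (not real audit records).
VIEWS = [
    RecordView("t101", "c5001", ts("2013-09-16T09:02:00")),  # served at 09:05: explained
    RecordView("t101", "c5002", ts("2013-09-16T09:40:00")),  # served at 09:41: explained
    RecordView("t101", "c9001", ts("2013-09-16T11:15:00")),  # no interaction, restricted account
    RecordView("t102", "c5003", ts("2013-09-16T13:00:00")),  # c5003 was served by t101, not t102
    RecordView("t102", "c5004", ts("2013-09-16T14:10:00")),  # no interaction at all
]
INTERACTIONS = [
    Interaction("t101", "c5001", ts("2013-09-16T09:05:00")),
    Interaction("t101", "c5002", ts("2013-09-16T09:41:00")),
    Interaction("t101", "c5003", ts("2013-09-16T13:02:00")),
]
# Constructed: accounts marked high-profile / restricted by the business.
RESTRICTED = {"c9001"}


def find_unexplained_views(views, interactions, restricted, window=WINDOW):
    """Return (teller, customer, iso_time, reasons) for every view needing review."""
    by_pair: dict[tuple[str, str], list[datetime]] = {}
    for i in interactions:
        by_pair.setdefault((i.teller, i.customer), []).append(i.at)

    alerts = []
    for v in views:
        reasons = []
        times = by_pair.get((v.teller, v.customer), [])
        # Business need: the same teller served this customer close to the view time.
        if not any(abs(t - v.at) <= window for t in times):
            reasons.append("no-interaction")
        if v.customer in restricted:
            reasons.append("restricted-account")
        if reasons:
            alerts.append((v.teller, v.customer, v.at.isoformat(), tuple(reasons)))
    return alerts


def summarize_by_teller(alerts):
    """Count alerts per teller so repeat offenders surface first."""
    counts: dict[str, int] = {}
    for teller, *_ in alerts:
        counts[teller] = counts.get(teller, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_unexplained_views(VIEWS, INTERACTIONS, RESTRICTED)
    for alert in found:
        print(alert)
    print(summarize_by_teller(found))
```

In a real deployment the interaction journal would be the core banking transaction log and the restricted set would come from the business (employee accounts, public figures); the point is that an alert is generated from the absence of a business reason, which is what "a legitimate business need must be established" means operationally.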
Taking these precautions will significantly limit risks and associated costs - both monetary and brand equity. But most important, it's the right thing to do to protect consumers.
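Step 7 says the development team should use fake data rather than a copy of production. One way to produce such data while keeping the shape and referential integrity a test system needs is shown below. This is an added example, not the original post's or the author's tooling: it takes a constructed sample of production-shaped records and emits synthetic rows in which identifiers are replaced by keyed pseudonyms (so the same customer maps to the same test ID across tables), Social Security numbers are replaced with values in the never-assigned 000 area, and free-text fields are replaced outright. The masking key, field names and sample rows are all assumptions.

```python
"""Synthetic test data from production-shaped records (added example).

Assumptions: records are dicts with customer_id, name, ssn, balance_cents
and email; MASK_KEY is a per-environment secret that never leaves the
masking job. Pseudonyms are keyed HMACs so the mapping is consistent
across tables but cannot be reversed without the key.
"""
import hashlib
import hmac

MASK_KEY = b"constructed-demo-key-rotate-per-environment"  # assumption, not a real key


def pseudonym(value: str, key: bytes = MASK_KEY, digits: int = 8) -> int:
    """Deterministic numeric pseudonym of `value` with the given digit count."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % 10**digits


def synthetic_ssn(seed_value: str, key: bytes = MASK_KEY) -> str:
    """SSN-shaped value in area 000, which the SSA never assigns, so it can
    never collide with a real number."""
    n = pseudonym(seed_value, key, digits=6)
    return f"000-{n // 10000:02d}-{n % 10000:04d}"


def mask_records(records, key: bytes = MASK_KEY):
    """Return synthetic rows with the same schema as `records`."""
    out = []
    for r in records:
        cid = f"C{pseudonym(r['customer_id'], key):08d}"
        out.append({
            "customer_id": cid,
            "name": f"Test Customer {cid}",
            "ssn": synthetic_ssn(r["customer_id"], key),
            # Keep the magnitude realistic for the app but drop the exact figure.
            "balance_cents": round(r["balance_cents"], -3),
            "email": f"{cid.lower()}@example.invalid",
        })
    return out


def leaks_production_values(original, masked) -> bool:
    """Sanity check run before a dataset leaves the masking job: no original
    name, SSN or email may survive into the test copy."""
    sensitive = {r["name"] for r in original} | {r["ssn"] for r in original} \
        | {r["email"] for r in original}
    return any(v in sensitive for m in masked for v in m.values() if isinstance(v, str))


# Constructed sample of production-shaped rows (fictional people and numbers).
PROD_SAMPLE = [
    {"customer_id": "c5001", "name": "Alice Example", "ssn": "123-45-6789",
     "balance_cents": 1234567, "email": "alice@example.com"},
    {"customer_id": "c5002", "name": "Bob Example", "ssn": "987-65-4321",
     "balance_cents": 250, "email": "bob@example.com"},
]

if __name__ == "__main__":
    for row in mask_records(PROD_SAMPLE):
        print(row)
    print("leak check:", leaks_production_values(PROD_SAMPLE, mask_records(PROD_SAMPLE)))
```

The leak check is the part worth wiring into the pipeline: a masking job that silently passes production fields through is exactly the "little or no controls" situation the step warns about.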
Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/