BreachExchange mailing list archives

Breach Prevention: Eight Key Steps


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 16 Sep 2013 05:20:31 -0700 (PDT)

http://www.databreachtoday.com/blogs/breach-prevention-eight-key-steps-p-1534

Breaches are expensive, embarrassing and entice additional scrutiny from 
regulators and consumers alike. By taking some fundamental measures, you 
can help protect private information and lessen the impact of breaches when 
they occur.

Here are eight key steps drawn from my experience managing breach 
prevention and response:

1. Collect Less Data.

Most U.S. business models support collecting all of the data that consumers 
are willing to provide. Often organizations collect data without the 
consumers' knowledge (e.g., online mortgage calculators). Challenge the 
business rationale for collecting all of this data.

2. Retain Less Data.

The cost of retaining data is often not considered; business executives 
assume data storage is cheap. But keep in mind the costs go beyond storage 
and include backup, data security and breach resolution. Implement a 
retention policy that supports the business objectives but uses sound 
logic to limit how long data is retained. Then put a program in place to 
adhere to the retention periods.

3. Create a Data Inventory.

Ask your information technology team where your sensitive data resides, and 
they will likely hand you a network diagram. Ask your business team, and 
they may launch their CRM application. Your marketing team might pull out 
locally saved Excel files. By maintaining a current business data flow 
diagram, you might catch outflows to vendors, USB drives and printed 
reports. So create and maintain a data inventory with business process data 
flow.

4. Adopt an Access Control Model.

System access needs to be more granular to support the "business need to 
know" philosophy. Your local bank teller needs to be able to access 
information about any client that walks up to her teller line. That is a 
business need, and, therefore, tellers are credentialed to view all 
customers' data. However, during slow times, the teller should not be 
accessing the records of family members, neighbors or celebrities out of 
curiosity. A legitimate business need must be established. So granular 
access control and proper monitoring are prudent measures for properly 
protecting information.

5. Adopt a Vendor Management Program.

Many organizations use vendors to process large quantities of their most 
sensitive data. Make sure they have proper controls in place by adopting a 
vendor management program. Such a program uses a risk-based model to 
provide incremental due diligence when appropriate. For example, a vendor 
that processes W2 forms with Social Security numbers would be held to a 
higher standard than the lawn care service providers. And don't forget to 
verify they properly destroy the data when the relationship ends.

6. Limit Data Mobility.

Sensitive data is showing up on a wide range of mobile devices, including 
USB drives, CD-ROM burners, portable hard drives, laptops and smartphones. 
Reduce the risk of a breach by limiting the amount of data that is 
permitted to be copied to mobile devices and also by requiring encryption.

7. Be Careful When Testing Systems.

IT invests in expensive data protection technology for use in the 
production environment. But too often, a development team makes a copy of 
production data and uses it in a test system with little or no controls. 
Make sure your development team uses fake data for testing.
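"Fake data" does not have to mean hand-written fixtures; a keyed masking pass over a production extract keeps referential integrity (the same real SSN always maps to the same fake SSN) while leaving no real identifier in the test system. This is an added example, not code from the article; the row layout, the masking key and the fake-name pool are constructed, and the HMAC-based tokenization is a technique chosen here, not one the article prescribes.

```python
import hashlib
import hmac

# Assumed: a secret kept outside the test environment; constructed placeholder value here.
MASKING_KEY = b"constructed-demo-key-keep-out-of-test-env"
FAKE_FIRST_NAMES = ["Alex", "Jordan", "Sam", "Taylor", "Morgan", "Casey", "Riley", "Drew"]

# Constructed sample payroll rows, not real W-2 data.
PRODUCTION_ROWS = [
    {"employee_id": 1, "name": "Jane Doe", "ssn": "123-45-6789", "email": "jane@example.com"},
    {"employee_id": 2, "name": "John Roe", "ssn": "987-65-4321", "email": "john@example.com"},
    {"employee_id": 3, "name": "Jane Doe", "ssn": "123-45-6789", "email": "jane2@example.com"},
]


def _digest(value: str) -> bytes:
    # Keyed hash: without MASKING_KEY a tester cannot reverse or even brute-force the mapping.
    return hmac.new(MASKING_KEY, value.encode("utf-8"), hashlib.sha256).digest()


def fake_ssn(real_ssn: str) -> str:
    """Deterministic, format-preserving replacement. The area number is forced to 000,
    which is never issued, so a masked value can never collide with a real SSN."""
    digits = "".join(str(b % 10) for b in _digest(real_ssn)[:6])
    return f"000-{digits[:2]}-{digits[2:]}"


def fake_name(real_name: str) -> str:
    d = _digest(real_name)
    return f"{FAKE_FIRST_NAMES[d[0] % len(FAKE_FIRST_NAMES)]} Employee{d[1]:03d}"


def mask_row(row: dict) -> dict:
    """Return a copy of the row with every direct identifier replaced; non-sensitive
    columns such as employee_id are kept so joins in the test database still work."""
    masked = dict(row)
    masked["ssn"] = fake_ssn(row["ssn"])
    masked["name"] = fake_name(row["name"])
    masked["email"] = f"user{row['employee_id']}@test.invalid"  # RFC 2606 reserved TLD
    return masked


def mask_rows(rows) -> list:
    return [mask_row(r) for r in rows]


if __name__ == "__main__":
    for r in mask_rows(PRODUCTION_ROWS):
        print(r)
```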

8. Build an Incident Response Program.

OK, statistically speaking, your business is experiencing breaches every 
year. If you have an immature security program, those incidents probably 
aren't being reported - or at least not through the right channels. So 
build an incident response program that channels breaches into a queue 
where they can be recorded, managed and remediated in a timely manner. If 
you do not have an IRP, build one now and test it annually.

Taking these precautions will significantly limit risks and the associated 
costs, both monetary and in brand equity. But most important, it's the right 
thing to do to protect consumers.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

