BreachExchange mailing list archives

The Football Approach to Tackling Data Security Risks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 6 Mar 2015 14:02:19 -0700

http://www.huffingtonpost.com/tom-garrubba/the-football-approach-to-_b_6815678.html

The legendary Green Bay Packers coach Vince Lombardi was famous for his
"Gentlemen, this is a football" speech at the beginning of each season.
This return to fundamentals served his team well over the years--they won
five NFL championships, including two Super Bowls.

Businesses need the same back-to-basics approach when managing security
risks to their data. This may seem counter-intuitive given the
sophisticated nature of threats surrounding us -- nations are hacking
nations and corporations are hacking corporations. Data breaches are
everywhere as evidenced by the numerous financial and retail breaches that
have occurred over the past two years and security experts predict a
similar trend for healthcare in 2015.

Regulators are seeking assurance that proper security controls are in place
both inside an organization and among its vendors. For instance, the Office
of the Comptroller of the Currency (OCC) in its bulletin OCC 2013-29 has
told the financial institution boards of directors that they are
responsible for identifying critical vendors and validating their data
protection measures. It comes down to this: either companies will police
themselves and their vendors, or the regulators will swoop in and do it for
them.

Getting Back to Basics

Despite advancing threats and regulatory scrutiny, we need to return to
what football coaches would refer to as "basic blocking and tackling" -- in
the data security world, this means instituting time-tested privacy and
security practices that, if applied correctly, will work today and into the
future. Here are my four favorite basic blocking and tackling techniques
that will serve any organization well:

1. Identify everyone in your organization who has access to your data. Yes
-- everyone. Since departments continuously share data you have to assume
anybody has or can obtain access to data at any point. The reality is that
most breaches happen inside an organization. This could be by an unhappy or
financially strapped employee looking to sell data on the dark net (i.e.,
the black market) or someone who has changed roles within the organization
and their previous access has not been removed. These users and their roles
should be reevaluated and approved periodically by appropriate management.
Employees should be continuously educated on what they are to do if they
find themselves accessing data that is not part of their job description
and understand there may be consequences for inappropriate access. Be sure
to perform reviews for all data regardless of what type of data it is.

2. Know where your data is and how it is accessed. It's easy to do this
exercise if all processing and storage is done in-house, but this is rarely
the case. I've encountered many companies of various sizes who truly can't
account for all of the locations their data may reside and how it is
accessed. Third parties play a role in this dilemma as the location of the
data (e.g., backups, redundant sites, cloud, etc.) and how it is accessed
(say, support from personnel working from their home instead of a secured
facility) may change without the third party notifying your organization.

3. Ensure your vendors secure your data with equal or better security than
your own. Most small and many mid-size vendors still lack appropriate
levels of security across their enterprise. While a case can be argued as
to why this is so, it certainly doesn't leave you off the hook. Outsourcing
a task does not mean outsourcing the risk. With this being the case you
need to validate their controls by having an assessment performed by
qualified personnel. Furthermore, at least annually, perform analysis as to
the scope of work being performed by the vendor and evaluate if the data
elements provided are truly required for their tasks (for example, does the
vendor really need access to your customer's social security data).

4. Utilize data encryption whenever you can. Data -- especially sensitive
data -- should always be encrypted wherever it is stored. Furthermore,
sensitive data should never be unencrypted on portable devices (and yes --
that means laptops too). A good rule of thumb for reference on encryption
and portable drives is the Massachusetts state regulation 201 CMR 17.00,
entitled "Standards for the Protection of Personal Information of
Residents of the Commonwealth" (more commonly known as "Mass201" or
"CMR17" in data privacy circles), which directs data to be encrypted on any
portable device. While it may be costly for you and your vendors to do so,
the cost of not encrypting data, either through lost business, fines from
regulators, or anticipated class-action lawsuits, could be much higher.
Remember, regulators claim their right to investigate your third parties,
even if they themselves are not in a regulated industry.
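The periodic access review called for in item 1 (users whose role changed but whose old access was never removed, or who no longer work for the organization) is easy to state and easy to skip. The script below is an added example, not part of the article: it reconciles a constructed HR roster against a constructed list of access grants and produces a review list grouped by manager. The people, systems, roles and the `ROLE_BASELINE` table are hypothetical, and the review period (365 days) is an assumed policy value.

```python
"""Access review: flag grants that no longer match the HR roster.

Added example (not from the article). All names, systems, roles and
dates below are constructed; the role baseline and the 365-day
re-certification period are assumed policy values.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Person:
    user: str
    role: str       # current role according to HR
    manager: str    # who must approve or revoke this person's access
    active: bool    # False once HR has offboarded the person


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    granted_for_role: str   # role the grant was originally approved for
    approved_on: date       # date of the last approval
    data_class: str         # e.g. "PII", "PHI", "internal"


# Systems each role is expected to hold; anything else needs a justification.
ROLE_BASELINE = {
    "claims_analyst": {"claims_db"},
    "hr_partner": {"hr_system"},
    "engineer": {"build_server"},
}


def review_grants(people, grants, today, max_age_days=365):
    """Return (grant, reason) pairs for every grant that needs attention.

    Checks run in order of severity: unknown or offboarded users first,
    then role changes, then grants outside the role baseline, then
    approvals older than the review period.
    """
    roster = {p.user: p for p in people}
    findings = []
    for g in grants:
        p = roster.get(g.user)
        if p is None:
            findings.append((g, "user not on HR roster"))
        elif not p.active:
            findings.append((g, "user offboarded; revoke"))
        elif g.granted_for_role != p.role:
            findings.append((g, f"role changed {g.granted_for_role} -> {p.role}; re-approve or revoke"))
        elif g.system not in ROLE_BASELINE.get(p.role, set()):
            findings.append((g, "system outside role baseline; justify"))
        elif (today - g.approved_on).days > max_age_days:
            findings.append((g, "approval older than review period; re-certify"))
    return findings


def by_manager(people, findings):
    """Group findings by the approving manager for distribution."""
    roster = {p.user: p for p in people}
    grouped = {}
    for g, reason in findings:
        mgr = roster[g.user].manager if g.user in roster else "unassigned"
        grouped.setdefault(mgr, []).append((g, reason))
    return grouped


# Constructed sample data: a small roster and the grants currently in place.
TODAY = date(2015, 3, 6)
PEOPLE = [
    Person("alice", "claims_analyst", "carol", True),
    Person("bob", "engineer", "dave", True),        # moved from claims to engineering
    Person("erin", "hr_partner", "carol", False),   # offboarded by HR
]
GRANTS = [
    Grant("alice", "claims_db", "claims_analyst", TODAY - timedelta(days=400), "PHI"),
    Grant("bob", "claims_db", "claims_analyst", TODAY - timedelta(days=400), "PHI"),
    Grant("bob", "build_server", "engineer", TODAY - timedelta(days=10), "internal"),
    Grant("erin", "hr_system", "hr_partner", TODAY - timedelta(days=200), "PII"),
    Grant("frank", "claims_db", "claims_analyst", TODAY - timedelta(days=5), "PHI"),
    Grant("alice", "hr_system", "claims_analyst", TODAY - timedelta(days=5), "PII"),
]

if __name__ == "__main__":
    for mgr, items in by_manager(PEOPLE, review_grants(PEOPLE, GRANTS, TODAY)).items():
        print(f"Review list for {mgr}:")
        for g, reason in items:
            print(f"  {g.user:6} {g.system:13} [{g.data_class}] {reason}")
```

Of the six constructed grants only bob's current engineering access passes; the rest surface as one of the cases the article names (stale approval, role change, offboarded user, unknown user, access outside the role). Running the review on a schedule and keeping the output is what gives management and regulators the evidence that the control actually operates.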

Share your game plan with your management

Given today's threat-filled landscape, no data is ever 100 percent secure.
But by getting back to "basic blocking and tackling" by implementing simple
or even mid-level controls, you can minimize and even mitigate a high
percentage of the chances and effects of a breach. Taking such steps
consistently, and monitoring your results, will further prove to your
executive management, the board of directors, and to regulators, that you
are in lock-step with your organization's security objectives and will give
you additional leverage to focus and tackle more complex initiatives such
as addressing your cybersecurity risks.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
