By Neysha Arcelay, Precixa
You have received the letters and the calls: “Important information about your account with us,” or “We have noticed suspicious transactions in your accounts,” among others. These notices originate from one of the many data breadcrumbs we leave when visiting the doctor, getting gas, renting a car, or even signing up for credit monitoring. After the proper checks to make sure it is a legitimate communication from your provider, you keep reading: “Our company databases containing our customers’ personal and account information have been accessed by unauthorized individuals. This communication is to let you know that part or all of your information contained within our systems may have been accessed …”
Putting aside all the noise and excitement these events create, a proper approach to security should be driven by the type of regulated information your organization depends on for business, and by elements like risk and exposure. Of course, you are not going to run for the hills and shut down your business, but you do need to take a fresh look and implement processes that keep information security practices independent of the services your IT organization provides in support of the business.
Let’s address regulated information:
Confidentiality, integrity, and availability are at the core of Information Security, whereas Information Technology focuses on services. While simplistic, the following helps visualize the difference between the two: IT is responsible for the service levels of the applications and servers supporting the business; Security works with the legal and compliance teams to ensure there are repeatable, testable controls that address the risks and compliance needs set out by the regulations, laws, or industry your business serves.
Regarding risk and exposure:
Case law suggests that directors and officers are responsible for overseeing the safety of corporate assets, which include electronic information. In exercising their duty of care, corporate directors and officers must establish policies and procedures to protect the company’s business-critical electronic information. Employees throughout the organization must keep up to date on policy and procedural changes, and question any deviations.
Unfortunately, many organizations juggling multiple priorities (which you have to do if you want to stay competitive) only think of information security when unauthorized-access headlines hit the news, or when their own company is in the news. We often hear: “Well, I have policies and procedures, and I train my IT staff, so I am not sure what failed,” or “That’s an IT thing.” During our engagements, we focus on the correlation between business risks and the processes and technology implementations. We look for existing processes for control testing and validation, correlation practices, data classification schemes, alert generation, monitoring, and incident response. In a nutshell, we target proper governance, as well as dispersion of the business risk across the controls implemented to safeguard the revenue-generating activities.
Our value-add is that we help organizations transition the implementation of proper security controls and risk management practices to the business. That is the key to a successful Information Security Program: Information Security is a business risk with direct impact on business operations and on the executive officers of the company. It does not matter how big or small the organization is or which industry sector it serves; if it deals with sensitive, regulated, or confidential information, the only way to protect itself is by implementing a program that addresses proper controls, procedures, and recurring performance tests, not just when the auditor comes around.
Precixa’s methodology and program assessment toolkit enable our team to provide concrete remediation advice and the steps to address any potential control deviation in order to reduce the business risk exposure. The following areas are a good self-assessment starting point:
• Ensure that all externally exposed applications handling regulated data are behind a web application firewall in blocking mode.
• Identify all the hardware and networks where regulated data is stored, processed, or transmitted.
• Ensure that anything handling regulated data with a web front end has gone through proper software security defect validation and hands-on penetration testing before going online.
• Ensure that you collect and retain all the logs from firewalls, routers, and servers at touch points dealing with regulated data.
• Monitor new accounts thoroughly, and disable any user accounts not used in 45 days.
• Inventory all the service accounts and ensure their passwords are changed periodically.
• Ensure your environment is patched and kept at the latest release.
• Lock down local user accounts on servers and endpoints.
• Ensure that your cybersecurity personnel are experienced and capable of following a methodical approach to implementing security services.
• Ensure that training and continuous communication are prioritized throughout the organization.
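The account-hygiene items in the list above (monitor new accounts, disable user accounts unused for 45 days, rotate service-account passwords periodically) are the kind of control that can be tested on a schedule rather than only when the auditor arrives. The script below is an added illustration, not part of Precixa's toolkit or the original article: it runs those three checks over a constructed account inventory. The 45-day threshold is the figure from the checklist; the 90-day service-password age and 14-day "new account" window are assumed values standing in for "periodically" and "new", and the record field names are an assumption that a directory or IAM export would be mapped to.

```python
from datetime import date, timedelta

# Thresholds. 45 days comes from the checklist; the other two are assumptions
# chosen for this example, not figures from the article.
DORMANT_DAYS = 45
SERVICE_PASSWORD_MAX_AGE_DAYS = 90
NEW_ACCOUNT_WINDOW_DAYS = 14

# Reference date for the sample run (constructed).
AS_OF = date(2024, 6, 15)

# Constructed sample inventory; names and dates are invented for the example.
# Field names are an assumption: map your directory/IAM export onto them.
SAMPLE_ACCOUNTS = [
    {"name": "jdoe",           "type": "user",    "enabled": True,  "created": "2023-01-10", "last_logon": "2024-05-30", "pw_last_set": "2024-05-01"},
    {"name": "msmith",         "type": "user",    "enabled": True,  "created": "2022-07-01", "last_logon": "2024-03-10", "pw_last_set": "2024-01-15"},
    {"name": "tmp_contractor", "type": "user",    "enabled": True,  "created": "2024-04-01", "last_logon": None,         "pw_last_set": "2024-04-01"},
    {"name": "new_hire",       "type": "user",    "enabled": True,  "created": "2024-06-10", "last_logon": None,         "pw_last_set": "2024-06-10"},
    {"name": "old_admin",      "type": "user",    "enabled": False, "created": "2020-02-02", "last_logon": "2023-12-01", "pw_last_set": "2023-12-01"},
    {"name": "svc_backup",     "type": "service", "enabled": True,  "created": "2021-03-15", "last_logon": "2024-06-01", "pw_last_set": "2023-09-01"},
    {"name": "svc_report",     "type": "service", "enabled": True,  "created": "2024-06-05", "last_logon": "2024-06-14", "pw_last_set": "2024-06-05"},
]


def _to_date(value):
    """Parse an ISO date string; None stays None (never logged on)."""
    return date.fromisoformat(value) if value else None


def dormant_user_accounts(accounts, as_of, days=DORMANT_DAYS):
    """Enabled user accounts with no logon in the last `days` days.

    An account that has never logged on is judged by its creation date, so a
    freshly created account is not flagged while it waits for first use.
    Disabled accounts are skipped: the control has already been applied.
    """
    cutoff = as_of - timedelta(days=days)
    flagged = []
    for acct in accounts:
        if acct["type"] != "user" or not acct["enabled"]:
            continue
        last_activity = _to_date(acct["last_logon"]) or _to_date(acct["created"])
        if last_activity < cutoff:
            flagged.append(acct["name"])
    return sorted(flagged)


def stale_service_passwords(accounts, as_of, max_age=SERVICE_PASSWORD_MAX_AGE_DAYS):
    """Enabled service accounts whose password is older than `max_age` days."""
    cutoff = as_of - timedelta(days=max_age)
    return sorted(
        acct["name"]
        for acct in accounts
        if acct["type"] == "service"
        and acct["enabled"]
        and _to_date(acct["pw_last_set"]) < cutoff
    )


def recently_created_accounts(accounts, as_of, window=NEW_ACCOUNT_WINDOW_DAYS):
    """Accounts of any type created within the last `window` days, for review."""
    cutoff = as_of - timedelta(days=window)
    return sorted(
        acct["name"] for acct in accounts if _to_date(acct["created"]) >= cutoff
    )


def run_checks(accounts, as_of):
    """Run all three hygiene checks and return the findings by check name."""
    return {
        "dormant_users": dormant_user_accounts(accounts, as_of),
        "stale_service_passwords": stale_service_passwords(accounts, as_of),
        "new_accounts": recently_created_accounts(accounts, as_of),
    }


if __name__ == "__main__":
    for check, names in run_checks(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

Run against the sample data the script reports msmith and tmp_contractor as dormant (old_admin is skipped because it is already disabled, and new_hire is spared by the creation-date rule), svc_backup as overdue for a password change, and new_hire and svc_report as accounts created inside the review window. The findings are returned as plain lists so the same functions can feed a ticketing system or a periodic control-test report rather than only printing to a console.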
In any case, we are here to help!