• Information security resolutions for the new year
• CISSP Training Program
• What we do

January Newsletter

It’s the time of year for New Year’s resolutions. Certainly, we all have areas in which we want to improve. How about areas of your business? One area of business where there is often plenty of room for improvement is information security. When managed effectively, information security can be a tremendous value to any organization.

So, why not make a business New Year’s resolution for information security improvement and stick to it?

Information Security Improvement

It doesn’t matter if you’re a large enterprise with millions of dollars in your information security budget, or if you’re a two-employee company with no budget; there is always room for improvement. What are some areas where you should improve your information security this year?

Some areas of improvement to consider:

• Policies – Policies provide the rules and boundaries to your information security efforts, and are critical to success. Don’t assume that everyone knows what they should do to protect your critical information, state it plainly in policy.
• Training & Awareness – Technology isn’t the most significant risk to your information, its people. The people you trust the most are the very same people who can do the most damage; often times accidentally.
• Assessment – Take the time to understand what your risks are before spending thousands of dollars to remediate them. Approaching risks blindly is ineffective and costly. How well do you build something without first determining what you will build, where and with what?
• Mobile Device Management – The past few years have brought an explosion in mobile device usage, and the amount of information leaving the office in employee pockets might scare you. Understand this risk, and do something about it.
• Incident Management – You’ve heard the old saying “it’s not a matter of if, but when”. Be prepared for an information security incident. A poor response can cost more the original incident itself.

Take a look at your organization and come up with a list of four or five information security improvements that fit you best.

Stick to It

Once you have identified some areas of information security that you should (will) improve upon in 2012, resolve to stick to it!

According to statistics, only 20% of people who set out with a New Year’s resolution actually stick to it. Don’t let information security fall victim to these same statistics. Turn your New Year’s resolution into yearlong results by implementing these simple principles:

• Commit – Just like anything worthwhile, information security requires a commitment and it requires a commitment from the top. Company executives must be familiar with their roles and responsibilities in respect to information security, and set the standards.
• Document – Documentation provides direction, reference, and proof. Direction for everyone to get on the same page, reference for measurement and enforcement, and proof of due care and due diligence. For some; if it’s not documented, it doesn’t exist.
• Measure – Measure how well you are doing in what you set out to do. If you wanted to lose weight, wouldn’t you check the scale every once in a while?
• Review – As your organization changes, so should your efforts to protect the information your organization relies on. Things that are not regularly reviewed and updated and bound to die and fail.

So, look around and be honest with yourself. Do you have areas of information security that need to improve? Make 2012 a year that you resolve to do just that!

Evan Francen is the president of FRSecure, a full-service information security consulting firm. FRSecure has helped hundreds of organizations by providing cost-effective strategies and solutions to secure today’s challenging business environment. For more information about FRSecure or FRSecure’s services, visit www.frsecure.com.

Led by Evan Francen, FRSecure President and 20 year Information Security veteran, our training program is designed to not only help you prepare for the exam, but give you real world experience that you can put to use in your organization.

Our last class went 5 for 5 passing the exam on their first try!

If you are contemplating getting your CISSP certification, or if you have information security responsibilities, this class is for you.

Click here for more information or to register.

Recently, Guy Bauer from Chicago’s FM News 101.1 did a story about the United States’ response to cyberwarfare.  In the interview, Guy asks FRSecure’s Evan Francen some questions.

From the interview; “In a report to Congress the Pentagon says, when needed they will respond to hostile attacks in cyberspace as they would to any other threat on our country.  Evan Francen owns an information security company and says cyberwarfare is nothing new…”

Click below and listen to Version 1 of the interview:

In this second version, there were no “Russian hackers”, but oh well.  We didn’t tell him that there were.

Click below and listen to Version 2 of the interview:

Cyberwarfare is not a topic that we discuss much with our clients, mainly because it isn’t directly relevant to your business.  It’s an intriguing topic that we always open to discuss, but we’d rather discuss the things that are going to help you!

Want to know more about FRSecure, read about us!

Subscribe to the FRSecure Blog by Email, or by using our RSS feed.

It’s time for us to re-visit 2011 and make our predictions for 2012! In the coming weeks, I’m going to write three articles that will help us close out the year and focus on what’s to come. It’s a tradition now, so we have to do it. ;)

The three articles:

• Revisiting FRSecure’s 2011 Predictions. Anyone can make predictions, but how many are actually willing to look back and see if they were right? We made our predictions on January 13^th, 2011 and we’re going to see if we were even close to getting it right!
• Last year we provided you with “The top 10 most impactful information security stories of 2010“. This year we’re going to give you our top 10 most impactful information security stories of 2011. Are you wondering if your top 10 will match with ours? Stay tuned to find out!
• Lastly, we’ll break out our crystal ball and make some predictions for the coming year. 2012 is lining up to be a crazy year!

Be sure to stay with us during this series, it’s sure to be some fun. Subscribe to the FRSecure Blog by Email, or using our RSS feed.

Want to know more about FRSecure, read about us!

-Evan

What if I told you that there is a 48% chance that your network was breached by a hacker?

How would you react if I said that there is a 26% chance (1 in 4) that an IT staff member abused their logon privileges and accessed information that they shouldn’t have?

These statistics come the “2011 Survey of IT Professionals” recently published by Lieberman Software. The survey of more than 300 IT professionals contains some interesting, if not alarming information.

Some of the more interesting findings:

• “In your organization have two or more IT staff ever shared a password to access a system or application?” – 42% answered “Yes”.
• “In your organization has an IT staff member ever abused a privileged login to access information they shouldn’t have?” – 26% answered “Yes”.
• “In your organization has the privileged password for a system, network device or application remained unchanged for more than 90 days?” – 48% answered “Yes”.
• “Have you ever worked at an organization whose network was breached by a hacker?” – 48% answered “Yes”.

These numbers are troubling, but we also think that they are probably low. Logic tells us that if you ask people who are doing something wrong if they are doing something wrong, you will probably get a certain percentage who tell you “no”.  If you’ve worked in IT long enough, you could probably answer yes to all four of these questions.

What kind of consultant would I be if I didn’t give you some advice?

Why is this really a problem?

Let’s take the first question; “In your organization have two or more IT staff ever shared a password to access a system or application?” Remember, 42% of respondents said “Yes”. There are a couple of problems with this:

• The more people who know confidential information, the harder it is to secure the confidential information. In this case, the administrator password is the confidential information. Have you ever told somebody a secret? If you tell one person a secret, there’s a pretty good chance that they will keep your secret if you can trust them. What happens if you tell five people a secret? Your chances of keeping the secret confidential (secret) are much lower.
• Accountability is shot. If two (or more) people both use “administrator” as their username and the same password, how will you be able to determine who did what? The problem is even worse if a bad guy obtained the password.

Let’s take a look at the next question; “In your organization has an IT staff member ever abused a privileged login to access information they shouldn’t have?” 26% said “Yes”.

The problem seems obvious. Just because an administrator has the opportunity to access information, does not mean that they are authorized to. Do you want your IT guy to know what your executive salaries are?

And the next question; “In your organization has the privileged password for a system, network device or application remained unchanged for more than 90 days?” – 48% answered “Yes”. The problem with this is not as obvious as the previous question, but this doesn’t mean that it’s not a serious problem. In general, the longer a password remains unchanged, the more of a chance there is that it has been (or will be) compromised. If you want your administrator password to be known by everyone (or a bad guy), leave it unchanged.

The last question; “Have you ever worked at an organization whose network was breached by a hacker?” – 48% answered “Yes”. This is interestingly low, and obviously bad. If the answers to any of the previous questions were “Yes”, then there’s a better chance that this answer would also be “Yes” (if the breach were even noticed in the first place).

What should business leaders do about this?

It’s almost like AA, first you have to admit that you have a problem. ;) Unless you are an exception to the norm, you DO have a problem.

IT Administrators have an extraordinary amount of authority, and their credentials must be secured. Here are some (not all) tips:

• Implement policy that prohibits the sharing of accounts and passwords.
• Implement policy that mandates regular password changes for administrative accounts.
• Implement a centralized logging system for which IT administrators have no access (or read-only access). This ensures that if an administrator account is compromised, you still have the log data to conduct an investigation and protect yourself.
• Periodically engage with a 3^rd-party information security provider to conduct an assessment (or audit).
• Ensure that IT personnel are not overworked. Overworked IT personnel are more apt to cut corners out of the necessity to provide service.

What a business leader should NOT do is ignore the problem or assume that it’s not a problem.

Do I need to consider this if I outsource my IT?

The short and simple answer is “Yes”. I would even say more so than if you did not outsource IT. Here are some additional considerations with outsourced IT:

• Outsourced IT providers typically share your administrative username and password amongst their peer IT engineers. This is done in order to ensure that you get the service you contracted for, regardless of any single engineer’s availability.
• Some (dare I say most) outsourced IT providers share the same administrative username and password amongst multiple (or all) customers. It’s easier to remember a single “global” username and password.
• Would you ever know if an outsourced IT provider “abused a privileged login to access information they shouldn’t have”? When you engage with an outsourced IT provider, you rely on their due diligence AND yours. They get the keys to your kingdom, shouldn’t you make sure that they’re not making copies and distributing them to their friends?

Here are some (not all) tips in dealing with an outsourced IT provider on the (above) issues:

• Don’t just assume that an IT service provider has done their own due diligence. Demand proof of their due diligence. Do they conduct their own internal (or external) audits? If so, ask to see a copy.
• Implement a centralized logging system for which your IT service provider has no (or read-only) access. Set-up alerts for unusual activity, and review the logs regularly.
• Ensure that your IT service provider uses an administrative login that is dedicated to their use, separate from your own administrative login.
• Ensure that outsourced IT providers comply with your policies.
• Include the “right to audit” and specific information security language in IT service provider contracts.

It may seem as though I am being hard on IT service providers, but this is not the intention. The intention is to help you secure your information!

There are some exceptional IT service providers out there; in fact, we work with some of them. Choose the right IT service provider, and realize that you can’t transfer ultimate responsibility for your information security. Ultimately it’s your responsibility.

If you need help with this, or anything else information security-related; shoot me an email (here) or drop me a line (952-467-6384).

Some key findings in this year’s report:

“Data breaches in healthcare organizations are on the rise”

• An increase of 32% over last year
• “96% of all healthcare providers” claim to have had at least one data breach in the past two years
• The “average number of lost or stolen records per breach is 2,575“, a 31% increase

Data breach costs are rising

• “the average economic impact of a data breach was $2.2 million“
• “the average lifetime value of one lost patient (customer) is $113,000“

“Widespread use of mobile devices is putting patient data at risk”

• 49% of the healthcare organizations admit that they “do nothing” to protect these devices
• Only 21% of these device have passwords or keypad locks enabled

“Despite policies and federal mandates, prevention of unauthorized access to patient information is not a priority in many organizations”

• “Only 29% of respondents agree that the prevention of unauthorized access to patient data and loss or theft of such data is a priority”
• 54% claim to have an “inadequate budget for security and privacy”
• 45% claim to have “insufficient assessments for risk”

“Medical identity theft poses a greater risk to patients”

• 83% of “hospitals say that it takes in excess of one to two months to notify affected patients” after a breach has been discovered
• “The average time to notify data breach victims is approximately 7 weeks“
• 29% of respondents stated that “their data breaches led to cases of identity theft”

The top 7 causes of a data breach incident (more than one choice was permitted)

• 49% – Lost or stolen computing device (increase from 41%)
• 46% – Third-party or vendor (increase from 34%)
• 41% – Unintentional employee action (decrease from 45%)
• 33% – Technical problem (increase from 31%)
• 30% – Criminal attack (increase from 20%)
• 14% – Malicious insider (decrease from 15%)
• 9% – Intentional non-malicious employee action (decrease from 10%)

One final piece that I will leave you with from the report; 57% of respondents have little or no confidence that their organization has the ability to detect all patient data loss or theft.

Is it safe to conclude that the healthcare industry is not doing an adequate job of protecting sensitive data? Is it also safe to conclude that the problem is getting worse?

The results of this report are extremely disappointing; especially given the fact that we can help. In fact we have helped our clients in healthcare, but we definitely have many more to reach out to!

How can FRSecure help your healthcare organization?

FRSecure is a full service information security company dedicated to providing cost-effective solutions to our clients in healthcare.

Information Security/Risk Assessments

An information security assessment is a measure of an organization’s current information security state. Organizations use our assessments to identify risks, develop plans, and ultimately provide better security for their patients.

Information Security Program Development

We build cost-effective information security solutions for our healthcare clients. It’s one thing to know what a risk is; managing or reducing it is another.

Information Security Program Management

For many of our healthcare clients, justifying the cost of a full-time information security professional is a challenge. Why not leverage years of information security experience at a fraction of the cost?

Does this mean you should support it too? It depends. At the very least, you should know what the bill is, and what it could mean to you.

What is the “Cyber Intelligence Sharing and Protection Act of 2011″?

The bill is an amendment to Title XI of the National Security Act of 1947 (50 U.S.C. 442 et seq.). The bill is meant to foster cooperation and information sharing between the private sector and the government.

From the bill:

”(1) IN GENERAL.—The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence.”

“The whole purpose of this bill is to create an environment in which companies want to cooperate” to share information, Rogers said at a news conference Wednesday.

The bill doesn’t force the private sector to share information with the government, but it does certainly provide some incentive to do so. Namely an “exemption from liability”:

“(3) EXEMPTION FROM LIABILITY.—No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith—

(A) for using cybersecurity systems or sharing information in accordance with this section; or

(B) for not acting on information obtained or shared in accordance with this section.”

This is where things can get a little fuzzy; a blanket exemption from liability? At first glance, there are a few things that make me uneasy about this bill:

1. The private sector and the government are already permitted to share threat information. Do we need another law on the books?
2. Exactly what information will be shared without liability? What happens if I accidently share personal data, or data that could be used in aggregate to assemble or deduce sensitive data?
3. Does this mean that I would be exempt from legal liability if I did not act upon real threat data (obtained through the Cyber Intelligence Sharing and Protection Act, regardless of my duty to practice due care in the operation of my company?

Don’t get me wrong, I am very supportive of the good guys sharing more with each other. I’m not sure if this is the right way to go about it.

Frankly, I have been a little leery of new bills, laws, regulations, etc. To give the benefit of the doubt, maybe I’m jaded. With the general ineffectiveness of GLBA, HIPAA, Red Flags Rules, etc., can you blame me?

We’ll continue to read through the bill in more detail and follow developments.  We strongly encourage you to read the bill for yourself and share your comments!

The basics of information security could be summed up by explaining the “What, Why, Who, When, and Where” of information security.

The Five Ws of Information Security are:

• What is Information Security?
• Why do you need Information Security?
• Who is responsible for Information Security?
• When is the right time to address Information Security?
• Where does Information Security apply?

We could also include the sixth W, which is actually and “H” for How.  The How is why FRSecure exists.

What is Information Security?

Fundamentally, information security is the application of Administrative, Physical, and Technical controls in an effort to protect the Confidentiality, Integrity, and/or Availability of information.

In order for us to understand this statement, we have to gain an understanding of some well-established information security concepts; Administrative Control, Physical Control, Technical Control, Confidentiality, Integrity, and Availability.  We’ll start with the controls.

Administrative Control – Addresses the human factors of information security.  Typically administrative controls come in the form of management directives, policies, guidelines, standards, and/or procedures.  Good examples of administrative controls are:

• Information security policies
• Training and awareness programs
• Business continuity and/or disaster recovery plans
• Hiring and termination procedures

Physical Control – Addresses the physical factors of information security.  Physical controls are typically the easiest type of control for people to relate to.  Physical controls can usually be touched and/or seen.  They control physical access to information.  Good examples of physical controls are:

• Locks
• Fences
• Building alarm systems
• Construction materials

Technical Control – Addresses the technical factors of information security.  Technical controls use technology to control access.  Much of the information we use every day cannot be touched, and often times the control cannot be either.  Good examples of technical controls are:

• Firewalls
• Access control lists
• File permissions
• Anti-virus software

Easy enough, right?  Some controls are meant to prevent an event from occurring; some are meant to detect when an event has occurred; and some are meant to help restore (or correct) things to normal after an event has already occurred.  Thus, we have Preventive, Detective, and Corrective controls.  These controls are somewhat self-explanatory.  Let’s pair these controls with the three mentioned earlier.

• Preventive/Administrative – ex. Background checks, training, policy, etc.
• Detective/Administrative – ex. Performance reviews, drug screening, etc.
• Corrective/Administrative – ex. Disciplinary procedures, incident response procedures, training, etc.
• Preventive/Physical – ex. Locks, building layout and construction, fences, etc.
• Detective/Physical – ex. CCTV surveillance, alarm systems, etc.
• Corrective/Physical – ex. Guards, fire suppression, etc.
• Preventive/Technical – ex. Access control lists, authentication, firewalls, etc.
• Detective/Technical – ex. Intrusion detection systems (IDS), anti-virus software, logs, etc.
• Corrective/Technical – ex. Backups, standard builds, snapshots, etc.

A single control can serve more than one need and fit more than one type.  These are the basic types of controls used to protect the Confidentiality, Integrity, and/or Availability of information, which is the second part of our definition

“in an effort to protect the Confidentiality, Integrity, and/or Availability of information.”

Confidentiality – In essence, keeping information secret and only allowing disclosure to authorized entities.  The classic military “need-to-know” principle applies pretty well.  Think of the information that could cause harm to you or your company if it were given into the wrong hands.

Integrity – Ensuring that information is accurate.  If a company’s inventory systems report 50 units are available, there should be 50 units physically available.  This is a very simple example of external integrity.

Availability – Ensuring that information is available when it is needed (by an authorized entity).  When feasible, information needs to be available following a disaster or incident.  Business continuity plans, disaster recovery plans, and incident response plans are all tied to availability.

Information security people like to use acronyms as much as anyone else, so we use C.I.A. to refer to Confidentiality, Integrity, and Availability.  The opposite of C.I.A is D.A.D., Disclosure, Alteration, and Destruction.

Why do you need Information Security?

This is sometimes tough to answer because the answer seems obvious.  No?

Read on.

As we know from the previous section, information security is all about protecting the confidentiality, integrity and availability of information.  Answer these questions:

• Do you have information that needs to be kept confidential (secret)?
• Do you have information that needs to be accurate?
• Do you have information that must be available when you need it?

If you answered yes to any of these questions, then you have a need for information security.  Maybe you’re expecting more.  Let’s go back to our three questions above.

Do you have information that needs to be kept confidential?  Or accurate?  Or available?  You likely answered yes if your company has any or all of the following:

• Intellectual property
• Financial data
• Personally identifiable information (Social Security Numbers and the like)
• Personal Health Information
• Business Intelligence
• Future planning information

You can add to the list as you see fit.  We would be hard pressed to find a company that doesn’t have information that needs to be protected.  The lack of control (security) often has an impact on the bottom line (your profits), which leads us to consequences.

The consequences of poor information security can include:

• Civil penalties – individual, class-action, and/or regulatory
• Lost opportunity – intellectual property loss, marketing plan loss, competitive advantage, missed deadlines and service level agreements (SLAs)
• Damaged corporate image – embarrassing media coverage, lost consumer confidence, and identity theft, and;
• Criminal penalties (it’s only a matter of time)

We usually use consequences as a last resort to justify the existence of information security.

Reality is what it is, but can information security actually provide value to a business beyond protection?  Absolutely!  An effective information security program translates into formalized processes and improvement, which leads to efficiencies, which leads to greater profits for your company.  Effective information security programs reduce risk and improve efficiency.  Let’s take one real-life example…

A client needed to send large files containing sensitive information to a vendor of theirs on a regular basis.  The personnel sending the large files knew that it would be infeasible (and potentially risky) to send them through email, so they decided to burn the files to DVD and ship the DVDs to the vendor.  Nobody knew this was happening except for the business unit personnel responsible for getting the files to the vendor.

The company hired FRSecure to conduct an information security (sometimes called risk) assessment.  During the assessment this practice was identified and reported as a significant risk.  The risk was reported as “High” due to the fact that the files contained sensitive intellectual property and clinical trial data.  On a side note, you do conduct regular independent information security assessments at your company, right? Needless to say, the risk was unacceptable to management.

If a risk is unacceptable as is, then we need to mitigate (or transfer) the risk.  The risk mitigation strategy in this instance was to devise a “secure” method of transferring the files to the vendor online.  The company purchased and installed an SFTP/HTTPS server that allowed files to be transferred online securely (i.e. encrypted, authenticated, etc.).  The added benefit was the fact that the process could now be automated which significantly improved efficiency.  The company saved up to 30 FTE hours per week because there was no longer the need to copy files, burn DVDs, and mail DVDs to vendors.  The SFTP/HTTPS solution paid for itself within 10 weeks!  The improved efficiency translated to less expense, which translated into increased profit.

Let’s sum this up.  Why do we need information security?

We need information security to reduce the risk of unauthorized information disclosure, modification, and destruction.  We need information security to reduce risk to a level that is acceptable to the business (management).  We need information security to improve the way we do business.

Who is responsible for Information Security?

This is an easy one.  Everyone is responsible for information security!   A better question might be “Who is responsible for what?”

We’ll tackle this from two perspectives.  The first is a top-down approach, and the second is a role-based, data-centric approach.  Both approaches should be used simultaneously, not one in lieu of the other.

Top-down Approach

Senior Management

First off, information security must start at the top.  The “top” is senior management and the “start” is commitment.   Senior management must make a commitment to information security in order for information security to be effective.  This can’t be stressed enough.  Senior management’s commitment to information security needs to be communicated and understood by all company personnel and third-party partners.

The communicated commitment often comes in the form of policy.  Senior management demonstrates the commitment by being actively involved in the information security strategy, risk acceptance, and budget approval among other things.

Without senior management commitment, information security is a wasted effort.

Business Unit Leaders

Keep in mind that a business is in business to make money.  Making money is the primary objective, and protecting the information that drives the business is a secondary (and supporting) objective.  Information security personnel need to understand how the business uses information.  Failure to do so can lead to ineffective controls and process obstruction.

Arguably, nobody knows how information is used to fulfill business objectives more than employees.  While it’s not practical to incorporate every employee’s opinion into an information security program, it is practical to seek the opinions of the people who represent every employee.  Establish an information security steering committee comprised of business unit leaders.  Business unit leaders must see to it that information security permeates through their respective organizations within the company.

Employees

All employees are responsible for understanding and complying with all information security policies and supporting documentation (guidelines, standards, and procedures).  Employees are responsible for seeking guidance when the security implications of their actions (or planned actions) are not well understood.  Information security personnel need employees to participate, observe and report.

Third Parties

Third parties such as contractors and vendors must protect your business information at least as well as you do yourself.  Information security requirements should be included in contractual agreements.  Your right to audit the third-party’s information security controls should also be included in contracts, whenever possible.  The responsibility of the third-party is to comply with the language contained in contracts.

Role-Based Approach

A good and creative information security professional can apply the top-down approach mentioned above with our other approach; the role-based approach.  The role-based approach is more data-centric and is comprised of three roles.  The three roles are Data Owner, Data Custodian, and Data User.

Data Owner

The Data Owner is normally the person responsible for, or dependent upon the business process associated with an information asset.  The Data Owner is knowledgeable about how the information is acquired, transmitted, stored, deleted, and otherwise processed.

• The Data Owner determines the appropriate value and classification of information generated by the owner or department;
• The Data Owner must communicate the information classification when the information is released outside of the department and/or company;
• The Data Owner controls access to his/her information and must be consulted when access is extended or modified; and
• The Data Owner must communicate the information classification to the Data Custodian so that the Data Custodian may provide the appropriate levels of protection.

Data Custodian

• The Data Custodian maintains the protection of data according to the information classification associated to it by the Data Owner.
• The Data Custodian role is delegated by the Data Owner and is usually Information Technology personnel.

Data User

The Data User is a person, organization or entity that interacts with data for the purpose of performing an authorized task.  A Data User is responsible for using data in a manner that is consistent with the purpose intended and in compliance with policy.

No matter how you assign information security roles and responsibilities, just make sure that you DO assign roles and responsibilities!  Define specific information security roles and responsibilities and be sure to do so formally.  Add information security responsibilities in policy, job descriptions, and wherever else you see fit.  Responsibility leads to accountability and accountability leads to enforceability.

When is the right time to address Information Security?

On the surface, the answer is simple.  The right time to address information security is now and always.

There are a couple of characteristics to good, effective information security that apply here.

Information security must be holistic.  Information security is not an IT issue any more or less than it is an accounting or HR issue.  Information security is a business issue.  A disgruntled employee is just as dangerous as a hacker from Eastern Europe.  A printed account statement thrown in the garbage can cause as much damage as a lost backup tape.  You get the picture.  Information security needs to be integrated into the business and should be considered in most (if not all) business decisions.  This point stresses the importance of addressing information security all of the time.

Information security is a lifecycle discipline.  In order to be effective, your information security program must be ever changing, constantly evolving and continuously improving.  Businesses and the environments they operate in are constantly changing.  A business that does not adapt is dead.  An information security program that does not adapt is also dead.  This is just another point to stress the importance of addressing information security all of the time.

Perhaps your company hasn’t designed and/or implemented an information security program yet, or maybe your company has written a few policies and that was that.  When is the right time to implement and information security program?  When is the right time to update your existing program?

You have the option of being proactive or reactive.

Proactive information security is always less expensive.  Less expensive is important if your company is into making money as most are.  Don’t take my word for it, let’s use an example.  Arguably the most common source of breaches is a lost or stolen laptop computer.  21% of all breaches reported in the Open Security Foundation’s DataLossDB come as a result of a lost or stolen laptop, compared with 16% from hacking (or cracking).

Situation: A laptop is stolen from an outside salesperson’s car.  Stored on the laptop’s hard drive is an Excel spreadsheet containing approximately 15,000 customer records.  It is not known if the spreadsheet contains Social Security Numbers, but it is known that the database from which the data comes from does.  It is feasible (and probable) that the spreadsheet does contain Social Security Numbers.  The laptop computer was not encrypted.

The average cost of a breach like this, according to the Ponemon Institute, is $202 per lost record.  Do the math and it appears as though this breach could end up costing the company over $3,000,000!  The costs include consulting fees, attorney fees, customer notification, call center support, media management, credit monitoring, regulatory fees, and state/federal fines or fees.

Had the company taken a proactive approach to information security it would have likely identified the actions that led to this breach to be an unacceptable risk.  Furthermore, a proactive company would have likely mitigated this risk.  The costs of proactive security and implementation of mitigating controls would have been considerably less than $3,000,000!  A preventative control such as full-disk encryption would cost less than $150 per laptop.

The example outlined above is hypothetical; hypothetical but based in reality and backed-up by some statistical data.  The fact of the matter is that breaches happen and information is lost every day.  Companies that make the investment of time and money into information security based upon the risks come out ahead in the long term.

In conclusion, the right time to address information security is now.  Companies have learned time and time again that;

1. Proactive information security is less expensive than reactive information security; and,
2. Information security takes a long-term, continuous commitment.

Don’t wait for something bad to happen.

Where does Information Security Apply?

You may recall from our definition in “What is Information Security?”, that fundamentally information security is:

The application of Administrative, Physical, and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of information.

We could have made the definition more accurate by adding the word “holistic” before the word application.

(adj) holistic (emphasizing the organic or functional relation between parts and the whole); Source: Princeton WordNet

In order to gain the most benefit from information security it must be applied to the business as a whole.  A weakness in one part of the information security program affects the entire program.  Now we are starting to understand where information security applies in your organization.  It applies throughout the enterprise.

Information Security is NOT and IT Issue

It IS a business issue.  The thought that information security is an IT issue is a common misconception that has prevailed for years.  Evidence of this can be found in where many companies align information security.  Information security often reports up through the IT organization to the Chief Information Officer (CIO).  Smaller companies often rely on their information technology consultants for information security guidance.  So, what’s the problem?

When information security is treated as an IT issue, there is often:

• A lack of visibility – Information security personnel must understand how the business uses information in order to understand the risks to the confidentiality, integrity, and availability of information in its various forms; written, printed, spoken, and electronic.  A well-run IT department will often align technology with the business, but not necessarily information security.
• A lack of specialized skill and/or training – Information security personnel have acquired specialized skills that are not found in an IT skill set.  Some examples of skills not typically found in an IT skill set include; policy development, physical security, human resources security, risk assessment, and compliance.
• A conflict of interest – Information technology uses technology to enable and improve business efficiency.  Information security is often not viewed as a business enabler (even though it can be) and is often not given proper priority or budget.
• Significant physical and administrative risk – We know that information security consists of administrative, physical, and technical controls.  IT controls are most often technical controls.  Administrative and physical controls are critical to the success of an information security program as well.

Some examples of unaccounted for risks in IT-centric information security programs*:

• Information security training and awareness – The most effective way to get your organization’s information is to ask you (or an employee) for it.  Employees need to be made aware of information security and integrate it into their daily work.  Social engineering, employee mistakes, and risky behaviors introduce serious risks to employees and the organization they work for.
• Human resources security – Hiring and termination practices, the on boarding process, personal information handling, and disciplinary actions should all be assessed for risk, but are often missed.
• Physical controls – Tailgating, alarm systems, environmental controls, and external security.

*a very small representation of risks.  An FRSecure information security assessment may evaluate 1000 or more risks, depending on the organization being assessed.

Where does information security apply?  It applies throughout your organization.

An information security assessment will help you determine where information security is sufficient and where it may be lacking in your organization.

Hopefully, we cleared up some of the confusion about information security.  If you have questions, contact us!

About FRSecure

FRSecure LLC is a full-service information security consulting company dedicated to information security education, awareness, application, and improvement. FRSecure works with businesses of all sizes, in all industries; enabling clients to achieve optimal results per every information security dollar spent. All of our clients are in business to make money, so we design secure solutions that drive business, protect sensitive information assets, and improve the bottom line.

Regulatory and industry compliance is built into our solutions. Our experience has shown that good information security equals compliance, not the other way around.

To read more about FRSecure, visit us online at http://www.frsecure.com.

Chicago Tribune Article
 

Visit us at www.frsecure.com