By Kevin Hamel
Bankers, bank customers, credit card companies, law enforcement and government all want personal information to be secure. We spend, re-execute our risk assessment, plan, and spend even more, and still the data breaches continue. But despite all the legislation, regulations, and standards out there, we’re quickly learning that compliance doesn’t always equal security, and security doesn’t always equal compliance.
Why haven’t we stopped these data breaches altogether? Perhaps it’s because of how information has traditionally been viewed. Organized crime, terrorist groups and hackers will often work together for financial gain. Criminals have figured out that personal information can be as good as cash.
So let’s look at how a financial institution handles cash. Over time, institutions have developed strict cash handling procedures. They know exactly how much cash is in each teller drawer, branch safe and ATM at all times – all the way up to the CEO level.
Now consider personal information. Do we always handle personal information in as controlled a manner as cash? Do we keep close tabs on who has access to this personal information? Do we know who has accessed the personal data and what they did with it? It would seem that most organizations know far less about their information assets than their cash. This is likely due to the fact that, as little as 20 years ago, personal information was not viewed as cash.
Let’s explore how a “cash” approach to information management might change our ability to protect information assets.
Four key questions should be asked to determine whether personal information is safe:
1. Where is the data?
2. Who has access to the data?
3. How is the data protected at rest and in transit?
4. What changed on our network?
Let’s explore these questions from a “cash” point of view:
Where is the data?
Companies need to know where their customer data is at all times. Computers offer myriad places to store data. Personal information can be stored on this file server, or that one, on an employee’s desktop PC, or even on a laptop that leaves the office on weekends or business trips.
Imagine doing that with cash! We know that the more dispersed our assets are, the more difficult they are to protect. Institutions know that it’s easier to protect cash when it’s stored in fewer locations. Why not take the same approach with personal information and store it in the fewest locations possible?
Who has access to the data?
Companies need to know who has access to their personal information. Many data breaches are executed through the use of legitimate user IDs, in some cases with access rights that are too broad. Access to personal information should be given only to those who truly need it based on their job function. Looking at the cash analogy, not everyone needs access to the branch vault, right?
Gaining access to personal information should be a controlled procedure requiring some level of approval, and access should be reviewed periodically. People move from one job to another, and job functions can change. It makes good business sense to periodically validate that Joe Smith still needs the access he was given two years ago.
How is the data protected at rest and in transit?
We’re really talking about risk assessments here. Every bank and retail store protects its cash at rest and in transit through the use of vaults, locked teller drawers, armored cars, and dye packs. The FDIC’s Rules of Practice and Procedure require financial institutions to document all reasonably foreseeable vulnerabilities and all relevant controls for cash. The Gramm-Leach-Bliley Act requires financial institutions to apply the same principles to their information assets.
Companies that store customer information assets need to document and assess the controls over data, noting any gaps in security. This basic step will enable you to determine the most appropriate actions to reduce your level of risk.
What changed on our network?
While this may be the most difficult task on your security list, it remains the most important. Reviewing the Hannaford, TJX and possibly Heartland incidents, it appears that the criminals used legitimate access rights to install malware on these systems that enabled them to capture customer information.
This is much like an individual granting himself, or herself, access to the branch vault and using it to slowly siphon off cash. Your company can protect itself by carefully monitoring what has changed in the environment to ensure that the activity is legitimate.
The overriding theme here is to be vigilant and protective. Implementation of the cash model for information management isn’t easy and grows in complexity with the size of the organization. Companies with many employees, multiple locations, and complex networks may face a seemingly insurmountable task.
Still, the question is not whether we can afford to apply the banker’s “cash” model of oversight to information management. The question ought to be: Can we afford not to?
Kevin Hamel is the vice president and corporate security officer at COCC, Inc. (www.cocc.com), a 42-year-old Avon, CT-based firm specializing in outsourced information technology and support.