Category Archives: GLBA

Gramm-Leach-Bliley Act

Cost of regulatory security compliance? On average, $3.5M – CSO Online – Security and Risk

The cost of achieving regulatory security compliance is on average $3.5 million each year, according to a survey of 160 individuals leading the IT, privacy and audit efforts at 46 multinational organizations

via Cost of regulatory security compliance? On average, $3.5M – CSO Online – Security and Risk.

New Report Helps Enterprises Choose Their Own DAM Products – database security/Security – DarkReading

Some DAM products provide features for privileged-user monitoring and basic database auditing, two areas that have historically been underserved. Need more? The use of DAM technology is starting to be considered an essential control when demonstrating compliance with industry regulations and standards that require regular review of logs — a category that includes PCI DSS, HIPAA, the Gramm-Leach-Bliley Act, FISMA, and Sarbanes-Oxley.

via New Report Helps Enterprises Choose Their Own DAM Products – database security/Security – DarkReading.

How to Maximize Your IT Security Budget

Sophisticated cyber criminals have followed businesses into the online world; they now can steal everything from intellectual property to credit cards en masse. And that’s just the start Add social security numbers, addresses, and other personally identifying information to the list and you can essentially reconstruct and hijack entire identities. What’s worse is that cybercriminals benefit from anonymity: They can compromise entire databases of sensitive information and leave only a masked IP address behind as a trail—and that trail often ends in a foreign country where both jurisdiction and law enforcement are limited.

Regulators Focus On Large Enterprises

As cyber criminals successfully raided corporate databases and siphoned away credit card, tax, banking, healthcare and other consumer information, regulators took notice. In an effort to protect consumers, governments and industry consortiums imposed regulations and mandates like Sarbanes-Oxley Act SOX, the Health Insurance Portability and Accountability Act HIPAA, the Gramm-Leach-Bliley Act GLBA, and the Payment Card Industry PCI standard. The initial round of enforcement and deadlines, however, was mostly targeted at large enterprises. Thus it is not surprising that over the last few years, large enterprises have made significant investments in cyber security and have at least increased the barrier to such breaches.

When Cybercrime Moves Downstream

Undeterred, cybercriminals are finding it easier to move downstream and target small to medium businesses, which are increasingly online but do not have the necessary safeguards. The Privacy Rights Clearinghouse website lists a long chronology of breaches. Take a look and you’ll find that while familiar names like ChoicePoint, the U.S. Department of Veterans Affairs, TJX, and Circuit City have endured highly publicized breaches, the majority of breaches actually occur at small to medium merchants.

Regardless of whether you are a small retailer, a credit union with a single location, or a doctor’s office or clinic, you face the same problems as a global enterprise when a breach occurs: potential fines, bad press, class-action lawsuits and customer attrition. In fact, the costs of security breaches can be more devastating for a small enterprise that has fewer financial and other resources.

The squeeze doesn’t end there. Regulations increasingly apply to small and medium-sized businesses, not just larger ones. The PCI Data Security Standard (PCI DSS) must now be met by any business that stores, processes, or transmits credit card information—regardless of annual transaction volume. Similarly, publicly traded companies with a market capitalization under $75 million must now comply with SOX. HIPAA, of course, applies to the smallest doctor’s office and the largest hospitals and insurance firms.

Combating Cybercrime with the Hidden Trail

Just thinking about how to provide adequate security can seem overwhelming to a small business. But your business already has the information you need to detect breaches in a timely manner and to cost effectively address regulatory requirements. Every second of the day, your servers, laptops, applications, network infrastructure, and security devices leave a trail of activity behind in the form of logs. Everything from a login or logout to a badge swipe or file access is tracked in this hidden trail. Bring this information together and you have a powerful and cost-effective means to detect threats and protect your business.

Tips On How to Maximize Your Security Budget:

  • Improve efficiency—consider approaches to security that require less hardware and effectively support consolidation and green initiatives.
  • Manage clear visibility on the network—knowing where your internal/external threats and policy violations exist will eliminate or reduce the extraneous costs of a data breach, fraud, or cybercrime.
  • Avoid the â¬Sone size fits all⬝ solutions—look for multiple performance options and scalability to adapt to evolving security and compliance regulations.
  • Understand the impact of automation—reserve limited and valuable IT resources for more strategic tasks.
  • Integrate security as part of the business—leverage security solutions in more strategic ways by offer a clear path to ROI and productivity gains.

For organizations of any size, there’s no doubt that battling cybercrime and meeting regulatory compliance will be a top business issue in 2009. However, given the state of security in today’s economy, it will be important to measure the cost-comparisons between technology and IT resources used versus the costs associated with a data breach or cybercrime attack.

Ansh Patnaik is the director of product marketing at ArcSight. He is an ISSA and ISACA member and maintains the CISSP certification. Ansh has worked in the security space for over 10 years with companies such as BindView/Symantec and Omniva Policy Systems.

How to Maximize Your IT Security Budget.

Hedge Your Bets: The Importance of IT Risk Management in M&A

Information & technology (IT) is a critical component in achieving an M&A strategy; without effective IT risk management, the value of the deal could be threatened or even eroded. IT risk management is a multi-disciplinary undertaking, and covers a variety of functional domains—ranging from data protection to change management. (See “Common IT Risk Management Areas” below) It is also a multi-faceted and complex undertaking that also entails consideration of a wide array of compliance requirements. As such, in a business environment with increasing emphasis on regulatory compliance, the role of IT risk management becomes more important as an enabler of the M&A strategy.

Often, many organizations need to demonstrate compliance with several overlapping requirements. A large financial company may need to meet Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act (GLBA), Payment Card Industry data security standard (PCI), Health Insurance Portability and Accountability Act (HIPAA), and other mandates such as those from the Federal Financial Institutions Examination Counsil, Office of the Comptroller of the Currency, and Federal Trade Commission; a global transportation company may need to meet SOX, HIPAA, PCI, FTC, and European Union and Asia-Pacific Economic Cooperation data protection requirements. The effort to meet these regulations often further complicates the efforts required to identify an approach and develop a strategy to mitigate risks when consolidating or separating companies.

Although many of these regulations address similar requirements such as data protection, access controls, transaction auditing, data availability and system monitoring; compliance with one set of regulations does not necessarily translate into compliance with another. The specifics of each set of regulations must be carefully evaluated.

Furthermore, international M&A transactions are likely to be much more complex than domestic transactions. In international transactions, companies must not only consider the regulatory compliance concerns noted above; they must also take into account the potential risks to corporate risk governance, employee data rights, customer data expectations, cross-border data flow, as well as the risk and compliance culture of the home countries of all entities involved in the M&A transaction. Failure to adequately address these factors could scuttle the transaction.

In this complex risk environment, it is clear that IT risk management must be effectively implemented to effectively address the myriad legal, regulatory, contract, and compliance requirements; otherwise, IT risk issues left unaddressed could fundamentally affect the overall M&A strategy and desired value creation.

Is the Loss of Business Value Real?
Based on Deloitte’s experience with M&A transactions, when IT risks, especially those risks that are compliance-driven, are not fully addressed, they can completely undermine the expected value creation of an M&A transaction. Generally, IT risk tends to impact M&A deal value in four primary areas: IT cost, EBITDA, technology, and regulatory and governance.

Examples of common IT risk issues that can have a serious negative impact on M&A transactions include:

  • Inevitable technology changes occur with disparate systems in combined entities and often create system consolidation delays and increase the security and compliance risks with the existing systems
  • The combined entity creates a new state, federal, and/or global jurisdiction operating footprint that often faces potential regulatory and financial risk from the possible compromise of personally identifiable information (PII)
  • The listing of IT assets assumed to be acquired during the financial due diligence process does not reconcile with detailed IT-listed assets, which results in lost value transfer
  • Unclear legal rights over existing key applications and information often inhibits integration and/or separation of IT systems
  • Sensitive information cannot be identified and located, which impedes, and can completely halt, application and system integration and/or isolation
  • The merged entities have disparate access management systems, but they have a need for immediate access to information, which often results in poorly consolidated systems that lead to segregation of duty conflicts and improper data access
  • Hidden liabilities in licenses and third-party contracts results in lost value and increased legal costs
  • Dated technology prevents customization and leads to lost business agility, opportunity and value

So, what is needed to minimize these types of risks from compromising an M&A transaction?

The IT Risk Management Framework
To mitigate the risks described above, M&A due diligance teams should incorporate a comprehensive IT risk management framework and readiness diagnostic into their planning and implementation efforts.

A sound IT risk management framework and readiness diagnostic has several key qualities. First, it is structured, risk-focused, and customizeable to cover small and large organizations. Next, it helps in the translation of information protection and technology issues into business risk impacts that will affect the overall M&A transaction. Finally, it helps address industry standards and regulatory requirements for each of the IT risk areas higlighted earlier in this paper.

The IT risk management framework and readiness diagnostic can be organized around five core components — integrated requirements, technology assessment, information assessment, business assessment, and risk quantification.

Integrated requirements establish the required IT risk management practices to be assessed during the M&A transaction. Assessment practices and criteria are established by identifying and aligning the applicable IT risk-related business requirements for each of the common IT risk management areas (see above). These should include:

  • Industry common practices (e.g. International Organization for Standardization (ISO) 27002, COBIT 4.1, Information Technology Infrastructure Library (ITIL), American Institute of Certified Public Accountant’s (AICPA) Generally Accepted Privacy Practices, etc.)
  • Laws and regulations (e.g. GLBA, HIPAA, EU Privacy Directive, CA SB1386, FTC Standards for Safeguarding Customer Information, etc.)
  • Industry standards (e.g. PCI Data Security Standard, BITS, etc.)
  • Acquiring and acquired organizations’ internal IT risk-related policies and standards for each of the common IT risk management areas previously mentioned

This particular IT risk management component is especially benefical to those organizations that worry about compliance such as How does the “new” operating structure comply with SOX quickly?’ By establishing and evaluating integrated requirements early in the IT due diligence process, the acquiring organization should have already identified the SOX related requirements and their impact on the other organization’s operations. Once the M&A transaction has been executed, the acquiring organization should be able to quickly apply their SOX control framework to the acquired organization and assimilate the various reporting entities into the new organization’s compliance testing and reporting process.

A Framework for Value Protection

The technology assessment considers core technology development, licensing and integration issues. Generally, this assessment will consider:

  • Technology software and infrastructure vulnerabilities that may affect service levels
  • Capacity and scalability of key systems to satisfy business requirements
  • System backup and power issues that may cause business disruptions
  • Unsupported systems and code
  • Vendor-owned source code that is not available for changes
  • Vendor service-level adequacy
  • Non-favorable clauses in vendor agreements that would be affected by change in ownership
  • Termination of key employees
  • Loss of quality resources required for integration efforts
  • Legal rights to existing key applications
  • Source code that is not in escrow
  • Hidden liabilities in licenses and support contracts

The information assessment considers sensitive data-handling requirements and how well data is protected. Generally, this assessment will consider:

  • Systems and data accessible by unauthorized users and how unauthorized access to such data can affect the company’s brand and reputation
  • Authorization, development, and approval processes for the records program
  • Privacy, intellectual property, and other sensitive information collection, usage, storage and complaints-handling processes
  • Third party contractual arrangement adequacy for addressing sensitive information handling

The business assessment considers technology strategy alignment with the business, business process control integrity & automation, and governance & compliance matters. Generally, this assessment will consider:

  • IT strategy that is not aligned with the current and future business requirements
  • Current systems that are not suitable for business requirements
  • Inefficient manual work-around procedures that are required to operate the business
  • Level of system automation that does not match the level disclosed by management
  • Recently-integrated business systems that have internal control integrity issues
  • Internal controls and SOX 404 issues that will impact regulatory compliance
  • Insufficient governance of IT system projects that could result in hidden future IT costs or write down of IT assets due to inappropriate system development

The risk quantification translates identified IT risks into financial impact statements and helps prioritize them for consideration in the final M&A transaction decision.

Today’s risk and compliance environment compels organizations that are developing M&A strategies to integrate IT risk management into their M&A planning and implementation processes. Left unaddressed, IT risk issues can fundamentally affect the overall M&A strategy and desired value creation. A properly structured IT risk management framework and readiness diagnostic can provide practical insights into the information and technology risk issues. Including IT risk management from the outset can make the M&A picture complete, rather than an unfinished puzzle. ##

Bill Kobel(bkobel@deloitte.com) is a Principal and John Gimpert (jgimpert@deloitte.com) is a Partnerwith Deloitte & Touche LLP.

Hedge Your Bets: The Importance of IT Risk Management in M&A.

Encryption Tech: 10 Simple Rules for Encrypting Enterprise Data

Enterprises are becoming more and more proactive about data security, with data encryption viewed as a core element to their defensive measures. They are adopting encryption at a rapid rate to comply with industry regulations, protect intellectual property, obtain safe harbor from data breach disclosure laws, and effectively manage risk. As encryption proliferates, IT professionals are making critical decisions that directly contribute to, or detract from, an organization’s ability to effectively manage encryption keys and data security.

Data is an organization’s most valuable asset and it must be protected. Designing and implementing an encryption strategy is not complicated if you understand the needs of your enterprise and establish the right decision-making criteria for encryption solutions.

Simplicity, breadth, manageability and efficiency are the primary requirements security-minded enterprises must build into their encryption strategy. A solution that has the fewest complications will make the jobs of IT professionals easier, be more cost- and time-efficient, while at the same time protect data and meet compliance standards. Here are ten simple rules for evaluating encryption and key management solutions to ensure that the investments you make today deliver strategic value for the future.

1. Encryption shouldn’t have to be painful

Encryption is necessary to secure data at its source. It provides safe harbor from data breach disclosure laws and is mandated by industry standards such as the Payment Card Industry Data Security Standard (PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA). Why then are many enterprises hesitant to adopt encryption? Often, the thought of high implementation costs, changes to applications, complexity and performance degradation prevents enterprises from making smart decisions regarding data security. Encryption technology has evolved immensely in the past few years. New approaches offer cost-efficient manageability combined with stellar performance and application and database transparency. Instead of dealing with negative perceptions about encryption by disregarding the issue, spend some time learning about the new approaches to database, application and file encryption.

2.  Beware of point encryption product explosion

The more encryption products an organization has, the bigger the system management and policy management problem becomes. Avoid ending up with an exploding number of encryption products and all the related key management and policy management headaches that this will bring. Selecting encryption solutions that have the broadest coverage over the largest number of potential systems will eliminate management headaches, as well as homogenize and consolidate data security policy management.

3.  Understand the EKM problem/solution area

The primary purpose of an Enterprise Key Manager (EKM) is to provide a centralized point of key generation, key lifecycle management, key backup and key recovery. When developing an enterprise encryption strategy, it is important to remember that the need for an enterprise key manager grows in line with the number of points for key storage. In addition, enterprise key managers are passive, meaning that they do not actively control the security of the encryption keys as they are handled by the encryption system. Furthermore, a complete encryption solution also includes secure access controls to prevent unauthorized access to sensitive data. This is not something that can be addressed by an EKM alone. A comprehensive encryption strategy requires a hard look first at the methods by which keys are handled by the encryption system and,

second, at the overall key management complexities associated with the enterprise encryption program.

4.  Understand the importance of IKM

Integrated Key Management (IKM) is the actual key management structure of an encryption system. This key management process actively controls the methods by which keys are stored and accessed by the encryption system. IKM differs from EKM in that it directly controls the security, storage and handling of keys as they are accessed within the encryption solution. Integrated key management must be a critical part of the evaluation criteria for any encryption solution. If integrated key management is secure and transparent, the management overhead of an encryption solution will be significantly minimized.  It is critical to remember that the need for an EKM will grow directly in line with the number of encryption systems that have been adopted because backup and recovery of encryption keys will become a larger and larger problem as the number of places that keys are held also grows. Selecting solutions that provide integrated key management for the largest number of required encryption end points will go a long way towards eliminating the enterprise key management problem.

5.  Learn from the success of SSL

SSL is the most broadly used encryption method in the world today simply because it is transparent to users and applications and is easily managed.   As demonstrated by the success of SSL, the more transparent the encryption solution, the more easily it can be integrated and supported for the long term. Organizations seeking success in implementing encryption should make transparency an important part of their decision-making criteria.  Without transparency, encryption solutions can take as long as twelve months to install and cause significant costs during application change processes.  With transparency, encryption can be implemented within days, and never needs to be considered as an inhibitor as the organizations seeks to optimize their information management programs.

6.  Look beyond the column

While column-level encryption can intuitively seem like the most practical method to encrypt database data, its invasiveness and lack of scalability make it inefficient, offer limited protection and, sometimes, render it unusable. Column-level encryption is not transparent to databases or applications. This lack of transparency can drastically complicate application change management requirements, require a significant amount of customization of both the database and the application and places the performance burden directly on the database itself. Furthermore, as projects to protect a single column, such as credit card numbers, evolve into broader data protection requirements for personally identifiable information (PII), the number of columns that need to be encrypted explodes, drastically hurting database performance and raising implementation costs. Most importantly, databases send sensitive information to a myriad of locations, including database log files, application log files, document outputs to servers, and backups.  Column-level encryption offers no protection for unstructured data. Before leaping to undertake a potentially extensive and long column-level encryption project, organizations should fully educate themselves on the costs and benefits of every approach to database encryption, including database file level and column-level encryption.

7.  Prepare for virtualization

Virtualization changes the overall security model. Because the operating system is not tied to a physical disk, it can be moved from system to system. Full disk encryption and physical security, which have been broadly implemented to protect operating environments and the data housed within them, lose their effectiveness in virtualized environments. Instead of stealing the physical disk, entire operating environments can be logically accessed and easily transferred.  Organizations that plan on implementing virtualization should re-evaluate their data and system protection mechanisms in light of the new security risks.  Implementing data encryption that travels with the operating system environment in conjunction with or instead of full disk encryption will go a long way as the use of virtualization exponentially increases throughout enterprise infrastructure.

8.  Policy is key

Encryption is easy – getting decryption right is hard! By combining encryption with an access control based decryption policy, the value of encryption grows from a simple scrambling of bits as a physical theft deterrent to a dynamic data security solution that places controls directly on the data itself. To gain strong security benefit from their encryption projects, organizations should look for solutions that not only scramble bits, but apply security policies on the data itself.

9.  Consider all applications and operating systems

Many encryption solutions are tied to specific versions of  applications and operating systems. For example, enterprises typically have numerous versions of the same database across various parts of the enterprise. They also have numerous databases running on a wide array of different operating systems. While it seems natural to implement encryption solutions that come as part of the application, this leads to an explosion in the number of encryption solutions. If encryption is only available for a specific version of a database for example, but enterprises are unable to update all of their databases to the most up to date version, it leaves them with a hole in their overall security solution. Furthermore, training costs increase with a wide array of point solutions that are tied to the application or the operating system. Solutions exist today that, due to the transparent nature of their operation, can cover all applications across multiple operating systems. This allows the enterprise to deploy a single solution, reduce their key management issues and minimize both implementation and administration costs.

10.  Think of encryption as an enabler

Encryption can help your business. Data security is a proactive way to comply with government and industry regulations and ensure customer confidence. Regulations like the Gramm-Leach-Bliley Act (GBLA) of 1999, California SB 1386, California AB1950, HIPAA, and PCI DSS require enterprises to protect sensitive information with penalties for noncompliance, such as hefty fines and litigation. In addition, in the event of a data breach, an enterprise will suffer damage to its reputation and the loss of customer confidence. By using encryption, an enterprise demonstrates its proactive dedication to data protection.

Encryption should no longer be feared! Enterprises can find effective, cost-efficient solutions and strategies that allow their business to gain the benefits of a broad data security program without changing their applications or requiring their administrators to learn multiple different solutions. Thanks to advancements in encryption approaches, solutions now exist that secure data without creating management complexities or performance nightmares.

Steve Pate is the chief technology officer for Vormetric.

Encryption Tech: 10 Simple Rules for Encrypting Enterprise Data | Computer Technology Review: Data Storage and Network Solutions.