IGT Awarded The First PCI DSS 1.2 Certification | webnewswire.com

Submitted by newsdesk on Mon, 12/22/2008 – 19:42

IGT, a pioneer and global leader in travel technologies and services, has received the coveted PCI DSS 1.2 certification from ControlCase, a leading PCI DSS Qualified Security Assessor Company (QSAC). IGT is the first travel BPO organization to become PCI DSS 1.2 compliant, having successfully met the newest version of the Payment Card Industry Data Security Standard (PCI DSS) compliance requirements. ControlCase conducted a meticulous audit of the security measures IGT uses to protect e-commerce customers and their data in travel transactions.

ControlCase awarded IGT the PCI DSS 1.2 compliance rating after IGT met the 259 requirements (grouped into 12 broad categories) that make up the standard’s control objectives. Data security continues to be a concern for customers making payments over the internet. IGT supports millions of travel transactions annually and enables consumers to make travel purchases in a highly secure manner both online and remotely. The PCI DSS 1.2 certification demonstrates IGT’s continued commitment to the protection and security of our B2C and B2B customers’ account data throughout the transaction process.

Vipul Doshi, CEO, IGT, stated: “Our clients rely heavily on credit cards, with more than 2/3rds of travel transactions occurring over the internet; it’s imperative that we maintain the highest standard of information security. Receiving the PCI DSS 1.2 certification further demonstrates our commitment to protecting our clients and their customers.”

Internet security and the protection of personal information continue to be a top priority and concern for individuals transacting over the world wide web. Credit card companies impose hefty fines on companies that do not meet PCI compliance requirements. Some reports indicate that nearly one trillion dollars per year is spent on travel, and that more than 2/3rds of those sales are paid for with credit cards. Combine that with the travel industry racking up more sales on the internet than any other industry and you have a recipe for serious credit card fraud, the very reason PCI DSS was implemented.

Mohit Magon, Vice President – Business Excellence, stated: “Achievement of PCI DSS 1.2 compliance reinforces our continuous commitment to the highest level of security standards. As an organization, our people are committed to achieving excellence in whatever we do. Our proactive approach to complying with the PCI DSS 1.2 standard is a testimony to our responsiveness towards the ever-changing business environment and customer needs.”

IGT is the first travel BPO company to achieve the recently updated version of the PCI DSS. Suresh Dadlani, COO, ControlCase, stated: “We are pleased to have worked closely with IGT on PCI DSS 1.2 certification. Compliance with the requirements of the standard is quite technically intensive and does not provide any scope for compromises. The achievement of PCI DSS 1.2 certification in a short period of time was only possible due to the commitment at all levels and the technical competencies demonstrated by the team.”

IGT remains committed to meeting the highest security standards applicable in the information technology industry. With more than 1/3rd of the world’s travel transactions relying on IGT, it’s good to know your data is protected with IGT.

About IGT

InterGlobe Technologies (IGT) provides services and solutions to corporations worldwide in the areas of Business Process Outsourcing (BPO) and Information Technology (IT). IGT’s gamut of offerings spreads across the entire technology spectrum. With some 2,000 global employees operating in facilities located in India, North America and Europe, InterGlobe was ranked by The Great Place To Work Institute as the best travel company in India. In 2008, Deloitte and Touche recognized IGT as one of the fastest growing companies in India, and The Black Book of Outsourcing ranked IGT as one of the top 5 travel BPO companies in the world. www.igt.in

About PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide benchmark mandated by credit card companies for the protection of cardholders’ identity and transaction information. It is designed to prevent credit card fraud, hacking and various other security vulnerabilities and threats. The standard was developed by the major card brands, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International.

via IGT Awarded The First PCI DSS 1.2 Certification | webnewswire.com.

Feds finally put teeth into HIPAA enforcement

Three years after the federal law’s rules on securing health care data took effect, HHS has issued its first corrective action plan. And more may be on the way.

Jaikumar Vijayan

A data security audit that the U.S. Department of Health and Human Services conducted at Piedmont Hospital in Atlanta last year was widely viewed within the health care industry as a harbinger of further actions by the federal government to enforce HIPAA’s security and privacy rules.

Eighteen months after HHS quietly began the Piedmont audit, there hasn’t been much evidence of stepped-up enforcement. But now a stringent “resolution agreement” signed in July by the agency and Seattle-based Providence Health & Services is generating the same kind of buzz among health care providers that the Piedmont audit did.

On July 15, Providence agreed to adopt a so-called corrective action plan (CAP) and pay $100,000 to settle what HHS described as “potential violations” of the Health Insurance Portability and Accountability Act’s requirements for safeguarding electronic patient data.

The resolution agreement — the first of its kind under HIPAA — stemmed from the loss or theft of laptops, optical discs and backup tapes containing the unencrypted medical records of more than 386,000 Providence patients. On several occasions in 2005 and 2006, equipment was reported missing after workers took it out of the office with them.

Under the CAP, Providence has to revamp its security policies to include physical protections for portable devices and for the off-site transport and storage of backup media. It also is required to implement technical safeguards, such as encryption and password protection. And the not-for-profit health system, which has operations in five western states, must conduct random compliance audits and submit compliance reports to HHS for the next three years.

In addition, the agreement calls for Providence’s chief information security officer to personally validate that all required policies have been put in place and that all employees have been trained on adhering to them. The CISO also has to attest that all backup media and portable devices containing health information protected by HIPAA are properly secured.

Significantly, the CAP precludes Providence Health from contesting the validity of or appealing any of its obligations under the agreement. The settlement is getting considerable attention within the health care industry because of the tough terms and conditions that the deal imposed on the provider.

“The CAP gives us some indication that the bar is being raised when it comes to HIPAA compliance,” said Lisa Gallagher, director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS) in Chicago. “This is a fairly serious corrective action plan.”

Corrective Measures

The security action items that Providence Health & Services agreed to include the following:

  • Revise policies and procedures for safeguarding patient data while it is stored at or being transported to off-site facilities.
  • Train all workers on security policies and submit proof to HHS that the training has been completed.
  • Update policies as needed, but at least on an annual basis.
  • Ensure that a security risk assessment and management plan and a data breach notification policy are in place.
  • Conduct reviews that include unannounced audits, spot checks and site visits at company facilities.

Source: U.S. Department of Health and Human Services

Gallagher added that the deal with Providence sends a clear message to other health care providers that HHS is finally cracking down on HIPAA violators, after having been accused of lax enforcement in the past.

The harder line is in keeping with an announcement in January that the Centers for Medicare & Medicaid Services (CMS), the HHS unit responsible for administering the HIPAA security rules, had hired PricewaterhouseCoopers to conduct audits on its behalf. At the time, the CMS said it planned to do 10 to 20 audits this year at organizations that had been the target of complaints about their data security practices.

According to Gallagher, the CMS is expected to release findings from those audits early next year. It also plans to highlight violation trends and provide guidance on the biggest problems that health care providers are having in implementing the controls required by HIPAA. “As far as I know, they are under way with these audits,” she said.

Gallagher also expects the CMS to start working more closely on enforcement with the HHS Office of Civil Rights, which administers the data privacy rules set by HIPAA.

As of press time, the CMS had yet to respond to questions that were sent via e-mail, as an agency spokesman had requested. Providence officials also asked that questions be sent via e-mail but also hadn’t responded.

Peter MacKoul, president of HIPAA Solutions LC, a consulting firm in Sugar Land, Texas, agreed with Gallagher that the Providence settlement was a dramatic example of the potential consequences of HIPAA violations.

“If you look at what they’re being forced to do, it’s scary,” he said. “They have lost their ability to contest anything; there’s no way of getting out of this agreement. And this is the best deal they could get.”

MacKoul added that while Providence was audited for data security violations, many of the corrective actions it is being required to implement fall into the privacy realm, showing that HHS is making little distinction between privacy and security for compliance purposes.

And based on the terms of the CAP, organizations that have to comply with HIPAA shouldn’t be lulled into complacency by the previous lack of enforcement, MacKoul warned. “If I were a covered entity, I wouldn’t want to roll the dice and get caught up in something like this,” he noted.

The resolution agreement does appear to be a belated attempt by HHS to get the health care industry to take HIPAA more seriously, said Chris Apgar, president of consulting firm Apgar & Associates LLC in Portland, Ore. “I think it’s about time they used somebody as an example,” he said.

Even so, it’s unrealistic to expect a large increase in the number of HIPAA enforcement actions in the near term, according to Apgar and other analysts. Such actions are triggered only when complaints are lodged against organizations. HHS has no HIPAA cops who are actively looking for violations, and health care providers aren’t required to report internal violations themselves.

Also, neither the CMS nor the HHS Office of Civil Rights has anywhere near the resources or the funding needed to investigate all of the complaints that are filed. As a result, examples such as the settlement deal with Providence will likely continue to be more the exception than the rule, Apgar said.

In fact, one of the primary reasons why Providence was investigated in the first place no doubt was the publicity generated by the incidents involving lost IT equipment, said Randy Yates, director of security at Memorial Hermann Healthcare System in Houston.

“Once something that large hits the media, the government is bound to do something,” Yates said. “[The CAP] puts out a message that says, ‘We see this thing, and we don’t like it.’”

Often, enforcement actions are important because they get the attention not just of those in charge of implementing privacy and security policies, but also of those who control the purse strings within organizations. Last year, for instance, the audit at Piedmont Hospital contributed to the approval of a $1.3 million budget item for data encryption at Memorial Hermann.

But if the investigations are as sporadic as they have been in the past, the buzz generated will fade away quickly, said Christopher Paidhrin, IT security officer at ACS Healthcare Solutions, a Dearborn, Mich.-based unit of Affiliated Computer Services Inc.

Paidhrin noted that the Piedmont audit last year initially raised a considerable amount of concern among health care providers. But most of that concern eventually melted away when the expected increase in enforcement actions failed to materialize. The same thing will likely happen in the aftermath of the Providence Health settlement, he said — unless HHS takes additional actions elsewhere and publicizes them to the same extent.

via Feds finally put teeth into HIPAA enforcement.

New privacy guidelines for e-health records announced | Politics and Law – CNET News

The Department of Health and Human Services this week released new privacy guidelines (PDF) for electronic health records, the use of which President-elect Barack Obama has promised to support as part of his plan to jump-start the economy.

The use of electronic medical records could reduce costs and medical errors while potentially improving the quality of care patients receive, advocates say, but the level of new privacy standards needed for e-health records has been a matter of debate.

“Consumers need an easy-to-read, standard notice about how their personal health information is protected, confidence that those who misuse information will be held accountable, and the ability to choose the degree to which they want to participate in information sharing,” HHS Secretary Mike Leavitt said Monday.

The eight principles established in the guidelines are intended to facilitate the adoption of e-health records by providing a consistent approach to questions of privacy and defining the responsibilities of those who have access to e-health records and share them through a network. The principles address issues of patient access; correction of records; openness and transparency; patient choice; limitations to the collection, use, and disclosure of personal health information; data integrity; safeguards; and accountability.

The HHS Office for Civil Rights also published new guidance documents explaining how the Health Insurance Portability and Accountability Act (HIPAA) can facilitate the exchange of information through e-records.

Privacy advocates at a meeting with Obama’s transition team on Tuesday brought up the need for more stringent privacy standards for medical information. However, some members of the software industry, which strongly supports the adoption of e-health records, have said HIPAA may provide sufficient privacy safeguards.

The new HHS guidelines state that “although the HIPAA Privacy and Security Rules apply to health information in electronic form, the current landscape of electronic health information exchange poses new issues and involves additional organizations that were not contemplated at the time the rules were drafted.”

via New privacy guidelines for e-health records announced | Politics and Law – CNET News.

International Challenges in PCI Security | ITworld

December 9, 2008, 01:01 PM — CSO —

In a country that’s seen many regulatory compliance challenges this decade, the headaches of PCI security tend to be analyzed from a largely American perspective.

In the process, companies tend to forget that PCI compliance has been a recipe for international indigestion.

“Remember that credit cards are used abroad, and many American companies have personnel handling credit card transactions in offices all over the world,” says Bruce Larson, security director at American Water, a major water utility that employs more than 10,000 people. “If you have a multinational organization, your data is not just sitting in the U.S.”

There may be some irony in hearing that from someone whose concerns are mostly based on security threats inside the U.S. Larson has to worry about everything from cyberattacks targeting computerized water filtration systems to terrorists who might try to bomb pipelines or poison the water supply. He also loses sleep whenever there’s the chance of a natural disaster.

The inconvenience of online, global commerce

But more people are using credit cards to pay the water bill online, and he knows the credit card data is floating around in databases outside the U.S. Losing any of that data could be a body blow in terms of public confidence. Then there’s the fact that American Water does business with vendors across the globe.

“I have a very geographically distributed network — more than 1,500 locations where humans work, 150-200 of those are critical operations facilities,” Larson told attendees during a PCI security seminar CSOonline held in New York in September.

For Harshul Joshi, director of IT-risk and advisory services at CBIZ and Mayer Hoffman McCann P.C. (MHM), a professional business services company, doing business internationally can make for a lot of confusion regarding the PCI security ground rules.

“When we deal with non-U.S. companies, there is often confusion over what PCI security requires,” Joshi says. “We work with one of the largest magazine publishers with operations around the globe and if you dial an 800 number, chances are you’ll be talking to someone in a call center in Vietnam. You give your credit card number and it is recorded somewhere outside the U.S.”

On the outside looking in

If a company is based outside the U.S. — in Sweden or Ukraine, for example — the problem is usually a lack of communication and money regarding PCI security needs.

Dmitriy Tsygankov, director of the corporate customer care center at a bank based in Europe, says Visa USA tends to offer American companies more incentives and assistance for their compliance efforts. As an example, he mentions the US$20 million in financial incentives Visa USA offered nearly two years ago to encourage quicker adoption of the standard.

“Why does Visa USA offer merchants a $20 million bonus to become compliant and not other regions?” he asked. He suspects it’s because e-commerce is more popular and profitable in the U.S. In the bigger picture, he says, it can be harder for foreign companies to come up with the cash needed to achieve compliance.

No financial incentives were mentioned in a recent statement from Visa Inc. announcing new global PCI compliance deadlines. Under the deadlines, announced last week, global merchants and service providers must show by Sept. 30, 2009 that they are not storing full magnetic stripe data (track data), security codes or PIN data after a transaction is approved. Sept. 30, 2010, is the deadline for all service providers and Level 1 merchants to file compliance reports.

David Taylor, founder of the PCI Knowledge Base, agrees companies outside the U.S. don’t enjoy the same degree of financial support. “There really are no global incentives, just a marketing pitch in the Visa Global PCI Deadlines announcement last week to service providers,” he says.

Visa spokesperson Rosetta Jones confirmed Monday that the company does not currently offer any financial incentives for merchants outside the U.S.

“While Visa USA did offer some monetary incentives for U.S. merchants for a short period of time, the major motivator for merchants to achieve compliance has been their desire to properly protect cardholder data and to prevent being the target of a data compromise,” she says.

Keep the global perspective

Regardless, security experts agree companies must look at PCI security as a global mandate and ensure that the same controls used in the U.S. are being used elsewhere. There’s a danger of that not happening when companies find themselves deep in the weeds trying to get their arms around the sheer scope of the standard, says Daniel Blander, a CISM, CISSP and president of Techtonica Inc. in Los Angeles.

His advice is to not let the scope of the challenge get the better of the organization, and use every remediation and control to give something back to the business that provides a non-PCI return on investment.

“File integrity monitoring is great for improving the quality of implementations and maintaining configuration standards if used correctly; configuration standards can improve the delivery of services and systems by promoting consistency,” he says, noting that’s good for business as a whole — wherever in the world the company operates from.

via International Challenges in PCI Security | ITworld.

T-Mobile, AT&T agree to stop saying mobile voicemail is safe

By Robert McMillan , IDG News Service , 12/11/2008

Mobile service providers AT&T and T-Mobile have been banned from saying that their voicemail systems are safe from sabotage after agreeing to permanent injunctions filed in a Los Angeles court.

The cell-phone providers falsely advertised the security of their systems, according to the Los Angeles District Attorney’s Office. During an investigation, “cell phones purchased by undercover investigators were easily hacked into, enabling the voicemail to be changed at will,” the district attorney said in a statement Thursday.

“Hacking into voicemail allowed messages to be changed or erased. Important information could be removed from the voicemail and phony information could be inserted,” the district attorney said. “Imagine the havoc that could result.”

Investigators were able to hack into voicemail accounts using something called a SpoofCard. SpoofCard’s software lets people display any number they want on caller ID and has been used to access voicemail systems that do not require passwords such as those used by Cingular (now part of AT&T) and T-Mobile.

Two years ago, SpoofCard suspended Paris Hilton’s account after gossip sheets linked her to the voicemail hacking of her celebrity rival, Lindsay Lohan. At the time, SpoofCard said it had suspended more than 50 customers for using the service to hack into voicemail accounts.

As part of Thursday’s settlement, AT&T will pay US$59,300 in penalties; T-Mobile will pay $25,000. The case was heard in the Superior Court of the State of California for the County of Los Angeles.

In a separate civil action, SpoofCard’s parent company TelTech Systems has agreed not to advertise its product as “legal in 50 states.” It is not legal in California and some other states, the district attorney’s office said. TelTech will also pay a $33,000 fine.

AT&T, T-Mobile and TelTech did not immediately return calls seeking comment.

via http://www.networkworld.com/news/2008/121108-t-mobile-att-agree-to-stop.html.

Federal breach law? No time soon

Since California’s historic 2003 passage of a data breach law, most other states in the U.S. have followed suit, and 44 states now have laws that lay out requirements for companies in the event that sensitive information is compromised. Despite the groundswell of interest in the issue at the state level, there is currently no similar federal law. Chris Wolf, a Washington, D.C.-based attorney with Proskauer Rose LLP and chair of its privacy and security practice group, spoke with CSO about how long it may be until we see one.

44 states now have individual breach laws on the books, but we currently have no federal law. Will we see one soon?

I don’t think you will see a federal law come out of the next session of Congress. I would be very surprised if that happened, given the nation’s current priorities and given the difficulties Congress has had considering bills for a federal breach law in the past. A lot of businesses want to have a very high threshold for notification that gives them a lot of discretion on when to notify. And many consumer groups think too much discretion will mean not enough notice is given to consumers. So you have that tension and this battle and, as a result, the issue is deadlocked.

Given the high-profile nature of a number of breaches, such as the TJX incident, aren’t people demanding a federal law?

Consumers are not left unprotected with the current state of affairs, and it takes the pressure off of Congress to create a legislative remedy. But it is very difficult to comply with this patchwork quilt of laws.

Because of the individual laws in so many states, people are being notified. Many of the laws require companies to comply with the law for each state in which a client resides. So, if a company has data on people from several states, there is going to be nationwide notice.

There are certain federal breach requirements for financial institutions that are under federal supervision. For instance, all banks, broker-dealers, and other investment companies. So if they are federally regulated, there is a notice requirement.

You mention how difficult it is for companies to comply with all of the state laws. Why is that?

Because the triggers for notification vary from state to state. And now even the content of the letters that go out varies from state to state. If a company finds it has compromised data on someone from Massachusetts and also someone from Maryland, it has to send out separate letters with different content. There is also the issue of notifying the appropriate regulators, because each state has its own laws on notification obligations with respect to regulators. It’s very complicated to navigate the maze.

One example of how unreasonable these laws can be is the 2007 case of CS Stars, a Chicago-based claims management company. In that instance, the New York attorney general said waiting 7 weeks to notify clients about a breach when a computer went missing was unreasonable and a fine was imposed.

In that case, the computer was recovered and a forensic investigation was done. It turns out no one ever accessed the computer. So there was really no harm, and the breach was remedied by the recovery of the data. But this business was fined for what was perceived to be an excessive delay in notice.

Many of the state regulators that are focusing on this are focused on the chronological amount of time between breach and notice. I’m not sure they have a sufficient amount of knowledge of what is involved when a company needs to get its arms around a breach. Before a company can notify, it needs to find out who has been affected and what has been exposed. There has been a violent reaction by regulators to a perceived delay in notice when in fact the passage of time is totally understandable. It is better to have an accurate notice to the people affected than to cry wolf.

That said, what would you advise companies when it comes to data breach?

Businesses need to be ready in advance of a breach to know what needs to be done. Who is going to be responsible? Who’s going to do what? This is necessary to avoid the regulator scrutiny that has occurred in past cases. If I were going to give one piece of advice to businesses, it’s to get ready in advance of a breach, because it is more than likely going to happen to you.

All contents copyright 1995-2008 Network World, Inc. http://www.networkworld.com


via http://www.networkworld.com/news/2008/121108-federal-breach-law-no-time.html.

How to Maximize Your IT Security Budget

Sophisticated cyber criminals have followed businesses into the online world; they can now steal everything from intellectual property to credit card numbers en masse. And that’s just the start. Add Social Security numbers, addresses, and other personally identifying information to the list and you can essentially reconstruct and hijack entire identities. What’s worse is that cybercriminals benefit from anonymity: they can compromise entire databases of sensitive information and leave only a masked IP address behind as a trail—and that trail often ends in a foreign country where both jurisdiction and law enforcement are limited.

Regulators Focus On Large Enterprises

As cyber criminals successfully raided corporate databases and siphoned away credit card, tax, banking, healthcare and other consumer information, regulators took notice. In an effort to protect consumers, governments and industry consortiums imposed regulations and mandates like the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry (PCI) standard. The initial round of enforcement and deadlines, however, was mostly targeted at large enterprises. Thus it is not surprising that over the last few years, large enterprises have made significant investments in cyber security and have at least raised the barrier to such breaches.

When Cybercrime Moves Downstream

Undeterred, cybercriminals are finding it easier to move downstream and target small to medium businesses, which are increasingly online but do not have the necessary safeguards. The Privacy Rights Clearinghouse website lists a long chronology of breaches. Take a look and you’ll find that while familiar names like ChoicePoint, the U.S. Department of Veterans Affairs, TJX, and Circuit City have endured highly publicized breaches, the majority of breaches actually occur at small to medium merchants.

Regardless of whether you are a small retailer, a credit union with a single location, or a doctor’s office or clinic, you face the same problems as a global enterprise when a breach occurs: potential fines, bad press, class-action lawsuits and customer attrition. In fact, the costs of security breaches can be more devastating for a small enterprise that has fewer financial and other resources.

The squeeze doesn’t end there. Regulations increasingly apply to small and medium-sized businesses, not just larger ones. The PCI Data Security Standard (PCI DSS) must now be met by any business that stores, processes, or transmits credit card information—regardless of annual transaction volume. Similarly, publicly traded companies with a market capitalization under $75 million must now comply with SOX. HIPAA, of course, applies to the smallest doctor’s office and the largest hospitals and insurance firms.

Combating Cybercrime with the Hidden Trail

Just thinking about how to provide adequate security can seem overwhelming to a small business. But your business already has the information you need to detect breaches in a timely manner and to cost effectively address regulatory requirements. Every second of the day, your servers, laptops, applications, network infrastructure, and security devices leave a trail of activity behind in the form of logs. Everything from a login or logout to a badge swipe or file access is tracked in this hidden trail. Bring this information together and you have a powerful and cost-effective means to detect threats and protect your business.
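As an added example (not code from the article or from ArcSight), the Python script below shows the kind of cross-source correlation the paragraph describes: it parses a few constructed log lines from a VPN gateway, a badge reader and a file server into one timeline, then raises alerts for a login that succeeds after a run of failures, for a read of a sensitive share by an account with no badge-in or VPN login earlier that day, and for an account that badged into a building and then logged in remotely within the hour. The log format, hostnames, user names, IP addresses and paths are all constructed for the example, and the sample is assumed to cover a single day.

```python
"""Correlating login, badge-swipe and file-access logs to raise alerts.

Added example; the log format and every sample line below are constructed
for illustration and assume all events fall on one calendar day.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the form "<timestamp> <source> key=value ...".
SAMPLE_LOGS = """\
2008-12-09T08:01:10 auth host=vpn1 user=jdoe result=FAIL src=203.0.113.7
2008-12-09T08:01:14 auth host=vpn1 user=jdoe result=FAIL src=203.0.113.7
2008-12-09T08:01:19 auth host=vpn1 user=jdoe result=FAIL src=203.0.113.7
2008-12-09T08:01:22 auth host=vpn1 user=jdoe result=FAIL src=203.0.113.7
2008-12-09T08:01:30 auth host=vpn1 user=jdoe result=OK src=203.0.113.7
2008-12-09T08:05:00 badge door=lobby user=asmith result=GRANTED
2008-12-09T08:10:00 file host=fs1 user=asmith action=READ path=/finance/cards.csv
2008-12-09T08:12:00 file host=fs1 user=jdoe action=READ path=/finance/cards.csv
2008-12-09T08:14:00 file host=fs1 user=bking action=READ path=/finance/cards.csv
2008-12-09T08:20:00 auth host=vpn1 user=asmith result=OK src=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m.group("ts")), "source": m.group("source")}
    event.update(KV_RE.findall(m.group("rest")))
    return event


def parse_logs(text):
    """Parse all lines and order them by time so each detection is a single pass."""
    events = (parse_line(line) for line in text.splitlines() if line.strip())
    return sorted((e for e in events if e is not None), key=lambda e: e["ts"])


def detect_password_guessing(events, threshold=4, window=timedelta(minutes=5)):
    """A successful login preceded by at least `threshold` failures inside `window`."""
    alerts = []
    failures = defaultdict(list)          # user -> timestamps of recent failures
    for e in events:
        if e["source"] != "auth":
            continue
        if e["result"] == "FAIL":
            failures[e["user"]].append(e["ts"])
            continue
        recent = [t for t in failures[e["user"]] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append(("password_guessing", e["user"], e["src"], len(recent)))
        failures[e["user"]] = []          # a success ends the current failure run
    return alerts


def detect_unexplained_file_access(events, sensitive_prefix="/finance/"):
    """A read of a sensitive path by an account with no earlier badge-in or VPN login."""
    alerts = []
    present = set()                       # accounts with an explained entry path
    for e in events:
        if e["source"] == "badge" and e["result"] == "GRANTED":
            present.add(e["user"])
        elif e["source"] == "auth" and e["result"] == "OK":
            present.add(e["user"])
        elif e["source"] == "file" and e["path"].startswith(sensitive_prefix):
            if e["user"] not in present:
                alerts.append(("unexplained_file_access", e["user"], e["path"]))
    return alerts


def detect_onsite_and_remote(events, window=timedelta(hours=1)):
    """An account that badged into a building and then logged in remotely within `window`."""
    alerts = []
    last_badge = {}                       # user -> time of most recent badge-in
    for e in events:
        if e["source"] == "badge" and e["result"] == "GRANTED":
            last_badge[e["user"]] = e["ts"]
        elif e["source"] == "auth" and e["result"] == "OK" and e["user"] in last_badge:
            if e["ts"] - last_badge[e["user"]] <= window:
                alerts.append(("onsite_and_remote", e["user"], e["src"]))
    return alerts


def run_all(text):
    """Parse once, run every detection and return the combined alert list."""
    events = parse_logs(text)
    return (detect_password_guessing(events)
            + detect_unexplained_file_access(events)
            + detect_onsite_and_remote(events))


if __name__ == "__main__":
    for alert in run_all(SAMPLE_LOGS):
        print(alert)
```

On the sample above the script raises three alerts: jdoe's login after four failures, bking's read of the finance share with no badge-in or VPN login, and asmith appearing both in the lobby and on the VPN within fifteen minutes.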

Tips On How to Maximize Your Security Budget:

  • Improve efficiency—consider approaches to security that require less hardware and effectively support consolidation and green initiatives.
  • Maintain clear visibility on the network—knowing where your internal and external threats and policy violations exist will eliminate or reduce the extraneous costs of a data breach, fraud, or cybercrime.
  • Avoid “one size fits all” solutions—look for multiple performance options and scalability to adapt to evolving security and compliance regulations.
  • Understand the impact of automation—reserve limited and valuable IT resources for more strategic tasks.
  • Integrate security as part of the business—leverage security solutions in more strategic ways by offering a clear path to ROI and productivity gains.

For organizations of any size, there’s no doubt that battling cybercrime and meeting regulatory compliance will be a top business issue in 2009. However, given the state of security in today’s economy, it will be important to measure the cost-comparisons between technology and IT resources used versus the costs associated with a data breach or cybercrime attack.

Ansh Patnaik is the director of product marketing at ArcSight. He is an ISSA and ISACA member and maintains the CISSP certification. Ansh has worked in the security space for over 10 years with companies such as BindView/Symantec and Omniva Policy Systems.

How to Maximize Your IT Security Budget.

PCI’s Post-Audit Pain Points

Those who thought their PCI security challenges would be over after the first passing compliance audit say they continue to be dogged by the same problems that caused pain in the beginning.

For Jennifer Atwell, point-of-sale and communication support manager at Apple Gold Group, log management continues to be a pesky nuisance.

“Log management, while necessary, has turned out to be the biggest issue for us,” says Atwell, who is based in the Raleigh-Durham, North Carolina area. “Partnering with a good vendor helps, but when you’re starting from scratch, it’s a big project.”

Legacy applications continue to challenge PCI security at Lifestyle Services Group, according to Jim Griffiths, the company’s UK-based information security and compliance chief. And at the National Bank of Kuwait, Information Security Officer Imran Minhas continues to be challenged by the task of database encryption.

“Database encryption is turning out to be a huge project in itself,” Minhas says. “A place where no cardholder data is encrypted at all, all of a sudden has to encrypt almost every one of its databases. It’s a bit hard to get everyone to prioritize this project to everything else. Upper management is good with it, but it comes down to the people who are going to implement the solutions.”

But for the vast majority of security pros surveyed by CSOonline in recent weeks, the biggest problem is upper management.

The top brass may be fully supportive during that initial PCI security effort. But once that first audit is complete and the company gets a passing grade, the executives assume the task is done. Instead, security pros have found that the work is never done.

“Everyone, especially senior management, thinks that if we pass a PCI audit then we are safe for a year,” says David Glosser, network security administrator for a company in New York City. “There’s a perception that PCI-compliant shops are perfect.”

The upper management problem
Others polled by CSOonline reported running into the same wall Glosser spoke of. Daniel Blander, a CISM, CISSP and president of Techtonica Inc. in Los Angeles, says he has seen the problem up close.

“Having worked on two PCI projects, the biggest challenge is typically management’s view, ‘Well, we’re compliant, so we’re done,’” he says. “Some parts of management understand the ‘why’ of PCI, but don’t understand overall risk management. Maintaining attention after the fact is the biggest challenge.”

Serg Anishchenko, the technical manager at a company in Hungary, offered a “funny” example of how clueless upper management can be:

“They were sure I would be able to fix the system alone in couple of weeks,” he says of the top brass at his company. “Another challenge is working out a roadmap to find the easiest way to get compliant and stay that way for the longest period of time.”

Tim Holman, senior consultant at QCC Information Security Ltd. in the UK, says PCI security is still generally being seen as an IT security project, lacking buy-in from senior management, which “leads to all sorts of fun and games.” Taking credit card payments is rarely seen as a risk at the board level.

Documentation, please
The second-biggest ongoing challenge security pros mentioned is log management and documentation. Auditors rabidly digest those logs during audits, and they are a critical tool for spotting security holes and attempted breaches. Unfortunately, good log management isn’t an easy process to maintain.

“My experience with PCI DSS compliance showed that documentation is a problem. Merchants could have good security installations, but it’s a problem to write policy for change management procedures,” says Dmitriy Tsygankov, director of the corporate customer care center at Swedbank in Ukraine. “It’s not difficult to change IP tables or to buy a new server, but it’s much more difficult to use and control all procedures” once they are in place, according to the documentation procedures.

Survival tips
Blander says there are a host of other PCI challenges companies continue to wrestle with. For one thing, he says, the sheer scope of remediation can be overwhelming, given that the standards are so broad. “For a retailer that means all stores (typically in the many hundreds),” he says. “The sheer cost of addressing that large a scope is a factor given the current state of retail. This doesn’t make the standards bad, just a challenge to tightening budgets and limited resources.”

His advice is to not let the scope of the challenge get the better of the organization, and use every remediation and control to give something back to the business that provides a non-PCI return on investment.

“File integrity monitoring is great for improving the quality of implementations and maintaining configuration standards if used correctly; configuration standards can improve the delivery of services and systems by promoting consistency,” he says, noting that’s good for business as a whole.

Griffiths has experienced many of the challenges listed above. But he remains confident in his organization’s ability to do right by PCI security.

“None of the pain points are insurmountable,” he says. “PCI is either a logical extension of current security practices or a huge undertaking in organizations with little or no security appetite.”

The most important ingredient for any organization dealing with PCI security, security experts generally agree, is the security appetite Griffiths mentions.

PCI’s Post-Audit Pain Points | ITworld.

Sweeping FMLA Changes Require Quick Action From Employers

On November 17 the Department of Labor revealed the final revisions to the Family Medical Leave Act (FMLA), a major overhaul of the law, and the first since its enactment in 1993. To assist employers with navigating the revised regulation and implementing policies as they prepare for it to become law on January 16, 2009, Business & Legal Reports, Inc. (BLR(R)) has launched the BLR FMLA Information Center at www.blr.com/information-fmla.

“The impact of the final FMLA rule cannot be overstated. Employers will need to reconsider all of their leave policies and practices and make significant changes to avoid costly FMLA violations,” said Susan Schoenfeld, J.D., BLR legal editor and FMLA expert. “This will require employers to devote time and resources to understanding the new rules and changing their FMLA leave administration programs. The time employers have to actually make those changes is dangerously short — with only 60 days until the rule becomes effective on January 16.”

FMLA revisions affect the following areas of policy:

– Serious Health Condition

– Intermittent Leave

– Employee and Employer Notice

– Light Duty

– Perfect Attendance Awards

– Medical Certification

– Fitness-for-Duty Certification

– Military Caregiver Leave

– Leave for Qualifying Exigencies for Families of National Guard and Reserves

– Revised Forms

What the Revisions Mean for Employers

The Department of Labor says that many of the revisions were designed to clarify the requirements that the FMLA imposes on both employees and employers and to improve communication between the parties.

Schoenfeld states that “since it was first enacted in 1993, employers have really struggled to understand and implement the FMLA in the ‘real world.’ Unlike many other federal employment laws, employers never really reached a comfort level in understanding the FMLA. The new FMLA rule comes with new forms that may assist with recordkeeping; however, the FMLA rule also adds two new types of leave which place extra burden on employers.

“The bottom line,” added Schoenfeld, “is that employers will be significantly impacted by the FMLA changes, especially at first while they struggle to learn and understand the new FMLA requirements.”

Sweeping FMLA Changes Require Quick Action From Employers – MarketWatch.

Building an IT Governance Foundation – Baseline

While organizations have similar goals such as controlling costs and achieving data consistency, IT departments across government, corporations and nonprofits operate differently. IT management needs an overarching governance model like CobiT, ITIL, CMM and Six Sigma to ensure that investments in technology generate business value and mitigate risks.

Information technology governance defines the overall structure, policies, processes and relationships necessary to provide the desired level of standardization and consistency across an IT organization. It encompasses systems, performance measures and risk management procedures, helping organizations make informed decisions about their operations and investments. While organizations have similar goals—such as controlling costs and achieving data consistency—IT departments across government, corporations and nonprofits operate differently.

Even after a rigorous focus on compliance initiatives—and the widespread acknowledgment that large-scale, complex, strategic IT projects commonly progress beyond scope and budget without due attention—standardization around IT governance models is still being sought.

When organizations are examined and the use of best-practice disciplines are polled, a number of frameworks and standards for varying aspects of IT operations are found. These frameworks typically include:

* IT Infrastructure Library (ITIL), developed by the United Kingdom’s Office of Government Commerce, focuses on service support and service delivery.

* ISO/IEC 27001 (ISO 27001) consists of a set of best practices to implement and maintain an information security program.

* AS8015-2005 is the Australian Standard for Corporate Governance of Information and Communication Technology.

* Capability Maturity Model Integration focuses on software engineering, people and implementation.

* Balanced Scorecard is a strategic planning and management system used to align business activities to the organization’s vision and strategy.

* Six Sigma is a manufacturing-based system focusing on quality assurance.

IT management needs an overarching governance model to ensure that investments in technology generate business value and mitigate associated risks. The model should also provide a common language for IT and users, enable more focused planning, and create a level of standardization, consistency and predictability.

First published in 1996, Control Objectives for Information and Related Technology (CobiT) provides a set of generally accepted best-practice objectives to help maximize the benefits derived through IT use. It further aids in developing appropriate IT governance and control in an organization. Managed by the Information Systems Audit and Control Association and its research body, the IT Governance Institute (ITGI), CobiT became the IT governance standard against which auditors measured process and control maturity in support of compliance with the Sarbanes-Oxley Act of 2002.

CobiT provides a control- and objective-based foundation upon which decisions and investments can be based. These include defining a strategic plan; defining the information architecture; acquiring the necessary hardware and software to execute a strategy; managing projects; ensuring continuous service; and monitoring the performance of the IT system.

This is achieved by providing tools to assess and measure the performance of 34 high-level processes that cover 214 control objectives, which are categorized in four domains: Plan and Organize; Acquire and Implement; Deliver and Support; and Monitor and Evaluate. By implementing processes and procedures supporting the CobiT objectives and identifying and monitoring associated controls, users and auditors will recognize greater reliability and performance throughout the enterprise.

Building IT Governance: Overcoming Challenges

Throughout IT organizations, common themes are described as areas of opportunity: improve project planning and investment; increase collaboration and information sharing; facilitate effective communication and transition across the lifecycle; control cost while providing efficient operations and support; enhance service delivery; and improve security. These themes are usually approached as individual programs or are carefully orchestrated as an overarching organizational transformation related to technology operations.

Certain areas, such as security and managing data across an enterprise, require heavy investment and monitoring. These are also areas that auditors commonly spend time scrutinizing and directing change for heightened control.

When remediation is essential, reactive solutions are typically implemented. Though necessary, these solutions can be costly and inefficient. Once a baseline is set, however, and the auditors leave, it is far more efficient for IT management to proactively design and support an improvement plan with cross-functional reach. The CobiT model can help with this.

By understanding the four domains and the underlying process areas, IT management and staff can begin communicating from a common frame of reference. Leveraging the CobiT toolkits, IT management can promote a standard set of metrics, process structures, improvement plans and self-assessment mechanisms. This allows each area to initiate, report and monitor in a similar fashion.

In almost every change-management or operational-improvement approach, stakeholder involvement is critical, yet this is often where things fall apart. Think how many project managers ask for executive stakeholder meetings to communicate issues and detailed plans. Now ask how many IT managers have enough time to devote to such detail. The answer would be “very few.”

With an understanding of CobiT and having a common approach to managing and measuring processes, IT management will have an informed understanding of the objectives to be achieved. This understanding allows IT management to focus on the actions that require their attention, enabling the program to stay on track based on meaningful risk and opportunity reviews.

From the ITGI CobiT 4.1 framework document, the four domains and their relationships are described and the related process areas listed. The relationships can help IT management focus on areas of opportunity or risk.

Plan and Organize (PO) provides direction to solution delivery (AI) and service delivery (DS); Acquire and Implement (AI) provides the solutions and passes them to be turned into services; Deliver and Support (DS) receives the solutions and makes them usable for end users; and Monitor and Evaluate (ME) monitors all processes to ensure that the direction is followed.

A governance framework is worthwhile only if it is actually used; otherwise, it becomes a waste of money and a burden to the staff. To be effective, its language must permeate regular conversations among the leadership team and find its way into dashboards and documents.

By using CobiT tools, IT management can quickly assess strengths, weaknesses and opportunities. It can then reduce costs, improve the top-line, enhance customer service, or meet compliance and regulatory reporting by balancing risk mitigation and process improvement in a proactive fashion.

Building IT Governance: Collaboration and Support

As an example, one state government’s IT strategic planning group wanted higher levels of collaboration and a stronger sense of support. The sense of buy-in across multiple agencies would strengthen appropriation requests for strategic initiatives, allowing for economies of scale, including:

  • Solutions that address and automate inter- and intra-agency business processes
  • Smaller, more focused teams to drive progress more quickly
  • More statewide, standardized technology platforms and tool sets
  • Enhanced information sharing and increased reusability
  • Lower total cost of ownership for solutions.

To achieve its goals, the state government embarked on a more collaborative planning effort, beginning with an agency director approach. This top-down model was meant to align agencies having similar business-oriented goals and challenges. Facilitated discussion and collaborative decision making identified and defined capabilities that would help alleviate challenges in support of goals that could be met through technology. This transition—from business-driven need to technology-based capability—also allowed the agency directors to communicate more effectively with the IT directors.

The transition to technology occurred when enabling capabilities, such as business intelligence, were identified. More than 50 agencies were represented and more than 100 directors, chiefs of staff, and IT leads collaborated in the process to iterate balanced objectives and identify existing and new initiatives.

The state’s intent for the strategic planning process was a set of IT-oriented priorities that support state and agency business goals and can be translated into a set of recommended projects and budgets. With the iterative, collaborative process utilized, it was essential to be sensitive to time and competing priorities. In support of the process, the state established a legislative technology committee and formalized the agency director advisory committee.

The state’s approach—developing output for the framework—was designed to facilitate discussion and move quickly toward decisions in a collaborative fashion that built support and consensus.

Looking at CobiT’s Planning and Organizing domain, the very first process area is Define a Strategic IT Plan. This satisfies the business requirement for IT to sustain or extend the strategy and governance requirements, while still being transparent about benefits, costs and risks.

Another CobiT process area, Define the IT Processes, Organization and Relationships, has several applicable objectives. These include Defining an IT Process Framework, Establishing an IT Strategy Committee and Establishing an IT Steering Committee.

The state government achieved several CobiT objectives through its planning process, which had the goal of developing a long-term strategic plan—not overtly aligning with the CobiT framework. This is a model of success that other standard and framework maturity programs can learn from.


Enabling IT Governance Transformation

The steps enabling transformation—in the context of an IT governance, compliance or enterprise risk management initiative—describe a business process. Similar to any other business process, it must be documented, followed with discipline and improved with every iteration.

For a successful CobiT experience, always begin from a perspective of knowledge and leverage experienced support. Implementing an enterprise risk management, compliance or IT governance program is like any other transformation: It must have the support of a dedicated team to be successful.

Lessons taken from enabling organizational transformation hold true for an IT governance program to reduce cost and effort, while enhancing chances of success and building support across an organization. There are only so many tasks that one person or a group working part-time can push forward simultaneously.

For an IT governance effort to succeed, therefore, dedicated resources must be allocated, IT management must have a common understanding to allow for more focused decision making, and progress must not be predetermined by an arbitrary schedule, such as a quarterly earnings call.

PLAN AND ORGANIZE

  • Define a strategic IT plan.
  • Define the information architecture.
  • Determine the technological direction.
  • Define the IT processes, organization and relationships.
  • Manage the IT investment.
  • Communicate management aims and direction.
  • Manage IT human resources.
  • Manage quality.
  • Assess and manage IT risks.
  • Manage projects.

ACQUIRE AND IMPLEMENT

  • Identify automated solutions.
  • Acquire and maintain application software.
  • Acquire and maintain technology infrastructure.
  • Enable operation and use.
  • Procure IT resources.
  • Manage changes.
  • Install and accredit solutions and changes.

DELIVER AND SUPPORT

  • Define and manage service levels.
  • Manage third-party services.
  • Manage performance and capacity.
  • Ensure continuous service.
  • Ensure systems security.
  • Identify and allocate costs.
  • Educate and train users.
  • Manage service desk and incidents.
  • Manage the configuration.
  • Manage problems.
  • Manage data.
  • Manage the physical environment.
  • Manage operations.

MONITOR AND EVALUATE

  • Monitor and evaluate IT performance.
  • Monitor and evaluate internal control.
  • Ensure compliance with external requirements.
  • Provide IT governance.

Adam Nelson is director of management and IT consulting at Keane, a global IT consulting firm headquartered in San Ramon, Calif.

Baseline.