The Art of Data Management Compliance, Part 2: Guarding Against Theft
One of the biggest challenges companies face today is integrating the security process into day-to-day business operations in order to comply with strict data management regulations. Companies need to take a step back and -- instead of addressing individual issues -- take a holistic approach to network security.
Identity theft, a cyber-crime causing inestimable damage for scores of ordinary citizens, has prompted passage of the federal FACT Act Identity Theft Red Flags Rule, issued this year. Part of the 2003 Fair and Accurate Credit Transactions Act, the rule aims to combat the scourge of identity theft, which each year victimizes 8.3 million Americans for a total of US$15.6 billion in losses, according to the Federal Trade Commission.
The impact of the rule is broad, impacting banks, credit unions, mortgage lenders, auto dealers, credit card lenders, payday lenders, landlords, utility companies, phone companies and any consumer or small business lender in the country. By Nov. 1 -- the compliance deadline -- each affected entity must perform a risk assessment and take numerous steps to develop and implement a written identity theft prevention program.
"The rule requires millions of businesses to perform a risk assessment, map red flags to detection and response procedures, implement an identity theft prevention program, train staff, periodically update the program and perform a compliance status check at least annually," Compliance Coach CEO Sai Huda told the E-Commerce Times. "It will cost companies hundreds of hours and thousands of dollars to comply."
Part 1 of this three-part series discusses the major challenges associated with the extensive web of rules and regulations affecting data management.
More the Merrier
Other additional regulations of recent vintage require that organizations employ stricter governance over retention and access to critical organizational information (whether that data be related to personal or financial information), according to Surety CEO Tom Klaff. A few prime examples he mentioned include:
- 21 CFR (Code of Federal Regulations) Part 11, which requires FDA-regulated businesses to follow technical and procedural standards for the processing, storage, security, and retention of electronic records and electronic signatures.
- SAS 103 -- Statement on Auditing Standards from AICPA (the American Institute of Certified Public Accountants), which mandates accurate and secure records, requiring auditors to prove that their documentation has not been altered since its creation.
"Many regulations also require organizations to produce electronic records quickly and offer proof that the integrity and content security of those electronic records have not been tampered with -- either maliciously or accidentally," Klaff told the E-Commerce Times.
An enterprise's data resources and assets reside in electronic files in a variety of formats: database data fields, spreadsheet rows and columns, text, pictures and images, audio, and video. Once the raw facts and figures that make up data are assembled into information and summarized for meaning and significance (e.g., corporate trade secrets, customer account numbers, confidential plans), both value and its terrible twin -- the potential for larcenous misappropriation -- are created simultaneously. Internet miscreants go after data because it represents wealth in its basic form. Bad guys commit data theft crimes in order to use the ill-gathered information to commit further crimes.
Cyber-crime is the bastard offspring of the marriage between information and technology because technology makes the information both abundantly available and abundantly vulnerable.
The misuse of IT also facilitates traditional crimes. In addition to identity theft, these include hacking, child pornography, gambling, securities fraud, advance fee fraud and other gullibility or social engineering frauds. Even the old stalwart "dumpster diving" to steal valuable information such as credit card and Social Security numbers has morphed via computers into "phishing" and "brand spoofing," wherein bogus but official-looking e-mails are used to draw recipients into providing user IDs, passwords and account numbers.
To describe and categorize its many crafty schemes, plots and intrigues, the field of cyber-crime has developed its own unique vernacular:
- "Thumbsucking" is the intentional (or even unintentional) use of a portable Universal Serial Bus mass storage device, such as a USB flash drive or thumbdrive to illicitly download confidential data from a network endpoint.
- "Podslurping," similar to thumbsucking, is the act of using a portable data storage device such as an iPod to illicitly download large quantities of confidential data by directly plugging it into a computer (which may even be on the inside of a firewall) where the data is held.
- "Bluesnarfing" is the stealing of information by hijacking a Bluetooth connection, often between phones, desktops, laptops, PDAs and even wireless headsets. This allows access to a calendar, contact list, e-mails, text messages and, on some phones, owners' pictures and private videos.
Master data resides in a master file, a common point of reference used by an enterprise to link all of its critical data. A master file is a collection of records containing descriptive data about the subjects of the organization, such as name and address, as well as summary information, such as amount due and year-to-date sales. Master files are updated with the data from transaction files, collections of transaction records.
This data is made vulnerable to criminal activity because critically important and confidential information is typically stored on different systems and shared by multiple users and groups across an organization. Vulnerability increases as the number and diversity of organizational departments, worker roles and computing applications expand. Large companies in particular often have IT systems that are used by diverse business functions (e.g., finance, sales, R&D, etc.) and span across multiple countries. These diverse systems usually need to share key data that is relevant to the parent company (e.g., products, customers, and suppliers). It is critical for the company to consistently use these shared data elements through various IT systems.
Breaches and Theft
A data breach (a.k.a. spill, leak, etc.) involves the release -- often unintentional -- of secure information to an insecure environment. Typical breach incidents include loss of media like computer tapes storing unencrypted information, Web postings of information lacking proper security precautions, and transfer of information such as unencrypted e-mail to unsecured systems.
Office workers are often responsible in huge numbers for a growing problem of theft involving desktop computers and handheld devices capable of storing digital information such as flash drives, iPods and even digital cameras. The damage caused by data theft can be considerable with today's ability to transmit very large files via e-mail, web pages, USB devices, DVD storage and other handheld devices. Removable media devices are getting smaller with increased hard drive capacity, and activities such as podslurping are becoming more and more common.
"In terms of technology, one of the most significant challenges organizations seem to face is preserving what's known as the 'chain of custody' of electronic records," said Surety's Klaff. "How can you prove that your records have not been altered since their creation in order to meet compliance requirements? Data management and integrity is something organizations need to think about proactively -- not after they haven't achieved compliance or they've encountered another related problem."
Full Data Security = Compliance
Data security seeks to prevent breaches and theft and to ensure that data is kept safe from corruption and cooptation and that access to it is suitably controlled.
"The largest challenge is changing the corporate mindset around data security," said Derek Tumulak, product management vice president at SafeNet.
"Ten years ago, it was acceptable in many enterprises for most of the IT staff to have access to customer and employee information, as long as it was kept internal," he told the E-Commerce Times. "Even contractors were typically given access to sensitive information. Today, this is no longer acceptable as it can mean a significant exposure for any company."
The biggest challenge faced by companies today is integrating the security process into the day-to-day business process, according to TraceSecurity CCO Rob Guba.
"Take a step back and, rather than addressing individual components, address the holistic approach to security and its effect on the business," he told the E-Commerce Times. "Companies today want to comply and most are doing so by individually addressing each regulation or compliance requirement. This is time-consuming, costly and a nightmare to manage -- and provides no measure to guide performance against."
As a specialty within the broader discipline of computer security, database security includes the system, processes and procedures that protect a database from unintended activity like inadvertent mistakes made by authorized individuals, but also authenticated misuse or even malicious attacks. Database security is more critical as networks have become more open.
"Companies who deploy database security have the ability to capture the data necessary to demonstrate compliance across the regulatory plane," Sam Paone, sales vice president at the database security firm Secerno, told the E-Commerce Times. "The complexity and cost arises when differing regulations require varying views of database activity."
Corporate America is fighting back against cyber-crime with its own brand of cyber-security in areas like cryptography for protecting mobile data; forensics and malware analysis; "fuzz" testing of software for weaknesses; secure coding practices; and application program vulnerability prevention. Companies are also working to physically limit access to computers to only those who will not compromise security.
However, systems are ideally designed for ease of use, and converting negative requirements into positive enforceable rules is a significant challenge.
"The reality is that even the best-equipped companies have data breach challenges caused by determined criminals, noncompliant employees and organizations and, of course, simple human error," said Wasim Ahmad, vice president of marketing for Voltage Security.
"Looking at the payment care industry regulations in particular, the solutions available to date for protecting customer information like credit card numbers all require massive infrastructure modifications, and none are comprehensive," Ahmad told the E-Commerce Times.