The scariest thing about Dodd-Frank

May 19, 2011

The following is taken from an article that appeared on the Wells Fargo intranet today (the excerpt in quotes is from the article; the rantings at the bottom of the page are from yours truly…).

“Dawning of a new agency

In addition to statutory provisions arising from the Dodd-Frank Act, a new federal agency has been established—the Consumer Financial Protection Bureau—which has been the topic of much commentary.

The new Consumer Financial Protection Bureau (CFPB) is responsible for regulating consumer financial products such as home mortgages and credit cards. The bureau summarizes its goals this way:

“Educate: An informed consumer is the first line of defense against abusive practices. The CFPB will work to promote financial education.

“Enforce: Like a neighborhood cop on the beat, the CFPB will supervise banks, credit unions, and financial companies, and it will enforce Federal consumer financial laws.

“Study: The consumer bureau will gather and analyze available information to better understand consumers, financial services providers, and consumer financial markets.”

The bureau assumes authority on July 21.”

This agency is being headed up by Elizabeth Warren (you can google her). She’s an academic (Economics) who has never held down a real job in her entire life. She hates the free market and believes strongly that Government’s main role is to intervene and control business – ESPECIALLY the BIG BAD BANKS!!! Even though the agency falls under the Treasury Department, she does not answer to the Treasurer (Geithner in this case); she has an unlimited budget (via the Treasury printing presses), which means that she does not even have to answer to Congress (because they do not fund the agency); she reports only to the President! Tell me where the checks and balances are!!?? This is REAL scary shit! Her word is law! No wonder bank stocks are sucking the fat lady’s ass… This whole governmental circle jerk is already costing Wells Fargo $1 billion (with a “B” kids) a quarter in lost revenue. Think of the knock-on effects… banks adopt austerity measures; less $$ available for new projects, layoffs, overall ‘belt tightening’; this means less money going to vendors (layoffs at secondary or tertiary levels), more people out of work (like I said, scary shit) and if you don’t think this is true, you don’t have to look very far for signs… Wells Fargo profits were up 24% year over year but our stock shit the bed (down over $1 per share). Why, you ask? Because revenues were down and expenses were up… directly tied to our buddies Messrs Dodd and Frank (who in my opinion should both be in a small dark cell on Rikers Island with a big hairy dude called Bubba, but I digress). Anyway, that’s my rant for the day. Y’all have a beautiful weekend!!!

New Class Starting in July

May 2, 2011

I will be teaching a new class at Northeastern for the summer session. It is an online course (which fits my summer schedule perfectly) and although I prefer a Hybrid or Cohort-taught class, online courses have their own challenges. The course is entitled ITC 1256 Information Security Management; I have attached a copy of the syllabus for anyone who might be interested, and registration is still open: ITC 1256 Information Security Management. Either way, with the advent of teaching a course, my postings will become more prolific, since I use this site as a teaching tool.

Regards,
Sebastian DiFelice CRISC

How To Prepare for and Survive an IT Audit

January 28, 2011

The typical audit is intended to determine whether or not the area under review is following prudent business and administrative practices consistent with the mission of the organization, the official policies and bylaws of that organization, and the laws or requirements of external authorities, as may be applicable.

One of the most important factors to remember while preparing for an IT audit is to keep your documentation (Policies, Procedures and Standards) clear, precise and up to date. This means you must implement a review process for all documentation on at least an annual basis.
One document that will always be asked for is an inventory of all computing assets, including but not limited to servers, software licenses and workstations. A clear, precise inventory at the onset of the review contributes to the timely and efficient completion of audit steps and testing. The computer inventory should include resource name, IP address, operating system, purpose of the resource, physical location of the asset, and whether the resource is deemed critical. The software license inventory should include application name, license number, and the resource on which the application is installed.

Another aspect of preparing for the audit is to know who you are dealing with… Here is a “Pre Audit” list that I use once an audit has been announced.

  1. Who are the members of the audit team, and what are their roles and assignments?
  2. What are the credentials and experience of the assigned audit team?
  3. What orientation or training can you provide them so that they are comfortable within the environment?
  4. Communicate with your managers and staff in the areas to be audited.
  5. If an area was audited before, review the prior report to see the issues raised and the recommendations made. Get an update on corrections or changes made as a result of prior audit work, and give your staff and the audit department credit.

This is a good start and enough to digest for one sitting. I will share more of my experience and knowledge in my next blog on this subject. Stay tuned.

201 CMR 17.00 – So, it’s here, what do I do now?

February 2, 2010

In less than 30 days the most broadly sweeping data security and privacy legislation will become law in Massachusetts. If yours is like most small/medium (and even some large) non-financial companies, the chances that any constructive time was spent discussing and preparing for this moment are slim to none.

Come March 1st, 2010 it will be illegal to operate ANY company, regardless of size, without some sort of Written Information Security Plan (better known as a WISP – ah yes, the government does love its acronyms!). Now, does this mean that the black helicopters are going to swoop down on your hardware store or landscape business or diner or barber shop on March 2nd if you do not have a WISP in place? Hardly; but that does not mean that this piece of legislation can simply be ignored either. You need to sit down and plan this out and then implement what you have put down on paper. What follows are the major points that MUST be covered by any WISP. Please, do yourself a favor and get this done; you don’t want to be the test case that this legislation cuts its teeth on…do you?

First, let’s all be clear here – this legislation pertains to EVERYONE, as demonstrated by the language of Section 17.01, Purpose and Scope, paragraph 2, entitled Scope. It reads as follows:

  • “The provisions of this regulation apply to all persons that own, license, store or maintain personal information about a resident of the Commonwealth.”


Now that we have that straight, let’s get into the “weeds”.

The objective of a Written Information Security Plan (WISP) should be to establish and create effective administrative, technical and physical safeguards for the protection of the personal information of Massachusetts residents, and to comply with obligations under 201 CMR 17.00. The WISP should set forth your procedure for evaluating your electronic and physical methods of record keeping and the security around those records.

YES, YOU HEARD CORRECTLY – this law is not JUST for electronic data; it pertains just as stringently to “physical” data as well, and this includes paper records too!

  • Your WISP should ensure the security and confidentiality of personal information
  • Your WISP should protect against any anticipated threats or hazards to the security of that information
  • Your WISP should protect against unauthorized access to or use of such information that could lead to identity theft


How do you do this? Here are some major points to consider:

Appoint a designated “Security Team”. A minimum of two people should be selected and given the title of Data Security Coordinator. Their job will be:

  • to implement the WISP
  • to train employees
  • to regularly test the safeguards that have been put in place
  • to evaluate, on an ongoing basis, any third-party service provider and obtain assurances that they are compliant with this law
  • to review the scope of the security measures in the WISP at least annually
  • to conduct an annual training session, on the elements of the WISP, for all owners, managers, employees and independent contractors, including temporary and contract employees who have access to personal information. All attendees at such training sessions are required to certify their attendance at the training and their familiarity with the firm’s requirements for ensuring the protection of personal information.


Here are some things to keep in mind while creating your WISP (in no particular order):

  • Copier security
  • Data encryption (both at rest and in transit)* – the law has VERY specific guidelines for this
  • Password hardening and expiration
  • Security of physical data and its location (including access to said data)
  • Limit the amount of data collected on any given person to the absolute minimum
  • Identify risks to the security, confidentiality and integrity of the information that you hold


Please bear in mind that this is not by any means a complete list. Look on it as a good solid starting point for your WISP. Also remember that if it’s in the WISP the burden of proof to show that all your security policies were carried out to their fullest will be on you should you ever be brought to defend yourself against a personal data loss/breach case. So while being thorough, please remember to keep it simple too. Don’t put things in there just because they sound good. If you can’t do it, don’t put it in your WISP!

One last point to drive this all home: the penalty if you are ever involved in a data breach is $5,000.00 per incident (interpreted as per record/person). That’s not chicken feed!

Good luck and feel free to contact RGW Associates LLC. We are able to assist you with all your GRC needs.

What is Mass 201 CMR 17?

January 27, 2010

In an effort to protect Massachusetts residents from the rising incidence of fraud and identity theft resulting from data loss, the State of Massachusetts has implemented aggressive regulatory requirements to protect personal information. The state now requires mandatory compliance with 201 CMR 17.00 – Standards for the Protection of Personal Information of Residents of the Commonwealth (also known as just 201 CMR 17, or the Massachusetts Privacy Law). Building on California’s landmark security regulation SB-1386, the Massachusetts Privacy Law establishes a minimum standard to be met for the protection of Massachusetts residents’ personal information (PI) contained in both paper and electronic records. For the purpose of being compliant with the new Massachusetts data privacy law, PI is defined as a resident’s first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to the resident:

  • Social Security number, and/or
  • driver’s license number or Massachusetts identification card number, and/or
  • financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to a resident’s financial account, and/or
  • a biometric indicator

The Massachusetts 201 CMR 17 has set a new level in state security laws by regulating both private and some public sector entities that handle Massachusetts residents’ sensitive data, regardless of where that entity is located. The law is intended to bring entities into alignment with both federal and industry security laws, including the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA), enforced by the Federal Trade Commission (FTC), and the Payment Card Industry Data Security Standard (PCI-DSS), overseen by the PCI Security Standards Council. Its process and technical controls are aimed at preventing criminal activity from causing data breaches of either paper or electronic records containing PI. The requirement to secure electronic records includes PI on databases, laptops, applications, portable devices, and just about any other system in which electronic PI data can be either in transit or at rest.
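As an added example (not from the original post or from RGW Associates), the definition above turned into a small data-discovery check of the kind the “where is our data” inventory described later on this page has to apply: a record counts as PI only when a qualifying name form (first and last name, or first initial and last name) is combined with at least one of the listed data elements. The field names, the loose SSN shape test and the sample records are assumptions, constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Data elements that, paired with a name, make a record "personal information"
# under 201 CMR 17.00 as summarised in the post: SSN, driver's license or
# state ID number, financial account / credit or debit card number (with or
# without its security code), or a biometric indicator.
# The field names are assumptions for this example.
PI_ELEMENTS = ("ssn", "drivers_license", "state_id",
               "financial_account", "card_number", "biometric")

# Loose SSN shape (9 digits, optional dashes) used only to discard obvious
# junk such as "N/A" in the inventory; it is not a validity check.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


@dataclass
class Finding:
    record_id: str
    is_pi: bool
    name_form: str                      # "full", "initial" or "none"
    elements: List[str] = field(default_factory=list)


def classify_name(first: str, last: str) -> str:
    """Name test from the definition: first+last name, or first initial+last name.

    Returns "full", "initial" or "none". A last name alone does not qualify.
    """
    first = (first or "").strip()
    last = (last or "").strip()
    core = first.rstrip(".")            # accept "J." as well as "J"
    if not last or not core or not core[0].isalpha():
        return "none"
    return "initial" if len(core) == 1 else "full"


def present_elements(record: Dict[str, str]) -> List[str]:
    """Return the PI data elements that are actually populated in the record."""
    found = []
    for key in PI_ELEMENTS:
        value = str(record.get(key) or "").strip()
        if not value:
            continue
        if key == "ssn" and not SSN_RE.match(value):
            continue
        found.append(key)
    return found


def classify_record(record: Dict[str, str]) -> Finding:
    """A record is PI only when BOTH a qualifying name and >= 1 data element exist."""
    name_form = classify_name(record.get("first", ""), record.get("last", ""))
    elements = present_elements(record)
    is_pi = name_form != "none" and len(elements) > 0
    return Finding(str(record.get("id", "?")), is_pi, name_form, elements)


def scan(records) -> List[Finding]:
    return [classify_record(r) for r in records]


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Counts for the collect/catalog step: how many records are PI and which
    data elements drive that classification."""
    by_element: Dict[str, int] = {}
    pi_count = 0
    for f in findings:
        if not f.is_pi:
            continue
        pi_count += 1
        for e in f.elements:
            by_element[e] = by_element.get(e, 0) + 1
    return {"records": len(findings), "pi_records": pi_count, "by_element": by_element}


# Constructed sample records (not real people or numbers).
SAMPLE_RECORDS = [
    {"id": "r1", "first": "Jane", "last": "Doe", "ssn": "123-45-6789"},
    {"id": "r2", "first": "J.", "last": "Doe", "card_number": "0000111122223333"},
    {"id": "r3", "first": "Jane", "last": "Doe"},                        # name only
    {"id": "r4", "first": "", "last": "", "ssn": "123-45-6789"},         # SSN, no name
    {"id": "r5", "first": "Jane", "last": "Doe", "ssn": "N/A"},          # junk SSN value
    {"id": "r6", "first": "Jane", "last": "Doe",
     "drivers_license": "S12345678", "biometric": "fingerprint-template"},
    {"id": "r7", "first": "", "last": "Doe", "financial_account": "987654321"},  # last name only
]

if __name__ == "__main__":
    results = scan(SAMPLE_RECORDS)
    for f in results:
        print(f)
    print(summarize(results))
```

Records r4 and r7 show the edge the definition creates: an SSN or account number without a qualifying name is not PI under this rule, even though it is obviously sensitive and still worth protecting.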

Who needs Mass 201 CMR 17?

All persons, corporations, associations, partnerships or other legal entities with systems containing Massachusetts residents’ personal information in transit or at rest are responsible for complying with the 201 CMR 17 regulations by March 1, 2010. The regulations also require businesses to complete internal and external security risk assessments prior to the effective date. The regulation applies regardless of whether the entities or the data are inside or outside state borders, and applies equally to private and public sector organizations.

Penalties for non-compliance

The penalties for non-compliance with 201 CMR 17 are enforced through Massachusetts General Law Title XV: Regulation of Trade, chapter 93A, section 4. Violators may be faced with a civil penalty of $5,000 for each violation (the definition of a violation has not yet been made clear), are required to pay the reasonable costs of investigation and litigation of such violation (including reasonable attorney’s fees), and are subject to additional civil action since 201 CMR 17 creates a baseline standard that allows plaintiffs in civil suits to argue that a business that lost data was negligent. Title XV also requires any data breach be reported to both the Office of Consumer Affairs and Business Regulation (OCABR) and the Attorney General.

What you need to be Mass 201 CMR 17 compliant

The new Massachusetts Privacy Law requires the following criteria be met:

  • an internal and external risk assessment of the human, physical and technical environment, based on the criteria outlined in 201 CMR 17
  • the computer security provisions in the regulation take a risk-based approach and apply to the extent that it is technically feasible, meaning that reasonable means must be used to accomplish a required result if reasonable technology is available
  • the results of the internal and external risk assessments must be documented in a Written Comprehensive Information Security Program (WISP)
  • the scope of the WISP must be reviewed at least on an annual basis, or whenever there is a change in business practices that may impact security controls

The OCABR published the 201 CMR 17 Compliance Checklist as an aid to be used by either organizations themselves or their auditors when conducting their risk assessment. However, additional guidance on how and where to submit risk assessment results is expected from the state prior to the March 2010 deadline.

What Can You, as a Small Business Owner, Do?

As a Business Owner, you can do one of two things:

  1. Delegate a portion of your staff to conduct a risk analysis and review and to draft a WISP. Before you go down this path you need to ask yourself whether you can afford the time commitment of 2 or 3 employees following a process they may not have any experience with, and whether the results will be accurate and hold up in court should it come to that.
  2. You could hire an experienced IT Governance and Risk Assessment firm such as RGW Associates to prepare you for compliance with this new law.

PLEASE BE CLEAR – Ignoring this mandate is NOT AN OPTION!!!

Please feel free to contact me with any questions you might have regarding Mass 201 CMR 17 or any of your IT Governance or Risk Assessment needs; or visit us at our web site www.rgwllc.com.

Sebastian DiFelice
Managing Director
RGW Associates LLC
sdifelice@rgwllc.com
(888) 452-8445 x801
direct (617) 237-0543
fax (610) 523-4443
www.rgwllc.com

The Dangers of Cloud Computing

December 15, 2009

Cloud computing has gained momentum in recent months, given the potential cost savings that can be realized and as a way to improve IT flexibility. In addition to all the positives that computing in the cloud can add to an enterprise, one cannot dismiss the potential security risks, including perils related to compliance, availability, business continuity and data integrity.

It never ceases to amaze me how many companies do not fully consider these risks upfront. Take business continuity and the proper failover technology that needs to be in place to meet those requirements: the same companies that overlook DR in the cloud would never think of not having failover for established services.

Along with the tremendous potential benefits of using “The Cloud” to offload non-core business competencies, there are several risks related to using “The Cloud”. Not the least among them are loss of control, security, integrity, privacy and availability.

Most companies today are used to 24/7 support of their critical applications (e-mail, for example). In the cloud, availability, control and support are all moved to a third party (often without personal on-call support). Even with premium support levels, the maximum response time could be upwards of one hour.

User administration of cloud applications most likely occurs via a web-based tool. Older versions of the most popular web browsers (IE, Firefox, Safari) continue to have security issues, and these could translate into serious security breaches.

Another administration issue is that all communication between the service provider and the user occurs over unsecured lines; unless the user sets up a secure or encrypted connection, the communications happen over the Internet in clear text.

Your organization’s definition of “trusted boundaries” must now stretch and extend to “The Cloud” and to the service provider you wish to entrust with your data.

Good practices for confidentiality, integrity and availability when using “The Cloud” are slowly emerging. Some of these are:

• Store only non-private data in the cloud
• Use data-at-rest encryption when using a Database as a Service (DaaS)
• Avoid database level integration between DaaS and your on premises databases
• Retain mission critical, highly customized and transaction heavy applications in house
• Secure network connections for cloud administration
• Use multiple cloud service providers or one with multi-location presence
• Audit, audit, audit

Cloud Computing is here to stay, and for those enterprises that choose that path the waters are still largely uncharted. My strongest recommendation to those trail-blazing pioneers of this latest frontier is simply this: do your homework prior to committing to a cloud service provider, interview them, ask them the hard questions:
• What is their bandwidth?
• Do they have DR/BC plans in place in case of an emergency?
• What are their security protocols?
• Are they willing and able to provide you with your own independent server or VMs, as opposed to a shared server environment?

These are just some of the questions. There is also the whole compliance issue that we will go into at another time.

Use “The Cloud” wisely but don’t take it for granted!

Sitting on the Cloud…

December 7, 2009

“Cloud Computing” is the latest buzz term to hit technology (and some believe it is the next big breakthrough in the way we manage Information Technology). If you haven’t heard the term, let me provide a brief definition (according to Wikipedia):

Cloud computing is Internet- (“cloud-”) based development and use of computer technology (“computing”). In concept, it is a paradigm shift whereby details are abstracted from the users who no longer need knowledge of, expertise in, or control over the technology infrastructure “in the cloud” that supports them. It typically involves the provision of dynamically scalable and often virtualized resources as a service over the Internet.

Sounds great at first glance, until one stops to think about the security issues associated with even just the most basic internet use. Today I will lay out the pitfalls (in terms of Risk and Governance) of using the “Cloud”.

Recently a Washington DC newspaper wanted to analyze over 17,000 pages of data stored as image files. They turned to a cloud service provider and launched several hundred virtual instances to process the images to the paper’s specifications. The total amount of time taken for this process was less than 10 hours and the cost somewhere around $150.00! Stories like this make cloud computing sound truly amazing and for the most part, it can be. Imagine only paying for what you use; not needing to maintain (in some cases multiple) data centers, the savings on licensing costs, administration, the list of benefits is seemingly endless!

Even with the attraction of lower costs and greater flexibility, there are still major security concerns surrounding cloud computing and the data that flows through the cloud. A study sponsored by PGP Corporation showed that amongst IT security and IT operations executives, cloud computing came out on top with 61% of respondents ranking it as a major security concern among the emerging technology trends.

Fact:
• Any data stored on a user’s computer (e.g., records, e-mail, PowerPoint slides) may alternatively be stored in the cloud, where it is no longer in the user’s custody. Securing the privacy of personal information in data stored in this new environment is a corporate-wide problem impacting many companies and their attorneys.

One of the first instances of a publicized cloud data breach occurred in March of 2009, when Google announced a breach in connection with its Documents and Spreadsheet products. Google sent letters to their users telling them that certain documents may have been shared without their knowledge with persons with whom they had previously shared documents, but whom the users had not authorized to receive the identified documents. This data breach was different from almost all previous publicized breaches in that the data this time was maintained, not on the computer of the data owner but on a Google server, i.e., in the cloud.

So the question begs to be asked: when data gets breached in the cloud, who owns the mess? It depends entirely on whom you ask. If you read your IaaS or SaaS provider’s terms and conditions, they make it crystal clear that they hold no responsibility with regard to the security of the data they store and manage. If you are an enterprise using the cloud, you want to mitigate your potential losses in case of a data breach by inserting such language into the contract with your IaaS provider. In the end, it is usually the enterprise who will be sued for monetary losses due to breached data. This leaves the lion’s share of Governance and Risk on the enterprise using the service.

Please take this poll. It will help us know what you are interested in.

November 30, 2009

What IT Governance or Risk Management topics would you like to see covered here?

201 CMR 17.00 definitions

November 30, 2009


What is the Definition of Personal Information?

According to the new law, Personal Information is a Massachusetts resident’s first and last name or first initial and last name in combination with any one or more of the following:


  • Social security number
  • Driver’s license number or state-issued identification card number
  • Financial accounts number, or credit or debit card number


How Does This New Law Apply To Me?

Depending upon your firm’s existing security policies and procedures, 201 CMR 17 may affect the way that your company stores employee and client information as well as the way you exchange information with vendors and clients. There are no minimum business size requirements to be required to comply with these new laws.


Where do we start?


Phase 1 – Collect, Catalog, Evaluate, Designate


Collect

  • What Personal Information do we have?
  • Who has it?
  • Where and how is it obtained?


Catalog

  • Where and how is it stored?
  • Who has access?


Evaluate

  • Do we need it?
  • How long do we need to keep it?
  • How will it be destroyed?


Designate

  • Who is responsible for its safety?
  • Who is responsible for the destruction?


Phase II – Review & Document

Phase III – Develop a Written Plan

Phase IV – Implementation

Phase V – Testing, Review, Revision


Please call us with any questions you have regarding your company’s compliance with M.G.L. c. 93H / 201 CMR 17.00.

Will Your Small Business be in Compliance With Massachusetts Law 201 CMR 17?

November 30, 2009

It’s time for a complete review of MGL c. 93H 201 CMR 17.00. Please get paper and pencil ready; there will be a test and the penalty for failing could be as much as $50,000!!

  1. On September 19, 2008, the Commonwealth of Massachusetts passed regulation 201 CMR 17 in support of M.G.L. c. 93H, which had been enacted a year earlier to establish a framework for the safeguard of personal information of residents of the Commonwealth of Massachusetts.
  2. The Massachusetts Office of Consumer Affairs and Business Regulations 201 CMR 17 applies to businesses in all industries, in every state, not just companies based in Massachusetts, if they handle the personal information of Massachusetts residents.
  3. This regulation was created to ensure the security and confidentiality of customer information in a manner fully consistent with industry standards.
  4. This regulation was created to protect against anticipated threats or hazards to the security or integrity of such information.
  5. This regulation was created to protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

Now that we know why this law was enacted, let’s see what you, as a business owner, can do to comply.

As those of you who regularly visit my site know, I have written about 201 CMR 17.00 on several occasions and have tried to approach it from various angles. That having been said, there are questions that the passing of this law brings into sharp focus:

  1. Do you know where your data is (and do you need it)?
  2. What is the right approach to insure compliance?

It seems that the most rudimentary step in bringing any business into line with its regulatory requirements is finding where the data is located and evaluating the need for and importance of that data once it is identified. All too often companies try to avoid this step, claiming that it would be too difficult and costly to perform such a task. Inevitably they end up doing some data location to segregate information, because the broader task of evaluating the data’s value to the organization and creating a data destruction protocol is often too expensive. One thing is for sure: for companies large and small who are affected by 201 CMR 17.00, it is crucial to discover where your information is and then rationalize and segregate. RGW Associates has tools at its disposal that can assist you in performing this sometimes daunting task.

Once you’ve located the information, a data flow chart should be created to ensure you understand how confidential data enters your organization, where it is routed, and where it is eventually stored. So, we now know where the data is, its importance and how it circulates within your business; congratulations, you are in the home stretch!

The next step is to understand how you are going to secure the information that you have just located. Every company should invest time to create a written information security policy (WISP) that includes the storage, access and transportation of records containing personal information and what is to be done in the event that information is breached.  Unfortunately, especially for smaller companies with limited resources, this has not always been the case, until now.

While bringing in external consultants is an obvious action at this point, small businesses with limited resources should also evaluate sample policies on the web, as well as tool kits that can be bought, which serve as building blocks towards creating a policy that is in line with your business objectives and, more importantly, in keeping with the requirements of 201 CMR 17.00.

I always like to start by creating the policy first and then map out standards and procedures that meet the technical requirements needed to protect the types and the locations of the personal data your company needs to store.

Fortunately for us, The Commonwealth has outlined the technology requirements necessary to be in compliance with this law. The actual section can be found at 17.04: Computer System Security Requirements of the regulation. A high level overview can be summarized as follows:

  1. Secure user authentication protocols.
  2. Secure access control.
  3. Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted via wireless means.
  4. Reasonable monitoring of systems for unauthorized use of or access to personal information.
  5. Encryption of all personal information stored on laptops or other portable devices.
  6. Up-to-date firewall protection and operating system security patches.
  7. Reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions.
  8. Education and training of employees on the proper use of the computer security system and the importance of personal information security.

In addition, it is good business sense to really analyze any foreseeable risks to personal information and come up with a plan to eliminate or reduce those risks. The controls selected should be in line with the amount of data and the risk involved. Small organizations that store only personal records of their employees should simply ensure that information is kept under lock and key and handled in a manner that ensures it cannot be lost or stolen. Organizations that are handling large amounts of personal data, including sensitive customer information, need to put in place more stringent controls, such as real-time monitoring.

What makes this regulation so different from any other is its risk-based approach to compliance. Unlike so many other State or Federal laws that regulate the flow and use of Personal Data, such as Sarbanes-Oxley or PCI DSS, this is the first that takes into account the initial risk of a data breach based on company size and the amount of data being kept. I believe this is due to several factors.

  • The risk-based approach in the Massachusetts law is based on the concerns surrounding costs to small businesses for securing information. This may or may not be a good thing; we’ll see.
  • The lack of legal precedent. No law to date has mandated the technology that must be used.
  • The lack of knowledge on what controls are appropriate for varying risk levels.

The above points make this law, and how to comply with it, very confusing to business, even if it is perhaps the best way to approach a risk mitigation plan. I feel that the Office of Consumer Affairs needs to establish better guidelines, especially for small businesses, before they start enforcing this new regulation.

Sebastian DiFelice is a managing director of RGW Associates LLC, an independent consultancy specializing in IT Governance, Risk and Data Security. Please visit them at RGW Associates LLC.

