Learning from the VA Data Breach
Written by Jeffrey G. Causey   
Tuesday, 13 June 2006

About three months ago I was attending a national conference that happened to be right here in our own backyard at the Koury Convention Center in Greensboro, NC. At one point during the conference I wanted to get some cash from an ATM located in the hotel lobby. Upon attempting to use the ATM (the machine happened to be with the same bank as the bank card I was using), I discovered that my card was supposedly no longer valid. Not only could I not withdraw cash, I could not even check my balance. A couple days later, when I had a chance, I stopped by my bank and discovered my card was one of several thousand that had been compromised by a data security breach. You may have heard of it (Banks Issue New Debit Cards After Security Breach) as several NC (and non-NC) banks had to reissue cards. Luckily for me, it was not a major inconvenience and my bank had been aggressive in stopping any potential activity on my card before a loss occurred. The mystery continues to this day (Citibank's Cards Mysteriously Shut Down) as I still do not know which vendor that I've done business with had their data compromised.

For those in the public sector though, the ability to hide is not an option. Over the past couple weeks you may have witnessed the revelation (VA Data Breach Stirs Washington) that a major security breach occurred in the Veteran's Administration Department (the VA) of the Federal government. In case you are not familiar with the situation, a VA employee had taken a laptop home to do some work. That night, a burglary occurred at the employee's residence and the laptop was one of the items stolen. On the hard drive was a database containing identification information for well over 24 million veterans and even some current employees.

The fallout continues now as Congress has gotten involved in reviewing the situation (House panel delves into VA data breach). If you look at that page, you might want to note the long list of related articles in the sidebar. In addition to trying to manage the press coverage and responding to the inquiries, the Federal government has had to use up resources to try to keep citizens informed of what is going on.

As you can see, being the victim of a data breach is not fun or pretty. This goes for both the person whose data has been compromised and for the organization that “lost” the data. I am sure no one wants to be in the headlines for something like what has happened to the VA and no one wants the headaches that go along with it. Can you do anything to minimize your chances of being the next VA? Even the VA had received a long list of potential recommendations from the Office of Inspector General related to their data security processes. Although it would be nice to look into the details, the report is not available on-line (which is good in a way as they are not publishing details of security weaknesses). Nevertheless, we can surmise from some other references (VA OIG Semiannual Report to the Congress, April 2005 - September 2005), especially a report on management issues, what steps one should examine.

The number one thing to keep in mind though is this – data security is a management issue, not a technology issue!

Planning, Planning, Planning

Yes, it seems like a cliché, but as the saying goes - “fail to plan, plan to fail”. In the case of the VA, it was reported that the VA had failed to develop security and contingency plans regarding the data that it keeps. This is a difficult stage as part of the process will necessarily involve an assessment of your information technology assets. Such an assessment will have to cover both hard assets (computers, PDA's, etc.) and “soft” assets, including both applications and data files. In the case of these soft assets, you will need to determine who can use the different applications (maybe even down to different functions) as well as who has access to files.

For example, do you have spreadsheets used to calculate personnel cost projections? Do they contain names and SS numbers or birth dates? What about reporting time? Are these files stored locally on employees' hard drives or a server? Who has access? Do you run payroll software? Who has access to that? Is anyone exporting that data? Do you operate utilities (e.g. water or sewer)? Do you keep customer data? Do you have bank account information to do automatic drafts?

As you can see, with just a few questions we can quickly identify several potential areas where data may be exposed. Once these assets are identified, policies need to be developed to cover who has access and what kind of protection is in place for the data (e.g. is it required to be encrypted). Another issue that came to light in the VA is the need to keep these plans and policies up to date. You may have something in place covering floppies, but what about USB thumb drives that are so popular now? Likewise, you'll need to make sure your policies cover all necessary elements.

Access

Our last section dealt with security of computer applications and files. But what about access to the premises and computers? After all, if someone cannot even get to a PC, they will not be able to get to data they are not supposed to have access to. In examining premises security, you will need to look at both the entire facility and areas within the facility (e.g., individual offices).

Some of the steps will include examining whether the area can be secured against unauthorized people and how that is done. What kind of door is in place? Are security cameras installed? Is there an access system? From a policy standpoint, are visitors escorted? Are entries and exits logged? Keep in mind that you will likely need to assess the different types of users and their needs. For instance, those who regularly work in the secured area, those who need periodic access (e.g. support personnel), and then others.

Once access to a computer or IT asset is possible, do you have adequate policies and procedures in place that would let someone actually access the “soft” assets and data? Do you have a password policy? Have you looked at implementing some other identification method like biometrics or card access?

One particular issue that came up with the VA was after hours access. Is it allowed? By whom? How is it tracked?

Patch management and vulnerabilities

Patch management is becoming an increasingly important area of concern. For those unfamiliar with the term, patch management is concerned with making sure your operating system and applications are kept up to date and secure against known vulnerabilities. This may sound easy, but it is actually quite challenging. And it will increase in complexity as you introduce new operating systems and applications into your environment. Some of the components of a patch management program will include:

  • identify sources of information on security issues and patch information. These should be reviewed on a regular basis, preferably by a designated individual.
  • scheduling of patches. Increasingly, patches may introduce new challenges to an organization. Thus, deciding when to apply patches can be critical as you will want to minimize any potential downtime. In other words, applying a patch just before running payroll may not be the best idea. Keep in mind you will need a policy that distinguishes between different types of patches from critical to routine.
  • testing patches. This can range from simple to complex and will likely depend on the resources you have available. Larger organizations may have a test environment available to be able to try new patches out on. Others may have to apply the patch on a (hopefully) non-critical, live system to make sure it works first before rolling out to everyone else.
  • assessing the results. This activity will probably be ongoing as you monitor any potential problems introduced by patches.

The list above provides an outline of the very basic components of a patch management program. Once again, to get started though you will need to conduct an assessment to determine what systems you have, what versions of operating systems and applications, what patches have been applied, and any known vulnerabilities.

Monitoring

You may think this refers to the monitoring of e-mail or web sites being visited. While you may have such policies in place, this component of IT security refers to monitoring of the application of policies and procedures. For example, is anyone going back and checking that password policies are being followed? Are logs really being kept of access to secure areas? Is someone looking over those logs for anything unusual? Similar to internal control systems for accounting, having the proper policies and procedures in place is only half the battle – you then have to make sure they are being followed.

Annual security awareness training!

Recently, someone I know very well started a new job in the private sector with a large employer. They noted that during orientation, the subject of IT security was not even addressed. Nothing about use of IT assets, nothing about passwords, etc. This contrasted with some of my past experience in which IT staff at least sat down with new hires to cover some of these topics and to go over our Usage policies and obtain signatures.

But even with an initial orientation regarding security, annual training should be part of your program. Not only will it provide an update on changing security threats, it can provide a good refresher of the basics (e.g., deleting e-mails from unknown people, not opening attachments, etc.). Consensus opinion is that we humans are typically the weakest link in IT security because we are subject to social engineering efforts and we get lazy about little things like not leaving passwords on sticky notes. A regular training program can help combat this.

Other issues

In addition to the major areas already noted, the recommendations for the VA covered some other security issues that needed improvement. These included topics like:

  • Protection of wired and wireless networks – typically, many security efforts are focused on the perimeter of your IT systems: firewalls, virus scanners on incoming e-mail, etc. However, within your network additional security may be needed. For instance, if you have wireless access points set up, you will want to take steps to secure them and then monitor them to make sure nothing is being introduced via that route. Likewise, you will want to routinely scan your wired network looking for open ports and insecure services. This will be particularly important if you have staff who return from a trip with a laptop and want to reconnect to your local network. Make sure they haven't picked up something while out in the field.
  • Intrusion detection – Closely related to all of the above recommendations, you will want to look for signs that your systems have been compromised on a regular basis. Again, policies and procedures need to be in place to designate who is going to monitor systems, what they do when they find something, and what the response will be if a problem is found.
  • External connections – this can cover both inbound and outbound connections. For instance, if you are going to allow VPN access to your network, will there be any requirements for the connecting party? Likewise, in many cases your vendors may require access to your network to provide support for their applications. With regard to outbound connections, are you going to require all users to connect to the Internet through a central, pooled connection with appropriate safeguards in place? Or is everybody connecting on their own? How does that impact your internal network security?
  • Configuration management – this is an area of IT security concerned with making sure your systems are well defined and any changes are done with proper approval and justification. This can cover a wide variety of areas. For instance, if you are going to allow instant messaging (IM) for users, what client will be used? How will they connect? Another aspect of configuration management might involve the setup of a document management system – how will it be set up, what will the contents be, etc.

Conclusions

As you may have figured out by this point, information security is not an easy area to address. As our world has become more complex and we all take advantage of the new technologies available to us, it requires a stepped up effort to maintain security. In the past, we could rely on physical locks to protect assets against those who might be pursuing illicit activities. But even then, if someone forgot to lock something up or left the keys accessible, all of the policies and procedures were for naught.

Likewise, even with firewalls installed and anti-virus scanners running on our PC's, all it takes is some bad luck or carelessness and you could be reading about how your organization has lost valuable data that can harm your constituents.

If you would like more information or help with your information security policies and procedures, please feel free to . In the meantime, I hope this article has provided you with some useful information to get you pointed in the right direction!

Jeffrey G. Causey, CPA, CAPM
President

 