May 14, 2008

Webinar Highlights IT Challenges in Recent eDiscovery Cases

Regulatory compliance laws like Sarbanes-Oxley, HIPAA, FISMA and PCI have made big headlines in the IT world over the last several years, but they are not the only legal or regulatory challenges IT management needs to be concerned about. More and more, organizations are called upon in court litigation to validate aspects of their IT infrastructure.

Recently, Ecora Software had the pleasure of hosting a webinar featuring William Morriss, an Associate with Frost Brown Todd LLC, on this subject, in a presentation entitled "eDiscovery: Can You Secure the Infrastructure Around the Data You Must Save?"

I'm pleased to make a recording of the presentation available so you can view it at a time convenient to your schedule. Feel free to share this email with others in your organization who might benefit from hearing this information as well.

Click here to go directly to the page with the link to the presentation and a printable version of the Powerpoint.

In this webinar, Mr. Morriss explains why there's more to consider with electronic discovery than just putting a litigation hold on document destruction.

He'll cover:

  • Identifying where data is stored in your systems
  • Controlling data by understanding how the hardware it rests in is configured
  • Ensuring data protection goes beyond storage
  • Using a configuration auditing and compliance reporting solution to protect access to stored data

Once you've had an opportunity to watch the presentation, feel free to come back and share your views on electronic discovery and the challenge it is presenting for IT departments.

May 13, 2008

Webinar on Improving IT GRC with Forrester's Marc Othersen

Improving Enterprise Governance, Risk and Compliance Initiatives

Technology plays a vital role in governance, risk, and compliance (GRC) initiatives. An effective enterprise GRC strategy will employ technology to drive sustainability, consistency, efficiency, and transparency into GRC oversight. The practice of GRC has evolved from siloed applications, documents, and spreadsheets to more of an enterprise content management approach. Consequently, strong workflow, communication, and analysis capabilities have become essential components of the enterprise program.

In this webinar, Marc Othersen, Senior Analyst of Security & Risk Management for Forrester Research, will discuss IT's traditional role in providing the technology capabilities the business needs for enterprise GRC activities, and also its obligation to manage its own GRC activities and initiatives by developing processes and establishing governance structures of its own.

Event Details:
Topic: Improving Enterprise Governance, Risk and Compliance Initiatives

Date: Wednesday, May 21st, 10:00 AM EDT
Duration: 60 minutes
Speakers: Marc Othersen, Senior Analyst of Security & Risk Management for Forrester Research, Mike Godin, Ecora Senior System Engineer
Register:
http://www.ecora.com/ecora/webinars/webinar.asp/2008-05-21/

In this webinar, you'll learn:

  • What is IT-GRC and how does it differ from Enterprise GRC?
  • Why is Compliance the Basis for IT-GRC initiatives?
  • What are some common issues with current compliance programs?
  • Why is automation critical to the success of IT-GRC efforts?
  • What are the technologies that will bring the greatest value to IT-GRC or Enterprise GRC adoption?

Register Now
http://www.ecora.com/ecora/webinars/webinar.asp/2008-05-21/

May 07, 2008

Ecora Further Enhances Auditor Professional with Expanded Enterprise Features

Ecora Software, the market-proven leader for configuration auditing and compliance reporting solutions, announced the availability of Service Pack 1 for its Ecora Auditor Professional™ version 4.5 software. Auditor Professional is used by more than 800 customers worldwide to reduce the high cost of compliance mandates, lower the cost of downtime, increase overall security, and improve the operational efficiency of IT professionals. Auditor Professional 4.5 discovers, collects, analyzes and reports on configuration data from your infrastructure and delivers immediate value by leveraging pre-defined policies and rich report templates to provide the foundation for effective configuration and change management. Created to ensure that companies are prepared for any IT challenge related to system configuration, version 4.5 takes the cost and complexity out of compliance audits while providing IT professionals with a comprehensive and flexible solution to help deliver higher levels of security, reliability, and availability.

Auditor Professional 4.5 SP1 contains new capabilities and critical updates in several key areas including:

Virtualization

Ecora Auditor Pro 4.5 SP1 now offers discovery and reporting capabilities for VMware's ESX Server version 3.5. This version of VMware's virtualization infrastructure products provides advanced functionality, including the well-received VMware Storage VMotion and VMware Update Manager, and provides a software upgrade path to the company's ESXi implementation, which is pre-installed on select server hardware from Dell, Fujitsu Siemens, HP, IBM, and NEC.

Enterprise Support

Ecora has extended its capabilities for help desk and asset database integration by adding support for BMC Remedy 7 and software-as-a-service (SaaS) solutions, such as Service-now.com, to supplement previously released support for BMC Remedy 6 and HP Service Desk 4.5. Integration between Auditor Professional and these enterprise IT service management systems ensures staff are informed of changes that may not have been planned, and validates that configuration and asset databases are accurate and up to date with current configuration information collected directly from all systems.

"The feedback from customers and the analyst community on Auditor Professional 4.5 has been tremendous," said John Walsh, Senior Vice President of Engineering, Ecora. "Service Pack 1 further extends the enterprise capabilities we shipped with Auditor Pro 4.5 in January and offers new options for organizations looking to leverage virtualization to reduce costs and develop a 'green' IT environment, as well as those looking to validate the effectiveness of their change management process. The addition of support for SaaS solutions such as Service-now.com means that organizations of almost any size can take advantage of IT service management systems that are integrated with deep configuration data and reporting."

Availability

Ecora's Auditor Professional 4.5 SP1 is available immediately. For more information and current pricing, contact Ecora by phone at 877-92ecora (923-2672) or by emailing sales@ecora.com. A trial evaluation of Auditor Professional can be requested on www.ecora.com.

About Auditor Pro

Ecora's Auditor Pro delivers immediate value by leveraging pre-defined policies and rich report templates to provide the foundation for effective change and configuration management. Auditor Pro has distinguished itself in the marketplace by delivering exceptional value in each of the five core competencies required for an effective configuration audit and analytics solution: Discovery, Collection, Analysis, Reporting, and Closed-Loop Change Validation.

About Ecora Software

Ecora Software is the market-proven leader for Configuration Auditing and Compliance Reporting solutions that allow a proactive view of the IT infrastructure and deliver actionable evidence ensuring critical business services remain operationally effective, secure, and compliant with internal standards and external regulations. Auditor Professional™ offers immediate value with its agentless architecture, matched with rich report templates and pre-defined policies, providing the foundation for effective change and configuration management. Please visit us at www.ecora.com.

BMC, BMC Software and BMC Remedy are registered trademarks of BMC Software, Inc.; HP Service Desk is a registered trademark of Hewlett-Packard Development Company, L.P.; and Service-now.com is a registered trademark of Service-now.com.

April 07, 2008

How does Deming Relate to Information Security?

I came across this post on RiskAnalys.is and wanted to share it to see what thoughts you might have.

DEMING’S SEVEN DEADLY DISEASES

1.  Lack of constancy of purpose to plan product and service that will have a market and keep the company in business and provide jobs.

There’s a reason this is probably Deming’s #1.  Speaking from the angle of priority, it is the most important, no - “house divided can stand” and whatnot, right?

I think that there is a more disturbing way we can meditate on this: I would offer that we need constancy of purpose as an industry.   Ours is a big, hairy, complex problem…But basically, we’re building programs at the whim of vendor sales pitches, regulators and standards bodies far removed from the political and real world challenges we face...

2.  Emphasis on short-term profits: short term thinking, fed by fear of unfriendly takeover, and by push from bankers and owners, for dividends.

How about “Emphasis on short-term compliance commitments, fed by fear of unfriendly audit?”   Or maybe we have so many issues with multiple changing landscapes (technology, threat innovation, governance and compliance) that we simply can’t think beyond short-term? 

3.  Personal review system, or evaluation of performance, merit rating, annual review, or annual appraisal, by whatever name, for people in management, the effects of which are devastating. Management by fear would be better than management by objective without a method for accomplishment.

I’m not sure I need to elaborate here, but I’ll ask - do we really have a method for accomplishment?  Can we have management by objective beyond compliance?  Let me offer that without a mature understanding of risk management, we can not.

4.  Mobility of management: job hopping.

Does anyone stay at a job for more than a few years?   Do we value the catalog of organizational experience our employees gather?

5.  Use of visible figures only for management, with little or no consideration of figures that are unknown or unknowable.

Accounting for uncertainty is more intellectually honest than ignoring the unknown because you're personally not comfortable with the precision of the numbers you have.

6.  Excessive medical costs.

The most difficult for me to think about in context of Security Services when authoring this blog post.  But in the case of Deming, I believe he was talking about industrial accidents that not only delayed production but caused extra expense.  My thoughts on the subject might be:

  • Excessive technology costs (buying yet another box). Deming was the first person to offer that technology is not going to be anyone's saviour.
  • Excessive security measures that frustrate business processes. We certainly have the double cost - productivity is hurt, and then on top of that the security measures are operational expenses.

7.  Excessive costs of warranty, fueled by lawyers that work contingency fees.

Excessive losses in an incident due to excessive fines/judgments from regulatory compliance?  Sounds good to me.

One thought I would add here concerns the event-based approach to compliance taken by most organizations. The audit process is repeated over and over, with no gain for the business beyond the completion of the audit itself and, perhaps, a finding of no material weaknesses of any consequence. The same applies to number 6: organizations invest in manual compliance efforts without investing in technology that could not only help sustain compliance, but could also reduce system downtime by improving mean time to resolution, and improve security around privileged data and corporate intellectual property through better identity and access management.

What are your thoughts? Where can you find comparisons between Deming's Seven Deadly Diseases and Information Security? I'd love to hear them.

Contributed by Mark Tordoff

April 02, 2008

OMB Says Government Security Incidents Rose in 2007

According to FCW.com, "Agencies reported twice as many information technology security incidents in fiscal 2007 compared with the year before. The number of incidents in six categories reached 12,986, compared with 5,146 in 2006, the Office of Management and Budget said. One of those categories, unauthorized access, jumped to 2,321 in 2007 from 706 the year before, OMB said in its report to Congress that was released today. The increase in unauthorized access is due mainly to reporting required now for all instances where personally identifiable information may have been revealed, the report states.

Although OMB is concerned by the increase in incident reporting, it’s not altogether a bad thing, said Karen Evans, OMB’s administrator for e-government and information technology.

'It’s a good thing because agencies are sharing the information with [the U.S. Computer Emergency Readiness Team] the way they’re supposed to so we can take action in a comprehensive way,' she said in a briefing call with reporters. She expects that use of secure identification cards required under Homeland Security Presidential Directive 12 will help reduce security incidents because the cards provide two-factor authentication."

GovernmentExecutive.com, in an article on the same OMB report, quoted Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research organization in Bethesda, Md., as saying, "The fact that the number [of incidents] is going up does not reflect worse security, it reflects worse attacks. The attacks are more sophisticated."

The article goes on to share that "Members of Congress also expressed concern with the reliance on certification and accreditation for judging system security during a recent hearing. Evans said that OMB is trying to work with the National Institute of Standards and Technology to develop new metrics for evaluating information security.

To Paller, money could be better spent. 'It costs on the order of $50,000 per system to do one of those [system reviews], and on average fewer than 8 percent are ever even read by anyone that can do anything with them,' he said. 'Agencies are spending this large chunk of money for report writing, rather than using it to actually secure the systems.'"

Evans' response leads me to ask, how is a card going to correct unauthorized access? If they gained unauthorized access before, doesn’t that mean they were using someone else’s credentials or there were other access points in the system that were weak enough to be bypassed? There is clearly a need for strong access security at all levels of the enterprise, not just the initial point of entry.

Ms. Evans is a much-quoted spokesperson for IT security in the federal government. In this case, her answers seem a little bit too much like trying to put a positive spin on some bad numbers, as opposed to calling for more effort among federal agencies to improve their security efforts. That's not something a card is going to help.

Contributed by Mark Tordoff

March 31, 2008

Ten ways CIOs weaken enterprise security

I saw this post on James McGovern's blog and just had to share it with you.

Ten Mistakes that CIOs consistently make that weaken enterprise security

Use process as a substitute for competence: The answer to every problem is almost always methodology, so you must focus savagely on CMMi (Capability Maturity Model® Integration) and ITIL, while not understanding the fact that hackers attack software.

Ostrich Principle: Since you were so busy aligning with the business, which really means that you are neither a real IT professional nor a business professional, you have spent much of your time perfecting memorization of cliche phrases and nomenclature and hoping that the problem will go away if you ignore it.

Putting network engineers in charge of security: When will you learn that folks with a network background can't possibly make your enterprise secure? If a hacker attacks software and steals data yet you respond with hardware, who do you really think is going to win the battle?

Over-rely on your vendors by relabelling them as partners: You trust your software vendors and outsourcing firms so much that you won't even perform due diligence on their staff to understand whether they have actually received one iota of training.

Rely primarily on a firewall and antivirus: Here is a revelation. Firewalls are not security devices, they are more for network hygiene. Ever consider that a firewall can't possibly stop attacks related to cross site scripting, SQL injection and so on? Network devices only protect the network and can't do much nowadays to protect applications.

Stepping in your own leadership: Authorize reactive, short-term fixes so problems re-emerge rapidly.

Thinking that security is expensive while also thinking that CMMi isn't: Why do you continue to fail to realize how much money their information and organizational reputations are worth?

The only thing you need is a consulting firm to provide you with a strategy: Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow-through necessary to ensure the problems stay fixed.

Getting it twisted to realize that Business / IT alignment is best accomplished by talking about Security and not SOA: Failing to understand the relationship of information security to the business problem -- they understand physical security but do not see the consequences of poor information security. Let's be honest, your SOA is all about integration as you aren't smart enough to do anything else.

Put people in roles and give them titles, but don't actually train them: Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.

James has a lot to say with these 10 points, but here are three points I'd like to make in summarizing his thoughts.

  1. Enterprise security isn't about taking classes, getting certified or learning different frameworks. It is about taking action to ensure that you put processes and controls in place and being diligent to self-audit to ensure they are followed.
  2. Enterprise security isn't about a part of your infrastructure; it's about your entire infrastructure. Security involves your entire IT organization and, in fact, your entire organization from the executive department on down.
  3. Enterprise security is a commitment, not a project that you can start and end.

What have you seen CIOs or other C-level executives do to sabotage enterprise security efforts? Which of James' points resonate with you and why? Do you think he's off the mark on any?

Share your responses. I'd love to hear them!

Contributed by Mark Tordoff

March 26, 2008

Tenth Ernst & Young Survey Highlights Importance of Meeting Business Objectives

Ernst & Young recently released the results of its 10th Global Information Security Survey and it shows that while compliance continues to be a primary driver for information security, meeting business objectives is becoming much more of a factor.

According to an article in Sarbanes-Oxley Journal, "The annual survey, which canvassed nearly 1,300 senior executives in more than 50 countries, shows that delivering information technology (IT) and operational efficiencies and improving overall business performance are emerging as critical objectives. Although compliance-based initiatives continue to be the primary driver of information security, nearly half (45 percent) of the survey respondents ranked meeting business objectives among the top three drivers of information security.

Paul van Kessel, Global Leader of Ernst & Young's Technology and Security Risk Services, said: 'Many organizations now view information security as a critical factor in meeting business objectives, and significant performance improvements are resulting from this increased interaction with corporate leadership and other key stakeholders. This alignment has a positive impact on the bottom line and elevates information security from a technology deployment function to a strategic imperative.'"

Among the key findings shared from the survey are the following:

  • In addition to the growing focus on business objectives, information security is more integrated into overall risk management.
  • Information security is now credited with improving IT and operational efficiency.
  • Compliance continues to be the primary driver of information security improvements and a top-ranked influencer in risk management integration.
  • Privacy and data protection increased significantly as drivers of information security.
  • Information security is too isolated from executive management and the strategic decision-making process.
  • The greatest challenge to delivering information security projects is the availability of experienced and trained resources. More than 60 percent of respondents say they are outsourcing certain elements of information security.

This mirrors the conversations I've been having with our customers here at Ecora. Compliance really needs to become an outcome, rather than an isolated event. Part of the key is being able to invest in technologies that will enhance business performance, while providing appropriate validation and reporting for auditors.

It is especially important to provide executive management with a view into compliance. In most organizations, it is the board and the executive team who must set the tone at the top if compliance initiatives are to be taken seriously.

Contributed by Mark Tordoff

March 24, 2008

Is Virtualization a Help or Hindrance to Securing Patient Data?

A recent story in eWeek focuses on Huntsville Hospital's deployment of 900 virtual desktops. The subhead of the article by Sharon Linsenbach promotes the deployment of virtualized desktops to improve security and compliance while reducing costs.

Certainly there are risks in having hundreds or even thousands of individual desktops or laptops distributed, all with hard drives, USB ports, and CD-ROM drives capable of being used to improperly retain and even extract electronic personal health information from a healthcare organization's system.

"The VDI significantly has reduced the time it takes to manage and troubleshoot users' PCs and allows referring physicians to access the centralized patient data via a Web browser," said Tony Wilburn, a network specialist at Huntsville Hospital, in Huntsville, Ala.

The article goes on to say that "The VDI also allows hospitals to centralize patient data into a single data center, giving administrators a much higher degree of control over who can access patient records.

Wilburn noted that storing patient data in the data center, rather than on user machines, helps Huntsville Hospital comply with HIPAA (Health Insurance Portability and Accountability Act) regulations and allows administrators to access and provide compliance information quickly and securely.

Virtualization also helps secure information from physical theft, which is a significant compliance challenge for health care organizations.

'If someone stole a PC off the registration desk, there's a good chance they'd get patient information. If they grab one of our thin clients, they get a doorstop,' said Shawn Scott, a network specialist at Huntsville Hospital."

The more complex an IT environment, the more difficult it is to manage, secure and keep compliant. However, the potential for problems is not completely eliminated by the move to virtualized desktops. With one central database, the importance of protecting access to that database is even greater: anyone looking to maliciously grab personal data need only penetrate that one database to capture all of it. Conversely, it should be easier for IT to protect a single database in a controlled environment than hundreds or thousands of individual user hard drives.

Perhaps the biggest challenge remains establishing and maintaining strong access rights. With the data being web-accessible, getting hold of a physician's log-in information, for example, could give someone looking to market personal health information all the access they need to make some additional income.

Having spent more time in hospitals than I'd anticipated over the last two months following a seizure and the removal of a brain tumor, I am more aware of how often you give out your personal information in the course of medical treatment and how crucial as a patient it is to have that information disclosed only to those directly involved in your medical care.

In my case, I have been dealing with two separate physicians' offices that are associated with two completely different hospitals. Even for my surgery, my MRI was on one campus, my pre-op was at a second, and the surgery was at a third location. All of them had access to my data, thanks to a centralized infrastructure. As I walked past all the computer monitors, I realized just how many people could have exposure to your information, both directly and just walking by someone's desk.

As medical organizations continue to merge, protection of electronic personal health information (ePHI) is only going to grow in importance.

Virtualization may be part of the answer, but only if security standards are vigorously enforced.

Contributed by Mark Tordoff

March 19, 2008

GAO Report Points Out Continued Government IT Security Weaknesses

A report (GAO-08-496), which GAO presented to Congress during a hearing several weeks ago, summarized agency progress in performing key control activities, the effectiveness of information security efforts, and opportunities to strengthen security, based upon prior audits, federal policies, and inspectors general reports, according to an article by Jill Aitoro on GovernmentExecutive.com.

In the area of access controls, GAO found that 19 of 24 major agencies reported weaknesses, including failure to identify and authenticate users, enforce measures to ensure access is appropriate, encrypt sensitive data on networks and mobile devices, and monitor network activities.

In an Information Week article by George Hulme, he states, "You'd think federal agencies would have clearly heard the message: citizens want their personal information maintained securely and responsibly. And so does the legislature. If they've heard the message, they certainly haven't listened."

The article goes on to state, "At first blush, these results might not seem so bad. After all, 22 of 24 agencies have developed 'policies requiring personally identifiable information to be encrypted on mobile computers and devices.'

That's a start. But the devil is in the implementation and enforcement of policies. Anyone can set a policy requiring data be encrypted. Just as anyone can set a policy to live within a budget, lose weight, quit smoking, or start exercising. Follow-through is the tough part.

And that's the rub here, according to the GAO: 'Gaps in their [federal agency] policies and procedures reduced agencies' ability to protect personally identifiable information from improper disclosure.'

According to an SC Magazine story by Sue Marquette Poremba, "Only two agencies – Treasury and Transportation – meet all the recommendations for compliance, while two others – Small Business Administration and National Science Foundation – met none, the GAO report said."

Given the focus on compliance over the last several years, it is unconscionable to me that two departments could score a complete goose egg on compliance. It is especially unnerving that one is connected to small business and another to science. The Small Business Administration should be leading the way, given the number of members that are likely to have Sarbanes-Oxley issues this coming year and the many who are probably wrestling with PCI compliance. And you'd like to think that scientists would be quick to embrace the kind of technology existing to automate a lot of this process.

The U.S. Congress certainly has plenty of legislation floating around to add further compliance pressures to corporate America. Perhaps it's time they focus on getting their own governmental IT security compliance in order.

Contributed by Mark Tordoff

March 18, 2008

Choosing Plastic at the Register Could Have Bagged Hannaford Customers' Credit and Their Groceries

Most of the time when I write about the risks of credit card data fraud, I don't expect to be writing about being personally at risk. However, with yesterday's announcement by the Hannaford supermarket chain that more than 4.1 million customers' credit or debit card information may have been exposed, I can be sure that we're in that group somewhere.

There are lots of issues with this breach that should be of concern. First is the length of time this has been happening. According to all reports, it appears this breach had been ongoing since December and was only discovered February 27th.

Second is the breadth of geography represented by the breach, and the fact that the breach goes beyond just Hannaford's own properties. Not only does it impact more than 250 stores in the Northeast and Florida, but, according to a statement on the Hannaford website, it also impacts "certain independently-owned retail locations in the Northeast that carry Hannaford products." As Evan Schuman on StorefrontBacktalk points out, "The fact that the breach accessed data from outside merchants that just happened to carry Hannaford products suggested something more extensive than a mere encryption hole at POS, presumably allowing the cyberthief—assuming it wasn't an inside job—to access credit and debit card data as it came into the system from other merchants, who presumably already charged the customers at their own POS."

Third, while the statement from Hannaford CEO Ron Hodge says "No personal information, such as names or addresses, was accessed. Hannaford doesn't collect, know or keep any personally identifiable customer information from transactions", the reality is, according to the Portland Press Herald, that there are already "1,800 fraud complaints tied to the security failure thus far." It will be interesting to learn how these 1,800 fraudulent transactions were processed without some level of customer information being involved too.

The fourth disturbing element of this breach is the reports from Hannaford personnel that the data was collected at the register. "Carol Eleazer, a Hannaford spokeswoman, said thieves accessed card numbers and expiration dates as they were being transmitted for authorization in checkout lines," according to the Press Herald account. It is difficult to imagine that there were people at every checkout of all 250-plus stores for a three-month period. It seems far more likely that whoever committed this crime was able to exploit a vulnerability in a local store system to find a way into the company's entire database, either at a corporate data center or an external card processor, depending on their set-up.

While this is still far smaller than the TJX breach involving more than 40 million customer accounts, it still leaves many questions to be answered about what steps major retailers are taking to help protect their customers' private information from being used maliciously.

You might want to think about paying for your groceries with paper rather than plastic for a while.

Contributed by Mark Tordoff