July 2008

July 29, 2008

How to be Ready if your IT Hero Becomes a Villain

There probably aren't too many of you that haven't made it to the theater to catch the latest cinematic appearance of Batman in "The Dark Knight." In just 10 days, it has already grossed more than $314 million.

While today's post is really about the recent headlines related to Terry Childs, an IT administrator with the city of San Francisco who had been virtually holding the city's new fiber backbone network hostage, there are some interesting analogies that can be drawn between fiction and reality in this case. While much of the media coverage focuses on the late Heath Ledger's portrayal of the Joker, like this review from Rolling Stone, there is also a good deal being made of Christian Bale's portrayal of a Batman who wrestles with his own inner demons as well as real-life villains like the Joker.

Virtually all the leading IT bloggers have had the opportunity to share their opinions, like Mike Rothman, who was somewhat entertained, Shrdlu, who provides a simple test to see if the next narcissistic IT administrator happens to be sitting in your IT department, or Professor Howard Schmidt, who correctly labels this "cautionary tale" as a "classic example of what a disgruntled person with elevated privileges can do in any enterprise."

Mike Fratto's article in last week's InformationWeek is even entitled "When Heroes Go Bad: San Fran Learns the Hard Way." As Fratto puts it so well, "At one time or another, it happens in almost every IT shop: A handful of people, or even one person, has the sole responsibility for and knowledge of critical systems." In this case we're talking about IT, but this can carry over into any mission-critical department, whether it's sales, customer service, finance or product development.

So, how do you prevent this in your IT staff? Well, you might want to start with Shrdlu's test above, but, immediate step two would have to be Mike Fratto's suggestion to "cross-train IT staff so that no one person alone understands and controls key systems; spread responsibility for systems over several people; and adopt a practical change management process." Frank Hayes, in last week's Frankly Speaking in Computerworld, reinforced this same thought when he said, "Setting up a team structure for network administration, in which team members cross-train and rotate through one another's jobs, would make such an occurrence much less likely."

Once you get past the cross-training, where do you go from there? In most cases, it comes down to having visibility into changes in your IT environment. Can you identify when configurations are being changed, especially when the changes are unauthorized? In this particular case, you would want to know the current makeup of the Domain Administrators group on critical systems, who has share and NTFS permissions on folders with sensitive corporate and customer data, and even which individual accounts have passwords set to never expire.

Of equal importance, especially in the event your IT hero becomes a rogue villain, is to not only ensure that you have personnel cross-trained and that you're able to get current configuration reporting, but that senior management has accurate, easily accessible visibility into these changes. This means reports that can be accessed and read on today's personal digital assistants (PDAs), and web-accessible dashboards that quickly identify where current system configurations vary from external regulations as well as from internal policies and standards.

If this is an area of weakness for your organization, I'd urge you to investigate the capabilities of solutions like Ecora Auditor Pro, either by requesting a personal demonstration or by requesting a trial in a test environment where you can see how easily you can capture comprehensive configuration data about your environment. Just don't be surprised to find a few systems where the administrator account still hasn't been renamed, or where the list of disabled user accounts is missing a lot of former employees and subcontractors.

Contributed by Mark Tordoff

July 25, 2008

How You Roll Out Your Applications and Their Upgrades Has A Lot to Do with System Uptime

This past Wednesday, we hosted a webinar with StackSafe on "The Influence of application selection on Testing and Change Management."

In this session, Dennis Powell, StackSafe's Senior Product Manager, and Shahzad Hussain, a Senior Systems Engineer with Ecora Software, discussed the following:

  • Three main organizational approaches to change management and testing
  • Why change management adoption can be more difficult in high stress environments
  • The positive role downtime expenses play in the adoption of testing and change management processes
  • The types of organizations that tend to have the most "laissez-faire" attitude towards change management
  • How multiple operating systems can nearly double the cost of unplanned downtime

Today, Dennis shared more of his thoughts from this presentation in a post called, "IT's About Uptime."

If you'd like to see the presentation in its entirety, you can register and download it here.

While much of the presentation focused on environments where applications are actually developed, there are also plenty of challenges related to the deployment of third-party applications or upgrades that should be considered. In the latter portion of the presentation, Shahzad gives some examples of the types of configuration reports you'll want to be able to generate: reports that confirm an application, patch or service pack has been applied to every appropriate system in your environment, and reports that verify the upgrade didn't cause additional, unanticipated changes. One example is an upgrade that removes a DLL shared with another application, rendering that other application inoperable.

If you are looking for this type of solution, or need a way to ensure your test environment is accurately configured to reflect your production environment, request a personal demonstration of Ecora Auditor Pro and see if it will answer your configuration audit or compliance reporting questions.

Contributed by Mark Tordoff

July 22, 2008

What is a picture of my brain doing on a PC in the Philippines? Why Stronger HIPAA Enforcement is Needed

I've been through quite a medical adventure over the past seven months, having had a seizure in January that led to the discovery of a benign brain tumor and its subsequent removal in March.

As I've shared in a prior post, the experience has left me with a much better understanding of just how much data related to my medical history is available electronically and is accessible by a large number of different medical professionals. In my situation, I've been treated at two different hospitals and have seen my personal physician, my surgeon, a few neurologists and a couple radiologists, plus all of their receptionists, nurses and billing personnel. There is also an ambulance service and a health insurance company in the equation.

I have been asked to repeat my social security number and birthdate numerous times, as well as my name, to confirm I am who I say I am. All the while, I'm thinking "I'm not sure I'm comfortable repeating this to everyone, even if you do have a HIPAA policy statement you'd like to give me!"

But, what's that got to do with the title for this post?

Well, in trying to do a little catch up on my back reading, I came across a story in AIS's Health Business Daily on a recent HIPAA patient privacy violation by a plastic surgeon at University of Florida - Jacksonville.

Apparently, the surgeon, Dr. Francis D. Ong, saved digital images of his patients and, in some cases, copies of documents that "may have included names, dates of birth, Social Security or Medicare numbers, and other private data, including some individual patient medical information."

Dr. Ong's practice was apparently purchased by UF, including his computer equipment, but he apparently had a mindset that it was "technically still his", so he donated it. Ong is a leader in the Filipino community in Jacksonville, Florida and regularly organizes large donations to be shipped annually to the Philippines.

Ong has resigned his position with UF-Jacksonville and the Shands Jacksonville Medical Center, although he has indicated he was already planning to not renew his contract.

In the past year, we've seen some incidents surrounding the leaking of medical records of celebrities like George Clooney and Britney Spears, but what happens if it's you or me? In my case, my employer knows of my recent medical issues, but what if I needed to seek employment and someone inappropriately shared records related to my seizure or tumor? How would that impact my prospects for getting the job? What about if I wanted to purchase additional life insurance?

As more and more of our personal health information is available electronically, and as more and more healthcare organizations consolidate, as in the case of Dr. Ong's practice, how vulnerable will we become to our information falling into the hands of someone looking to use it to spite us, bribe us, or limit our job opportunities?

The more I have to interact with the healthcare industry, the more certain I am that HIPAA enforcement needs to be taken seriously by the Department of Health and Human Services, the US Congress, and each of us.

Contributed by Mark Tordoff

July 17, 2008

As Data Breaches Continue to Mount, Are Regulations To Blame?

Could it be that the same oversight protections that were put in place to ensure consumer and shareholder protection are actually creating a higher degree of security risk? A closer examination of the issue may lead you to believe that this concept isn't as far-fetched as it may seem at first glance.

The idea behind the creation of Sarbanes-Oxley and all subsequent regulations concerning everything from financial reporting to e-discovery was that a record would be kept of all critical information that could later be reviewed should any hint of impropriety arise. Compliance was out to put an end to the days of companies purging critical data that could provide evidence of corporate wrongdoing.

While that is all well and good, another thing happened along the way. Forcing corporations and other organizations to maintain large amounts of data for longer periods of time, coupled with the onslaught of data being created in the new digital world we live in, has created a high-risk environment.

In the past, companies would simply purge their systems of data that presented security risks for the company rather than keeping it stored in files that could ultimately be lost through either malicious or accidental occurrences. Data leakage is currently one of the most pressing issues CIOs face, and a major reason for this is the sheer volume of confidential information they are forced to contend with in order to ensure compliance with the multiple regulations and other mandates they are subject to.

I am certainly not advocating the abolition of compliance, for it has served its purpose in restoring investor confidence in the market and along the way forced companies to clean up questionable business practices. However, this could be a case where a review is in order to ensure that the system created to help keep consumers safe is not ultimately doing more harm than good by keeping their critical data around longer, where it may become the target of malicious behavior.

I would suggest that, along with installing the tools to meet compliance, companies also give equal time to ensuring that their environment is able to sustain the required volume of data safely and securely. One of the biggest issues I hear from the CIOs I talk to in the field is that the points of vulnerability seem to shift with every change to the company's IT infrastructure, and that trying to close the door on all areas of threat has become extremely complicated. Getting a handle on your own environment is the first step in managing IT security in a compliance world.

Submitted by Bryan Cote

July 15, 2008

Documentation of System Configurations is Critical to Effective Disaster Recovery Planning

Disaster recovery is on a lot of minds recently, especially in light of the floods in the Midwest and the beginning of hurricane season. Even man-made disasters like the collapse of two cranes on two separate occasions have fueled conversations about businesses' disaster recovery planning.

Tomorrow, I'll be joined by Patrick Dunn, Practice Lead with Orange Parachute, Inc., to share the basics of disaster recovery. Disaster recovery is a key element of an effective Business Continuity Management Program. One fundamental ingredient to being properly prepared for a disaster and having an effective Business Continuity Management System is current, detailed documentation of your infrastructure configuration.

Here are four key reasons why documentation is important:

1. Full configuration documentation of all systems is needed in the event that you must build a system from scratch following a disaster.

2. Many organizations have DR environments that mirror their normal production environment. Change reports between the two environments can identify any areas where the two are different and could cause systems and applications to not function properly.

3. It is also important to be sure user access rights and permissions are the same in both environments, so that someone isn't locked out or, equally important, doesn't gain greater access rights when switching to a backup environment.

4. Most DR environments must hold a copy of the company’s financial and customer data. This will require the DR environment to be as compliant during an audit as the production environment. However, many of these DR environments may be in virtual machines on a VMware server and are more challenging for most organizations to audit.
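The change reports described in the list above, and the configuration checks named in the Terry Childs post (Domain Administrators membership, share permissions, passwords set to never expire), both reduce to comparing two configuration snapshots and flagging drift. The script below is an added example, not Ecora code; the two snapshots are constructed sample data with hypothetical server, share and account names, and a real run would fill the same dictionaries from an audit tool's export.

```python
"""Report security-relevant drift between two configuration snapshots."""
from typing import Any, Dict, List, Set, Tuple

# Constructed sample data (hypothetical server, share and accounts), not a
# real export. BASELINE is the approved production state; CURRENT is either a
# later scan of the same system or its disaster-recovery mirror.
BASELINE: Dict[str, Any] = {
    "domain_admins": {"alice", "bob", "dave"},
    "shares": {r"\\FS01\Finance": {"Finance-RW": "Change", "Domain Admins": "Full"}},
    "password_never_expires": {"svc-backup"},
}
CURRENT: Dict[str, Any] = {
    "domain_admins": {"alice", "bob", "carol"},
    "shares": {r"\\FS01\Finance": {"Finance-RW": "Full", "Domain Admins": "Full",
                                   "Everyone": "Read"}},
    "password_never_expires": {"svc-backup", "carol"},
}

# Share/NTFS permission levels ordered from least to most access; a principal
# absent from an ACL is treated as level 0.
LEVELS = {"Read": 1, "Change": 2, "Full": 3}


def diff_sets(base: Set[str], cur: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (added, removed) members of cur relative to base."""
    return cur - base, base - cur


def compare_snapshots(base: Dict[str, Any], cur: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (severity, description) pairs for every difference found.

    Gains of privilege (new admins, widened permissions, passwords that no
    longer expire) are HIGH. Losses are MEDIUM: harmless on a production
    system, but on a DR mirror they mean someone is locked out at failover.
    """
    findings: List[Tuple[str, str]] = []
    added, removed = diff_sets(base["domain_admins"], cur["domain_admins"])
    findings += [("HIGH", f"new Domain Admins member: {u}") for u in sorted(added)]
    findings += [("MEDIUM", f"Domain Admins member missing: {u}") for u in sorted(removed)]

    for share in sorted(set(base["shares"]) | set(cur["shares"])):
        b_acl, c_acl = base["shares"].get(share), cur["shares"].get(share)
        if b_acl is None:
            findings.append(("HIGH", f"share not in baseline: {share}"))
            continue
        if c_acl is None:
            findings.append(("MEDIUM", f"share missing: {share}"))
            continue
        for who in sorted(set(b_acl) | set(c_acl)):
            b_lvl, c_lvl = LEVELS.get(b_acl.get(who), 0), LEVELS.get(c_acl.get(who), 0)
            if c_lvl > b_lvl:
                findings.append(("HIGH", f"{share}: {who} widened to {c_acl[who]}"))
            elif c_lvl < b_lvl:
                findings.append(("MEDIUM", f"{share}: {who} reduced to {c_acl.get(who, 'none')}"))

    added, _ = diff_sets(base["password_never_expires"], cur["password_never_expires"])
    findings += [("HIGH", f"password set to never expire: {u}") for u in sorted(added)]
    return findings


if __name__ == "__main__":
    for severity, text in compare_snapshots(BASELINE, CURRENT):
        print(f"[{severity}] {text}")
```

Run against the sample data it reports one new domain admin, one admin missing from the mirror, two widened share permissions and one new never-expiring password; feeding the same snapshot twice yields an empty report.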

Get advice on how your IT department can prepare for any disaster and what kind of system documentation will help you restore business services more quickly from this industry expert by registering today. The session is at 1pm EDT tomorrow.

Contributed by Mark Tordoff

July 08, 2008

I know I had a laptop when I entered the airport...

As you know, if you're flying anywhere with your laptop these days, you have to remove it from whatever case you are carrying it in and send it on its own through the scanner while you walk through your own personal scan for whatever metal objects you might be hiding.

Depending on when you fly, it can be pretty hectic getting through the scan and over to retrieve your stuff from however many bins you might have had to use. But, it never crossed my mind that you could actually forget to collect something as important as a laptop.

However, in a study conducted for Dell computers, the Ponemon Institute found that, nationwide in the US, an average of 12,000 laptops are lost each week and only a third of those are ever recovered by the owners. Surprisingly, 40% of those laptops are lost going through security. That's more than 600,000 laptops a year, with nearly a quarter million lost right in security! Who knew security could be so insecure.

As David Hughes quotes from the report in his article on AviationWeek.com, "there are 'potentially millions of files containing sensitive or confidential data that may be accessible to a large number of airport employees and contractors.'"

LAX was the airport where a laptop was most likely to be lost, with over 1200 a week showing up lost. Miami and New York's three airports were the other likely departure sites for leaving your laptop behind.

Seems like a subject most companies might want to consider addressing, both with the employees who can't seem to remember they have a laptop and in how they handle access rights and data storage on laptops.

Contributed by Mark Tordoff