Data Security by Todd Langusch, CISSP, CISM, PCI QSA Chief Security Officer, Tech Lock
What can a firm do today to improve their Data Security?
Use a data-centric risk-based approach!
Identify all types of confidential data that your company stores, processes, or transmits (e.g., cardholder data, protected health information, social security numbers, consumer information). Document how each type of data flows throughout the organization. Next, assess risks to the data flow and adjust it accordingly. Take note of who you send data to…service providers, (print/mail, hosted dialing, skip tracing, etc) and ensure proper due diligence. Finally, take the time to educate and train all employees on protection of data, procedures, acceptable use policies, and the information security program as a whole.
No single person can know how all data is stored, processed and transmitted throughout an organization, so each of the three phases mentioned below should include a representative cross-section of the company. Choose senior management, IT staff, application owners, programmers/developers, functional/operations managers, HR, facilities managers, and any other department that comes into contact with any type of data that might possibly include confidential data. This group is your Risk Management Team ("RMT").
Phase I (Identification): Have the RMT work with their own departments to document all instances which they store, process, or transmit confidential information - both physical (paper) and electronic. This documentation should be as specific as possible, and should include information such as the type of data, file/table names, server, physical location, and purpose.
Phase II (Diagramming) is a little more difficult. After the identification phase is complete, a subset of the RMT is selected to tie it all together. A technical-minded (usually in IT) person will be able to tie the documentation together into one comprehensive diagram for each type of confidential data better than someone who does not know the inner workings of the system infrastructure. Individuals from operations and accounting can help, because an IT person may need help understanding some of the processes involved in those areas while creating the diagram.
Phase III (Risk Management) puts it all together. Once the diagram is complete, it should be forwarded to the RMT for validation. After all corrections and revisions are complete, take a risk-based approach to identify the threats and vulnerabilities affecting your data flow, determine impact and overall risk, and finally implement controls to reduce or eliminate the risks. For guidance on this part of the process, see NIST SP800-30: Risk Management Guide for Information Technology Systems (http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf).
Ensure a proper due diligence on service providers that you send data to. Be wary of the marketing smoke and mirrors you may receive as well as the inaccurate compliant statements from service providers. As an example, I evaluated a service provider that said they were PCI DSS compliant. All they had was an external scan certificate which is one part of PCI DSS compliance. They also had a Self-Assessment Questionnaire (SAQ) their CIO filled out but they either unknowingly did not understand PCI DSS or took the opportunity with the SAQ to try and sneak by. However, a quick question and answer session with them touching on the Top Ten largest PCI DSS compliance gaps we have seen quickly yielded the truth…they were nowhere near PCI DSS compliant. You can download the full PCI DSS specification from the PCI Security Standards Council website https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
Take note, the word doc is 74 pages. Each of the 12 requirements has sub requirements. Don’t be fooled by companies that do one page SAQs incorrectly vs. a company that will get a Level 1 audit done by a Qualified Security Assessor (PCI QSA). Even then you need to review the PCI DSS Report on Compliance (RoC) checking all of section 3 to see how they protect the data vs. some of the more interesting ones we have seen that state they do not have to protect the data (cardholder data) as the credit card #s are in default and therefore they are not required to protect it. This is misleading. The PCI Security Standards Council released a FAQ as it relates to “hot cards, fraudulent, or invalid card numbers, or cancelled cards.” but cardholder data aside, bottom-line it is still consumer information you are sending to that service provider (Name, address etc) and if they are not securing the data properly you can end up on the six o’clock news.
In closing, performing adequate security awareness training with senior management support is something you can start quickly today, costs the least, and yields the highest return on investment. Building a security culture throughout the organization should be a priority. Employees have access to the data and are the eyes and ears of the organization. You want to ensure they know what to do and what not to do but more importantly be your “security team.”
Are there any legal issues that must be adhered to regarding data security?
Yes quite a few unfortunately. Credit and Collection Agencies are inundated with a plethora of rules, regulations, and industry standards that are required to be followed. If agencies do not they run the risk of being fined, shut down, or severely decrease revenue. I am sure everyone is familiar with the Gramm-Leach-Bliley Act (GLBA). GLBA defines "financial institutions" as companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance. The Federal Trade Commission (FTC) has jurisdiction over financial institutions similar to, and including loan brokers, banks, debt collectors, etc.
The Gramm-Leach-Bliley Act (GLBA) is a federal law enacted November 12, 1999 and contains a Privacy Rule as well as a Safeguards rule. The Safeguards rule requires ARM companies to develop a written information security program. The program must contain administrative, technical, and physical safeguards. No matter what the size or complexity, each institution must:
• Designate one or more employees to coordinate its program;
• Assess risks to the security of customer information;
• Design and implement safeguards to address risks, and test and monitor their effectiveness over time;
• Oversee and monitor service providers
• Adjust the program to address developments
Every ARM company is covered and must adhere to the Safeguards Rule. More information can be found on the FTC website:
Also at the federal level is the Red Flags Rule which goes into effect June 1, 2010.
Issued by the Federal Trade Commission (FTC) requires Credit and Collection companies to implement an identity theft program. The program must provide for the identification, detection, and response to patterns, practices, or specific activities known as "red flags". Therefore, companies need to have updated incident response procedures, employee training to identify red flags, and a policy that is approved and signed by the board members or owners.
When implementing your Red Flags program, ensure that you:
• Identify relevant red flags
• Explain how you will detect and respond to red flags
• Designate a senior employee to administer the program
• Get approval of the program by Board of Directors, Committee of your Board, or a senior manager
• Describe how you will train your staff
• Describe how you will supervise your service providers
• Describe how the program will be updated
A great How-To Guide for Credit and Collection companies can be found here:
If any Credit or Collection agency is in healthcare the HITECH Act deadline recently passed, Feb 17, 2010 requiring Business Associates (BA) to be fully HIPAA compliant. Agencies should have received new business associate agreements detailing the new requirements. HITECH Act gave HIPAA teeth and agencies should ensure they have implemented the necessary administrative, technical, and physical safeguards outlined in HIPAA §164.306 Security Standards: General Rules, §164.308 Administrative safeguards, §164.310 Physical safeguards, §164.312 Technical safeguards, §164.314 Organizational requirements, §164.316 Policies and procedures and documentation requirements.
If any Credit or Collection agency is performing government subcontract work, student loans as an example, then the Federal Information Security Management Act (FISMA) is applicable. FISMA is not a checklist audit but references National Institute of Standards and technology (NIST) as well as Federal Information Processing Standard (FIPS). The NIST 800-53 document provides a good compliance roadmap with controls.
Switching to State level…
Nearly all States have enacted Data Breach Notification laws similar to California's SB 1386. They are not all the same and some provide a "safe harbor" exemption if the data is encrypted. Additionally, there are differences in the:
• Method of notice
• Notification requirements
• Timeframe to notify
• Permissible delays
• Substitute notice
Credit and Collection Companies should incorporate State data breach notification in their incident response procedures.
Some states have enacted their own data security standards. Effective March 1, 2010, Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth requires that any person that owns or licenses personal information about a resident of Massachusetts must maintain a written information security program (WISP) as well as meet the computer system security requirements. For agencies, owns or licenses is defined as:
receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.
Therefore, if your agency has personal information of a resident of Massachusetts, you need to review the requirements to ensure compliance. The requirements and a checklist can be found here:
Requirements - http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
Checklist - http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf
Massachusetts originally had a date of January 1st, 2010 but moved the compliance date to March 1, 2010 and “softened” the requirements a little bit with emphasis on “risk-based” approach to ease burdens on small business.
Nevada Personal Information Law NRS 603a - https://www.leg.state.nv.us/75th2009/Bills/SB/SB227_EN.pdf Until Nevada, recently, Minnesota was the only State to pass legislation with regards to PCI DSS. Minnesota’s Plastic Card Security Act which focuses on the card security code, PIN verification code, and the magnetic stripe data (Section 3 of PCI DSS) was only a provision of PCI DSS, whereas Nevada included the entire PCI DSS standard.
Credit and Collection companies that want to grow their revenue accept payment in many forms. Credit cards are an example of one form of payment. Organizations that store, process or transmit cardholder data must comply with the Payment Card Industry Standard (PCI DSS). Failure to comply with PCI DSS requirements can result in steep fines but also potential risk to customer information and your systems.
All businesses who store, transmit or process credit card data are required to follow the PCI DSS, and should have become PCI compliant by the end of 2007. If you are one of these businesses and are not yet compliant, you are constantly at risk of losing sensitive cardholder data, which will most likely result in PCI DSS fines, legal action and bad publicity. Organizations that fail to comply face fines of up to $500,000 if the data is lost or stolen and risk not being allowed to handle cardholder data.
High-status cases concerning big corporations have hit the headlines in the last couple of years. The Payment Card Industry has threatened huge fines against some larger merchants of up to $25,000 per month until compliance is obtained. In the high-profile case of TJX (owner of T.J. Maxx, Marshalls, Home Goods and A.J. Wright retail chains), the company reported spending $202 million because of the PCI violation that compromised the cardholder account information of as many as 40 million customers. The money is being spent to handle more 20 lawsuits brought against it by banks and consumers in the U.S. and Canada and to pay settlements with credit-card associations.
More information regarding PCI DSS can be found here:
What is a necessary IT security expense vs. a luxury IT expense?
This is a great question. I am sure there are security folks out there that would say you cannot spend enough on security when actually you can. When the expense exceeds the loss through a risk analysis you can certainly say the expense was not justifiable and call it a luxury. Risk management is always the first step in information security and will determine the expense requirements. Risk is the net negative impact of the exercise of a vulnerability, considering both the probability or likelihood and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level which could be through a security expense.
Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems to process their information for better support of their missions, risk management plays a critical role in protecting an organization’s information assets, and therefore its mission, from IT-related risk. The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform their mission, not just its IT assets.
Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization. Too often, senior management is extremely disconnected from security issues and security expenses, despite the fact that when a security breach takes place, senior management must explain the reasons to business partners, shareholders, and the public. After this humbling experience, the opposite problem tends to arise – senior management becomes too involved.
Inadequate management can undermine the entire security effort in a company in addition to improper security expenditures. Among the possible reasons for inadequate management are that management does not fully understand the necessity of security; security is in competition with other management goals; management views security as expensive and unnecessary; or management views security as keeping the “bad guys” out and not as a business enabler. Management should ask the following risk based questions when approving or disapproving security expenses:
What is the Asset value? Maybe it is a day’s worth of operational revenue combined with paid wages to workers.
What is the threat frequency and threat exposure factor?
What is the safeguard effectiveness?
What is the safeguard cost?
Let’s take an easy one as an example, Anti-Virus Software, as this is pretty common software among companies but sometimes misunderstood.
Company ABC pulls in about $100,000 a day in revenue.
The threat frequency and threat exposure factor are high. Meaning that in a twelve month period it is probable it will happen once so the multiple is 1.0 If it would only occur once in ten years, a fire in the facility as an example, the multiple would be .1
The safeguard cost is $10 per workstation or server and let’s assume 100 workstations so cost is $1,000
Safeguard effectiveness…here is where anti-virus software is misunderstood as it is a reactive tool. Yes it can be viewed as proactive or preventative meaning the virus was identified hitting the workstation and inoculated but how did it get into the environment in the first place?? So additional preventive safeguards should be reviewed as well.
Back to the equation. If the Asset is Data or a full production day ($100,000), the threat Virus, Annual Rate of Occurrence (1.0) then spending $1,000 to save $100,000 is certainly justifiable. Conversely, if an organization was deciding on data center or availability infrastructure, such as, power and cooling and was going to spend $1,000,000 on backup generators to ensure they were not down for a day then that would be a luxury IT expense if the annual rate of occurrence was (1.0)
It always comes down to a risk based management decision
Ask the Expert!
The information provided is for entertainment and informational purposes only. Always consult with your legal counsel before implementing any new policies or procedures. Readers of CCN should note that Credit and Collection News and ask advisors deny any responsibility should readers utilize information and implement any or all the information provided.