

u probably spent on your last lunch (a fire, theft, or similar event could also result in the loss of any backups stored on-site, but Internet backup services can provide off-site storage and access if disaster strikes). Check with your administrator. All organizations that help you connect to the Internet—your ISP, firm, or school—should have security pages. Many provide free security software tools. Use them as resources. Remember—it's in their interest to keep you safe, too!

Taking Action as an Organization

Frameworks, Standards, and Compliance

Developing organizational security is a daunting task. You're in an arms race with adversaries that are tenacious and constantly on the lookout for new exploits. Fortunately, no firm is starting from scratch—others have gone before you, and many have worked together to create published best practices. There are several frameworks, but perhaps the best known of these efforts comes from the International Organization for Standardization (ISO) and is broadly referred to as ISO27k or the ISO 27000 series. According to ISO.org, this evolving set of standards provides "a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System."

Firms may also face compliance requirements—legal or professionally binding steps that must be taken. Failure to do so could result in fines, sanctions, and other punitive measures. At the U.S. federal level, examples include HIPAA (the Health Insurance Portability and Accountability Act), which regulates health data; the Gramm-Leach-Bliley Act, which regulates financial data; and the Children's Online Privacy Protection Act, which regulates data collection on minors. U.S. government agencies must also comply with FISMA (the Federal Information Security Management Act), and there are several initiatives at the other government levels. By 2009, some form of state data breach law had been passed by over thirty states, while multinationals face a growing number of statutes throughout the world. Your legal team and trade associations can help you understand your domestic and international obligations.

Fortunately, there are often frameworks and guidelines to assist in compliance. For example, the ISO standards include subsets targeted at the telecommunications and health care industries, and major credit card firms have created the PCI (payment card industry) standards. And there are skilled consulting professionals who can help bring firms up to speed in these areas, and help expand their organizational radar as new issues develop.

Here is a word of warning on frameworks and standards: compliance does not equal security. Outsourcing portions of security efforts without a complete organizational commitment to being secure can also be dangerous. Some organizations simply approach compliance as a necessary evil: a sort of checklist that can reduce the likelihood of a lawsuit or other punitive measure (M. Davis, "What Will It Take?" InformationWeek, November 23, 2009). While you want to make sure you're doing everything in your power not to get sued, this isn't the goal. The goal is taking all appropriate measures to ensure that your firm is secure for your customers, employees, shareholders, and others. Frameworks help shape your thinking and expose things you should do, but security doesn't stop there—this is a constant, evolving process that needs to pervade the organization from the CEO suite and board, down to front-line workers, and potentially out to customers and partners.

And be aware of the security issues associated with any mergers and acquisitions. Bringing in new firms, employees, technologies, and procedures means reassessing the security environment for all players involved.

The Heartland Breach

On inauguration day 2009, credit card processor Heartland announced that it had experienced what was one of the largest security breaches in history. The Princeton, New Jersey, based firm was, at the time, the nation's fifth largest payments processor. Its business was responsible for handling the transfer of funds and information between retailers and cardholders' financial institutions. That means infiltrating Heartland was like breaking into Fort Knox. It's been estimated that as many as 100 million cards issued by more than 650 financial services companies may have been compromised during the Heartland breach. Said the firm's CEO, this was "the worst thing that can happen to a payments company and it happened to us" (R. King, "Lessons from the Data Breach at Heartland," BusinessWeek, July 6, 2009). Wall Street noticed. The firm's stock tanked—within a month, its market c...

This document was uploaded on 01/31/2014.
