u probably spent on your last lunch (a fire, theft, or similar event could also result in the loss of any backups stored on-site, but Internet backup services can provide off-site storage and access if disaster strikes).

Check with your administrator. All organizations that help you connect to the Internet—your ISP, firm, or school—should have security pages. Many provide free security software tools. Use them as resources. Remember—it’s in their interest to keep you safe, too!

Taking Action as an Organization

Frameworks, Standards, and Compliance

Developing organizational security is a daunting task. You’re in an arms race with adversaries that are tenacious and constantly on the lookout for new exploits. Fortunately, no firm is starting from scratch—others have gone before you and many have worked together to create published best practices. There are several frameworks, but perhaps the best known of these efforts comes from the International Organization for Standards (ISO), and is broadly referred to as ISO27k or the ISO 27000 series. According to ISO.org, this evolving set of standards provides “a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System.”

Firms may also face compliance requirements—legal or professionally binding steps that must be taken. Failure to do so could result in fines, sanctions, and other punitive measures. At the federal level, examples include HIPAA (the Health Insurance Portability and Accountability Act), which regulates health data; the Gramm-Leach-Bliley Act, which regulates financial data; and the Children’s Online Privacy Protection Act, which regulates data collection on minors. U.S. government agencies must also comply with FISMA (the Federal Information Security Management Act), and there are several initiatives at the other government levels. By 2009, some level of state data breach laws had been passed by over thirty states, while multinationals face a growing number of statutes throughout the world. Your legal team and trade associations can help you understand your domestic and international obligations. Fortunately, there are often frameworks and guidelines to assist in compliance. For example, the ISO standards include subsets targeted at the telecommunications and health care industries, and major credit card firms have created the PCI (payment card industry) standards. And there are skilled consulting professionals who can help bring firms up to speed in these areas, and help expand their organizational radar as new issues develop.

Here is a word of warning on frameworks and standards: compliance does not equal security. Outsourcing portions of security efforts without a complete, organizational commitment to being secure can also be dangerous. Some organizations simply approach compliance as a necessary evil: a sort of checklist that can reduce the likelihood of a lawsuit or other punitive measure (M. Davis, “What Will It Take?” InformationWeek, November 23, 2009). While you want to make sure you’re doing everything in your power not to get sued, this isn’t the goal. The goal is taking all appropriate measures to ensure that your firm is secure for your customers, employees, shareholders, and others. Frameworks help shape your thinking and expose things you should do, but security doesn’t stop there—this is a constant, evolving process that needs to pervade the organization from the CEO suite and board, down to front line workers and potentially out to customers and partners. And be aware of the security issues associated with any mergers and acquisitions. Bringing in new firms, employees, technologies, and procedures means reassessing the security environment for all players involved.

The Heartland Breach

On inauguration day 2009, credit card processor Heartland announced that it had experienced what was one of the largest security breaches in history. The Princeton, New Jersey-based firm was, at the time, the nation’s fifth largest payments processor. Its business was responsible for handling the transfer of funds and information between retailers and cardholders’ financial institutions. That means infiltrating Heartland was like breaking into Fort Knox.

It’s been estimated that as many as 100 million cards issued by more than 650 financial services companies may have been compromised during the Heartland breach. Said the firm’s CEO, this was “the worst thing that can happen to a payments company and it happened to us” (R. King, “Lessons from the Data Breach at Heartland,” BusinessWeek, July 6, 2009). Wall Street noticed. The firm’s stock tanked—within a month, its market c...