A hot topic with most companies today is information security. As data loss, identity theft, malware and hacking attempts have continued to proliferate, organizations of all sizes have found themselves victimized, and the headlines continue to bring unwanted visibility to affected companies.
This fact, when coupled with increasing regulatory requirements for companies in the healthcare and financial services industries, credit card security requirements and breach notification laws in most jurisdictions (including the State of Tennessee), has brought long-overdue focus on the protection of sensitive data.
Information security is about identifying, measuring and managing the business risk related to confidentiality, integrity and availability of information assets to a level an organization can accept. A security professional’s goal should be to advise and educate the company’s management team regarding risks in the environment, and then arm them with the information they need to make well-informed decisions about the risks.
Your organization’s security program should be based on a security “framework,” a set of published security guidelines that can be used as a baseline upon which risk decisions are made.
- There are many frameworks available to use. The best approach is to adopt a framework commonly used in your company’s industry that aligns with any legal or regulatory compliance obligations you have.
- Conduct a risk assessment to identify the security weaknesses in your organization that need to be addressed.
- Once the weaknesses have been identified and prioritized, commission an action plan to address the highest-priority items.
There are a few topics that regularly show up as high-risk issues in risk assessments for today’s organizations.
One high-risk issue that often times surfaces is endpoint security. An “endpoint” is a computer system on your network used by an individual to interact with computer servers or applications. Endpoints can include:
- specialized components such as point of sale terminals.
Endpoints are particularly vulnerable because humans are vulnerable:
- they will blindly click on a link in an email
- connect a laptop to an unfamiliar network
- accidentally leave a smartphone in the seatback pocket of an airplane
All of these innocent mistakes can lead to a loss or compromise of sensitive data for an organization, and, therefore, might require a public acknowledgment of breach by the company. As a part of your security program, ensure your endpoint devices are well protected.
Anti-virus is a must for most desktop and laptop systems. Security patches are released monthly, or more frequently, and should be applied quickly and in accordance with your organization’s established framework and procedures.
Be sure your patching process includes considerations for non-operating system software such as:
- Adobe Reader
- Flash Player
- all Internet browsers installed on the system
These software applications are very frequent targets of attack and are particularly vulnerable to compromise. Also, ensure all devices, including smartphones, require a passcode in order to access the data on the device.
Finally, many of the security laws in effect today provide a company safe harbor against having to acknowledge a breach when the company has encrypted the data on the system, so organizations should strongly consider implementing encryption on endpoints to protect sensitive data.
Another high-risk security issue that should be evaluated is the security of third parties responsible for storing, processing or transmitting data on your behalf. These organizations could be vendor partners with whom a formal business relationship exists, or they could be unwitting parties brought into scope by an employee who has shared sensitive information with the third party.
Examples of “unexpected” third parties are companies that offer file-sharing services such as:
- Apple’s iCloud
These services offer convenience by integrating with endpoint devices to seamlessly copy data from the computer’s hard drive to a server somewhere on the Internet. In this way, the data is now easily accessible by other devices (such as a smartphone or tablet).
These free services do not provide any guarantee of security over the data stored on the service, and your organization cannot be sure sensitive data pushed to one of these “cloud-based” services won’t be seen by unauthorized individuals. Therefore, your company should have a clearly defined policy regarding how file-sharing services should be used (if at all), and employees should be trained accordingly.
Also, you should establish a vendor management process to ensure all third parties who store, process or transmit data on behalf of your organization have a contractual obligation to apply an appropriate degree of security to your data and that they periodically provide evidence (such as a Service Organization Control report) confirming their controls are in place and functioning.