This isn’t about partisan politics or law. It is about good, common sense IT Governance. The ongoing revelations of the Clinton e-mail scandal demonstrate a total failure of IT Governance at the highest levels of the US Government. Not only is no IT Governance in evidence, the situation has displayed astonishing hubris, casual disregard for information security, and a massive sense of entitlement of all the parties involved. Common sense, good judgement and even a basic understanding of handling sensitive information seem to be completely absent. Where were all of the tens of thousands of security professionals employed by the federal government? Who was keeping an eye on the ball while all this was going on?
Having served for four years in Army intelligence, I can assure you that had this situation been perpetrated by minions and peons in the military, the culprits would already have been behind bars facing long sentences in military prison. Were similar revelations made about highly regulated corporations required to comply with regulations such as GLBA and SOX, we would have already seen dozens of executives and managers doing perp walks and making plea deals to stay out of prison.
We can’t easily fix what goes on in Washington, but you can take steps to ensure that your organization does not suffer this kind of embarrassment. I hope you are using this as a lesson and an opportunity to review your Acceptable Use, e-mail and information security policies and procedures. Make sure that all your policies, processes, and procedures comply with best practices, applicable regulations, and common sense. And make sure your staff receives annual training on these policies and procedures.
In general, large corporate entities tend to have strict policies because of the enormous quantity of regulatory compliance issues they face. However, many municipal and county organizations have elected or appointed officials who use personal e-mail addresses for conducting official business. There is absolutely no reason for this. E-mail is a dirt cheap commodity and a strict policy on e-mail is likely to prevent embarrassment, civil litigation, or criminal indictments down the road.
Here are some tips for e-mail usage and your policies:
- Never, never send confidential information in an unencrypted e-mail. E-mail is not a secure method of transmission.
- Never put anything in an unencrypted e-mail that you wouldn’t want the entire world to see. Even if it is encrypted, the recipient may decrypt it and accidentally (or purposely) forward it to EVERYONE. This happens all the time. Moreover, if your e-mail is FOIL’ed or subpoenaed you may find yourself in an embarrassing situation.
- Everyone on your staff should be using business e-mail for business purposes, and personal e-mail for personal purposes. Don’t cooperate with bad actors by communicating about a business issue to a personal e-mail account.
- Consider an e-mail archiving solution and have it configured to comply with all applicable regulations affecting your operation.
- Consider whether or not a DLP (Data Loss Prevention) solution would make sense for your organization.
If you require assistance determining appropriate e-mail and acceptable use policies, send me an e-mail at email@example.com.
Read more about IT Governance issues at http://blog.e-volvellc.com. If you are snowed in and want to read about hubris and entitlement with a real sleaze factor, pick up a copy of Tom Wolfe’s Bonfire of the Vanities.
Copyright © Jeffrey Morgan 2016
Is your information secure?
Are your organization’s information assets absolutely secure? Do your staff and contractors assure you that everything is safe? How do they know? And how about all those paper files? Is confidential data appropriately labeled and stored in a secure, locked and monitored facility? How do you know? How would anyone even know if there was a breach?
The role of IT Staff
I have sat in meetings with IT Staff who have sworn up and down that the network is secure without any facts or data to support that assertion. What are your IT staff and contractors doing every day to ensure that your information is secure? And what about staff that maintain other types of physical instruments and records?
The role of vendors
I have also sat in many meetings with security vendors who have made outrageous and patently false statements, like “our product is HIPAA compliant.” (There is no such thing. The HIPAA Security Rule is a federal regulation that describes the framework for developing a security policy for certain types of information and organizations. HIPAA is purposely technology- and vendor-neutral.) Every security vendor wants you to believe that they are selling a magical product that will keep your organization secure from all the evils that result from being connected to the entire world through the Internet.
There are no magic products
The truth of the matter is that there are no products or services that will inherently ensure and maintain the confidentiality, integrity and availability (CIA) of your information. Information Security is about process, policy, procedure, and training rather than about installing products. A successful security program comes as a result of looking closely at both the macro view and the micro details and taking appropriate, thoughtful actions using a cycle of continuous improvement. Security products might be a part of your overall security strategy, but without sensible policies, procedures, and training the products themselves are unlikely to produce the desired, advertised result.
Do you have a Comprehensive Information Security Policy?
If you are larger than a Mom and Pop operation, you should have a Comprehensive Information Security Policy. If you are running a municipality or corporation with dozens or hundreds of employees, the lack of such a policy probably constitutes organizational malpractice or malfeasance at some level. Moreover, your policy shouldn’t be just a dusty book on the shelf – all your employees should have had training on and understand the policy.
You can wait for a catastrophic security event to wake your organization up, or you can take action now to prevent an embarrassing and costly revelation. For instance, if your organization is required to comply with HIPAA, the wake-up call could come in the form of a multi-million dollar fine from HHS or civil litigation. Or you might end up paying ransom to buy back your data from data pirates. These risks are real and well documented.
How do I get started with a Security Policy?
There are many options for developing a comprehensive information security policy. You can purchase kits, buy books, hire consultants, etc. You can do it yourself, or contract it out, but the process will be largely the same either way. I will give you a 40,000-foot view and you can decide how to proceed. Other than time, the initial costs should not be high, but securing your information infrastructure will definitely have some impact on your budget, albeit less than the eventual cost of not addressing security. Even if this is a DIY project, outsourcing some aspects is probably appropriate unless you have staff members who have been extensively trained in information security domains and disciplines.
Make sure the right people are at the table!
This is NOT an Information Technology project. It is a critical enterprise business, policy and security project, so you want to make sure you have the appropriate stakeholders at the table. Establish a multi-disciplinary committee to participate in the process. Managers and Department Heads from different departments may provide illuminating perspectives and the group must also include rank and file members of your staff who actually do the work (AKA the minions). Staff members with security and military backgrounds may have much to contribute. People who may have had experience in highly regulated industries, such as Pharmaceutical, Insurance, Medical, Public and Mental Health, and Law Enforcement may also have much to contribute to the process. HR and Legal must be at the table. I am certain that your organization has untapped, expert resources, so find them and use them.
Inventory your Assets
Once your Information Security Committee is assembled, it’s time to get to work. The first step is going to be a Risk Assessment. Since you have already established your Information Security committee, begin the Risk Assessment process by cataloging and categorizing all your information resources. Information in this catalog may include paper files, network and computer files including backups, archival and historical records, microfilm, tax records, specifications, etc. There are payroll records, health insurance records, possibly protected medical information, HR information, meeting records, AR and AP records. All of these records may contain information protected by local, state or federal statute. There may be proprietary information related to manufacturing or other information such as videos, films, or sound recordings that you may want or need to protect in some way. Use an interrogative process to identify, catalog, and categorize all this information. The output of this process should be a detailed document that clearly identifies all of these assets.
It may be appropriate to contract a qualified consultant for the Risk Assessment process. Why? Regardless of how intelligent and qualified the members of your staff are, they are probably immersed in your organizational culture. They may have biases and make assumptions because “we have always done it this way.” Outsiders may be able to see past the assumptions and biases that your staff members can’t.
Once you have completed this process, you will almost certainly have found information that you didn’t even know you had. If you found sensitive information without any plan for protecting it, you might have trouble sleeping until your committee comes up with a plan.
Once you know which types of information you are responsible for, ask yourself and the Subject Matter Experts on your committee what statutes apply. There are at least a handful of regulations that always apply, and there may be dozens of regulations dealing with specific kinds of data that you have to consider. You probably also found information not protected by statute that needs to be addressed. Do your current policies cover all the information in your catalog? In a subsequent article, I will continue with the next steps for securing your information.
The thinking of your staff will not change overnight.
If you want to discuss Information Security in your organization, send me an e-mail at firstname.lastname@example.org.
Copyright © Jeffrey Morgan 2015