IT Best Practices and Compliance Reporting Information

I was reading an article on the IT security risk of portable storage devices. Knowing that regulations like HIPAA (Health Information Portability and Accountability Act) and GLBA (Gramm-Leach-Bliley Act) require the protection of data on any removable media, I was more than slightly surprised by what I read.

Eric Ouellet, an analyst at Gartner Inc., was quoted as saying only about 10% of companies have any policies dealing with removable storage devices. “It’s actually a fairly big problem,” Ouellet said. “It’s just a matter of time before we hear about someone losing data because of this.” As John Webster, an analyst at Data Mobility Group LLC in Nashua, NH, said, “An iPod is just storage at the end of a wire. USB storage devices are a potential source of data leakage.”

The proliferation of USB storage devices, their small size, and, seemingly benign use, particularly an iPod or digital camera, would make these prime for misuse. Given the potential security risk, unwanted publicity from a breach, and the penalties for non-compliance, isn’t it time that the other 90% of companies did something about access control over end-point devices?

A news story Thursday revealed a hacker gained illegal access to a Georgia Technology Authority (GTA) database containing confidential information on more than 570,000 members of the state’s pension plans. According to Joyce Goldberg, a GTA spokeswoman, the hacker used “sophisticated hacking tools” to break through several layers of security after initially accessing the server hosting the database via an unpatched flaw in a “widely used security program.”

This incident underscores the threat hackers present as their techniques for illegally accessing systems grow more sophisticated. Firewalls, routers and even anti-virus and anti-spam software are all beneficial in curbing attacks, but they are not a full deterrent to a serious hacker. 

The disclosure that the initial entry point for this attack was an unpatched security software product reveals the need for the patch management process to include more than just Microsoft patches. Companies now must have a patch management solution that automates the deployment of non-Microsoft patches. Realizing more companies are improving their patching process, hackers have apparently moved on to other, less obvious targets.

An additional lesson learned from this particular breach was the ability of the hacker to break through multiple layers of security once inside the server.  Companies must establish and maintain strict security configuration controls through the entire infrastructure, including operating systems, database management systems, applications, mail servers and network devices.

Any business or organization must become even more proactive if they want to thwart the next hacker. All the hackers have to do is win once and you’ll be the next headline.

Another law aimed at protecting data is closer to enactment. With the approval of The Personal Data Privacy and Security Act, also called the Specter-Leahy Act, by a Senate panel last week, it’s clear that even more corporate emphasis will be placed on ensuring data protection.

In an interview on SearchCIO.com, University of California, San Diego professor Dr. Roger Bohn said, “This bill is actually an effort to preempt and standardize what California started with SB 1386, a law that says that if there's a breach of your personal information by any company, that company has to notify you that your information has been breached.”

Bohn was asked what impact this law would have on organizations. “I think it's going to be comparable to what SOX has set off, which is years of thinking about it and software development, and developing and implementing procedures, putting in auditing systems, and so forth”, he stated.

Knowing the extraordinary expense associated with the first year of Sarbanes-Oxley audits, it’s imperative that companies and organizations are more proactive in implementing system-wide controls around critical data.

If you haven’t explored an automated solution to identify, track, and report on key security configuration information, it’s time to begin your search.  It’s safe to assume the Specter-Leahy Act won’t be the final piece of legislation governing data protection.