Archive for April, 2007

More On the Real ID Act

Wednesday, April 4th, 2007

It’s always gratifying to post your thoughts in a blog and then see it validated somewhere else.

A few weeks back, I shared my thoughts on why the Real ID Act was a really bad idea. In a recent edition of GCN, columnist William Jackson offered similar opinions to mine.

In his commentary, Jackson makes these important points:

  1. The Real ID Act is an unfunded mandate
  2. While the deadline for implementation is May 2008, Homeland Security has yet to release compliance regulations for the Act
  3. The Real ID Act requires interconnected databases of personal information on each of the 245 million people receiving cards, with absolutely no safeguards on the data or how it can be used
  4. The Real ID Act was passed without debate – it was slipped into a spending bill that provided relief funding for troops and tsunami relief

While 25 states are either urging Congress to repeal or reform the law, only Maine has actually passed a resolution refusing to comply.

I agree with Jackson: the issue is not what can be done to delay or reshape the act, as some in both the House and Senate are attempting to do, but whether a national ID is advisable at all.

We all must understand – this is legislation that has passed. Without action, it will be implemented in just over a year.

No one should let that happen…

How IT Can Minimize Gift Card Fraud

Tuesday, April 3rd, 2007

Frank Hayes, senior news columnist at Computerworld, is one of those writers who make you want to read a magazine from the back to the front. Hayes’ column, Frankly Speaking, appears at the very back of each edition and is almost always a “must read.”

Last week, Hayes’ column, 8 Million Reasons, really struck a chord with me. Sometimes we spend so much time trying to blame somebody for problems, we fail to make the effort to identify ways to solve the problem.

One of the revelations coming from the TJX breach was the arrest of a Florida gang who had used some of the stolen cardholder information to obtain at least $8 million in Wal-Mart gift cards. Hayes identifies two key areas where IT could have thwarted or at least minimized the gift card scam.

  1. After credit cards are reported stolen and have been deactivated, retailers should use the list of stolen card numbers to automatically search their own recent transactions for suspicious activity – such as sales of gift cards. If they find gift cards that were purchased with stolen cardholder information, they could deactivate those gift cards and recover some of the money.
  2. Even if fraudulently purchased gift cards have already been spent, the transactions they paid for could be flagged so that, if the merchandise is brought back for a refund, it is spotted at that point. Again, merchandise is recovered and there is no further cash loss from paying out a refund.
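
The two steps above, written out as an added example (not code from Hayes’ column or from any retailer’s system): the stolen-card list is joined against recent gift card sales to deactivate the gift cards bought with stolen numbers, and a refund check then looks up whether the returned merchandise was paid for with one of those deactivated cards. The tables, card numbers and transactions are constructed sample data.

```python
import sqlite3
# Constructed sample data (not from the article); card numbers are placeholders.
STOLEN_CARDS = ["4111-0001", "4111-0002"]
TRANSACTIONS = [  # (txn_id, card_number, item, amount, txn_date)
    ("t1", "4111-0001", "GIFT_CARD", 500.0, "2007-03-01"),
    ("t2", "4111-0003", "GIFT_CARD", 100.0, "2007-03-01"),
    ("t3", "4111-0002", "TV", 900.0, "2007-03-02"),
    ("t4", "4111-0002", "GIFT_CARD", 250.0, "2007-03-03"),
]
GIFT_CARDS = [("g100", "t1"), ("g101", "t2"), ("g102", "t4")]  # (gift_card_id, purchase_txn)
GIFT_CARD_PURCHASES = [("p1", "g100", "LAPTOP"), ("p2", "g101", "PHONE")]  # paid with gift card

def build_db():
    # Load the constructed sample into an in-memory SQLite database.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE stolen_cards(card_number TEXT PRIMARY KEY);
        CREATE TABLE transactions(txn_id TEXT, card_number TEXT, item TEXT,
                                  amount REAL, txn_date TEXT);
        CREATE TABLE gift_cards(gift_card_id TEXT PRIMARY KEY, purchase_txn TEXT,
                                active INTEGER DEFAULT 1);
        CREATE TABLE gift_card_purchases(purchase_id TEXT, gift_card_id TEXT, item TEXT);
    """)
    db.executemany("INSERT INTO stolen_cards VALUES (?)", [(c,) for c in STOLEN_CARDS])
    db.executemany("INSERT INTO transactions VALUES (?,?,?,?,?)", TRANSACTIONS)
    db.executemany("INSERT INTO gift_cards(gift_card_id, purchase_txn) VALUES (?,?)", GIFT_CARDS)
    db.executemany("INSERT INTO gift_card_purchases VALUES (?,?,?)", GIFT_CARD_PURCHASES)
    return db

def deactivate_suspect_gift_cards(db):
    """Step 1: join the stolen-card list against gift card sales and deactivate the
    gift cards bought with a stolen number. Returns [(gift_card_id, amount), ...]."""
    hits = db.execute("""
        SELECT g.gift_card_id, t.amount FROM transactions t
        JOIN stolen_cards s ON s.card_number = t.card_number
        JOIN gift_cards g ON g.purchase_txn = t.txn_id
        WHERE t.item = 'GIFT_CARD' AND g.active = 1
    """).fetchall()
    db.executemany("UPDATE gift_cards SET active = 0 WHERE gift_card_id = ?",
                   [(gid,) for gid, _ in hits])
    return hits

def refund_needs_review(db, purchase_id):
    """Step 2: hold a refund when the merchandise was paid for with a deactivated gift card."""
    row = db.execute("""
        SELECT g.active FROM gift_card_purchases p JOIN gift_cards g ON g.gift_card_id = p.gift_card_id
        WHERE p.purchase_id = ?
    """, (purchase_id,)).fetchone()
    return row is not None and row[0] == 0
```

Both functions only flag activity for review; a stolen card number does not by itself prove that every transaction on it was fraudulent, so the hits should feed a human or fraud-team decision rather than an automatic chargeback.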

Hayes points out that IT has the ability to make this all possible automatically and continuously. The data is there, but the software and database performance isn’t.

It’s easy to point fingers in a case like TJX. The hard part is to do something about it. Taking steps to blunt the gift card scam is one really positive way to help blunt the value of stolen cardholder data.

Lessons from the DuPont Data Theft

Monday, April 2nd, 2007

Gary Min is the 43-year-old former senior scientist from DuPont who pled guilty to misappropriating $400 million worth of proprietary information. Min was due in court this past Thursday to receive his sentence.

In a Computerworld story, Jaikumar Vijayan identifies six steps to take to mitigate the risks of insider threats and keep track of what’s going on inside the firewall.

  1. Get a handle on the data
  2. Monitor content in motion
  3. Keep an eye on databases
  4. Limit user privileges
  5. Cover those endpoints
  6. Centralize your intellectual property data

Clearly, a list like this simplifies the real challenge each point represents, but it does remind us that we need to know what we have for data, when it changes, who can access it, and where it’s located. All of this requires constant visibility into your enterprise, down to the configuration level.

In the case of Min, it is now known that he downloaded and accessed more than 15 times as many documents as the next most active user of the system. Information like this can and should be tracked far sooner than it was in DuPont’s case. Min’s activities were not discovered until he was already working for a rival company.

Read Vijayan’s article and see how well you’re doing following his six points…and how many more you might add to his list!
