MANAGEMENT MOXIE Nimble News

The Path to Better Information Safety
by Kevin Peters
Guest Author from Recordsoft


The Department of Homeland Security recently reported Internet crime loss complaints in the U.S. more than doubled from 2008 to 2009, totaling just over $1.5 million per day. Stolen social security numbers and credit card numbers are routinely sold on the black market, while stolen bank account numbers and financial account numbers are used by criminals to drain accounts.

Cybercrime is an ever-growing business threat and Recordsoft has a series of affordable, actionable steps to help protect both you and your clients. For information on their computer security services, contact info@recordsoft.com. For legal questions on your WISP, or other workplace matters, contact Foley & Foley at mike@foleylawpractice.com.

With the new Privacy Law, 201 CMR 17, Massachusetts is taking the lead in the nation to combat this rising epidemic. In complying with the law, you should have adopted a Written Information Security Plan ("WISP") which is the foundation for protecting your clients, your employees, and your business reputation.

Your WISP contains a number of security-related policies and procedures that you must integrate into your business. The technical controls of your WISP often represent uncharted territory. Our approach is to break the technical control implementation into three basic steps:

  1. Assess the current environment
  2. Mitigate current exposures
  3. Establish ongoing reporting and accountability controls.

Assess the Current Environment
This establishes a starting point and helps identify possible risks. By performing a complete inventory and assessment of all computers and networking equipment, the goal is to identify the gap between what is required by the WISP and your current technology infrastructure.

The assessment can be eye-opening. While performing numerous assessments, we've had some interesting, and sometimes surprising, discussions, such as:

    "What do you mean they didn't like the company provided computer and brought one from home?"

    "My prior IT support company can still log into my server remotely? I had no idea."

    "Our anti-virus software hasn't been updated for 2 years?"

    "My back-up has not run correctly for the last six months?"

    "On-line gambling software? You're kidding, right?"

    "No, I didn't know he had turned off auto-update because it was too time consuming. It's not good to be three years behind on operating system patches, is it?"

The difficulty here is not really in the fixing, but in the finding. Our experience has been that it's far better to have these "interesting" conversations with us than with State Officials.

Mitigate Current Exposures
This phase closes the gap, bringing you into compliance with your WISP. It often includes updating operating systems and applications and verifying adequate password protection and access control to personal information.

Establish Ongoing Reporting and Accountability Controls
The only way to remain in compliance with your WISP, and to create a safe environment, is to establish ongoing reporting and corrective controls. Your WISP has identified a data security coordinator who is ultimately responsible for maintaining compliance. Since this is rarely a full-time position, WISP-related responsibilities tend to seem non-urgent and drop to the bottom of to-do lists. Consequently, we recommend using automated tools to identify weaknesses in a timely manner and also to create an audit trail that demonstrates WISP compliance.
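As an added illustration of the assessment and ongoing-monitoring steps above (this is example code written for this page, not a Recordsoft tool or anything from the original article), the script below compares a small constructed inventory against a set of WISP-style checks and writes one audit-trail record per machine. The inventory deliberately mirrors the findings quoted earlier: a home laptop on the network, a former IT vendor's remote account still present, stale anti-virus definitions, a backup that has not succeeded, unapproved software, and years-old patches. The thresholds, host names, account names and approved-software list are all assumptions for the example; 201 CMR 17 does not prescribe numeric values.

```python
"""Constructed WISP compliance-gap check with an audit trail (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Thresholds are assumptions for this example; the regulation sets no numeric values.
MAX_PATCH_AGE_DAYS = 30      # OS patches older than this are reported as a gap
MAX_AV_AGE_DAYS = 7          # anti-virus definitions older than this are a gap
MAX_BACKUP_AGE_DAYS = 1      # last successful backup older than this is a gap
# Hypothetical approved-software list the WISP would maintain.
APPROVED_SOFTWARE = {"office-suite", "accounting", "email-client", "antivirus"}


@dataclass
class Host:
    name: str
    company_owned: bool                  # False = personally owned device found on the network
    last_os_patch: date
    last_av_update: date
    last_good_backup: Optional[date]     # None = no successful backup on record
    remote_accounts: List[str]           # accounts that can currently log in remotely
    approved_remote_accounts: List[str]  # accounts the WISP says should be able to
    installed_software: List[str]


def find_gaps(host: Host, today: date) -> List[str]:
    """Compare one host against the WISP requirements; return a list of gap codes."""
    gaps: List[str] = []
    if not host.company_owned:
        gaps.append("unmanaged-device")
    if (today - host.last_os_patch).days > MAX_PATCH_AGE_DAYS:
        gaps.append("os-patches-stale")
    if (today - host.last_av_update).days > MAX_AV_AGE_DAYS:
        gaps.append("antivirus-stale")
    if host.last_good_backup is None or (today - host.last_good_backup).days > MAX_BACKUP_AGE_DAYS:
        gaps.append("backup-failing")
    for acct in host.remote_accounts:
        if acct not in host.approved_remote_accounts:
            gaps.append(f"unapproved-remote-access:{acct}")
    for sw in host.installed_software:
        if sw not in APPROVED_SOFTWARE:
            gaps.append(f"unapproved-software:{sw}")
    return gaps


def audit_record(host: Host, gaps: List[str], today: date) -> dict:
    """One audit-trail entry: what was checked, when, and what was found."""
    return {"date": today.isoformat(), "host": host.name,
            "compliant": not gaps, "gaps": gaps}


def run_assessment(hosts: List[Host], today: date) -> List[dict]:
    """Assess every host and return the audit-trail records (append these to a log)."""
    return [audit_record(h, find_gaps(h, today), today) for h in hosts]


# Constructed inventory mirroring the findings quoted in the article.
TODAY = date(2010, 6, 1)
INVENTORY = [
    Host("front-desk-pc", True, date(2010, 5, 20), date(2010, 5, 31), date(2010, 5, 31),
         ["owner"], ["owner"], ["office-suite", "email-client", "antivirus"]),
    # Patches years behind, AV two years stale, backup not run for months, old vendor account.
    Host("file-server", True, date(2007, 4, 1), date(2008, 5, 1), date(2009, 12, 1),
         ["owner", "old-it-vendor"], ["owner"], ["accounting", "antivirus"]),
    # Personally owned laptop, never backed up, with gambling software installed.
    Host("bobs-home-laptop", False, date(2010, 5, 25), date(2010, 5, 30), None,
         [], [], ["office-suite", "online-poker"]),
]

if __name__ == "__main__":
    for record in run_assessment(INVENTORY, TODAY):
        print(json.dumps(record))
```

Running the script on a schedule and appending each JSON line to a log gives the data security coordinator both a timely list of weaknesses to act on and the dated evidence of checking that the article recommends keeping.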

The Bottom Line
There is a lot of discussion and uncertainty on how the state will audit and enforce compliance with 201 CMR 17. One topic that is not open to discussion is that if you experience a data breach, you will be subject to significant fines and will have a lot of explaining to do to your clients and employees. As such, it is vital that you embrace the controls within your WISP, develop methods to remain in compliance, and continue to maintain a safe computing environment in the face of rising cybercrime threats.

How can we help? www.foleylawpractice.com



© 2008 FOLEY & FOLEY, PC, ALL RIGHTS RESERVED
