The Compliance and Ethics Blog

SCCE/HCCA

Minimizing Data Breaches Through Secure Communication

by Leave a Comment

By Brad Spannbauer
Senior Director of Product Management

You don’t need to be an IT or cybersecurity professional to know that it’s becoming increasingly difficult to protect sensitive information against the ever-advancing skills of cybercriminals. Recent high profile data breaches from the likes of Equifax, Instagram, and Verizon have done little to stem the flow of negative news stories about how major organizations are continually failing to protect their customers’ data.

Consequently, consumers today have every right to be wary about handing over their information to companies, particularly those operating in high-risk verticals. According to the most recent Data Breach Investigations Report (DBIR) by Verizon, the three most breached industry sectors in 2017 were financial services (24%), healthcare (15%), and the public sector (12%).

The report also reminds us that, despite what we see on the news, it isn’t just big brands being exposed. In fact, 61% of data breach victims in 2017 occurred in organizations with fewer than 1,000 employees. This should serve as a stark reminder to all organizations that data breaches do not discriminate.

In a world rife with cybercrime, businesses need to be proactive in guarding every aspect of their digital environments. Maintaining secure communications is an essential part of this process; as history has taught us, failing to do so can hurt a business’s reputation, its compliance with government regulators, and ultimately, its bottom line. So starting with most common forms of communication in commercial environments today – email, text messaging, and fax – what can organizations do to stay secure? [Read more…]

Reaching Across Siloes: Compliance and Cybersecurity in Partnership

by Leave a Comment

Adam Shnider
Vice President, Delivery, Coalfire

The risks posed by the continually escalating number, variety, and sophistication of cyberthreats have in many ways worked to redefine and reshape our corporate landscapes. Over the past decade, not only have business systems, processes, and procedures adapted to the omnipresent need to minimize cyber risk, organizational structures themselves have morphed right along with them. As a result of these changes in ownership of cybersecurity and cyber compliance, many organizations do not align the activities and efforts that have so many commonalities, while both functions have the goal of reducing cyber risk for the organization.

Where once IT departments were wholly charged with both systems and security, most large enterprises have added CISOs and dedicated Cybersecurity organizations to address the pressing demands of cyber defense. Simultaneously, many companies in industries rife with risk also have Chief Risk Officers, Compliance and Risk groups, or individuals tasked exclusively to address the many regulation requirements including (but not limited to) cybersecurity regulations. And coming soon, the General Data Protection Regulation-mandated Data Protection Officer will join the crowd in every organization that hosts and/or processes EU citizen data. The debate continues regarding where this staff member should report. [Read more…]

The Components of Strong Cybersecurity Plans Part Five: Penetration Testing

by Leave a Comment

By Mark Lanterman, Chief Technology Officer, Computer Forensic Services
Carolyn Engstrom, Director of Corporate Compliance

In the fifth and final installment of this cybersecurity series, I will discuss the role of penetration testing in developing a strong security program. As described in my previous four articles, a growing awareness of cybersecurity regulations, trends, and threats has led many organizations to request a penetration test of their technical infrastructure—without really knowing what that means, what its purpose is, and what degree of assurance it really offers.

When I ask if they have already conducted a security assessment, know their controls, have implemented regular vulnerability scanning, and have security auditing procedures in place, they usually respond with “That’s what we’re asking for. We want a penetration test”. In this way, penetration testing and all the other components of cybersecurity plans have become synonymous terms. This conflation is especially prevalent in small to medium-sized firms. However, each component is separate and distinct within a mature security program all serving different purposes, leveraging different methodologies, providing different levels of assurance and benefits, requiring different skills from the assessor, providing different deliverables, and are performed at different stages of a security program’s development. In order to reap the most benefit from a penetration test, the organization should be able to answer the following five questions based on the previous maturity assessment, security risk assessment, and security audits.

  • Do we know what is connected to our systems and networks at all times?
  • Do we know what software is running, or trying to run, on our systems and networks?
  • Are we continuously managing our systems using “known good” configurations?
  • Are we continuously looking for, and managing, “known bad” software?
  • Do we limit and track the people who have the administrative privileges to change, bypass, or over-ride our security settings?

A penetration test is an attempt to defeat boundary defenses and gain access to an organization’s internal network by exploiting vulnerabilities. This test is used to determine whether an unmitigated risk exists. In this sense, it tests whether an outside attacker could bypass perimeter controls, gain access to the internal network, and establish command and control capabilities. Many techniques can be employed during a penetration test including vulnerability scanning and social engineering attacks.

Social engineering attacks are targeted at exploiting the human vulnerabilities in an organization. Spear phishing emails, unauthorized issuing of credentials, and taking advantage of physical vulnerabilities can all be examples of ways in which an assessor will use social engineering during a penetration test.

If a security assessor is unable to stage a successful penetration test, this confirms that, taken as a whole, internal controls are operating effectively to externally protect the organization from threats. With these results, management may mistakenly assume that the organization is secure. However, unlike broader security audits, a penetration test provides limited assurance to a specific point in time. Depending on the timeline, results could vary substantially. A penetration test conducted one day could fail to reveal serious vulnerabilities that appear the next day. Risk levels are always changing, which is part of why a complete understanding achieved through maturity assessments, security assessments, security auditing, and regular vulnerability scanning is so critical. Penetration testing provides only a glimpse of an organization’s overall security posture.

Ultimately, a penetration test is only a fraction of developing a strong cybersecurity plan. However, the fact remains that it is very important and these tests are frequently required for compliance with regulations. A penetration test’s objective is essentially to circumvent security controls, providing a different perspective than other security audit measures. Therefore, penetration testing may uncover issues that a traditional security audit or assessment may not.

In conclusion, complete security plans incorporate a number of factors, all of which are important in establishing a strong cybersecurity posture. Each stage and technique of the process ought to be regularly conducted in order to provide baselines and comparisons for improvement. But it should be noted that in spite of an organization’s best efforts, no security policy is perfect. Given the constantly changing nature of technology and its inherent risks, security policies have to evolve to meet the demands of our digital landscape.

[clickToTweet tweet=”The Components of Strong Cybersecurity Plans Part Five: Penetration Testing ” quote=”The Components of Strong Cybersecurity Plans Part Five: Penetration Testing ” theme=”style3″]

Information Security (InfoSec) for the Compliance Professional [SlideShare]

by Leave a Comment

By Doug Stupca
Social Media Coordinator at SCCE/HCCA
Original Presentation by Jim Donaldson

Here is “Information Security for the Compliance Professional” from the 2016 Compliance & Ethics Institute on our SlideShare page. This presentation highlights:

  • Security from the ground-up – Understanding the necessary elements of every InfoSec program regardless of organization size and complexity.
  • You can’t have privacy without an effective InfoSec program – how to hardwire your privacy and InfoSec efforts for ultimate data protection.
  • It’s all in the documentation – how to document your InfoSec program in a way that demonstrates compliance.

Enjoy!

The 2017 Compliance & Ethics Institute will be held October 15 – 18 in Las Vegas, NV.  Details here.

5 Ways to Enhance Information Security Compliance

by Leave a Comment

john_o_brienBy John O’Brien
JOBrien@interactiveservices.com

Before writing this article, I typed the term ‘security hack’ into Google. And the results? Over 160,000 articles. But you probably know this already if you work in the public sector or regulated industries such as utilities, legal or financial services.

This article highlights five ways to take your information security compliance to the next level. These principles are not simply about protecting yourself against prosecution from information security regulators, but they can also safeguard against reputational or financial damage to your organization.

  1. Information Security Policy Compliance Training

Every organization is obliged by law to have an information security compliance policy in place that provides a range of steps and measures to be followed and adhered to. If these policies are not in place and in practice, regulators reserve the right to prosecute your business.

But compliance is not just about having a policy in place – it needs to be a living, breathing part of the organization, and the most direct route to this is by providing formal compliance training. Training needs to be addressed at all staff levels, and should be updated regularly to take new risks or new responses into account.

  1. Access Prevention

Prevention is better than cure, so you need to constantly focus on the security measures you put in place to prevent unauthorized access to sensitive data. This could be anything from updating your level of encryption to improving the storage security of administrative passwords. Access allowance and rules should also be made clear to all employees as part of their regular Information Security Compliance Training programs.

  1. Carry Out Regular Audit Reports

The threats to security are continuously changing and evolving, so it’s important that your organization carries out regular audit reports to assess the robustness of your information security – and the measures you’re taking to keep it up-to-date. If it can’t be measured, it can’t be managed – so having an accurate audit at regular intervals allows you to decide ‘what comes next’ in terms of your overall data security plan.

  1. Response and Remediation Plan

Plan for when a security breach will take place – rather than if it takes place. That way, you’re prepared for the worst, and can also have a detailed response and remediation plan in place. How effectively and how quickly you respond to a breach can define how serious your organization is about data security and protecting the reputation of your business. Your compliance training program should prepare employees for potential breaches and highlight the importance of being on high alert. Cyber-attacks on data security are now at an all-time high so being extra vigilant is essential.

  1. Have Insurance In Place

If you accept the premise that all organizations will eventually succumb to a security breach, it follows that you need to have formal insurance measures in place – both for your business and for any of your customers who may be impacted by the breach. Response expense coverage can help to quickly restore confidence in your organization through notification to impacted customers or clients, public relations costs, legal and liability expenses.

The repercussions of a data security breach could far outweigh the cost, time and effort involved in implementing an effective information security strategy. Taking precautions to safeguard the data of you and your customers is a matter of protecting the integrity, reputation and ongoing success of your business.

Is information security a priority for your organization? If not, it should be!

John is Marketing Manager for Interactive Services, an award-winning developer of compliance training solutions for the world’s leading organizations. Our Compliance Learning Center is an innovative compliance training solution that enables client organizations to access all of their employee compliance training content one platform – Information Security, Insider Trading, AML, ABC, Workplace Conduct and more.

Twitter: @Learn_IS

Email: jobrien@interactiveservices.com