Information Security: Keeping Data Safe
FEI Research Foundation
Issue Alert
September 2002
Information Security Kee...
39 downloads
860 Views
173KB Size
Report
This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!
Report copyright / DMCA form
Information Security: Keeping Data Safe
FEI Research Foundation
Issue Alert
September 2002
Information Security Keeping Data Safe
fei research foundation
Purpose Threats to information security come in a variety of guises, from inside and outside a company. Through research and interviews with finance and security executives, the FEI Research Foundation has categorized the threats as system, process and people risks. Numerous examples of problems and solutions are included.
As information becomes more plentiful and more readily available, the likelihood increases that a company has experienced or will experience a loss from an information security breach. Companies must consider security issues relating not only to financial information, but to customer, product, and company information. Financial executives need not be security experts, but managing systems, people and processes exposes any executive to the risk of a security breach in any one of these areas. The media regularly include stories about organizations’ lapses in protecting information. Eli Lilly was recently reprimanded by several states and the Federal Trade Commission for an admitted “human error,” when a Prozacrelated email sent to almost seven hundred Prozac users disclosed the names of the other users. An example of a costly and embarrassing information leak was the voicemail sent to Hewlett-Packard’s (HP) Chief Financial Officer by Carly Fiorina, HP’s Chief Executive Officer, during the HP/Compaq merger negotiations. The voicemail was leaked to the San Jose Mercury News and eventually became public knowledge. The annual “Computer Crime and Security Survey” conducted by the Computer Security Institute (CSI) with participation from the FBI, revealed that 90% of respondents detected computer security breaches in the last twelve months and 80% acknowledged financial losses due to these breaches. Theft of proprietary information was the reason cited for most serious financial losses. Information Security and Internal Controls A system of internal controls is the primary means for a company to maintain information security. “A policy framework (management controls) is the first step for a corporation in achieving security,” says Nancy Wong, Deputy Director of the Critical Infrastructure Assurance Office, a part of the U.S Department of Commerce’s Bureau of Industry and Security that focuses on educating organizations in security for critical infrastructure. Executive management teams who do not feel secure with their companies’ ability to protect its information will have a difficult time in the current environment. Consider that Section 404 of the Sarbanes-Oxley Act requires management to
The FEI Research Foundation report on its internal control structure. Lack of controls to protect company
information will make signing off on an adequate internal control structure
difficult. Wong highlights other risk implications arising from current events, “Terrorism's primary target within the U.S. is our economy, unlike the Cold War, where superpowers could face off against each other on the military battlefield.” In some cases losses that cannot be measured monetarily, such as the HP voicemail leak, may have a more significant impact. Executives should weigh risk of loss against the cost of protection, using a systematic method for proper assessment of information security. Wong suggests that where security is concerned, “Each senior management position in a corporation has a role to play in information security, consistent and defined for that position's governance role in the corporation. This situation is no different than assumed responsibilities for other more traditional internal management controls.” In order to break this task into more manageable components, an executive could group risks as inherent to systems, processes and people.
System Risks Most companies have identified the basics needed in any network: a firewall, anti-virus software, offsite back ups and physical security of servers and other equipment. In fact, the market for Internet security software alone is expected to reach $14.6 billion by 2006, according to IDC, a consulting firm based in Framingham, Massachusetts. But as new technology emerges, executives must update how network security is maintained. Remote users The risk related to remote users varies based on the users’ intentions, i.e., whether they are harmful or not. Authorized users, such as a salesperson on the road accessing email from a PDA, may inadvertently expose a company to a variety of risks. A network is as secure as the equipment used to access it. An employee using a computer with no anti-virus software exposes a company’s network to viruses. Cell phones and PDAs that allow access to email or other network information also introduce new exposure to a network. For resolution to these types of problems, many security experts are looking to software packages that check a remote user’s compliance with company mandated security levels. If a remote computer attempts access to the network, but does not meet the security requirement, access is denied. The wireless aspect of remote users introduces additional system vulnerability. For example, a reporter for CIO.com accessed the wireless LAN of a random company in Boston’s business district by simply installing a wireless LAN adapter card on a laptop and walking down the street. Experts suggest that executives fully understand the risks associated with wireless information transmission prior to implementing the technology. Another area of exposure may be a “remote user” that is actually another information system. Network Computing reports that Bear Stearns addressed this risk when it installed Bloomberg software. The Bloomberg program has the ability to update information on certain Bear Stearns PCs. “We were concerned about [the Bloomberg software] accidentally overriding our software,” says Jennifer Bayuk, managing director of IT security at Bear Stearns. Bear Stearns implemented a
2
The FEI Research Foundation
software package that limited the files that Bloomberg software could update to specific Bloomberg files. The more dangerous remote user is obviously one with harmful intentions, which might include accessing confidential data to use for untoward purposes or bringing an entire system down. Because remote users can attack from anywhere in the world, they are difficult to trace and apprehend. Executives who put appropriate levels of internal controls in place, such as password security, can reduce the likelihood of an “outside” attack.
Process Risks Business processes contribute to information security risks. Several risks and suggested solutions follow. Regulatory issues Not complying with regulatory issues can be risky and expensive. The Lilly case is a good example of regulatory risks associated with information, in this case, privacy protection. Two recently enacted or introduced pieces of legislation that present exposure within certain industries are the Health Insurance Portability Accountability Act (HIPAA), which affects organizations dealing with patient information, and the Gramm-Leach-Bliley (GLB) Act, which requires financial institutions to protect their customers from breaches in information security. Rick Shaw, president and founder of CorpNet Security, Inc., a security and privacy consulting service provider, says “HIPAA covers consents for oral, written and electronic information sharing. Companies subject to these regulations need to educate all employees on HIPAA or risk the consequences.” Companies must be diligent about maintaining compliance with regulations. This can be particularly challenging for companies with a multi-state or multinational presence. For example, a company doing business internationally is subject to that country’s regulations. This presents a risk in areas like privacy, because privacy regulations in the European Union (EU) are much more stringent than those in the U. S. Specifically, the ability of companies in the EU to share customer information for direct email purposes is severely limited compared to the U.S. Regulations like these affect the way a company structures sales, customer service and marketing functions for EU citizens. Outsourcing As outsourcing becomes more prevalent, the risk associated with information security breaches increases—particularly with sensitive areas such as human resources or accounting. Companies should work closely with their outsourcing provider to ensure that the provider has a thorough understanding of information security risks and a plan for addressing them. Risks that an outsource provider may not address through technology cures may be mitigated through other internal controls. For example, a company that is outsourcing the payroll function needs to ensure that the outsource provider has controls in place to block pay raises that have not been properly approved. On the flip side, an outsource provider may result in a better internal control. For The FEI Research Foundation
3
example, Dewey Norton, longtime FEI member and former Chief Financial Officer for a company that outsourced desktop management, commented that the provider “probably did a better job of network security than the internal IT function could have,” adding that the provider had more technology expertise in the area of security. Incident Response Plan An ounce of prevention is worth a pound of cure. However, no information system is completely safe. Greg Shipley, Chief Technology Officer of Neohapsis, Inc, a security consulting firm based in Chicago, advises companies to take the first step with an incident response plan. One method used for incident response is a Computer Incident Response Team (CIRT). According to Computerworld, a CIRT’s key mission is “to orchestrate a speedy and organized company-wide response to computer threats.” Steve Romig, manager of the network security group at Ohio State University in Columbus, adds that incident response at companies without a CIRT tends to be ad hoc and costly. The Computerworld article also provides recommendations for companies to develop written procedures and policies for CIRT team members and test those policies through mock emergencies. Norton suggests that a team with dedicated people enables institutional learning around each incident. Shipley points out that having a team, per se, isn’t critical. “Some organizations can’t afford a team, but every organization can afford a plan,” he says. “The plan should include guidelines for defining incident severity and for escalating incidences to the appropriate level decision-maker.” Reading and Researching Logs Regularly An August 2002 article in Businessweek.com describes a recent incident experienced at Niku Corporation, a software developer based in Redwood City, California, that was planning a demo for Nike Corporation. On the day of the presentation, the Nike employee to whom they were presenting, received a call from Niku’s biggest competitor, Business Engine. Believing the incident to be too coincidental, Warren Leggett, Niku’s Chief Information Officer, reviewed the company’s web access logs. He found many incidences of Business Engines’ Internet addresses accessing Niku’s files via the web. It was later discovered that by using Niku employee passwords, Business Engine accessed Niku’s network more than 6000 times and downloaded approximately 1000 documents. Had review of logs been performed on a timely basis, Niku may have discovered the intrusions before so much information was stolen. Though Niku and FBI investigations are still underway, the federal court has required Business Engine to ask its business partners and customers to return any propriety information received. Many IT departments have put proper software in place to prepare logs of logon attempts or back-up procedures. However, if logs are not periodically reviewed for unusual activity, valuable information could be lost. Companies should consider establishing processes and procedures to ensure the appropriate people are reviewing these important documents on a timely basis. Shipley suggests that the vast majority of companies are not sufficiently logging. Of
4
The FEI Research Foundation
those that are, only 10% are sufficiently reviewing logs. In his article from Network Computing.com, he says IT departments are turning to security information management (SIM) products to assist them in more efficient review of their logs. SIM products collect log data and use correlation techniques to pinpoint unusual or suspicious system activity. Patrice Walker, Chief Information Officer for Fender Musical Instruments Corporation, prefers a different approach to log review, triggering "exceptions" as they occur. "Any software that provides logs should be written or modified to alert you with realtime exceptions. The trick is identifying what is an exception." For example, a company might define one exception as more than five failed logon attempts, which could indicate an intruder fishing for a password. Policy for Document Retention As a result of the Andersen trial and conviction, a company’s exposure from poorly enforced document retention policies and procedures is evident. Companies should consider revisiting existing policies to address retention of both physical and virtual documents. Periodic review of these policies can become more crucial as the form of documents change with advances in technology. Michael Overly, an attorney with Foley & Lardner and author of Document Retention in the Electronic Workplace notes that two-thirds of companies have a formal e-mail management policy. Many of these policies include parameters for deletion that save on storage space and keep system response times high.
People Risks People risks can include current and former employees, consultants, customers and vendors. Consequently, risk resulting from their use of company information can pose a challenge. Disgruntled Employees At Intel, a terminated employee disrupted automated manufacturing processes by dialing in remotely and deleting computer files. His internal access had been turned off, but his remote access had not been. According to Wong, based on statistics collected by federal law enforcement, 70% of cybercrime attacks are perpetrated by insiders. “Identity management” software helps companies manage individuals’ network access. The software serves as a central storehouse of all employee information, such as passwords, systems to which they have access, key entry cards and company cell phones. Once an employee is terminated or exhibits suspicious behavior, system management can turn off all employee access using this software. Executives can manage risk around disgruntled employees through the implementation of employee termination policies and internal controls for limiting employee access to systems and data. Shipley comments, “We see a lot of companies with poor internal controls [around information security. For example,] we have seen companies where the IT department was responsible for determining employee access levels. The business needs to take responsibility for who has access to what data.”
The FEI Research Foundation
5
Outside Consultants Most companies engage outside consultants from time to time. However, they pose an additional threat to a company because of their access to company information. Again, this risk can be mitigated through strong internal controls. A large insurance company, with a complicated IT infrastructure, regularly uses outside consultants. Before they engage a consultant, a background check is performed that is as extensive as the background check for employees. The company uses consultants from outside agencies only if the agency is a preferred vendor. If the consultant is hired through an outside agency, the agency is required to perform the same background check that the company performs. Once the consultant is engaged, they are given limited access to systems and physical locations. Poor Passwords The Niku story cited earlier provides an example of where poor passwords may have made network intrusion easier. What may further complicate poor password risk is the fact that the average person has passwords for business and personal computers, cell phones and voicemail, ATM cards, credit cards…the possibilities are endless. This leads to people using easy-to-remember passwords that represent a security hazard. An article in ZDNet News recently reported Neohapsis cracked 30% of a client’s passwords (10,000 user accounts) in one hour. They used a software program called “John the Ripper,” which was developed specifically for password cracking. Companies can minimize the risks associated with passwords by implementing simple procedures like requiring employees to change passwords every 60 days and advising employees to use different personal and business passwords. Taylor Hawes, Assistant Corporate Controller for Microsoft Corp., says “It is not adequate to have a ‘strong password’ policy, without regular review and verification to ensure that employees are following the policy.” Walker adds, “IT departments have the responsibility for enabling users to do the right thing when it comes to passwords. One way is by providing users with a single logon environment, one login that will give them access to all applicable systems.” As a result, users do not have several different complicated logon names and passwords to remember. Uninformed Employees Employees, with no harmful intentions, can expose companies to costly risks. For example, an employee sending dirty jokes to other employees could be construed as sexual harassment, leaving the door open for expensive lawsuits. Or an employee opens an email attachment unleashing a virus that wreaks havoc on a company’s network. Often, the employee has no idea about the risks associated with his or her behavior. Shaw provides employee training to help companies address this issue. “Employees should be trained in four areas: government regulations, company policies, appropriate use of technology and the consequences to them or their company for violations.” Employee training should be a continuous process particularly during
6
The FEI Research Foundation
implementation of new technology, processes or regulations. Walker suggests “Management should always communicate that it is not okay to share passwords. It is not okay to leave passwords on a post-it next to your computer screen.” In fact, all important policies related to security should be continuously communicated.
Lost or Stolen Laptops Stories of laptops stolen from hotel rooms and other examples of corporate espionage may seem made for the movies. But a stolen laptop could provide a thief with access to anything on the computer’s hard drive and network access, if the laptop has saved logon information. Software vendors have begun to address this issue. One product senses a computer’s distance from its owner. Once the owner-specified distance is exceeded, theft is assumed and the computers operating system is locked down. Another solution reports its phone location to a central system once the stolen computer is plugged into a phone line. It will report even unlisted or Caller ID blocked numbers. A good employee control is to promote the use of password protection on laptops. A company may choose to include this requirement in the policies and procedures manual and check employee laptops periodically.
Conclusion Current events are forcing executives to look at information security with renewed vigor and intensity. Executives can manage risks and threats to information security by first establishing and reinforcing an internal control structure that targets the issues. Experts agree that this involves specifically identifying what information needs protection. A company should make security a part of each system or initiative, so that all users feel responsible. That being said, having one person in charge of security is necessary. The individual tapped for security responsibility can monitor that all departments are diligent in their efforts to protect the company. A constantly changing technological and business environment makes keeping a company’s data safe a never-ending task. In order to cover all exposure areas, executives must stay abreast of external changes, such as new technologies and regulations, and internal changes.
The FEI Research Foundation
7
Upcoming and recent FEI Research Foundation releases… • • • • • • • • •
Corporate Reporting and the Internet— Understanding and Using XBRL
(FEI Member price $15.00, Non-members $40.00 )
Commercial Insurance—Strategies for Renewal (coming soon) Software Industry Discounting (coming soon) The Planning Process (coming soon) Financial Leadership (coming soon) Self-Directed Brokerage Accounts in 401(k) Plans
(free download for FEI members)
Business Performance Intelligence Software—A Market Evaluation
(free download for FEI members)
Promoting Ethical Conduct—A Review of Corporate Practices
(free download for FEI members)
MD&A Trends and Techniques—How Leading Companies Promote Transparency
(free download for FEI members)
To download selected free reports or to order publications, log on to www.fei.org/ rfbookstore or call 973-898-4612. Discounts available to FEI members and Foundation donors. *Shipping and handling charges are $4.75 per item For overseas orders, add $10.00. For overnight delivery, add $20.00.
Report authored by Tiffany McCann, CPA The FEI Research Foundation Copyright © 2002 by Financial Executives Research Foundation, Inc. All rights reserved. No part of this publication may be reproduced in any form or by any means without written permission from the publisher. Financial Executives Research Foundation, Inc. is an affiliate of Financial Executives International. The purpose of the Foundation is to sponsor research and publish informative material in the field of business management, with particular emphasis on the practice of financial management and its evolving role in the management of business.
The FEI Research Foundation is a 501(c)(3) independent nonprofit educational organization. The Foundation relies on voluntary, tax-deductible contributions from corporations, FEI chapters and individuals. The Foundation receives no portion of FEI membership dues.
10 Madison Avenue PO Box 1938 Morristown, NJ 07962-1938 973.898.4608 www.fei.org
The FEI Research Foundation