5870 West Jefferson Blvd., Suite A
Los Angeles, CA 90016
Tel: 310.815.8855
Fax: 310.815.8808
info@OnlineSecurity.com
© 2008 Online Security
All rights reserved.
Forum | Posted: 08/01/2003
Compliance: Finding Your Areas of Exposure
By Lucie Trepanier, Senior Product

Companies spend millions building brand equity, increasing the customer base and maintaining their reputation in the marketplace. One click of the mouse can destroy it all in an instant. Imagine the following scenarios in your organization.
- An employee downloads KaZaA, a peer-to-peer file sharing application, to their computer for music file sharing and inadvertently shares company files (financial data, employee personal data, competitive data) with millions of KaZaA users.
- The main network is hacked and software is installed to monitor and record every keystroke, exposing passwords used to access secure systems.
- A disgruntled employee emails a spreadsheet of all employees with personal information (social security numbers, salaries, addresses) to their home email account with the intent to participate in identity theft.
While many IT groups firmly believe that they are covered through existing security technology, have locked down all possible access from the outside and have blocked any sites that are inappropriate to view from the inside, the reality is that information security gaps will always exist. Great security at a specific point in time loses its effectiveness over time. The environment is not static, so good security cannot be static. With ever-changing forms of communication (instant messaging (IM), chat, bulletin boards, email, web-based email, peer-to-peer (P2P) file sharing and much more) comes a greater risk of exposure to information security breaches.
These confidential information leaks become significant when identified as infractions against regulatory compliance such as the Gramm-Leach-Bliley Act (GLBA) for the financial services industry or Bill SB 1386 for any organization with customers who are California residents.
GLBA provides a formal framework of administrative, technical and physical safeguards that must be implemented to:
- Insure the security and confidentiality of customer information
- Protect against anticipated threats or hazards to such records
- Protect against unauthorized access to or use of customer information which could result in harm or inconvenience to the customer.
SB 1386 mandates that any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
To comply with such regulations, your information security plan must include the technology infrastructure as well as a comprehensive training and awareness program for employees. The best technologies in the world won't protect your most valuable asset, your data, if your employees are not trained on proper procedure in handling customer information and made aware of the ramifications should an information security breach occur.
But how do you ensure that you've not only created a comprehensive information security infrastructure, but also have a check-and-balance mechanism in place to assure senior-level executives that the technology and procedures for handling customer data are working? The answer is, you can't, unless you are continuously monitoring all forms of Internet traffic around the clock.
- The latest CSI/FBI study reveals that theft of proprietary information caused the greatest financial loss ($70,195,900 was lost, with the average reported loss being approximately $2.7 million).
If such a theft were to happen, not only would your company bear the direct loss, but what about your reputation in the marketplace? If your customers knew that there had been a security breach and their data was exposed, allowing for the possibility of identity theft, how long might they stay with your company, whether that be a bank, investment firm, hospital or insurance company? When customers go away, so does revenue.
Having the ability to monitor continuously for infractions of confidential information leaks provides several benefits:
- Deters employees from malicious activity on the network: internal hacks, sending of unauthorized customer or confidential data across the network unencrypted
- Exposes security gaps in the network
- Provides the check-and-balance system needed to continuously monitor for information security leaks relative to regulatory compliance.
Now more than ever, it's important that CEOs, CFOs and all senior-level executives take responsibility for the activities taking place on their organization's networks. A proactive approach (enforcing appropriate use policies and compliance regulations, and monitoring for information security breaches) will mitigate corporate exposure and liability.
An organization having such a solution in place could see a large and immediate Return on Investment (ROI). The questions to ask yourself are, "What is this business worth?" and "What is my reputation worth?" Imagine the scenarios above and what the cost would be for a class action lawsuit for disclosing hundreds of clients' personal information, a sexual harassment lawsuit or the rebuilding of your network after passwords were accessed and data destroyed.
There are several solutions on the market today which can provide a portion of the total solution needed. However, Vericept provides the only turnkey approach through comprehensive content monitoring across all network traffic. Whether there are compliance requirements such as GLBA in the financial services industry, the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare industry, general Appropriate Use Policies (AUP) within an organization, and now SB 1386, Vericept provides a proactive method to enforce these policies and remain in compliance.
Vericept works within multiple areas of an organization: Information Security, General Counsel, Internal Audits, Human Resources and Compliance. "Our solutions put teeth in corporate appropriate use and compliance policies," says Tery Larrew, President and CEO of Vericept. "We monitor, capture and report on infractions against those policies, giving management the data they need to take action, whether that be preventing an insider hack or finding the person who is selling customer data." One can think of Vericept solutions as a test against an organization's information security infrastructure, showing how well existing policies work as well as where the security holes might be in the network.
Vericept's approach? A sophisticated patent-pending linguistics analysis engine combined with a packet sniffer and reporting tool. The key differentiator is the ability to monitor all types of Internet traffic: email, web-based email, IM, chat, P2P, telnet, FTP and bulletin board postings. With simple front-end installation as well as back-end reporting, the linguistics analysis engine sits behind the firewall, passively analyzing packets of information based on pre-defined categories.
Innocuous data is cast aside, while that which is flagged as inappropriate is stored. Reports are automatically generated showing not only high level events within each category, but also detailed content for each user and each instance of an infraction.
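The monitoring loop described above (classify each captured record against pre-defined categories, discard the innocuous ones, store the flagged ones, and roll them up per category and per user) is easy to sketch in code. The following is an added illustration written for this page; it is not Vericept's engine or any part of its product. It assumes that traffic has already been reassembled into message records, and the three categories, the regular expressions and the sample records are all constructed for the example. The credit-card category also shows the kind of validation step (a Luhn checksum) that keeps a category from flagging every long run of digits.

```python
"""Toy content monitor: classify message records against pre-defined
categories, keep only flagged records and summarise them for reporting.
Illustrative code written for this article, not Vericept's engine."""
import re
from collections import Counter, defaultdict

# Pre-defined categories (hypothetical rules constructed for the example).
# The SSN rule rejects area numbers 000, 666 and 9xx, which are never issued.
CATEGORIES = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "confidential_marker": re.compile(
        r"\b(confidential|internal only|do not distribute)\b", re.I),
}

# Constructed sample of reassembled traffic records (channel, user, content).
# 4111 1111 1111 1111 is a well-known test card number; the other card-like
# string fails the Luhn check and should be treated as innocuous.
SAMPLE_TRAFFIC = [
    {"channel": "email", "user": "alice", "content": "Lunch at noon?"},
    {"channel": "webmail", "user": "bob",
     "content": "Payroll: Jane Doe 123-45-6789 salary 55000"},
    {"channel": "im", "user": "carol",
     "content": "CONFIDENTIAL draft attached, do not distribute"},
    {"channel": "p2p", "user": "bob",
     "content": "Sharing customers.xls: 987-65-4321, 555-12-3456"},
    {"channel": "ftp", "user": "dave", "content": "README for build 2003.08"},
    {"channel": "email", "user": "erin",
     "content": "Card on file 4111 1111 1111 1111 exp 05/07"},
    {"channel": "chat", "user": "frank",
     "content": "test number 1234 5678 9012 3456 is not real"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of digits (used to validate card candidates)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(record: dict) -> dict:
    """Return {category: [matched strings]} for one record; {} means innocuous."""
    hits = {}
    for name, pattern in CATEGORIES.items():
        matches = pattern.findall(record["content"])
        if name == "credit_card":
            # Drop digit runs that do not pass the checksum (false positives).
            matches = [m for m in matches if luhn_ok(re.sub(r"\D", "", m))]
        if matches:
            hits[name] = matches
    return hits


def monitor(records: list) -> list:
    """Cast innocuous records aside; keep flagged ones together with their hits."""
    flagged = []
    for rec in records:
        hits = classify(rec)
        if hits:
            flagged.append({**rec, "hits": hits})
    return flagged


def report(flagged: list) -> dict:
    """Roll flagged records up into per-category and per-user infraction counts."""
    by_category = Counter()
    by_user = defaultdict(Counter)
    for rec in flagged:
        for cat, matches in rec["hits"].items():
            by_category[cat] += len(matches)
            by_user[rec["user"]][cat] += len(matches)
    return {
        "by_category": dict(by_category),
        "by_user": {user: dict(counts) for user, counts in by_user.items()},
    }


if __name__ == "__main__":
    stored = monitor(SAMPLE_TRAFFIC)
    for rec in stored:   # detailed content per user and per infraction
        print(rec["channel"], rec["user"], rec["hits"])
    print(report(stored))   # high-level view per category and per user
```

On the sample data four of the seven records are stored: two SSN hits for bob (the 987-65-4321 value is rejected by the area-number rule), two confidential-marker hits for carol and one validated card number for erin; frank's card-like string fails the Luhn check and is discarded as innocuous. A production monitor would add reassembly of the captured packets into records and far richer categories, but the discard/store/report shape is the same.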
As you review your organization's information security infrastructure, consider your reputation, your company's proprietary information and how exposed you really are. Consider the costs involved should your confidential information be exposed.