Category: Vulnerability Testing & Management

Education, HIPAA / HITECH Enforcement, Risk Analysis/Risk Management, Vulnerability Testing & Management

How to Manage Change

Rose

by CJ Michael

One of the most difficult systems to manage is change. Every organization undergoes change in their applications or operating environment; it is difficult to stay relevant in your industry without keeping up-to-date. One of the most convincing reasons to implement a formal process to document and approve changes is that it really only takes one oversight to create chaos in your organization and unintentionally expose information security problems.

Change control can be defined as “a formal process used to ensure that changes to an application or system are conducted in a systematic, controlled, and coordinated manner.”1 The benefits of having a system for implementing changes in the organization are numerous and include reducing unauthorized changes and/or downtime, improving communication, maintaining system integrity, and preventing unnecessary security exposures. These benefits can translate into better sales, improved margins, and a more productive workforce. In determining the processes to follow for tracking and approving changes, an organization-wide decision must be made with risk management in mind. Consider any current processes in place and their effectiveness or what change tracking system is most compatible with existing infrastructure. Remember that the goal of a project like this is to improve processes, not make them more difficult or complex!

Change control is a “standard method and set of procedures for handling changes within the IT environment to help minimize risk to the business” and is a part of the more comprehensive discipline of change management. When employing a change management system, your organization should consider including all or most of the following steps for effective change management. This is a pattern recommended by Michelle Bigelow, contributor to Implementing Information Security in Healthcare: Building a Security Program.

  • A change is requested
  • The change is reviewed
  • The change is either approved for testing or denied
  • An approved change request is tested
  • The change is documented
  • The change is scheduled
  • Information about the change is communicated to all affected parties
  • The change is implemented
  • The change is evaluated
  • Technical vulnerabilities are assessed
  • The change control database is updated

This is a very high-level process for managing changes within your organization. There are many other potential steps that are necessary depending on the importance of the system or regularity of the changes or updates. Unfortunately for many organizations, a lack of controls and documentation around change management is adding to risk exposure on a daily basis. If this type of program is something that your organization needs, please contact RISC Management for assistance. Remember that with any security program decision, the first step is always a Risk Analysis. If you don’t identify, analyze, and document your risk, you’ll never effectively manage it.

Sponsored by: RISC Management, www.RISCsecurity.com

References

Implementing Information Security in Healthcare: Building a Security Program

 

Data Breach, News Events, Tip of the Week, Trends & Technology, Vulnerability Testing & Management

Worldwide ATM Heist Stole $45 million Across Several Banks

Rose

Privacy and Security is important not just for healthcare information but in everyday aspects of our life, such as banking, that affect all of us. Recently, in Brooklyn, New York, six people were arrested and charged for stealing 45 million dollars from Middle East banks. According to NBC News, the “hackers stole debit card data from the National Bank of Ras Al-Khaimah in the United Arab Emirates and Bank Muscat in Oman in two attacks in December 2012 and February 2013, according to prosecutors. These individuals allegedly broke into payment-processing companies used by the two banks and raised the balances and withdrawal limits on the cards, prosecutors said. Crews in more than 20 countries, such as the cell arrested Monday, then withdrew $5 million between Dec. 21 and Dec. 22 and $40 million between Feb. 19 and Feb. 20.”

Exploiting cyber weaknesses

It would seem the same technology the healthcare industry is implementing for ensuring their protected health information stays private and secure is similar to banking industry needs and governmental-spying prevention. The Morning Sentinel reports encrypted email, and other privacy solutions are increasing in popularity in the wake of the National Security Agency’s reported surveillance programs. As a whole, our society has been tolerating privacy issues for many years, including those broken by our own National Security Agency (NSA) reported by the Washington Post on August 15th, 2013. Many organizations such as Google shared the importance of encrypting their own data centers around the world to deter snooping, and protect their clients.

For one solution, Pogoplug, business is booming – it’s garnered close to 1 million paid subscribers in its first year – and the company is anxious to accommodate concerned clients. This month Pogoplug launched a $49 software package called Safeplug that prevents third parties, from the NSA to Google, from learning about a user’s location or browsing habits.

But many warn that encryption offers a false sense of security.

“The fundamental designers of cryptography are in an arms race right now, but there are a series of weaknesses and missing oversights that have nothing to do with encryption that leave people vulnerable,” says Patrick Peterson, CEO of Silicon Valley-based email security firm Agari. And many that do work, bog down or freeze computers, forcing “a trade-off between security and convenience,” he says.

Many hacking or data breach security incidents were not the result of complex attacks or zero day vulnerability exploitation. Rather they occur because of disinterest, overwork, poor configuration management, slow patching, and a complete lack of assessing, or PEN-testing an organization’s own systems.

Many security incidents, such as the too-popular crypto-locker, occur because an untrained or trained-but-curious employee opened an email with an attachment. Regardless of coaching and formal training employees find it hard to resist opening an interesting email.

Regardless, an information security, data privacy, and awareness training program for all members of your workforce is critical both to reduce risk and to show a track record of sincere and sustained efforts at compliance, according to Chris Heuman, Practice Leader at RISC Management.

This post brought to you by RISC Management & Consulting. Visit us at www.RISCsecurity.com

Resources:

Morning Sentinel: http://www.onlinesentinel.com/news/Computer_privacy_services_booming_in_wake_of_NSA_surveillance_fears.html?pagenum=2

NBC News: http://www.nbcnews.com/technology/6-arrested-45-million-global-atm-bank-cyberheist-2D11617858 and http://www.nbcnews.com/id/51850893/ns/technology_and_science-tech_and_gadgets/#.UpkQhcSsh8F

Washington Post: http://articles.washingtonpost.com/keyword/national-security-agency and http://articles.washingtonpost.com/2013-09-06/business/41831756_1_encryption-data-centers-intelligence-agencies