Business Continuity, Cyber Security, Data Breach, Education, HIPAA / HITECH Enforcement, Risk Analysis/Risk Management, Tip of the Week, Vulnerability Testing & Management

Data Loss Prevention Solutions

Critical to Enterprises With Sensitive or Confidential Information

Data Loss Prevention, often abbreviated DLP, is no longer an optional solution for organizations that:

  1. Are in possession or use of data that is regulated, confidential, sensitive, or otherwise limited from public access;
  2. Are large enough to have more than a single, structured data repository such as only one server and dumb terminals (hardly the case anymore);
  3. Need to be able to prove to management, auditors, or regulatory bodies that they know where their data is, and how it is being protected.

Business owners should consult with security professionals according to Siciliano (Entrepreneur, 2014), CEO of IDTheftSecurity.com, Inc. Siciliano reported the importance of installing data-loss prevention software and performing a risk assessment, “it’s possible to monitor the entire network’s activities to detect events that could lead to a data breach and detect trespassers before it occurs” (p. 3).

Part of the Guide to Privacy and Security of Health Information explains the HIPAA Security Rule requirement that a covered entity must conduct a Risk Analysis [§ 164.308(a) (1) (ii) (A)] to identify risks and vulnerabilities to electronic protected health information. Performing a “risk analysis is the first step in an organization’s Security Rule compliance efforts” (Office of the National Coordinator for Health Information Technology, 2014, p. 10) in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. In addition, organizations must perform an Application and Data Criticality Analysis [§ 164.308(a) (7) (ii) (E)] to, “Assess the relative criticality of specific applications and data…”

The first step in any information security and compliance program is understanding what data your organization has, where it is located, and who is using it; authorized or unauthorized. Complete and accurate knowledge is necessary in order to understand what laws or requirements apply to your organization, and which members of your workforce may require training or monitoring.

Data Classification

Classifying your data into categories such as a Data Classification Matrix makes it easier to apply controls based upon the data type, rather than in a discretionary manner, or simply guessing. Most organizations know that they should protect credit card information differently than public marketing materials. But can they explain the differences in controls applied to ePHI versus Social Security Numbers? What are the requirements for this data? Who enforces them? How much trouble are we in if we have an unauthorized breach of this data?

Every organization should determine the classes that their data types fall into, not the data repositories. For example, classify your data as “Regulated” as opposed to “ePHI” or “Confidential” as opposed to “Payroll Records”. Remember, for data privacy and security regulations and industry requirements, the purpose of the data is irrelevant, it’s the existence of the data that matters.

An example of a data classification matrix that RISC has assisted its clients in successfully deploying is:

  1. Regulated
  2. Confidential
  3. Non-public
  4. Public

Once your data is classified, control mechanisms can be assigned to that classification as a whole, rather than piecemeal.

Roads

Now, your DLP solution is ready to find that data, and let you know where it is, at high speed, with pretty good accuracy. A DLP solution, or even a DLP assessment, can perform a year’s worth of human analysis in a week or two of close to pure automation!

RISC Management’s DLP solution

  • Can assist you in finding the sensitive information that is created, collected, stored, processed, transmitted, disclosed, or archived by your organization;
  • Will deliver Data Loss Prevention (DLP) solutions that protect regulated, sensitive, or confidential employee, customer, or company information and safeguard intellectual property across all electronic communications channels;
  • Can help you watch the sensitive information flowing into, throughout, and out of your network without impacting performance or requiring infrastructure modifications.

Key Benefits

  1. Compliance with regulations such as HIPAA, Red Flags Rule, PCI, and state/federal privacy regulations
  2. Automated email encryption utilizing policy-driven healthcare data classification and filtering
  3. Unobtrusive enforcement of data loss prevention policies across all popular Internet communication channels
  4. Healthcare code sets (e.g. HCPCS, ICD-9, LOINC, and NDC) as built-in dictionaries
  5. Inclusive data logs of confidential data copied, sent, or downloaded

An important definition to understand is the term Vulnerability and Technical vulnerability. Vulnerability is defined in NIST (2012) Special Publication (SP) 800-30 as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” Technical vulnerabilities may include: holes, flaws or weaknesses in the development of information systems; or incorrectly implemented and/or configured information systems. The NIST (SP) 800-30 guide is a 95 page document published and developed by the National Institute of Standards and Technology (NIST) under the Federal Information Security Management Act (FISMA), Public Law 107-347.

Vulnerability Testing

Included in the risks that should be identified by an organization regularly are technical vulnerabilities. These vulnerabilities may include missing patches on computing devices, misconfigurations accidentally performed by staff members or consultants, or insecure network architecture. While the reasons are many, the result is the same, elevated risk to the confidentiality, integrity, and availability of your organization’s sensitive information.

RISC Management & Consulting can assist your organization in performing comprehensive technical vulnerability testing. The Security Engineers at RISC use numerous best in class tools to establish a thorough view of your security posture. The output of these tools is used in a number of ways including:

  •  Comparing security controls and system configuration to organizational policy.
  • Comparing the state of security to compliance requirements such as HIPAA, PCI-DSS, and ISO 27002.
  • Comparing the actual network architecture to the organization’s understanding of the network architecture.
  • Developing a technical vulnerability assessment report that provides a compliance, business, and technical review of the state of information security.

Contact RISC Management and Consulting today to discover how we can help you! www.RISCsecurity.com or 630-270-9336

References

Entrepreneur.(2014). 11 Ways to protect your business from cyber criminals. Retrieved from http://www.entrepreneur.com/article/238369

National Institute of Standards & Technology. (2012). Guide for conducting risk assessments: Information security. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

 

 

Advertisements
Data Breach, Vulnerability Testing & Management

Another Data Breach…

Launching Part One of Practical Security Series: Scenarios

Recently the University of Maryland was the victim of a sophisticated computer security attack, or hacking incident, that involved the breach of a significant database at the University. This breach may have exposed the records of over 309,000 faculty members, staff members, students, and other affiliated personnel from some of the University’s campuses.

Once again, similar to far too many other data breach events, the breached information included Social Security Numbers, or SSNs. While the University is offering free credit monitoring to those affected, anyone who has endured an identity theft incident knows that the inconvenience is far more extensive than twenty dollars and one year of credit monitoring.

While it may take the incident forensic specialists, and their recently doubled IT Security Staff (self-claimed), some time to determine the root cause, the actual and total information breached, and whether procedural or technical reasons permitted the breach to happen, the incident as a whole serves to remind us that we all must be continually diligent.

Continued diligence involves assessing your own organization, and your data security controls in an authorized and controlled manner. Unauthorized parties are assessing your security controls on a constant basis. The benefit to performing your own assessment, such as a Technical Vulnerability Assessment, is that you are privy to the results. When a “hacker” assesses your controls the only results you may receive, or maybe not, is success or failure of their efforts.

RISC Management & Consulting specializes in data privacy and information security regulations and frameworks,  visit our website for details call:  800.648.4358