Information Security: Frequently Asked Questions

Click on the arrows below to view answers to frequently asked information security questions.

For more information, contact William M. Prohn CISSP, CISA, CGEIT, CRISC at wprohn@dopkins.com.

 

My employees want to work from home. What should I know before allowing it?

Information Security FAQ: Working From Home

The ability to work from home is often referred to as teleworking or telecommuting and has consistently gained popularity in recent years. A distinction should be made at this point between ‘teleworking’ and ‘mobile computing.’ Teleworking, as it will be addressed here, refers exclusively to an employee working from their home, whereas mobile computing may be applied to any number of non-office locations (Starbucks, hotels, etc.). The Telework Research Network, in their The State of Teleworking whitepaper, identifies 61% growth in teleworking over the last 5 years, resulting in over 3 million U.S. employees working from home in 2013. Telecommuting provides the benefit of convenience to employer and employee alike, though there are a number of important issues that an employer must be aware of.

Two key security considerations are: the control environment in the workplace and the physical equipment being used. While employers maintain a certain degree of control over the work environment on premises, they do not enjoy the same level of control when employees are working from home. An employer is likely to introduce control measures that they have deemed sufficient to ensure the security of the company’s data. In addition, employers may have implemented security features for equipment issued to employees that they believe will aid in protecting organizational information. Examples of these controls include, but are not limited to: device encryption, virus proection software, secure wireless networks and password requirements.

This is not always the case with devices owned and maintained by employees. As a result, employers encounter a serious information security risk. Sensitive data may be compromised due to a lack of the aforementioned controls. In many cases, employees feel comfortable and safe in their homes, and do not consider the risks associated with unprotected wireless networks and the need for up-to-date virus software or secure passwords. Because of this lack of awareness on the part of the employee, it is crucial that employers address these security concerns before allowing their organizational information to leave the confines of the office.

I see the benefit of my employees using social media, but what are the risks to my business?

Information Security FAQ: Social Media Security

Out of the three anchors of information security (confidentiality, integrity, availability), social media presents the greatest risk to confidentiality. In an age when Generation Y is overwhelmingly represented in the workplace, it is more important than ever for employers to take proactive action to protect any information that leaves the four walls of the office. The concern in this case is not inherent to social media, but is instead based on the level of comfort that many users feel when sharing information online and their lack of understanding in regard to confidential data. For this reason they may inadvertently disclose that data to the public.

Take, for example, an organization that handles HIPAA data. A young employee may not realize the extent of the restrictions imposed on the disclosure of Protected Health Information, and proceed to post a picture and description of a favorite young patient on Facebook. While innocent in appearance, the post constitutes a severe data breach and will result in potentially severe penalties and sanctions from regulating bodies. In fact, 60% of U.S. small businesses shut down within six months of a data breach, according to the U.S. House of Representatives House Committee on Small Businesses.

Whether the breach is in the form of a status update, a tweet or a photo, the ramifications could prove insurmountable for many businesses. It is therefore imperative that employers understand the risks associated with their employees utilizing social media in the course of business. In some cases, you may find it better to be anti-social.

In ISO 27002-13, the internationally recognized information security standard, there are eleven distinct sections that, when combined, serve to protect your organization on a holistic level. Therefore, it is important to understand that social media is merely a component of the Access Control section of ISO 27002-2013, which in turn is a component of yet an even larger framework.

Remember, a false sense of security is worse than being unsure.

My company leases our copiers/scanners/printers. What should I know before sending them back to the vendor?

Information Security FAQ: Printer Security

Did you know that your printer most likely contains a hard drive that records every document you’ve ever printed? According to a 2010 Xerox study, 60% of Americans didn’t. And it’s not just printers.  Just about any device that performs multiple functions, whether it is scanning, faxing, copying or printing, will contain a hard drive capable of storing hundreds of thousands of documents. The hard drive allows the machine to perform more efficiently, and handle multiple complex jobs at once, but poses an incredible information security threat. It is estimated that nearly every machine produced since 2002 possesses storage capabilities.

Take, for example, the Buffalo Police Department, who were unintentionally exposed during a 2010 CBS investigative report. The CBS reporter along with a security expert purchased four used copiers whose prior owners were unknown in order to analyze their hard drives. Two of the copiers had been leased by the BPD and contained hundreds of thousands of documents, including information from the sex crimes as well as narcotics divisions. In the same investigation, CBS discovered an insurance company’s protected health information (PHI), left unknowingly on their leased copier, representing a massive HIPAA/HITECH breach.

In ISO 27002-2013, the internationally recognized information security standard, there are eleven distinct sections that, when combined, serve to protect your organization on a holistic level. Therefore, it is important to understand that printer security is merely a component of the Physical and Environmental Security section of ISO 27002-2013, which in turn is a component of yet an even larger framework.

Remember, a false sense of security is worse than being unsure.

What are my concerns when an employee is terminated?

Information Security FAQ: Employee Termination

The Ponemon Institute along with Symantec conducted a study titled, “Data Loss Risks During Downsizing: As Employees Exit, so does Corporate Data” in 2009.  The following statistic was among the key findings of the study: 59% of respondents reported that they kept company data after leaving their employer. Regardless of the industry you are in, the risks associated with having your information walk out the door at such a rate should be alarming. Even more concerning is the breakdown of information taken by the aforementioned respondents, with 39% admitting to expropriating customer information, including contact lists, and 16% taking financial data.

Now, the aforementioned statistics refer to data that employees already possessed at the time of their termination. The organizational risk is much greater in regard to information attained after termination. The Ponemon study found that 24% of employees attempted, and were successful in accessing company systems after their employment ended, using their original credentials. Disgruntled employees always present a threat to an organization, but many companies do not mitigate the risks associated with recently terminated staff. This is evidenced by the fact that a staggering 20% of workers surveyed maintained access to organizational systems for over a week, and 26% had access for an entire 24 hours.

Ripped from the Headlines

If statistics aren’t your cup of tea, consider the following examples: a project manager in Buffalo was terminated in 2011, but not before changing the passwords of the organization’s email and web services. The digital lockdown was lifted after the two parties settled out of court. In Pennsylvania, a family medical practice had to notify 13,000 patients that their protected health information had been disclosed to a competitor by a number of disgruntled former employees. Whether it is the theft of trade secret information, disclosure of protected health information or business interruption, the information security implications of an inappropriately handled employee termination can be quite severe.

In ISO 27002-2013, the internationally recognized information security standard, there are eleven distinct sections that, when combined, serve to protect your organization on a holistic level. Therefore, it is important to understand that employee termination is merely a component of the Human Resources Security section of ISO 27002-2013, which in turn is a component of yet an even larger framework.

 

I need to provide a third party with confidential customer information. Am I at risk?

Information Security FAQ: Confidentiality with Third Parties

When you send confidential information to a third party, are you at risk? If an agreement is not in place prior to the transfer of data, you very well may be. Consider an accounting firm that regularly analyzes client data using third-party software, and let us assume that the firm and their clients have confidentiality/non-disclosure agreements in place. Now, imagine if one of the accounting firm’s staff encounters a serious technical problem with their software, at which point the software provider requests a copy of the data in question. Do you send the information along to the third-party technician? In order to answer this question it will be necessary to discuss the relationship between the three organizations involved in this dilemma.

The first consideration is that of the agreement between the accounting firm and their client. Clearly, the accounting firm will have been granted access to the client’s data for the purposes of performing their professional services, but what if a technical issue is preventing the completion of those services? Does the client expressly allow disclosure of their data if their accountants deem it necessary? Is there any uncertainty regarding the classification of the client’s data, such as being protected by HIPAA or FERPA, at which point an entirely new set of confidentiality concerns enters the picture? The accounting firm must address these issues if they wish to mitigate their risks in relation to information security.

The second consideration deals with the agreement between the accounting firm and the software provider. Even if we assume that the issues raised above have been handled, and the client allows the accounting firm to disclose their data to a third-party at the firm’s discretion, the firm is still at great risk. Once they send the client’s data to the software provider, who is to say it will remain confidential? Do the technicians understand the need to handle the data with care and prevent inappropriate disclosure or loss? Is the provider willing to accept responsibility for the continued confidentiality of the data while it is in their custody? In addition, does the agreement require disposal/destruction of the data by the software technicians upon completion of the support ticket? If not, the accounting firm remains responsible for the security of their client’s information, even though they have lost control over it.

An organization that takes information security seriously will make sure to ‘look both ways’ when considering confidentiality with third parties, for just as the old idiom states, better safe than sorry!

In ISO 27002:2013, the internationally recognized information security standard, there are eleven distinct sections that, when combined, serve to protect your organization on a holistic level. Therefore, it is important to understand that confidentiality with third parties is merely a component of the Organizing Information Security section of ISO 27002, which in turn is a component of yet an even larger framework.

My employees use their smartphones at work. Are they able to view work emails?

Information Security FAQ: Work Email on Smartphones

Many employers are unaware that their employees have the ability to view their work email on smartphones and tablets, such as iPhones and iPads.

In many cases, management authorization is not required in order to add a business account to a personal mobile device. This presents organizations with a critical information security concern.

Microsoft Exchange employs a service called “Exchange ActiveSync” which allows users to receive their work email on their smartphone or tablet. The primary concern with ActiveSync technology is that it is “on” by default. This means that often employees can begin syncing their work email without the need for management approval. Viewed from the perspective of asset management, it is impossible to know how many devices are walking out the door containing confidential information or who possesses those devices.

Once an employee utilizes ActiveSync, an organization’s data, including emails, contacts and attachments, may easily end up being stored locally on the personal device. For organizations that must comply with HIPAA, HITECH, FERPA and other regulations, this could jeopardize their compliance standing. Mobile devices, an Android smartphone for example, are easy to compromise and even easier to lose, presenting yet another information security risk for organizations. Discouraging research by gadget insurance company ProtectYourBubble estimates that 113 mobile devices are lost or stolen every minute in the United States. When faced with such a formidable statistic it is no wonder why businesses must confront the security risk presented by ActiveSync push email.

A common misconception regarding data breaches, in this context concerning push email, are the requirements for an incident to be labeled a ‘breach.’ Data need not be proven to have been used inappropriately. On the contrary, if it is likely that the information has been accessed, used or disclosed, and there is a significant risk of harm to the affected individuals, the incident is considered a breach. So, if an iPhone containing unprotected Protected Health Information (PHI) is lost or stolen, it will likely fulfill the requirements of a breach. In fact, the Information Systems Audit and Control Association (ISACA) reports that 49% of U.S. organizations do not protect employee mobile devices containing PHI.

In ISO 27002-2013, the internationally recognized information security standard, there are eleven distinct sections that, when combined, serve to protect your organization on a holistic level. Therefore, it is important to understand that push e-mail is merely a component of the Access Control section of ISO 27002-2013, which in turn is a component of yet an even larger framework.

Remember, a false sense of security is worse than being unsure.

I know I need to protect my company’s servers, but where do I start?

Information Security FAQ: Server Room Safety

While often overlooked, a company’s servers may be one of an organization’s most critical assets. For this reason, it is especially important that servers, as well as their surroundings, are adequately protected from environmental hazards. Now, servers also face a number of technological threats such as hacking and viruses, but the focus of this article will be on physical and environmental risks exclusively.

Heat plays a significant role in the security of a server room as moderate changes in temperature, both up and down, could lead to a host of different problems. For example, a spike in temperature of just 10 degrees could lead to a system meltdown (literally!) or at the very least dramatically increase chances of system failure down the road. Just as important as the actual degree of heat surrounding your servers is the consistency with which that heat is maintained. A study by the University of Toronto found that the relationship between system failures and temperature fluctuation showed a greater correlation than that of failure and degrees Fahrenheit.

Along with heat, moisture presents a constant threat to server health, and while some instances of moisture may appear obvious, such as flooding, less conspicuous examples like humidity and condensation are equally dangerous. In some cases, moisture in a server room may come from condensation formed on air conditioning units or dripping utility pipes, while in others, an uptick in humidity may increase the level of moisture within a room to a critical level. While not as intuitive, a lack of moisture surrounding servers also presents a concern as it increases the likelihood of static-related damage and electrical failures.

Power failures and surges have historically wreaked havoc on server equipment and continue to present many challenges to IT staff members. One risk that may go unnoticed when discussing methods of protection is the failure of monitors and temperature regulators within the room, as opposed to the actual server units. Imagine this scenario: a widespread power failure occurs within an organization, including the server room. The server itself is protected with an uninterruptable power supply (UPS), but the air conditioning unit and temperature monitors are no longer operational as they were not provided UPS protection. Clearly, the response time for this environmental hazard is affected and may ultimately lead to a system meltdown.

In ISO 27002, the internationally recognized information security standard, there are eleven distinct sections that, when combined, serve to protect your organization on a holistic level. Therefore, it is important to understand that server room safety is merely a component of the Physical and Environmental Security section of ISO 27002, which in turn is a component of yet an even larger framework. Remember, a false sense of security is worse than being unsure.

My company is evaluating Cloud Service Providers. What should we know before selecting a CSP?

Information Security FAQ: Cloud Computing – Liability and Assurance

Download our White Paper – Lifting the Fog to See the Cloud

If you were to ask 10 experts to define ‘cloud computing,’ you would likely receive 12 different answers. Due to the breadth of the subject, it is necessary to break it down in to more manageable pieces. Therefore, our discussion will only address the issue of liability and assurance when dealing with a Cloud Service Provider (CSP).

The initial agreement that is reached with a CSP is crucial to an organization’s information security, as it will establish the responsibilities each party must bear throughout the relationship. Too often, companies do not recognize, or understand the imbalance of responsibility and liability that exists within their third party agreements. For companies that will be storing sensitive data at a remote location, owned and maintained by a provider, there are an abundance of risks. For instance, a CSP may encounter a system failure resulting in lost data, business interruption or accidental disclosure. In addition, sensitive data is often transmitted between the customer and provider over the internet, which presents additional opportunities for interception, loss or disclosure.

While these risks are inherent to the cloud computing platform, the financial losses associated with these incidents must be assumed by one or another party. If a power loss or natural disaster occurs – responsible for 54% of outages according to cloud management firm RightScale – interrupting business for four hours, who will make the company whole? Unfortunately for many organizations, inadequate agreements leave the vast majority of the financial burden resting squarely on their shoulders. On the flip-side, the Information Systems Audit and Control Association (ISACA) points out that the security of servers, certain algorithms and data in the public cloud may in fact be the responsibility of the customer, not the CSP in some circumstances.

A further concern of cloud computing can be summarized in a simple question: “How do I know my CSP is doing what they say they are doing?” Many providers promise that they will maintain the integrity, confidentiality and availability of your data, but how can you be sure? More often than not, your CSP’s data center will be located hundreds or thousands of miles away, eliminating the opportunity to witness their operation first-hand. Will you be informed of who has come in contact with your data, for how long and for what reason? If a breach occurs, will you be immediately notified and assured that the necessary steps were taken to mitigate your risk?

In ISO 27002-2013, the internationally recognized information security standard, there are eleven distinct sections that, when combined, serve to protect your organization on a holistic level. Therefore, it is important to understand that cloud computing – liability and assurance is merely a component of the Business Continuity Management section of ISO 27002-2013, which in turn is a component of yet an even larger framework.

Remember, a false sense of security is worse than being unsure.

I rarely hear of information security concerns at my company. Are we protected?

Reporting Information Security Events

head_in_the_sand.jpgStaff employees are often the first users to discover information security vulnerabilities or encounter a security incident, but that does not necessarily mean that management or IT are notified of these events. Without a formal information security reporting procedure employees are likely to ignore inconsistencies or weaknesses that they uncover or may not be aware of the appropriate individual or group to report to. The result of such circumstances is the perpetuation of system vulnerabilities that could lead to potentially damaging security incidents down the road.

For example, imagine an accounting clerk who discovers that they have access to highly sensitive payroll information. It is important that the clerk knows to alert the necessary IT staff or appropriate administrator in order to remedy the user access concern. Should the IT staff member find out that the weakness is more widespread than originally understood, he/she should be familiar with the escalation protocol to ensure that the appropriate members of management are made aware of the vulnerability without delay.

Clearly the preceding example relies on a few assumptions, such as the clerk’s ability to identify a weakness when he/she sees one and the existence of a security incident escalation protocol. Unfortunately, there are many examples of organizations that have failed to establish appropriate information security reporting procedures, and have suffered as a result. The costs of data breaches and corporate fraud are well documented, and the lack of necessary incident reporting provides the perfect set of circumstances for just such an occurrence. It is for this reason that proactive action is always recommended in order to mitigate the risks associated with information security event reporting.

Remember, just because you don’t hear about them, doesn’t mean they don’t exist!

In ISO 27002-2013, the internationally recognized information security standard, there are eleven distinct sections that, when combined, serve to protect your organization on a holistic level. Therefore, it is important to understand that reporting information security events is merely a component of the Information Security Management section of ISO 27002-2013, which in turn is a component of yet an even larger framework.