Avoiding future government regulations, such as a federal law modeled after California’s 1386, can be accomplished by proving that we’re doing a good job at self-regulation. That was the premise behind the 10 Best Practices that former U.S. security advisor Richard Clarke shared with his audience during a recent web seminar sponsored by RSA Security, Inc.
Called Information Security and Compliance: Navigating the Ever-Changing Regulatory Landscape, the Aug. 26 webinar featured Lee Zeichner, advisor to the Department of Homeland Security on critical infrastructure issues, RSA Security’s CIO Gerry Wilson, and Mr. Clarke, former White House advisor to the President on cyberspace security and author of Against All Enemies.
RSA Security Inc. (www.rsasecurity.com) bills itself as helping organizations protect private information and manage the identities of the people and applications accessing and exchanging that information. RSA Security’s solutions—including identity & access management, secure mobile & remote access, secure enterprise access and secure transactions—are all designed to provide a seamless e-security experience in the market.
How IT security fits into the compliance puzzle was the topic of the day with regard to the privacy, security, and financial reporting regulations of Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, and California’s SB 1386, which basically says that if a company is hit by a hacker, that company is obligated to notify its customers regardless of the damage the hacker caused.
Mr. Zeichner said that “we’re going to see a lot more regulation, building on the California law which may become a national law.”
California’s 1386, which went into effect last year, requires companies that have customers in California to safeguard the confidentiality and privacy of their personal information. Companies and organizations that fail to disclose computer security breaches become liable for civil damages or, more critically, can face class action lawsuits. The law mandates public disclosure of computer-security breaches in which confidential information of any California resident may have been compromised.
Mr. Clarke, currently president of Good Harbor Consulting and who is an on-air security consultant for ABC News, asked: “How do we lay the groundwork now in our individual companies to make sure we don’t get hit with unnecessary cyber regulations?” The government, he added, “hasn’t been doing a very good job. The national strategy for cyberspace isn’t being developed.”
The best way to beat new regulations “is to show it’s not necessary; that we’re already far ahead in self-policing, in best practices,” said Mr. Clarke. “This is all about showing Congress that we don’t need to be regulated.”
Here are Mr. Clarke’s “Top Ten Best Practices in InfoSec” (Information Security) and his comments on each:
1. Set up automated vulnerability and compliance testing. This used to require audit teams, but you can now buy software or hardware that can check your network for vulnerabilities, or determine whether a company’s IT security policy has been violated. “Every day you can see if you’re secure,” he said.
2. Deploy a patch management system. “CIOs tell me their No. 1 headache is patches. Then you have to test them, put them on, etc. There are a number of companies offering patch management services.”
3. Implement identity management and authentication procedures. “It’s amateur to the extreme to just use passwords to log in. You can get freeware that can crack almost any password. You must be using some form of two-factor authentication with an identity management system in place.”
4. Use encryption (e.g. data in transmission and data at rest). “The California bill says if someone has hacked their way into your network, you have an obligation to tell all your customers what has happened, but if you have encrypted the data on your network, then you don’t have to tell your customers.”
5. Participate in an early warning system. “There are a number of vendors with software that can say they see viruses or worms coming so your firewalls can be changed. Some are more credible than others, but it’s clearly worth doing.”
6. Get a service level agreement (SLA) from your ISP. “You all have that, but what does it say about security? You can negotiate good service agreements, including having your ISP search for worms and viruses or DoS (denial of service), or provide a second source if the service goes down. There are all sorts of things you can put in an SLA.”
7. Have a significant IT security awareness program. “This includes everything from not leaving passwords under mousepads, to your employees understanding about downloads, the risks of bringing disks in from home, etc.”
8. Test your software. “The source of the worms is vulnerabilities, glitches in software; not just Microsoft but your own software that you’ve developed. A lot of simple mistakes are made by people writing software, such as the buffer overflow problem. We’ve known about that for a decade. There is software that tests the products you’re currently running.”
9. Look at your total environment, or the physical security overlap. “If you’ve done everything, yet anyone can still walk into your computer room and affect your security, then your program is out the window.”
10. Use an automated program that checks a laptop before connection to a network. “I call this ‘the road warrior problem.’ A lot of companies get hurt by their road warriors. They’re out there with their laptop, they log on at a hotel, they get a virus and don’t know it, then they log onto the corporate network. There are programs that look at the laptop before allowing a complete connection that will test to see if it has a virus and if its anti-virus program is up-to-date.”