Most companies have never had to deal with mandated disclosure, or even reporting breaches
If you have any third-party relationships in which personal or sensitive information is shared, examine whether the relationship is necessary. If it makes sense to continue the engagement, ensure that your contracts give you the control you need over processes, investigations, notification and so on.
Educate your employees
Employees need to be educated on the importance of protecting sensitive data on all computers,
including handhelds. Training should cover the policies for managing sensitive data, how to
recognize the signs that a computer has been compromised, and the procedures for reporting a
suspected breach.
Encrypt sensitive data when it's not in use
Once you've narrowed the personal information you store, consider encrypting it. When
measuring effectiveness and reporting compliance, encrypting personal information in storage
and in transmission can give you a real advantage. For example, SB-1386 only requires notification
when unencrypted personal information "was, or is reasonably believed to have been, acquired by an
unauthorized person." Choose a product that uses a non-proprietary, government-standard algorithm
and whose cryptographic module has been FIPS 140-2 validated. Prefer AES; Triple DES is acceptable
for legacy data, but single DES, with its 56-bit key, can be brute-forced and should not be used for
new deployments.
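The encrypt-at-rest advice above, as an added example that is not from the original column or from CREDANT: the Go program below seals a personal-information record with AES-256-GCM (an authenticated mode, so any change to the stored blob is detected on decryption) and binds the ciphertext to a record identifier so a blob cannot be moved to another customer's row. The key, record contents and customer identifier are constructed sample values; in a real deployment the key would come from a key-management system or a FIPS 140-2 validated module, never a literal in the source.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// sealRecord encrypts plaintext with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag and is what gets written to disk or a database
// column in place of the plaintext. context is additional authenticated data
// (for example the customer ID): it is not encrypted, but it is covered by the
// tag, so a blob copied into another customer's row fails to decrypt.
func sealRecord(key, plaintext, context []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	// A fresh random nonce per record; reusing a nonce under the same key
	// destroys GCM's confidentiality and integrity guarantees.
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, context), nil
}

// openRecord reverses sealRecord. It returns an error if the blob was
// truncated or modified, if the context differs, or if the key is wrong.
func openRecord(key, blob, context []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored blob too short to be valid")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, context)
}

// newGCM builds the AEAD from a 32-byte key (AES-256).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample values for the demonstration only (hypothetical data).
	key := []byte("0123456789abcdef0123456789abcdef") // 32 bytes; use a KMS in practice
	customerID := []byte("customer:1001")
	record := []byte("name=Jane Doe;ssn=123-45-6789")

	blob, err := sealRecord(key, record, customerID)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored blob:", hex.EncodeToString(blob))

	plain, err := openRecord(key, blob, customerID)
	fmt.Printf("correct key and context: %q err=%v\n", plain, err)

	// Flip one bit of the stored blob: the tag check fails and nothing is returned.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = openRecord(key, tampered, customerID)
	fmt.Println("tampered blob:", err)

	// The same blob attached to a different customer row is also rejected.
	_, err = openRecord(key, blob, []byte("customer:1002"))
	fmt.Println("wrong context:", err)
}
```

The point for the SB-1386 argument is that what an attacker acquires from disk is the blob, not the record: without the key it yields nothing, and with a modified blob or the wrong context the decrypt fails closed instead of returning garbage.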
Prepare for a possible breach
Prevention is the best medicine. In advance of any incident, educate your customers and employees
by providing information about what they can do to protect themselves against identity theft, such
as subscribing to a credit-report monitoring service or buying identity theft insurance.
You may also want to draft notification documents in advance of any need, describing what protective and defensive measures an individual whose personal information may have been compromised can take. That means you'll need current contact information for everyone whose personal information you retain.
Be prepared to investigate a breach efficiently and quickly using either internal or external resources, or a combination of both. If you plan to handle investigations internally, you may want to acquire forensic/incident response software that is capable of producing court-admissible evidence, should you need it.
Ensure your current software is configured correctly
According to Gartner, sixty-five percent of attacks exploit misconfigured systems. Therefore,
maximize your current investment in security-related software by ensuring it is configured correctly
and patched on an ongoing basis. Check that you are using all applicable logging capabilities of
your existing software, and that those logs are actually retained and reviewed. If you develop custom
applications, ensure your developers are trained in current secure software development techniques,
since you can be attacked via application vulnerabilities as well as network ones.
Ensure regulatory compliance with security policy-based software
Now that you have identified policies and procedures, invest in controls that are essential for
risk management and that ensure regulatory compliance. Good policy-based software ensures that the
measures you put in place to safeguard the privacy of sensitive information are not defeated.
Protect your extended perimeter
The perimeter as we know it today is gone. With the introduction of new mobile and wireless
devices, computing is no longer restricted to a fixed location or tied to a physical network.
Sensitive data can be accessed and stored on laptop and tablet computers, as well as PDAs and
smartphones. Once beyond the firewall, that information is outside an organization's span of
control. An unsecured device in the wrong hands can expose sensitive data, as well as be used to
access network resources. Therefore, securing these devices is not only essential to protecting
sensitive data; it is a necessary component of network security.
To maximize the protection of sensitive data, devices must be protected whether in a connected or disconnected state. Implement policy-based mobile security software with robust on-device security for controlling access privileges, authenticating users and devices and encrypting sensitive data. Make sure it is implemented on each mobile computer, handheld and smartphone that is used to access your enterprise network.
Given the risks to information traveling over the Internet, transport encryption such as SSL/TLS or a VPN should be used to protect data as it is transmitted to and from the enterprise network. In addition, a personal firewall should be installed to further control access to mobile computing devices.
Summary
Identity theft is a major issue faced by everyone. Defense strategies, including sound practices,
deployment of sophisticated technologies and adequate staffing and training, are critical. Mobile
and wireless devices, the most severe and overlooked threat to your organization, must also be
included as a key component of your defense strategy. Sensitive data is stored on laptop and tablet
computers, as well as PDAs, converged PDAs and smartphones, and is too easily accessible if the
mobile device is lost, stolen or left unattended.
Bob Heard is president and CEO of CREDANT Technologies, a premier provider of mobile
security and management software (www.credant.com). He can be
reached at bheard@credant.com.
This was first published in January 2004