Archive for August, 2010

30 Aug 10

Be the Purple Cow of Security

As Seth Godin says so eloquently in his book Purple Cow, you need to make yourself into something truly different.  Set yourself apart from your competition.  Most organizations do just enough to say they maintain security: the basics, to give off the appearance that they are serious.  Maybe they have a strong password policy but no Two Factor Authentication.

But in their main business they don’t settle for the minimum.  They try to outwit, outperform, and out-market the competition.

What if your organization stood out from the competition as a secure environment and they weren’t?  What if all your employees handled information correctly?  What if you were able to watch for sensitive data leaving?  What if your users policed themselves?

Think of the two together.  Nothing can kill a marketing plan faster than poor security.  Even my Grandmother knows about TJ Maxx.

29 Aug 10

Listening

On a recent drive to Spartanburg, SC to visit a new account I was re-listening to the book 7 Habits of Highly Effective People.  When I got to Habit 5, Seek First to Understand, then to be Understood, I started thinking of how many consultants don’t do this.  How can a security consultant not listen first?  How can an IT person not listen to management or end users?

As I always say, security is a process and not a purchase.  To create a secure environment we need to listen to all parties and make sure we have a complete understanding of the business and how information flows.  Then and only then can we implement the processes that create a secure environment.  I have never once been able to walk into an account, apply a pre-packaged solution and send an invoice.

Want to know something really scary?  I have lost more than one job because I wouldn’t send a solution for security before we met in person.  Just goes to show you that with some companies security isn’t a big deal, they just want to say they are secure.

23 Aug 10

Email Encryption in Healthcare

I have written an executive whitepaper titled Email Encryption in Healthcare.  This is an executive overview explaining the background and regulations around securing email transactions.  If you would like a copy send an email to info@jstengel.net.

19 Aug 10

Massachusetts 201 CMR 17.00, to be Exact

I am not breaking any news to anyone, I think, if I tell you that there is a new law in Massachusetts that lays out security requirements for protecting private information.  What I do want to write about is why I like this law.

The first thing I like is how the law says that anyone who does business with a resident of the commonwealth, regardless of nexus, is required to follow these guidelines, not just businesses in the commonwealth.  This is good because they are setting a standard for the rest of the union.  Too many laws are written in a form that requires a lawyer to decode them.  I read and understood the law while I waited on my Cashew Chicken at PF Chang’s.

I also like that it is very specific.  It names product segments and states exactly what needs to be done.  They don’t use terms like “Reasonable Measures”; that just confuses people and leads to inaction.  This one is clear.

I can tell you firsthand PII is handled poorly by most businesses.  You can set your company apart just by following this law.  If you become Mass 201 compliant the rest is easy, and this one is not hard.

http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

16 Aug 10

How Secure Are Your Passwords

Do you know what your Administrator passwords are?  Do the IT people?  I have been working with companies for years and they often share the Administrator passwords with several technical people or, in some cases, all of them.  This is a bad model.  Regular IT folks do not have the company bank account numbers, and they do not need these passwords either.

It is true they may need Administrator level access but they do not need the password.  Keeping this at the executive and higher level is not only smart but it is basic in risk mitigation.

On the reverse, executives need to make sure they have all the passwords for administrator level accounts.  You also need to make sure you know every single user who has administrator level rights.  During a recent security assessment we found a low level user had full access to the entire domain because of testing done years earlier.

Starting with the basics in security is the beginning of reduced risk for partners and executives.
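Knowing every account with administrator level rights is something you can verify rather than assume.  The script below is an added example, not part of the original post: it walks the built-in privileged groups of an Active Directory domain, expands nested group membership, and flags privileged accounts that have not logged on recently (the “testing done years earlier” case).  It assumes the ActiveDirectory RSAT module is installed and that the account running it can read group membership; the group list and the 180-day threshold are assumptions to adjust for your domain.

```powershell
# Added example: list every account holding administrator-level rights through the
# built-in privileged groups, including members inherited through nested groups.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined, read-capable account.
Import-Module ActiveDirectory

# Built-in privileged groups; add any custom admin groups your domain uses (assumption).
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Privileged accounts with no logon in this many days get flagged for review (assumption).
$staleDays = 180

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are not missed
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    foreach ($m in ($members | Where-Object { $_.objectClass -eq 'user' })) {
        $u = Get-ADUser -Identity $m.SamAccountName -Properties Enabled, LastLogonDate, PasswordLastSet
        [PSCustomObject]@{
            Group           = $group
            Account         = $u.SamAccountName
            Enabled         = $u.Enabled
            LastLogon       = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
        }
    }
}

# Accounts that never logged on, or not within the threshold, are the first to review.
$stale = $report | Where-Object {
    ($null -eq $_.LastLogon) -or ($_.LastLogon -lt (Get-Date).AddDays(-$staleDays))
}

$report | Sort-Object Group, Account | Format-Table -AutoSize
Write-Host "`nPrivileged accounts with no logon in the last $staleDays days:"
$stale | Format-Table Group, Account, Enabled, LastLogon -AutoSize

# Keep a dated copy so executives have the full list on file, not just in IT's heads.
$report | Export-Csv -Path ".\privileged-accounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it on a schedule and compare the CSV against the previous one; any account that appears without a change ticket is exactly the kind of forgotten access the assessment above turned up.  It also shows why giving each technician a personal admin account, instead of sharing the Administrator password, pays off: the report then names a person, not a shared login.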

14 Aug 10

Email Security in Healthcare

We will be hosting a webinar this week to educate executives and provide an overview of the compliance and risk mitigation benefits of email security. We will discuss what options are out there, what to look for and what to avoid.

This material will be presented in a non-technical form from a consultative perspective to give executives a brief overview of how to move forward.

Topic: Email Security in Healthcare
Date: Thursday, August 19, 2010
Time: 1:00 pm, Eastern Daylight Time (New York, GMT-04:00)

Go to https://freetrial.webex.com/freetrial/j.php?ED=136876647&RG=1&UID=0&RT=MiMxMQ%3D%3D and register for the event.

12 Aug 10

Don’t Test and Don’t Check

I am amazed sometimes during assessments when I learn that critical backups and systems have never been tested.  Companies purchase the software, configure the setup and away they go.  They never bother to test.

As an executive or manager you understand the risks and what needs to be done to protect the digital assets in an organization.  Your IT staff doesn’t necessarily have that understanding of risk.  They have no liability.

Executives and managers have an obligation to their clients, companies, employees and families to have critical information protected.  I am not saying you should set a budget for an offsite facility or spend more money on hardware/software.  I am simply saying that time needs to be invested in planning, checking and testing.  Preferably this is done by an outside source, not because I don’t think your staff is capable, but because a second opinion can shed some new light on your environment.

Ask anyone that I have ever managed in consulting, it isn’t working until it is tested.  If people don’t like me because I require testing and verification, I can live with that.  It is too important to just assume it works.
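“It isn’t working until it is tested” applies to backups more than anything else, and a restore test does not need a budget.  The script below is an added example, not part of the original post: it backs up a small constructed data set to an archive, restores the archive to a scratch folder, and verifies every file against the original by SHA-256 hash.  The paths under `$env:TEMP` and the sample files are assumptions for the demo; pointing `$Source` at the real data and `$Backup` at the archive your backup product produces turns it into a scheduled restore check.

```powershell
# Added example: a minimal restore test for a file backup. Creates constructed sample
# data, backs it up to a zip, restores to a scratch folder and compares hashes.
# Paths and sample files are assumptions so the script runs stand-alone.
$Source  = Join-Path $env:TEMP 'restore-test\source'
$Backup  = Join-Path $env:TEMP 'restore-test\backup.zip'
$Restore = Join-Path $env:TEMP 'restore-test\restored'

# --- constructed sample data (demo only) ---
Remove-Item -Recurse -Force (Split-Path $Source) -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path $Source, (Join-Path $Source 'ledger') | Out-Null
Set-Content -Path (Join-Path $Source 'ledger\2010-08.csv') -Value 'id,amount', '1,42.00'
Set-Content -Path (Join-Path $Source 'policy.txt') -Value 'Admin passwords stay with executives.'

# 1. Take the backup (your backup product replaces this line)
Compress-Archive -Path (Join-Path $Source '*') -DestinationPath $Backup -Force

# 2. Restore to a scratch location, never over the live data
Expand-Archive -Path $Backup -DestinationPath $Restore -Force

# 3. Verify: every source file must exist in the restore with an identical SHA-256
function Test-RestoreIntegrity {
    param([string]$SourceRoot, [string]$RestoreRoot)
    $failures = @()

    # Collect paths relative to the source root so they can be looked up in the restore
    Push-Location $SourceRoot
    try {
        $relativeFiles = Get-ChildItem -Recurse -File |
            ForEach-Object { (Resolve-Path $_.FullName -Relative) -replace '^\.[\\/]', '' }
    } finally {
        Pop-Location
    }

    foreach ($rel in $relativeFiles) {
        $original = Join-Path $SourceRoot $rel
        $restored = Join-Path $RestoreRoot $rel
        if (-not (Test-Path $restored)) {
            $failures += "MISSING  $rel"
        } elseif ((Get-FileHash $original -Algorithm SHA256).Hash -ne
                  (Get-FileHash $restored -Algorithm SHA256).Hash) {
            $failures += "MISMATCH $rel"
        }
    }
    return $failures
}

$problems = Test-RestoreIntegrity -SourceRoot $Source -RestoreRoot $Restore
if ($problems.Count -eq 0) {
    Write-Host 'Restore test PASSED: every file restored with a matching hash.'
} else {
    Write-Host 'Restore test FAILED:'
    $problems | ForEach-Object { Write-Host "  $_" }
    exit 1
}
```

The non-zero exit code is what makes this useful as a check: a scheduled task that runs it can alert on failure, so a backup that silently stopped capturing a folder shows up as MISSING lines the next morning instead of on the day you need the restore.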

05 Aug 10

1 in 5 Users

Facebook has recently announced they have 500 million users.  The movie 500 Million Friends is due out this fall.  Recently 100 million Facebook users’ information was scraped off the site.  The account information for 100 million people in the world was grabbed.  Usernames, emails, names, etc.; no passwords were grabbed.  All of this information was posted to a download site that is often used to transport illegal files.  Anyone can grab this database of names and emails now.

Now, what could you do with this information?  Think about marketing.  Would your marketing department love to get 100 million names and emails at no cost?

In a bit of a counter story, a new website has started up that basically stalks Facebook founder Mark Zuckerberg.  The site posts pictures and facts about the details of his life.  The site’s stated message is that this is basically what he gets for his business practices.

Now I am all for standing up for yourself and fighting back.  However, the first thought I had when reading the story is that the people who use Facebook and post details are doing it by choice.  No one forces people to discuss what they had for dinner last night online; they make that choice.  Also, no one forces them to even use Facebook; aren’t there other social networking sites around?

Getting mad at the founder seems like taking it out on the wrong person.  If I post something I wouldn’t want my kids to read online no one is to blame but me.

My main point for executives here is this: data leak prevention is key.  If I don’t allow Facebook in my company I don’t have to worry about my employees’ PII getting stolen.

http://www.foxnews.com/scitech/2010/08/04/facebook-founder-facing-personal-vendetta-privacy/?test=faces

02 Aug 10

Training, Training, Training

The Department of Health and Human Services fined the pharmacy chain Rite-Aid for a HIPAA violation.  The fine is for $1 Million and requires that Rite Aid take corrective action to improve practices.

The violation states, among other things, that Rite Aid did not properly dispose of personally identifiable information in its 4,900 retail pharmacies.  It also states that Rite Aid failed to properly train employees on how to dispose of the information.

This goes to what I have been stressing lately: products don’t make you compliant.  Policy and processes do.  This also shows the importance of properly training the other managers in the business on how to handle information.  Very intelligent people may run the various departments in your organization.  They don’t have a background in this area and need the right procedures in place.
