Archive for the 'PCI Compliance' Category

14 Oct 2010

More Protection for Government Groups

Why is it that business is always treated like the criminal?  It seems like protection is built in for consumers and government only.  The City of Charlotte loses data and you barely hear about it.  Everyone seems to know the Countrywide data loss story.  Is one worse than the other or are they equal in severity?  Regulation does nothing for data security and information protection, especially when we exclude municipalities that have more information on us than the average business. 

Only you can reduce your risk and protect your assets.  Security is not just products, it is your practices around those products.  Washington is not coming to help the people that make this country work.

New Regulation Proposition:

http://www.scmagazineus.com/banking-bill-would-treat-schools-towns-like-consumers/article/180818/

Supporting Stories:

http://www.bankinfosecurity.com/articles.php?art_id=2398

http://www.databreaches.net/?p=11855

11 Oct 2010

The Risks of Regulation

Why is it that all regulation has to do with protecting consumers?  Where is the regulation that protects some businesses from failure or losses?

When a HIPAA violation occurs, more attention is paid to the one error a business made than to tracking the thief.  You never hear about the thief in the papers.

Everyone knows the TJ Maxx story.  How much do you know about the thieves?

You need to protect your own assets and hedge against losses yourself.  No one else is going to protect your organization.  But all regulation, loss, theft, etc. raises your risk as an asset owner.

01 Oct 2010

Employee Monitoring

When discussing employee monitoring the conversation can go one of two very different ways.  Much like politics, most people have a side they fall on.

I fall strongly on the pro side.  I do not distrust my employees.  What I am concerned about is protecting the company and all of its employees.  If I were to make a bad hire, and we all have, and this problem employee were violating policy or procedure, we need to be able to act on it.

Most people do not understand the risks employers carry in protecting information.  That doesn’t mean they are bad people; they are most likely very good at what they do and have just never considered the other side.

We have an obligation to create procedures and policies to protect our clients, employees, and partners.  Not building these into your culture is more damaging than many would guess.  Taking the time to explain the why and train employees on it will educate them, and they will understand.  People just don’t like to be surprised; that leads to feeling personally violated.

Ask Rite-Aid what happens when employees don’t follow procedures.  Did the employees all chip in to cover the $1 million fine?

21 Sep 2010

Policy over Product

Have you purchased all of the right products for your network?  Do you have your firewall, switch, security server, SAN, WAP, and two-factor authentication device?  Great, so aren’t you all set for security?

The truth is you have a lot of stuff, and that is it.  Without developing policies and procedures on how information should be handled and what is and is not allowed, you don’t really have much of anything.

Let’s say you have a Web Blocker installed to stop traffic, but you never monitor what is being done on the allowed sites.

Let’s say you have an email security and DLP device, but rules around what should be stopped are never created or tested.

Let’s say you have a state of the art SAN configured, but the security was never applied to those sensitive folders.

The actual purchase of the products is only the beginning.  Next comes the configuration and policy development.  Make sure your IT staff has a deep understanding of what they need to do, and that they are trained on and thoroughly understand the devices.

20 Sep 2010

Tokenization

Trends in the security industry suggest that something called tokenization is the future of security.  So what is tokenization?

Well, a general explanation is this.  Let’s say you take the word DATA and you want to send that word to another computer (like when you transmit cardholder data, PHI, PII, etc.).  The word gets broken up into separate letters, D A T A.  Each letter is then replaced with a secret value that can be decoded on the remote server; for example, D becomes ;lk;k%%%.  The word is then reassembled on the remote end, processed, and sent on.

Some of us think this is the way text messages look with all the codes and abbreviations.  Kidding aside, this technology is really cool.  If we can secure every character or symbol and then reassemble it, we can secure almost anything.  But be careful of vendors selling this buzzword.  The technology is new and only a few players are really good at this.
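A vault-style tokenization, the form commonly used for cardholder data, as an added example that is not the blog's own code: the whole card number (not just one character) is swapped for a random surrogate, and the mapping back to the real number exists only on the trusted side. The sample card number is the well-known Visa test number, not a real card; the vault is an in-memory dict standing in for a separately secured system.

```python
import secrets
from typing import Dict, Optional

# Constructed sample: the well-known Visa test number, not a real card.
SAMPLE_PAN = "4111 1111 1111 1111"

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test that real card numbers pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch) * 2 if i % 2 else int(ch)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and reject anything that is not a plausible PAN."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a card number")
    return digits

class TokenVault:
    """Trusted-side vault: the only place the real PAN exists.  The token handed to
    the merchant is random digits, so nothing can be decoded from it by itself."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = normalize_pan(pan)
        if digits in self._pan_to_token:  # same card always maps to the same token
            return self._pan_to_token[digits]
        while True:
            # Keep the last four (allowed on receipts) and randomize the rest;
            # require the token to FAIL Luhn so it can never pass as a real PAN.
            head = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = head + digits[-4:]
            if not luhn_ok(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """PAN for a token this vault issued, or None: another vault cannot reverse it."""
        return self._token_to_pan.get(token)
```

The merchant system stores and reports on the token only, so a breach of that system yields nothing that can be charged; only the vault, which stays inside the PCI-scoped environment, can turn the token back into the card number.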

17 Sep 2010

Changes are Coming for CHD

The PCI Security Standards Council is ready to introduce new standards this October.  A summary of the proposed changes was published recently on their site.  The changes, when enacted, will take effect right away, and companies need to prepare for them.  The changes, while not major, clarify several points that are redundant or otherwise gray and add some more security.

What are you doing for ongoing security to maintain PCI?  PCI is not a typical regulation; it is actively enforced.  Private industry has designed the standards and requires companies to be compliant.  Noncompliance will result in revocation of your ability to process credit and debit transactions.

Protecting CHD is not hard.  Basic security practices just need to be followed in a timely manner.  Here is a summary of all 12, in regular terms.

  • Build and Maintain a Secure Network – Have a firewall, change passwords, etc.
  • Protect Cardholder Data – Don’t store data in the open.  CHD is the credit card number, expiration date, name, etc.
  • Maintain a Vulnerability Management Program – This refers to having AV and malware protection, and developing and maintaining secure systems (i.e. don’t use the homemade application your cousin made for you 12 years ago).
  • Implement Strong Access Control Measures – Keep people from accessing the information unless they need it.
  • Regularly Monitor and Test Networks – You can’t set a network up and walk away.  You should be assessing regularly and making sure nothing is out of the ordinary.
  • Maintain an Information Security Policy – Maintain security policies so your data doesn’t walk off.  All the products in the world will not keep you secure if you don’t use policies around them.  Train your employees or hire someone to.  They don’t think about these things like you do.

Summary of Changes

Video of Requirements

03 Sep 2010

The Cost of Inaction

Think about these questions in the context of inaction:

What if you don’t renew your auto insurance?

What if you don’t lock your car and leave a laptop on the seat?

What if you eat at that restaurant with the failing health score?

What if you don’t train your employees on the new MRI machines you just purchased?

What if your employees never call back customers?

What if you don’t secure your email until after the audit?

What if you don’t worry about patient confidentiality until after a lawsuit is filed?

Not doing something proactively is actually more costly than doing it ahead of time.  Diligence is paramount in any organization.  Too often I see concerns over money up front cause a project to fail.  More money is then spent on the back end to fix the mistakes with the original install.

Assess, train, and happen to something.  Don’t wait for it to happen to you.

30 Aug 2010

Be the Purple Cow of Security

As Seth Godin says so eloquently in his book Purple Cow, you need to make yourself into something truly different.  Set yourself apart from your competition.  Most organizations do this or that to try and maintain security, doing the basics to give off the appearance that they are serious.  Maybe they have a strong password policy but no two-factor authentication.

But in their main business they don’t settle for the minimum.  They try to outwit, outperform, and out-market the competition.

What if your organization stood out from the competition as a secure environment and they weren’t?  What if all your employees handled information correctly?  What if you were able to watch for sensitive data leaving?  What if your users policed themselves?

Think of the two together.  Nothing can kill a marketing plan faster than poor security.  Even my Grandmother knows about TJ Maxx.

16 Aug 2010

How Secure Are Your Passwords

Do you know what your Administrator passwords are?  Do the IT people?  I have been working with companies for years, and they often share the Administrator passwords with several technical people or, in some cases, several of them.  This is a bad model.  Regular IT folks do not have the company bank account numbers, and they do not need these passwords either.

It is true they may need Administrator-level access, but they do not need the password.  Keeping this at the executive level and higher is not only smart, it is basic risk mitigation.

On the reverse, executives need to make sure they have all the passwords for Administrator-level accounts.  You also need to make sure you know every single user who has Administrator-level rights.  During a recent security assessment we found a low-level user had full access to the entire domain because of testing done years earlier.

Starting with the basics in security is the beginning of reduced risk for partners and executives.

14 Aug 2010

Email Security in Healthcare

We will be hosting a webinar this week to educate executives and provide an overview of the compliance and risk mitigation benefits of email security. We will discuss what options are out there, what to look for and what to avoid.

This material will be presented in a non-technical form from a consultative perspective to give executives a brief overview of how to move forward.

Topic: Email Security in Healthcare
Date: Thursday, August 19, 2010
Time: 1:00 pm, Eastern Daylight Time (New York, GMT-04:00)

Go to https://freetrial.webex.com/freetrial/j.php?ED=136876647&RG=1&UID=0&RT=MiMxMQ%3D%3D and register for the event.
