CIO
Blog: Information Security: 7 Data Leaks You Can't Ignore
Matt Roedell  30 August, 2007 10:08:49
Page:

Information security controls are an essential part of operations for all financial institutions. Members expect that their local Credit Union is just as secure as the "big bank" located a few hundred feet away in the same parking lot at the mall. The only difference is that the local Credit Union information security budget pales in comparison to the multi million that the big bank will spend.

When a limited budget is combined with a lack of understanding proper security controls, many Credit Unions turn to local consulting companies who often times roll out ineffective "security programs" that can be costly and don't add much value to increasing their security posture.

Paying a vendor to monitor your IDS and firewall may get you a check mark on this year's audit (at least for now) but I challenge the fact that it is an effective solution. Every credit union needs an employee on staff that has a deep understanding of information security or at a minimum a vendor or consultant that can steer them in the right direction. If you completely outsource you information security program the balance between operations and security is "broken".

The key to an effective information security program is to establish clear and open channels of communication between IT and business operations. Operations needs to have confidence that the information security program is not an obstacle but an opportunity to incorporate methodology that will benefit the credit union and its members. Security concepts need to be broken down in terms the business will understand. The main job function of an effective information security manager is to be a sales person for information security. He/she will need to change the way business executives think and make sure security is integrated into their thought process.

I am proud to say that with the support of its executives, TruMark Financial Credit Union has positioned itself as a Credit Union information security leader. My staff and I have spent the last year and a half identifying risk and evaluating products to mitigate those risks. I would like to share our results with you in hopes it will increase the information security posture of the industry to match or exceed that of the "big banks".

An effective Information security program with mitigating controls does not have to break the bank. Below are 7 common ways data can leak from your organization. I have taken the opportunity to share with you the compensating controls we have implemented which have not only increased out security posture but impressed external auditors and effectively raised the bar across the Credit Union industry.

7 Data Leaks You Can't Ignore

Leak #1
Sensitive information can leave your organization through USB mass storage devices such as thumb drives, IPODs and Digital cameras or other removable media.
Risk Mitigation: Block all USB mass storage devices
Approximate cost for hardware and 300 licenses: $50,000
Implement the Trigeo SIM. Their product comes with USB defender which detaches USB drives when mass storage capability is detected. Their product configuration is very granular so permitting USB license keys or hardware tokens is no problem. The employees also receive a pop-up indicating that the use of USB mass storage devices is prohibited. Trigeo can also be easily configured to send an email notification to any email address you like. This is only one of the many features offered with their product.

Leak #2
Sensitive information can leave your organization when copied to a CD or DVD
Risk Mitigation: disable all burners and removeburning software
COST: $0
The solution is 3 fold:

  • disabling the default windows burning capability through an AD GPO push to all workstations
  • Uninstalling all 3rd party burning software
    • Removing all employees from the PC local admin group and power users group (best standard practice anyway). This prevents anyone from copying info to a CD without submitting a formal request to do so. When a legitimate request comes into your ticketing system, you can RDP to their workstation and install the 3rd party software. The software would then be uninstalled when they were finished. Another more manageable option is to assign the CD burning functionality to a smaller group of users which mitigates risk by requiring a "standard" user to go to a trusted employee such as a supervisor to have information copied.

Leak #3
Sensitive information can leave your organization when a laptop is lost or stolen
Risk Mitigation: enable whole disk encryption on all laptops
Approximate cost per laptop: $200
If you are running disk encryption and a laptop is lost or stolen you can rest easy if you have deployed PGP desktop. It will take more than several lifetimes to crack disk encryption even with the right software and computing power to do so. Make sure the password is complex or the encryption is pointless.

Page:
Latest User Comments
There are no comments yet. Be the first to add one!
More about Panda, Cisco, Leader, Iron Mountain, Financial Institutions, Digital Defense, PGP, Leader Computers

Comments

Post new comment

Login or register to link comments to your user profile, or you may also post a comment without being logged in.
The content of this field is kept private and will not be shown publicly.
Enter the fully qualified URL, eg. http://www.example.com/
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

Add to Google
Related Topics
(Security)
Additional Resources
Executive Guides
Whitepapers
white paper Read up on the latest ideas and technologies from companies that sell hardware, software and services.
Zones
Zone logoZones provide focussed content from CIO and leading technology partners.
Newsletter Subscription
Sign up for our CIO newsletters!
RSS Feeds
Syndicate content

HP Data Center Transformation solutions offer practical ways to overcome the energy and capacity limitations, operational vulnerabilities and technology constraints that can plague your data center. Choosing from a portfolio of solutions matched to your business needs, we can help you transform your data center into a business-driven, process-smart and future-ready asset.

Latest on Data Centre

  • +

    Inside Internode's data centre 05 June, 2009 14:39:00

    Computerworld gets an exclusive behind the scenes look inside Internode's Adelaide data centre with network guru Mark Newton
    Computerworld gets an exclusive behind the scenes look inside Internode's Adelaide data centre with network guru Mark Newton
  • +

    HP uses outside air, big fans, 12-foot raised floor to cool servers 03 June, 2009 07:44:00

    It's also cutting data center power use by painting server racks white
    Just off the North Sea coast in the United Kingdom, Hewlett-Packard Co.'s EDS unit has built a data center that largely relies on cold sea air to keep servers chilled and -- by doing so -- cut the center's cooling power needs in half.
  • +

    HP targets the cloud with new hardware 12 June, 2009 08:27:00

    HP offers complete cloud computing package for businesses
    HP has designed a new portfolio of hardware, software, and services, aimed at reducing costs and saving resource, particularly for businesses involved in Web 2.0, cloud and high-performance computing.
  • +

    Defence to spend $700m on ICT reform 05 June, 2009 11:13:00

    Strategic Reform Program report reveals only half of defence IT budget visible to CIO
    Less than half of the annual $1.2 billion spent by Defence on its ICT is visible to its chief information officer, Greg Farr, a new report has revealed.
  • +

    Inside Telstra's Virtualisation Strategy 11 May, 2009 14:12:00

    Need to cut infrastructure costs driving the strategy
    Telstra is increasingly turning to virtualisation as its core strategy to both manage the rising costs of, and growth in, its data centres, according the company’s CIO, John McInerney.
  • +

    Defence to Initiate ICT Reform Program, Expand CIO Role 05 May, 2009 11:56:00

    ERP rollout, data centre consolidation, single architecture all on the cards, according to the Department of Defence’s strategic policy white paper
    The Defence department has signaled a raft of changes to its approach to information technology under a new ICT reform program.

Free Resource Library

Data Centre Assessments

The First step to Optimising

Speeding business innovation

Removing barriers to growth, increasing agility and driving out costs

Assessments: Ammunition for Facts-Based Decision Making
by Richard L. Sawyer, Senior Principal, HP Critical Facilities Services
Download Podcast Download Transcript
 

CIO Summit The New World Order Opportunities and Challenges for CIOs

23rd July 2009
The Westin Sydney


A content-rich networking event where CIOs and senior executives collaborate on business and technology issues ranging from the impact of the economic downturn to the most pressing trends affecting IT in the enterprise.

Register Now

  • +

    New scam email uses Australian Federal Police to gain victims' trust 03 July, 2009 10:49:00

    Fake offers of free AFP monitoring service to stop "cybernetic attacks"
    Cyber criminals have changed tack in their ongoing scam campaign against banks, moving to the use of government agencies to gain the trust of unsuspecting email recipients.
  • +

    AFP hits $6 million identity fraud syndicate 03 July, 2009 08:25:00

    $500,000 of goods per week purchased with fake credit cards
    The Australian Federal Police (AFP) claims to have struck a major blow to a multi-million identity fraud syndicate.
  • +

    5 steps to secure a new PC 30 June, 2009 00:19:00

    Just unwrapped a brand-new PC? Security pros share their secrets for making your system Internet-safe.
    A common misconception is that a shiny new computer is more or less secure because it hasn't yet been exposed to the Internet's sinister underbelly. But the truth is, these machines come out of the box needing scores of patches, some basic security software downloads and the disabling or replacing of items security pros don't typically trust.
  • +

    Facebook simplifies privacy settings, calls them too complex 02 July, 2009 05:48:00

    The social-networking site is also getting ready to let members share content with anyone on the Internet
    Facebook will simplify the way in which it offers privacy options to its users, as it gets ready to give its members for the first time the option to make the content they post on their profiles available to anyone on the Internet.
  • +

    DR a growing concern for A/NZ CIOs: Symantec 02 July, 2009 09:16:00

    Mission critical apps and cost of down-time major drivers
    CIOs in Australia and New Zealand are increasingly getting involved in the disaster recovery planning of their organisations, according to a new survey from Symantec.
Most Popular
Media Releases
Most Popular Whitepapers
Upcoming Industry Events
  • CIO SummitNSW - Sydney | 23/07/2009 | Hosted by CIO Magazine, IDC & the CIO Executive Council
more
Whitepaper


Read Whitepaper

Reducing the risk of insider abuse

The potential for insider abuse can never be eliminated completely, but the steps outlined in this white paper can reduce the potential for such abuse. Read on to ensure no one person can alter your operations to their personal advantage or to the detriment of your organisation.


CIO Industry Insight Podcast #4: Kerry Stratton, Managing Director of Healthcare, InterSystems
Listen to the latest edition of CIO Live which is now available for download.
Listen to the podcast
Sign up to the CIO Live email
Videos
Get a job Careerone