Blog: Information Security: 7 Data Leaks You Can't Ignore
- 30 August, 2007 10:08
- Comments
Information security controls are an essential part of operations for all financial institutions. Members expect that their local Credit Union is just as secure as the "big bank" located a few hundred feet away in the same parking lot at the mall. The only difference is that the local Credit Union information security budget pales in comparison to the multi million that the big bank will spend.
When a limited budget is combined with a lack of understanding proper security controls, many Credit Unions turn to local consulting companies who often times roll out ineffective "security programs" that can be costly and don't add much value to increasing their security posture.
Paying a vendor to monitor your IDS and firewall may get you a check mark on this year's audit (at least for now) but I challenge the fact that it is an effective solution. Every credit union needs an employee on staff that has a deep understanding of information security or at a minimum a vendor or consultant that can steer them in the right direction. If you completely outsource you information security program the balance between operations and security is "broken".
The key to an effective information security program is to establish clear and open channels of communication between IT and business operations. Operations needs to have confidence that the information security program is not an obstacle but an opportunity to incorporate methodology that will benefit the credit union and its members. Security concepts need to be broken down in terms the business will understand. The main job function of an effective information security manager is to be a sales person for information security. He/she will need to change the way business executives think and make sure security is integrated into their thought process.
I am proud to say that with the support of its executives, TruMark Financial Credit Union has positioned itself as a Credit Union information security leader. My staff and I have spent the last year and a half identifying risk and evaluating products to mitigate those risks. I would like to share our results with you in hopes it will increase the information security posture of the industry to match or exceed that of the "big banks".
An effective Information security program with mitigating controls does not have to break the bank. Below are 7 common ways data can leak from your organization. I have taken the opportunity to share with you the compensating controls we have implemented which have not only increased out security posture but impressed external auditors and effectively raised the bar across the Credit Union industry.
7 Data Leaks You Can't Ignore
Leak #1
Sensitive information can leave your organization through USB mass storage devices such as thumb drives, IPODs and Digital cameras or other removable media.
Risk Mitigation: Block all USB mass storage devices
Approximate cost for hardware and 300 licenses: $50,000
Implement the Trigeo SIM. Their product comes with USB defender which detaches USB drives when mass storage capability is detected. Their product configuration is very granular so permitting USB license keys or hardware tokens is no problem. The employees also receive a pop-up indicating that the use of USB mass storage devices is prohibited. Trigeo can also be easily configured to send an email notification to any email address you like. This is only one of the many features offered with their product.
Leak #2
Sensitive information can leave your organization when copied to a CD or DVD
Risk Mitigation: disable all burners and removeburning software
COST: $0
The solution is 3 fold:
- disabling the default windows burning capability through an AD GPO push to all workstations
- Uninstalling all 3rd party burning software Removing all employees from the PC local admin group and power users group (best standard practice anyway). This prevents anyone from copying info to a CD without submitting a formal request to do so. When a legitimate request comes into your ticketing system, you can RDP to their workstation and install the 3rd party software. The software would then be uninstalled when they were finished. Another more manageable option is to assign the CD burning functionality to a smaller group of users which mitigates risk by requiring a "standard" user to go to a trusted employee such as a supervisor to have information copied.
Leak #3
Sensitive information can leave your organization when a laptop is lost or stolen
Risk Mitigation: enable whole disk encryption on all laptops
Approximate cost per laptop: $200
If you are running disk encryption and a laptop is lost or stolen you can rest easy if you have deployed PGP desktop.
It will take more than several lifetimes to crack disk encryption even with the right software and computing power to do so. Make sure the password is complex or the encryption is pointless.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
- Bookmark this page
- Share this article
- Got more on this story? Email CIO
- Follow CIO on twitter
-
Monash Uni reduces IT teams after consolidation project
-
FTC warns makers of background checking apps
-
Time to get Agile
-
QLD govt demands answers after pay glitch
-
Monash Uni reduces IT teams after consolidation project
-
The Need for DLP (data leak prevention) now
When it comes to the terabytes of confidential and proprietary data on corporate networks, companies often use kid gloves to secure the data. This begs the question, why are office supplies subject to a higher level of security than the data? Many organisations are turning to a DLP solution to help them in gaining control over their seemingly uncontrolled data stores. -
Disciplined Agile Delivery: An Introduction
This evaluation guide is designed to help you choose the best tool to support your current Agile projects, while protecting your investment as your team, needs and agile maturity grow. -
Increasing Uptime and Efficiency with Switched PDUs - Two ways to use rack PDUs for more than just distributing power
Power distribution units (PDUs) play an essential role in delivering power safely and at appropriate voltages to servers and other network resources. A particular class of power distribution units known as rack Switched PDUs, however, is capable of performing additional functions that can help data center managers improve the efficiency and reliability of their IT infrastructure. This paper provides a brief introduction to rack Switched PDUs and describes two underappreciated yet powerful ways to take advantage of their advanced functionality.
-
Mastering Mental Ray
-
Photoshop®elements 2 Bible
-
Eclipse 2 for Java Developers
-
Skillpath 06 CD Project (Spreadsheet Solutions)
-
Nanosystems Molecular Machinery Manufacturing and Computation
-
Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSE Certified on Windo Ws 2000 (70-296)
-
Cocoa Programming for Mac OS X for Dummies®
-
Professional Microsoft SQL Server 2008 Integration Services
-
HTML in 10 Simple Steps Or Less











Comments
Post new comment