
Posts Tagged ‘Policies’

Shopper Uncovers Security Compliance: 201 CMR 17.00 Already Having an Effect on Businesses

I was semi-impressed yesterday when I visited a global retail chain, signed up for a new credit card and they handed me back the application form for me to destroy.  Retail stores that manage payment card information must abide by strict rules governed by PCI — the Payment Card Industry standard developed to protect card information.

The form that I filled out had Personal Information (PI) and not payment card information, and therefore would not fall under the PCI purview.

I asked the retail clerk processing my information what would happen if I left the form behind – in an attempt to better understand the security process. The retail clerk told me that they place remaining forms in the bin behind her and that a disposition company destroys everything in the bin. They receive a certificate from said company once the data is destroyed, for proof.

Good start. The company could have taken this protection process a step further by having a more secure bin with a cover and a lock instead of using a standard-looking waste paper basket. Still, one giant leap for better InfoSec Data Protection.

201 CMR is here to stay, at least until H.R. 2221 gets passed ;)

How is your company doing so far with meeting the Massachusetts regulation for the protection of PI? If you are outside the Commonwealth and do not store Mass. residents’ PI, are you doing anything to protect your state’s residents’ PI?

jay.martin@cppit.com – ITIL, CISM, ISMAS – www.cppit.com


Health Net Breach — A Failure of People, Process & Technology

The recent Health Net data breach of 1.5 million patient records due to a lost hard drive included unencrypted personal information such as names/addresses, medical records, Social Security numbers and other financial information. A breach of this magnitude is shocking, and what is more astounding is that the breach apparently occurred in May 2009 and was not reported to the Connecticut Attorney General’s office until this month (November, 2009). The breach may constitute gross negligence under HIPAA, the FTC “Red Flag” Regulations, Connecticut’s Public Act 08-167, CGS 36a-701(b) and other state regulations/breach laws.

I am sure that Health Net, like most companies, felt they developed the necessary controls to meet such regulations.  But a breakdown of this magnitude proves a failure of the company to institute “strong enough” information security policies, employee awareness programs and technology across the company to protect against this major corporate risk.   That is why we have been advising our clients to develop a risk-based information protection plan that estimates their potential loss against the cost of securely controlling and protecting their information assets.  The monetary penalties and consequences to Health Net for this breach will far outweigh the “should-have” preventative costs of deploying the right controls for this threat.  If the lost hard drive were encrypted, I wouldn’t even be writing this blog.

In his statement, Attorney General Richard Blumenthal stated, “I will vigorously and aggressively seek damages, penalties and other appropriate remedies, if warranted.”

This is not an option: *Information security programs that include people, process, technology and partners must be vigorously managed and improved upon over time.* Comments are welcome.

jay.martin@cppit.com

www.cppit.com


Are You Ready For 201 CMR 17.00 – Massachusetts’ New Privacy Law Sets Strict Standards for the Protection of Personal Information

201 CMR 17.00 — Massachusetts’ New Privacy Law Sets Strict Standards for the Protection of Personal Information


Beyond a Clear Desk Policy – Where Security and IT Service Continuity Meet – Part 2

In the attached article I provide some sound advice in order for your organization to be better prepared for a disaster and for you to sleep more soundly at night.


Clear Desk Policy – Security and IT Service Continuity Meet – Part 1

Would your company be prepared if faced with a catastrophic event like the one below? This is my true story…

In May 2008, while visiting one of my clients in Greeley, Colorado, their headquarters and primary computing site was struck by a massive tornado. I was in a conference room on the top floor of the building when we were abruptly interrupted and instructed to immediately head for the stairwell located in the center of the building wing. As I left the conference room, I viewed the outline of the tornado which appeared in the distance. Born and raised in the Boston area, the only tornadoes I’ve witnessed are on T.V. or YouTube, so I wasn’t too hard on myself when I was called from my trance-like state, “Jay, this way” (i.e. deer in headlights). Cramming into the stairwell, the next 20 to 30 minutes were nothing short of intense, if not downright horrific, as the building walls and stairs shook violently and sounded as if a large locomotive had hit the building. People were crying, shaking and wondering if they would ever see their loved ones again.

Then we felt it, a strange stream of cool air blowing down the stairwell. We’d later come to realize that the cool air was due to a section of the roof being blown off and settling some 300 feet away from the building. When the “all clear” sounded, we were instructed to return to the top floor, collect our belongings and evacuate the building due to a gas leak caused by the tornado. Windows were blown out and chairs, file cabinets and papers were strewn all over the office. Papers were not just contained within the building but thrown all over the parking lot and adjacent property owned by an insurance company that was also in the direct path of the tornado.

I heard a story that during the 1992 London Bombings, sensitive and confidential financial documents were found miles away from the blast site. Seeing that this tornado picked automobiles up and tossed them 15 feet away, I wondered how far my client’s paper trail would go.

A Clear Desk Policy dictates that all personnel clear their desks and file documents appropriately based on their Information Sensitivity Policy. The Clear Desk Policy is typically written as part of a company’s security program, but the risk that a critical document exists only as a single paper copy, with no digital or other duplicate, is a business continuity concern as well.

So, would your company be prepared? Do you have a clear desk policy? If so, does it only mandate that documents be cleared at the end of the day?

In my next blog, I’ll give you some practical ways to ensure that your documents don’t end up in China (unless of course you are reading this from China).

Posted by: Jay Martin

Compliance Process Partners — www.cppit.com

jay.martin@cppit.com
