Sunday, January 27, 2013

Low Hanging Fruit for securing your data

I recently met with a small business (SB) owner who was almost hyperventilating over the challenges of becoming PCI Compliant. To him, this was a hardship created by the government to make small business owners poorer while putting more money into the pockets of big business. Initially, we simply talked about the Who and Why of PCI Compliance. Next, we broadened our discussion to his individual business needs and goals. We then translated these into a comprehensive plan for securing his environment in a manner that supported them. He came to understand that putting some basic pieces into place did not have to be a six-figure plan, and that it could be done with a quick turnaround and a quick return on investment.

Who and Why of PCI Compliance:
For an SB owner, throwing the whole catalog of 12 requirements at the environment is overkill. Unless a business processes over 20,000 credit card transactions a year, the requirements published by the PCI-DSS standards group are much simpler:
· Don’t store ANY credit card data in your environment.
· All transmissions should be on PCI-DSS approved devices (list available: http://www.cgsolutionsofjax.com/images/approved_pin_transaction_security_PED_Devices.pdf).
· Fill out and submit Attestation paperwork annually.

Why being just PCI Compliant is not enough:
PCI standards are “minimal”. Even the interpretation of the requirements is debatable, depending on the size and complexity of an environment. A seasoned, IT-savvy Assessor will understand the difference between a program that just checks items off a list and a program that takes a meaningful, layered approach to security while also providing for PCI Compliance.

Reviewing Individual Business needs:
Whether a business is in a static position, in growth mode, or facing the unfortunate position of losing market share, the SB owner needs to take a holistic approach to managing security and the liability surrounding a potential data breach:
· What is the investment?
· What is the Return on Investment (ROI)?
· In the event of a breach, what is the business’s potential liability?
· What is the cost of potential downtime?

Any investment, whether in technology, security, or anything else, should have an established timeline for its expected return. For small businesses, a number of investments are necessary in order to ensure data protection.

Low Hanging Fruit that will go a LONG way toward securing your environment:

· Antivirus/Malware
   - For antivirus, purchase multi-year licenses.
   - Have someone subscribe to notification services such as Secunia or SANS to receive alerts from antivirus and software vendors on outbreaks or potential vulnerabilities.
· Desktop management support/warranty
   - Use built-in tools to restrict employees’ access to sensitive data, to questionable websites, and to POP3 mail accounts.
   - Disable the ability to capture print screens for those employees who have access to sensitive customer or patient information.
   - Purchase desktops through a reputable partner who will provide desktop support in the event of a hardware failure.
· Copier security
   - For leased copiers, ensure the hard drive has been wiped using a secure, Department of Defense approved method prior to returning the unit to the vendor.
· Printer security
   - Define who can print to which printers. Allow a limited number of employees to manage print jobs.
· Paper security
   - Create a clean desk policy, and either purchase a shredder or lease a shredding bin from a reputable vendor.
· Social Engineering and Information Security training for employees
· Mobile device lockdown (including USB devices)
· Business Continuity/Disaster Recovery solutions

The SB owner I was speaking with had a small environment, but the general consensus among desktop support companies is that once a company has more than 10 desktops, the need for professional desktop support becomes pressing, because automation becomes key to reducing labor costs.

At CGSolutions, we have:
· A library of sample policies and procedures that will get you started,
· Templates that can be applied to your desktops to secure your corporate environment,
· Business partners who have expertise in desktop support, including in regulated industries,
· Partnerships with internet providers who focus on your current and future business needs,
· Partnerships with managed services teams.

Don’t let the fear of what you don’t know get in the way of being successful in your business. CGSolutions can help you bridge the gap between where you are and a secured environment. With over 28 years of experience in technology, we have the expertise to implement meaningful solutions versus those that simply check a box on an audit report. Give us a call, 904-654-7323.

Monday, January 7, 2013

Improve your FFIEC Exam Scores

The Office of the Comptroller of the Currency (OCC) takes a risk-based approach to bank operations. As a bank’s deposits go up, so does the risk associated with its operations. No one wants a bad score on their annual OCC exam, and there are definite ways to avoid one. After all, the purpose of these exams is to protect consumers and consumers’ assets.

When I prepared for my first OTS audit (responsibilities have since rolled to the OCC), I went to the FFIEC website to go over the IT booklet. I had actually worked on a remediation project prior to managing an OTS audit, so I was familiar with the power of the scores. If you’re not familiar with the individual scoring process, the scale is 1-5, with 1 being the best and 5 the worst.

The exam covers the following areas:
· Capital Adequacy
· Asset Quality
· Management Competence
· Earnings
· Liquidity Risk
· Composite

I am not a banker, nor am I an OCC employee. I am a technologist who has been responsible for the areas of Operations, Business Continuity Planning, Management, Outsourcing Technology Services and Information Security (OTS wording), which fall under Management Competence and Composite. These are the areas in which I can provide expertise.

To start, review your last report with a focus on:
· Where do you need the biggest improvement?
· What can YOU have an impact on?
· Be aware of the bank’s asset balances and what they mean to the OCC. If your bank is in growth mode, the last thing you want is for your areas of responsibility to be the reason the OCC disapproves an expansion.

The OCC relies on several standards-setting organizations for its guidelines, so if you are focused on best practices, the chances are good you’re on the right path. You may just need some formalization.

What were the documented Management Responses in the last report? Pay close attention to the management responses. Regulators do not like repeat items that have had no or insignificant progress made toward resolving open issues.

Next, download (or designate someone to download) the FFIEC IT handbook. The guidelines are an excellent source for what policies and procedures you should have in place, as well as where financial institutions should be focusing their security resources. One thing to keep in mind: regulators prefer to see formal plans with commitment dates and executive approval to meet those dates. I really suggest you designate a specific person to oversee the remediation focus. This person should know who the assigned go-to person is for each of the areas of responsibility documented in the handbook.

To further the progress:
· Create a matrix that includes each line item, its potential cost, and the effort and resources required. Also include the potential risk of NOT remediating the item; the bank may choose to accept or transfer the risk associated with a line item rather than remediate it.
· Get executive acceptance and sign-off.

To get ahead of a potentially poor audit score, review your policies and procedures, Service Level Agreements, and Operating Level Agreements. At a minimum, you need to have:
· An employee acceptable use policy for technology systems and devices
· Documented existence, adherence and review of technology policies and procedures:
   - Change Control policy
   - Incident response
   - Privileged Account use
   - Patch Management process
   - Data access report reviews
      - Focus on your key control points
      - Are there designated Information Owners who review data access?
   - Exception review procedure
   - System Availability Reports
      - Problem Management action statements and reviews
   - Software architectural framework
   - Standard architectural review documentation
      - Are security and risk protocols a regular part of the architectural process? If not, this should be a high priority.
      - Have standards been implemented to reduce human error and silo’d decision-making? If not, this should be a high priority.
· A Technology Risk educational program for both business and IT employees
· Documented reviews of roles and responsibilities
· Reports for new hires and terminations
· Secured system access reviews
· A Penetration Test performed by an outside firm. There are multiple layers to pen testing, but it really is the best way to ascertain whether you have any open holes that need to be plugged.
· Documented and tested continuity plans, of two types: 1) Business Continuity and 2) Disaster Recovery. While the business is responsible for collaborating with IT through these tests, it has to be the IT team that drives these areas. The business may know what to restore, but the IT team knows the “how”.

If you can create a Risk Management framework or program in your bank, you can turn your 3s into 2s and perhaps even a 1. The unspoken benefit of a Risk Management program is an awareness of potential risks that sits in the back of each employee’s mind and, hopefully, deters risky behavior.