JPA / Johnston, Parker & Associates Inc.
What Is Information Security?
Information security (InfoSec) is the set of processes and tools designed and deployed to protect sensitive business information from unauthorized modification, disruption, destruction, and inspection.
What is the difference between information security and cybersecurity?
Information security protects all forms of information, digital and physical. Cybersecurity protects digital information and the systems that hold it, including computers, handheld devices, cloud services, and networks, and can be considered a subset of information security.
Data Protection Laws in the USA
There is currently no comprehensive federal data-privacy law in the United States. Several sector-specific laws do, however, protect particular types or uses of data. These include:
- Federal Trade Commission Act: prohibits organizations from deceiving consumers about their privacy practices, failing to adequately protect consumer privacy, and misleading advertising.
- Children's Online Privacy Protection Act (COPPA): regulates the collection of data relating to minors.
- Health Insurance Portability and Accountability Act (HIPAA): regulates the storage, privacy, and use of health information.
- Gramm-Leach-Bliley Act (GLBA): regulates personal information collected and stored by financial institutions and banks.
- Fair Credit Reporting Act (FCRA): regulates the collection, use, and accessibility of credit records and information.
Additionally, the Federal Trade Commission (FTC) is responsible for protecting consumers from unfair or deceptive practices, including those involving data security and privacy. The FTC can issue regulations, enforce laws, penalize violations, and investigate suspected organizational fraud or other violations.
Types of Information Security
- Application security
Application security is a broad topic that covers software vulnerabilities in web and mobile applications and application programming interfaces (APIs). These vulnerabilities may lie in the authentication or authorization of users, in the integrity of code and configurations, or in immature policies and procedures. Application vulnerabilities can create entry points for significant InfoSec breaches, which makes application security an important part of perimeter defense.
- Cloud security
Cloud security focuses on building and hosting secure applications in cloud environments and on securely consuming third-party cloud applications. "Cloud" here means that the application runs in a shared, multi-tenant environment, so businesses must make sure there is adequate isolation between their own workloads and those of other tenants.
- Cryptography
Encrypting data in transit and at rest protects its confidentiality. Integrity needs more than encryption alone: an authenticated encryption mode or a message authentication code is what detects tampering, since plain encryption does not. Digital signatures are used to validate the authenticity and origin of data. Cryptography has become increasingly important. A common example is the Advanced Encryption Standard (AES), a symmetric-key algorithm approved by the U.S. government for protecting classified information.
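The difference between confidentiality and integrity described above is easiest to see in code. The Go program below is an added example written for this page, not code from the original page or from JPA: it seals a constructed sample record with AES-256-GCM (an authenticated mode, so a single flipped bit in the sealed message is rejected on decryption instead of silently corrupting the plaintext), binds the record to a context string through the associated data, and signs the record with Ed25519 to show authenticity. The function names, the key, the record and the context string are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Encrypt seals plaintext with AES-256-GCM. GCM is an authenticated mode:
// the 16-byte tag it appends covers both the ciphertext and the associated
// data (aad), so any modification is detected on decryption. Output layout
// is nonce || ciphertext || tag. A fresh random nonce is drawn per message;
// a nonce reused under the same key breaks GCM, so it must never be derived
// from anything predictable.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. gcm.Open returns an error whenever the tag does
// not verify, i.e. if the nonce, ciphertext, tag or aad were altered.
func Decrypt(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// TamperDetected flips one bit in a copy of the sealed message and reports
// whether decryption refused it. With authenticated encryption this is
// always true; with unauthenticated AES-CBC or AES-CTR the same bit flip
// would decrypt without complaint to corrupted plaintext.
func TamperDetected(key, sealed, aad []byte) bool {
	bad := append([]byte(nil), sealed...)
	bad[len(bad)/2] ^= 0x01
	_, err := Decrypt(key, bad, aad)
	return err != nil
}

// NewSigningKeys derives an Ed25519 key pair from a 32-byte seed.
// A signature gives authenticity: anyone holding the public key can check
// that the holder of the private key produced exactly this message.
func NewSigningKeys(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	key := make([]byte, 32) // AES-256 key; in practice loaded from a KMS, never hard-coded
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	aad := []byte("client-record:1001")                 // constructed context, not secret
	record := []byte("acct=123456789 ssn=***-**-6789") // constructed sample NPPI

	sealed, err := Encrypt(key, record, aad)
	if err != nil {
		panic(err)
	}
	back, err := Decrypt(key, sealed, aad)
	fmt.Printf("decrypted ok: %v (%q)\n", err == nil, back)
	fmt.Printf("bit flip rejected: %v\n", TamperDetected(key, sealed, aad))

	seed := make([]byte, ed25519.SeedSize)
	rand.Read(seed)
	pub, priv := NewSigningKeys(seed)
	sig := Sign(priv, record)
	fmt.Printf("signature valid: %v, altered message valid: %v\n",
		Verify(pub, record, sig), Verify(pub, append(record, '!'), sig))
}
```

Run it with `go run`. The point of TamperDetected is that encryption by itself would not notice the flipped bit; GCM's tag is what turns encryption into an integrity guarantee, and the associated data is what stops a valid ciphertext from being replayed under a different record. The same program also shows that the signature, unlike the tag, can be checked by a party that holds only the public key.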
- Infrastructure security
Infrastructure security deals with the protection of internal and extranet networks, labs, data centers, servers, desktops, and mobile devices.
- Incident response
Incident response is the function that monitors for and investigates potentially malicious behavior.
In preparation for breaches, IT staff should have an incident response plan for containing the threat and restoring the network. The plan should also provide for preserving evidence for forensic analysis and potential prosecution; that evidence helps staff identify the attacker and prevent further breaches.
- Vulnerability management
Vulnerability management is the process of scanning an environment for weak points (such as unpatched software) and prioritizing remediation based on risk. Because businesses constantly add applications, users, and infrastructure, the environment must be scanned continually for new vulnerabilities. Finding a vulnerability before an attacker does can save a business the catastrophic costs of a breach.
What Is The Biggest Threat To Information Security?
When we think of cybersecurity risks, the first thing that often comes to mind is the threat from hackers. However, according to a survey from the Ponemon Institute, the most significant threat to information security isn't hackers but our own employees.
Our employees are our biggest cybersecurity risk
According to their report, “The biggest problem identified in this year’s research is the negligent or careless employee with multiple mobile devices using commercial cloud apps and working outside the office.”
Negligent employees pose an even bigger risk to our data security than external threats. Most of the data breaches identified in this survey were “internal and unintentionally caused by employees who were negligent, careless, or ignored security policies.”
“While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious,” said Larry Ponemon, chairman of the research firm, in a recent interview. “Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today, up 22% since the first survey.”
Therefore JPA Information Security Policy requires an effective workforce education strategy to equip our staff to become human firewalls.
Endpoint security threats
The biggest threats to endpoint security identified in the Ponemon survey were:
- Negligent or careless employees who do not follow security policies – 78%
- Personal devices connected to the network (BYOD) – 68%
- Employees' use of commercial cloud applications in the workplace – 66%
Other findings in the survey that are of interest:
- The number of employees and others using multiple mobile devices in the workplace has increased – 65%
- The number of insecure mobile devices used in the workplace has increased significantly – 45%
- Malware infections are more stealthy and difficult to detect – 45%
- More employees are working offsite and using insecure WiFi connections – 38%
Unfortunately, an information security team can’t simply install an appliance to solve this behavior. However, we can educate staff with regular reviews and testing to raise awareness of security policies and the associated risks if they’re ignored.
Preventing an employee-caused data breach can be incredibly difficult. But there are several ways to get a better handle on the issue:
Raise Awareness
Routine reminders and training go a long way toward ensuring that everyone understands that information security is everybody's responsibility. Make sure everyone is familiar with the basics:
- the established security policies;
- that removable storage devices (USB drives, disks, etc.) are easily lost or stolen;
- that emails containing sensitive data should be encrypted, so that if they are sent to the wrong person they remain protected; and
- that third-party file-sharing and storage websites (Dropbox, Google Drive, etc.) are outside the Company's control and should not be trusted with sensitive data.
Assess the risk
Identifying data storage and distribution practices is the first step to uncovering any vulnerabilities that could exist.
- Have there been any breaches in the past? If so, what were the causes?
- How are confidential files typically transferred and stored?
- What are the common practices for accessing information from mobile devices?
Regularly review regulatory compliance requirements
Many organizations are required to audit and report on their data security initiatives to remain compliant. As security tools mature there is the opportunity to implement routine security health checks on people, processes, and technologies.
JPA Information Security Policy
Purpose
The purpose of the Information Security Policy is to protect sensitive, confidential and/or proprietary information belonging to consumers, clients and to the Company and to ensure compliance with our Gramm-Leach-Bliley Act (“GLBA”) and Red Flag Policies.
Applicability
The Policy applies to all individuals who have access to the Company’s information and resources.
Definitions
Non-Public Personal Information (NPPI) includes the following, whether contained in printed or electronic form:
• Date of birth
• Bank account information, including account numbers for checking, savings and trust accounts, loan accounts, medical savings accounts, or any other account held at a financial institution
• Certificate of Citizenship
• Copies of passports
• Non-public phone numbers or phone records
• Credit card information, including:
  - Credit card number (in part or in whole)
  - Credit card expiration date
  - Cardholder name
  - Cardholder address
• Payroll information, including:
  - Paychecks
  - Pay stubs
  - Pay rates
• Child support information
• Credit information, including copies of credit reports
• Driver's license number, photocopies of a driver's license, and/or driving abstract
• Taxpayer ID numbers, including:
  - Social Security Number
  - Social Insurance Number
  - Business Identification Number
  - Employer Identification Number
• Unemployment information
• Medical information, including but not limited to doctor name(s), medical claims, insurance claims, prescriptions, treatment(s) or diagnoses, and any related personal medical information
• Bankruptcy information
• Financial information, including bank balances, payment amounts, past-due amounts, etc.
Procedures: Physical Documents
All documents containing Personally Identifiable Information or sensitive, confidential or proprietary information must be stored in a secure location on Company property, such as a locked drawer or cabinet. In accordance with the records retention policy, information no longer needed must be shredded by an authorized vendor or with an approved in-house shredding device.
Electronic Information
Password Policies
All Company electronic devices must be password protected. Company passwords must be single user, non-trivial, hard-to-guess, and non-repetitive passwords that have no direct relationship to the password user and/or creator.
Initial passwords will be unique and must require a password change upon first login. Passwords used will be of sufficient complexity that they are not easily guessed. This includes such characteristics as:
Passwords will be at least eight characters long; a semi-pronounceable string is preferred where possible.
Passwords must contain characters from at least 3 of the following 4 classes: numbers, special characters, upper-case letters, and lower-case letters. Passwords should not be obviously related to the user. This includes such items as spouse, children, or pet names or nicknames, license numbers, or phone numbers.
Passwords will not be shared across multiple users, or across multiple computer systems.
Passwords will be changed periodically as determined by the password policy for each system--in general this will be every 60 days. On automated systems with the capability, users should receive prior notice that their password is about to expire so that they are provided ample opportunity to change their password.
Administrator passwords will not be shared.
Training in proper password selection and protection, and in administrative password policies, should be conducted with all new employees and reviewed annually as part of the Company's annual Security Awareness Training.
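The complexity and rotation rules above can be enforced mechanically at password-change time. The Go program below is an added example written for this page, not JPA's own tooling: CheckPassword applies the eight-character minimum, the three-of-four character-class rule, and the "not related to the user" rule by normalizing both the candidate and the user's attributes (names, spouse/child/pet names, phone and license numbers) and looking for overlaps, with a small constructed common-password list standing in for a real breached-password feed; PasswordStatus applies the 60-day rotation interval and reports the days remaining so users can be warned ahead of expiry. The UserContext fields, the function names and the sample user are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
	"unicode"
)

// Policy values taken from the password policy above.
const (
	MinLength  = 8
	MinClasses = 3  // of upper, lower, digit, special
	MaxAgeDays = 60 // rotation interval
)

// UserContext carries the attributes a password must not be built from.
// The field set is an assumption; map it to what the identity store holds.
type UserContext struct {
	Username, FullName string
	Related            []string // spouse, children, pet names, nicknames
	Identifiers        []string // phone numbers, license numbers, employee IDs
}

// commonPasswords is a constructed stand-in for a breached-password list
// (e.g. a Pwned Passwords export); a few entries so the example runs offline.
var commonPasswords = map[string]bool{
	"password": true, "password1": true, "welcome1": true,
	"qwerty123": true, "letmein": true, "12345678": true,
}

// normalize lowercases s and drops everything but letters and digits, so
// "555-123-4567" and "555 123 4567" compare equal and "Rex!" matches "rex".
func normalize(s string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(s) {
		if unicode.IsLetter(r) || unicode.IsDigit(r) {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// CheckPassword returns every policy violation found; an empty slice means
// the candidate is acceptable. Reuse across systems or users is not checked
// here, since that needs each system's password history.
func CheckPassword(pw string, u UserContext) []string {
	var problems []string
	if len([]rune(pw)) < MinLength {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", MinLength))
	}
	var upper, lower, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true // punctuation, symbols, space
		}
	}
	classes := 0
	for _, present := range []bool{upper, lower, digit, special} {
		if present {
			classes++
		}
	}
	if classes < MinClasses {
		problems = append(problems, fmt.Sprintf("uses %d of 4 character classes, need %d", classes, MinClasses))
	}
	norm := normalize(pw)
	if commonPasswords[norm] {
		problems = append(problems, "appears in the common-password list")
	}
	// Name-like attributes are checked word by word (Jane, Smith, Rex);
	// identifiers are checked as one normalized digit/letter string.
	for _, name := range append([]string{u.Username, u.FullName}, u.Related...) {
		for _, word := range strings.Fields(name) {
			if w := normalize(word); len(w) >= 3 && strings.Contains(norm, w) {
				problems = append(problems, "contains user-related term "+word)
			}
		}
	}
	for _, id := range u.Identifiers {
		if n := normalize(id); len(n) >= 4 && strings.Contains(norm, n) {
			problems = append(problems, "contains user identifier "+id)
		}
	}
	return problems
}

// PasswordStatus applies the rotation rule: expired once MaxAgeDays have
// passed since the last change; daysLeft goes negative when overdue so a
// scheduler can notify users before expiry.
func PasswordStatus(lastChanged, now time.Time) (expired bool, daysLeft int) {
	age := int(now.Sub(lastChanged).Hours() / 24)
	daysLeft = MaxAgeDays - age
	return daysLeft <= 0, daysLeft
}

func main() {
	// Constructed sample user; no real person.
	u := UserContext{
		Username: "jsmith", FullName: "Jane Smith",
		Related:     []string{"Rex", "Tommy"},
		Identifiers: []string{"555-123-4567", "DL123456"},
	}
	for _, pw := range []string{"Tr0ub4dor&3", "Rex2024!", "password", "Smith5551234567"} {
		fmt.Printf("%-16s -> %v\n", pw, CheckPassword(pw, u))
	}
	changed := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	expired, left := PasswordStatus(changed, changed.AddDate(0, 0, 61))
	fmt.Printf("expired=%v daysLeft=%d\n", expired, left)
}
```

The normalization step is what catches "Rex2024!" and "Smith5551234567" even though both satisfy the length and class rules, which is where a naive regex-only check fails. Note that NIST SP 800-63B now advises against forced periodic rotation absent evidence of compromise; the 60-day window in PasswordStatus simply encodes the Company policy as written.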
Company users will protect their passwords from any and all other individuals, and users should also respect this requirement of co-workers. This guideline is intended to include such items as:
• Disclosure of a Company user's password to any person other than the password’s owner is prohibited
• A Company user should not enter his or her password while someone else is watching; respect personal privacy zones.
• Company users should not watch any other Company user enter their password.
• Passwords will not be written down in any readable form, or programmed into any computer system or key for automatic login, recall, display or other use.
• Passwords created for training purposes will be unique, changed regularly, and restricted to systems designated as training resources. All training systems will have passwords. Training passwords will be activated only while training is in session.
Unattended User Equipment
• Company equipment will be kept in controlled Company spaces.
• Mobile devices will not be left unattended unless they are logged off and kept in a secure area such as a hotel room or home.
• Unattended systems will automatically lock after 10 minutes of no activity.
• Sessions will automatically terminate on systems that have not been accessed for 30 minutes or more.
Firewalls
• A firewall shall be used to protect computers from attackers while they are connected to the Internet.
• The computer network shall have a defined border (perimeter firewall) where it connects to the Internet.
• Additional firewalls shall be used to protect computers containing Personally Identifiable Information.
• Firewall configurations and rule sets shall be reviewed periodically.
Laptop Security
• Laptop use is restricted to employees who need them to perform their job responsibilities.
• Laptops shall be stored in a secured area.
• Authorized laptop users will have access to Personally Identifiable Information but shall not store such information on laptops.
• Employees must not leave a laptop visible in an automobile, residence or hotel luggage stand or in “checked” luggage at an airport unless directed to do so by airport security.
• If a laptop must be left in a vehicle, it must be locked in the trunk.
Remote Access (Computers & Laptops)
This policy applies to all Company employees, contractors and vendors who need to connect to the Company network from outside sources. Any outside access to all or any part of the Company network is to be made through secure, hardened and verified equipment. Secure equipment is limited to computers, laptops, and mobile devices that meet the following requirements:
• Updated and current Anti-virus software.
• Locally installed firewall software.
• Remote management software.
• Updated OS and application patches.
• Authorized VPN or Citrix client software.
Storing or printing Company or Client information from remote devices is strictly prohibited.
General access to the Internet for recreational use by employees and their immediate household members on firm provided computers is not permitted.
Sharing passwords, access codes or any other identification for purposes of gaining access to the Company network is strictly prohibited.
Work From Home: wireless networks must use acceptable security measures, including WPA2 (or WPA3) encryption and access lists; the original WPA with TKIP is deprecated and does not count as acceptable. Proof of acceptable measures is to be provided.
These home networks are the sole personal responsibility of the owner and will not be supported by the Company.
Company employees with remote access privileges to the Company's network must not use non-Company email accounts (e.g., Hotmail, Gmail, Yahoo, AOL, BlackBerry Internet Service) or other external resources to conduct Company business, so that private data is not sent across public networks and official business is never mixed with personal business.
Storing a user ID and/or password statically in a device or synchronization client to permit mobile device synchronization is explicitly prohibited.
Reconfiguration of provided equipment is strictly prohibited.
Non-standard hardware configurations must be reviewed and approved by security and network managers prior to connection to any and all parts of the Company’s network.
Remote Access (iPhones, PDA’s & Smartphones)
Portable communications devices have become an essential part of business operations. The following guidelines apply:
• Only Company owned devices will be permitted to connect to the network.
• Communication paths must be secured and/or encrypted using a minimum of 128-bit encryption (for example, TLS with AES-128 or stronger).
• Personal devices will not be tethered to Company computers or laptops for sharing or synchronizing Outlook information.
Additional Information
Cybersecurity Pop Quiz by Cybercrime Magazine