Recent breaches highlight the need for increased information security governance:
Target Corporation suffered a massive data breach beginning November 15, 2013, when attackers compromised the company’s payment system and exposed more than 40 million debit and credit cards. The intrusion was traced to a third-party vendor that had access to the Target network. Corporations often grant third-party vendors remote network access to perform periodic maintenance on information systems. It is believed that the attackers stole the vendor’s network credentials, which allowed them to reach Target’s payment system. Costs related to the breach pushed Target’s 2013 fourth-quarter profit down 46 percent, and sales fell 5.3 percent. Target suffered reputational damage as well as an impact to its bottom line, and in the aftermath of the breach the Chief Information Officer resigned.
Obviously no entity wants this sort of breach to occur. Increased information security governance can help to mitigate the risk of data breaches, but there is no “silver bullet” to ensure data security. In the face of a constantly changing threat landscape, IT managers and executives have to evolve along with current threats. Effectively managing the security of data is an ongoing process. Earlier this month, at a conference for federal IT professionals, David Aucsmith, senior director of Microsoft’s Institute for Advanced Technology in Governments, offered this assessment of the current state of play in information security:
“I do not believe you can create secure computer systems, so where does that leave you? Systems have to adapt and change in the presence of your adversaries, and you have to understand your adversary in order to adapt and change those systems.”
Aucsmith’s comment illustrates a concept that many professionals within the information security field are already familiar with. As hackers become more advanced and persistent in their attacks, information security professionals must evolve as well. Information security controls can no longer be designed once and be expected to be sufficient to protect an organization over time. An entity’s policies, procedures, and controls need to evolve along with the changing threats. Also, structuring compliance activities around a once-a-year audit is not enough to mitigate the risk of the changing threat landscape.
Techniques such as continuous monitoring can help to mitigate the risk of control failures over time. The National Institute of Standards and Technology (NIST), in Special Publication 800-137, defines continuous monitoring as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” An example of a continuous monitoring control that could be used to mitigate the risk of user access issues is an access change report that monitors a system for changes in users’ access rights. Each change generates an alert to an administrator, who must record their review and approval (or rejection) of the change, so that an unexpected grant of access, such as a vendor account acquiring rights on a payment system, is noticed and acted on rather than discovered at the next annual audit.
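The following is an added example, not code from the original post or from Linford & Co., of how such an access change report can be built: it diffs two snapshots of user-to-rights assignments, raises an alert for every grant or revocation (escalating changes that involve privileged rights), and keeps a record of each reviewer’s decision so that unreviewed alerts can be listed. The user names, right names, the `PRIVILEGED_RIGHTS` list and both snapshots are constructed sample data and are assumptions; a real deployment would pull the snapshots from the system being monitored (a directory, a database’s grant table, an application’s role mapping).

```python
"""Access-change monitor: diff two snapshots of user -> access rights.

Added example (not the original post's code). All users, rights and
snapshots below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Rights whose grant or revocation is escalated (constructed list; an
# assumption for this example, to be tailored to the monitored system).
PRIVILEGED_RIGHTS = {"admin", "payment_system_write", "db_owner"}


@dataclass(frozen=True)
class AccessChange:
    user: str
    right: str
    action: str        # "granted" or "revoked"
    privileged: bool   # True when the right is in PRIVILEGED_RIGHTS


@dataclass
class ReviewRecord:
    change: AccessChange
    reviewer: str
    approved: bool
    reviewed_at: str   # ISO-8601 UTC timestamp


def diff_access(previous, current):
    """Return every AccessChange between two snapshots.

    A snapshot maps username -> set of right names. A user missing from
    one snapshot is treated as having no rights there, so newly created
    and deleted accounts surface as grants and revocations as well.
    """
    changes = []
    for user in sorted(set(previous) | set(current)):
        before = set(previous.get(user, ()))
        after = set(current.get(user, ()))
        for right in sorted(after - before):
            changes.append(AccessChange(user, right, "granted", right in PRIVILEGED_RIGHTS))
        for right in sorted(before - after):
            changes.append(AccessChange(user, right, "revoked", right in PRIVILEGED_RIGHTS))
    return changes


class AccessChangeMonitor:
    """Raises one alert per change and tracks which alerts have a recorded review."""

    def __init__(self):
        self.pending = {}   # AccessChange -> alert text, until reviewed
        self.reviews = []   # ReviewRecord, the audit trail of decisions

    def alert(self, changes):
        """Open an alert for each change; privileged rights are flagged HIGH."""
        for c in changes:
            severity = "HIGH" if c.privileged else "INFO"
            self.pending[c] = f"[{severity}] {c.user}: {c.right} {c.action}"
        return list(self.pending.values())

    def record_review(self, change, reviewer, approved):
        """Close an open alert with the reviewer's decision and keep the record."""
        if change not in self.pending:
            raise KeyError(f"no open alert for {change}")
        del self.pending[change]
        rec = ReviewRecord(change, reviewer, approved,
                           datetime.now(timezone.utc).isoformat())
        self.reviews.append(rec)
        return rec

    def unreviewed(self):
        """Alerts still awaiting a recorded review, e.g. for a daily report."""
        return sorted(self.pending.values())


# Constructed snapshots: yesterday's and today's user -> rights mapping.
PREVIOUS_SNAPSHOT = {
    "alice": {"reporting_read"},
    "bob": {"reporting_read", "admin"},
    "vendor_hvac": {"vendor_portal"},
}
CURRENT_SNAPSHOT = {
    "alice": {"reporting_read"},
    "carol": {"reporting_read"},
    "vendor_hvac": {"vendor_portal", "payment_system_write"},
}


def run_example():
    """Diff the constructed snapshots, alert, and record one review."""
    monitor = AccessChangeMonitor()
    changes = diff_access(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT)
    alerts = monitor.alert(changes)
    # The reviewer rejects the vendor account's new payment-system right.
    vendor_grant = [c for c in changes if c.user == "vendor_hvac"][0]
    monitor.record_review(vendor_grant, "sec-admin", approved=False)
    return changes, alerts, monitor


if __name__ == "__main__":
    _, alerts, monitor = run_example()
    print("\n".join(alerts))
    print("still unreviewed:", len(monitor.unreviewed()))
```

Running the module prints four alerts, one of them `[HIGH] vendor_hvac: payment_system_write granted`, and reports three still unreviewed after the vendor grant is rejected. The alerts a reviewer has not closed are exactly what the access change report should surface each day; the `reviews` list is the evidence an auditor would ask for.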
An ongoing risk assessment process is another tool that can be used to assess risks over time and incorporate new controls as necessary to mitigate them. Incorporating a risk assessment discussion into already scheduled meetings is a good way to ensure that risks are considered over time. An entity’s risk assessment following the Target breach might examine its contractor account handling process and implement additional controls, such as restricting what contractor accounts can reach or segregating contractor access onto a separate network.
Increased information security governance and an awareness of the changing threat landscape can help reduce the chance of more breaches like the Target incident. While there is no “silver bullet” to ensure data security, more frequent risk assessments and continuous monitoring controls can help identify and remediate issues before large scale breaches occur.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.