In the threat environment that corporate entities face today, there is no room for ostriches that will bury their heads in the sand and wait for the worst to pass.
What exactly are we talking about?
The Information Security Glossary defines a breach of security as an event in which a stated organizational policy or legal requirement regarding information security has been contravened.
Any incident in which the confidentiality, integrity and/or availability of information has been inappropriately affected can be considered a security incident. A security breach often begins as a security incident: the incident is confirmed and attempts are made to contain it, and if containment fails, an actual breach occurs.
In other words, acts that bypass existing security policies, procedures and controls of an organization constitute a security breach.
Why should you be concerned about a security breach?
Security breaches focus on the compromise of information assets and can create a reasonable risk of harm. Financial losses from security breaches have increased over the years, monetary gains being the driving factor for the perpetrators.
With newer and more sophisticated security threats emerging, existing technologies, if inadequately protected, are not capable of withstanding security breaches. Add to this the development of sophisticated malicious software that serves as an easy tool for perpetrators, the increasing theft of laptops and mobile devices, and increased insider abuse of network system access, and you have enough reasons to be concerned about security breaches.
Choose your stance: Reactive or Proactive
We all hope that no security incident or breach will ever hit our organization, but sadly, every network is susceptible to attack. However, we can choose to be prepared instead of just hoping that nothing happens. As a rule of thumb in security, you cannot afford to start planning your response only once you are hit; security needs to be addressed on an ongoing basis.
Security breaches can have a devastating effect on your organization’s mission goals and reputation.
Along the lines of the old saying that it is “better to be safe than sorry”, a proactive approach to security breaches is the wise way forward in today’s threat environment.
Federal Laws
Today, regulatory oversight surrounding security breaches and their notification is very strong, and compliance is strictly enforced. Almost every industry has precisely outlined security regulations that need to be followed. Non-compliance penalties, especially in the face of a security breach, are infamously hefty. Listed below are some of the laws applicable to various industries:
Gramm-Leach-Bliley Act (GLBA)
The GLBA applies to “financial institutions” as defined by the law, that is, institutions “significantly engaged” in “financial activities.” This does not mean only banks, but also securities firms, insurance companies, and institutions providing other financial products and services to consumers.
Financial institutions are required to follow standards set forth by the GLBA to protect the security, confidentiality and integrity of non-public customer information through administrative, technical and physical safeguards. Financial institutions are prohibited from sharing any non-public information with nonaffiliated third parties. They must have a security program that addresses the monitoring systems and procedures used to detect actual and attempted attacks or intrusions into information systems that contain customer information. The response to such attacks should include reporting to regulatory and law enforcement agencies.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA applies to entities that handle confidential medical information, better known today as Electronic Protected Health Information (ePHI). The law requires the preservation of the security, integrity and privacy of confidential medical information.
HIPAA is enforced by the U.S. Department of Health and Human Services (HHS). HHS has issued regulations that require covered entities to ensure the protection of patient information through administrative, technical and physical safeguards.
HIPAA regulations provide a framework for how security should be managed by any facility that creates, accesses, shares or disposes of patient information.
Fair and Accurate Credit Transaction Act (FACT Act): New Regulations
These new regulations impact financial institutions and creditors such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies that offer or maintain one or more covered accounts. The mandatory compliance date for these final rules is November 1, 2008.
The new rules and guidelines require the following primary components:
• Development, implementation and enforcement of an Identity Theft Prevention Program
• Performance of on-going and comprehensive risk assessments
• Development of specific policies, procedures and practices to combat identity theft issues
• Training for entity personnel
• Management and oversight of the Program
• Oversight of service providers
Payment Card Industry Data Security Standard (PCI-DSS)
Visa International, MasterCard Worldwide, American Express, Discover Financial Services, and JCB formed the PCI Security Standards Council. It is an independent industry standards body that oversees the development and management of Payment Card Industry security standards on a global basis, ensuring the safeguarding of cardholder data and standardizing protection against fraudulent activities.
State Laws
Thirty-five states, plus the District of Columbia, have now enacted laws (California – 2003, Florida – 2005) requiring businesses to provide notice of security breaches affecting personal information.
Florida Security Breach Notification Law
The Florida Statute § 817.5681 requires organizations to notify clients within 45 days of a security breach, if it is reasonably believed that the unencrypted personal information of a Florida resident has been acquired by an unauthorized person.
Penalty:
Failure to do so can result in a fine of $1,000 per day, up to a maximum fine of $500,000.
Timing of Notice:
The timing of the notice may be delayed upon the request of law enforcement if notification would jeopardize a law enforcement investigation. Organizations will be deemed to be in compliance with the Florida law if they comply with notification procedures under their federal regulatory agency’s guidelines.
Dealing with a Security Breach
Organizations that face a breach are often left puzzled as to how to proceed next. A security breach handling methodology can be divided into five phases.
Prevention – An understanding of the overall company infrastructure is essential: who are the internal and external system users, what are the operational and business processes, the information systems, the technological and security infrastructure in place, and the potential areas of exposure? Is this enough? Of course not. Organizational security must be tested, keeping the above considerations in mind, by way of security risk assessments, security audits, vulnerability assessments and penetration tests, ongoing security monitoring, and the application of patches and updates.
Detection – Acceptable and unacceptable behaviors are defined. Employees are made aware of them and trained to detect, react to and report suspicious activities. Events from Intrusion Detection Systems/Intrusion Prevention Systems, routers, operating systems, databases and applications are combined in event log correlation applications. Organizations should keep in mind that reporting security incidents to regulatory bodies, legal counsel and customers is very important. Also, each activity needs to be documented.
Containment – The goal of this phase is to limit the extent of the attack in terms of its potential damage and impact. Organizations need to undertake a series of steps to achieve this, including applying changes to systems to control the attack, defining response strategy options, establishing notification and escalation procedures, documenting the details, conversations and actions related to the breach, and reporting to regulatory agencies, customers and other affected parties.
Investigation – This phase seeks the answers to the “who, what, how, when and where” questions surrounding the security breach. The approach has to be a systematic and structured one. Investigation could also involve evidence collection, documentation, conducting forensic investigations and finally determining if the investigation needs to be continued further or not.
Resolution and Reporting – A final report, including a forensics report (if applicable), is prepared at this point. A very important part of this phase is following up on the breach. The follow-up also determines the type and extent of future training required for the organization’s personnel.
Another aspect which is often ignored, but is possibly one of the most significant, is the establishment of clear lines of responsibility and communication in the event of a breach. There also needs to be a list of people to be contacted at such times.
Conclusion
Very often, organizations might be tempted to tighten the part of their already restricted IT budget slated for controlling security breaches. You cannot have security for free, but the right approach can make a considerable difference in cost. Ongoing testing efforts founded on a plan encompassing not just IT but also physical security, human resources and even public relations will prove to be a cost-effective strategy.