When it comes to protecting your customers' personal nonpublic information, like it or not, you are responsible. This is not another discussion about hackers and firewalls, for they are only part of the equation. Instead, this is about understanding the regulations states and the federal government are putting in place, why you are responsible, and how to ensure the stewardship of your customers' personal nonpublic information.
These new regulations are being driven primarily by a flood of identity theft cases. One of the latest high-profile cases was announced last fall when a former help-desk employee of a credit-aggregating company was arrested for selling over 30,000 credit reports stolen through the three major credit-reporting firms. Confirmed damages currently are over $2.7 million, with more expected. While the lawsuits haven't begun, you can bet attorneys are gearing up to sue everyone with pockets, deep or otherwise.
In response to consumer concerns, states have begun to establish new laws and/or regulations based on NAIC Model Regulation 673, Standards for Safeguarding Customer Information. Up to now, 28 states have adopted or are about to adopt a form of this rule. Virtually every state will have some form of the regulation in place in the near future.
The penalties for noncompliance vary from state to state and include licensing implications and possible government oversight of the information security at your business. More important, they could cast a large shadow over your relationship with your most important audience, your customers.
The goal of the regulation is to establish standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of consumer information. It mandates that any business subject to regulation by the Department of Insurance in that state establish and maintain an Information Security Program. Each state's regulation is slightly different. More detailed information is available on achieving and maintaining compliance. (Visit http://StateRegs.e-sure.us to get information on current state and federal rules and regulations.)
In the end, this regulation translates to the requirement to have a written information security (IS) program in place to address the potential exposures specific to the information with which you are entrusted and relevant to your insurance business.
Creating Your IS Program
Information security compliance is a critical business issue, not merely a technical one. The loss of information entrusted to your business can have a huge impact on the financial lives of both your customers and your business. Therefore, management needs to understand and bear the ultimate responsibility for compliance to regulations and be prepared to marshal the resources necessary to create and maintain an effective IS program, including:
Step 1: Gain support and build a team. With management sponsorship and support, build a team of internal and, if necessary, external human and technical resources to assess, build, and/or test the organization's IS posture. The team should include at least one representative from each department that has access to the company's information resources.
Step 2: Begin the assessment process. To make the best possible decisions, assessment must begin by building a prioritized list of the company's information assets. The list should include computer hardware and software as well as network and telecommunications infrastructure. Catalog, at a high level, the information contained in both the systems (electronic information) and the filing cabinets (hard-copy information). These are the assets an information thief would breach to find value.
Step 3: Assign value to the information assets. Once a thorough list has been compiled, you'll want to assign a value to each of the assets. The need for a multidisciplinary team now begins to become apparent.
Accounting professionals in the firm can assist by helping to define approximate values of hard assets.
IT can add the human costs of configuration and maintenance of the systems.
Marketing, together with others, will define the costs of acquisition, maintenance, and replacement of the data the systems contain.
The resulting assigned values will help prioritize the risk-mitigation efforts later.
Step 4: Identify the threats, evaluate the defenses. The regulation charges you by statute to protect against reasonably foreseeable internal and/or external threats to the information in the organization's care, and meeting this portion of the responsibility is not as simple or obvious as it sounds. Consider not only technical attacks like those of hackers, but physical loss, such as a janitor removing unshredded papers, and administrative losses due to employees misusing data to which they are allowed access as a part of their duties.
Based on all the information collected, begin to evaluate the defenses meant to protect the information assets.
Recruit HR and Legal to help review the written IS policies and procedures to determine if they adequately address potential threats.
Test existing physical and electronic security measures. Are they sufficient and up to date? Do they provide an adequate level of protection given the type of information you have on hand?
Does your IS posture satisfy the due care requirement of the regulations?
Step 5: Compile the confidential report. Compile all findings into a single written confidential report outlining the current status and the measures necessary to reasonably protect the information with which your organization is entrusted. With this information, the insurance organization's management can make informed decisions about IS program needs. In the wrong hands, the report can make the company vulnerable to serious damage, so treat it as confidential.
Keep in mind that at this stage in the IS program you are focusing on developing an information security program and assessing risks, not yet at the point of implementing the necessary security-related technologies. Throughout this process, it may be beneficial to seek guidance from an outside resource. However, when engaging external security professionals, require security industry certifications (not just vendor certifications) and carefully evaluate the company they represent.
Striving for Compliance
The IS program doesn't end at assessment. Once the current state of your organization's information security posture is understood, a plan to become compliant with the appropriate regulations needs to be developed and deployed. Given that each state may modify the regulation, your plan may need to consider compliance with more than one standard. A properly constructed report contains a defined listing of risks, ranked in order of vulnerability and of value to the business, the assets, and the privacy of customer information.
General steps to put the plan into action and satisfy the regulation(s) include:
1. Add policies and procedures found missing, and modify those identified as inadequate.
2. Communicate all policies, guidelines, and procedures to employees. Ensure employees' understanding of the importance of adherence to the standards and that they are personally an integral component of the IS solution. In fact, consider making adherence a condition of employment.
3. Add the appropriate technologies (software, systems, routers, and firewalls) and update existing systems with security patches provided by the manufacturers.
4. As defined in Sections 7 and 8 of the regulation, plan and budget for ongoing internal or external vulnerability assessments. A good provider or system will alert you when a new vulnerability is found or a manufacturer's update is available, and will ensure any newly installed software or equipment meets the requirements laid out in your IS policies.
5. Periodically, have the internal IS team test for compliance using the physical requirements of the IS program as the guideline.
Going Forward: Continued Compliance
To ensure continued compliance, conduct a periodic risk analysis (annually, at an absolute minimum). It also is a generally accepted best practice to validate your results with an external, unbiased IS resource. From the results of the original analysis and each new vulnerability assessment, the final requirement of the regulation can be met; that is, adjust the program. New risks frequently are introduced, so plan to make continual adjustments to the written IS program. As stated in Section 9 of the Model Regulation, modify your program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the licensee's own changing business arrangements.
Security concerns are here to stay and will only increase, especially given these times of increased identity theft and threats to our national security. The burden of protecting the customer information entrusted to your insurance organization is your responsibility and is nontransferable. While these regulations put an added burden on an already-strained insurance industry, the push for these regulations and information protection is coming from those very customers you serve.
Deploying information security best practices strengthens your business posture, allows for compliance, and satisfies your customers' concerns. Remember, a thief generally will go for the easiest score. Make your business secure, and the information thief most likely will look for a more vulnerable target. Getting ahead of the information security issues, completing your assessment, and putting the compliance plan in place will have your organization well prepared as states continue to adopt the new regulation and refine their requirements.
John Ford is a senior information security consultant with e-SURE, Inc. (www.e-sure.us). His credentials include the Certified Information Systems Security Professional (CISSP) from ISC2. He currently is a board member and has served as chairman of the SANS Institute Information Security Officer Advisory Board.
The content of Inside Track is the responsibility of each columns author. The views and opinions are those of the author and do not necessarily represent those of Tech Decisions.