Sentries used to ask, "Friend or foe?" and were able to relax when the answer came back "friend." But in today's world of information technology, the question "With friends like these, who needs enemies?" is becoming a catch phrase, particularly among those with the title of chief information security officer (CISO). Those charged with protecting a company's electronic assets have had to concentrate their efforts on combating the growing trend of internal menace.
Over the last decade information security has moved from firewalls and stopping hackers to compliance and keeping the company out of trouble, explains Roger Nebel, who heads up the strategic security practice for FTI Consulting. He believes there is an increasing awareness of internal threats but points out those threats have always been there. The focus for security has become internal–from screening employees and putting computer security controls in place to creating a need-to-know system where business users can look at one document but not another.
People in the security community know their job is to protect assets whether attacks are intentional or unintentional, according to Kevin Yeamans, IT security and compliance leader with GE Insurance Solutions. "Largely, the intentional threats were perceived to be external in nature, although you always have the threat of internal people stealing data and exposing it outside the company," he says. "But the larger threat always has been unintentional destruction or modification."
Quite often employees are unaware what they are doing is dangerous. Yeamans cites examples such as a business user creating data to send to a customer and not being careful about making sure the information is scrubbed and the file has only the data that particular customer needs to see. In such cases, employees potentially are exposing internal pricing practices or claims practices to outsiders.
Don Casson, CEO of Evergreen Systems, explains a big part of what his strategic consulting firm does is to help the IT function of clients to become more compliant with policy. One of the big challenges in security he sees is some threats and weaknesses are caused by actions taken in IT as opposed to a threat from a sophisticated hacker. "The hackers typically are exploiting weaknesses exposed to the market at large," he says.
ID the Threats
What do internal threats look like? Casson indicates threats can come from three areas: the application development department, the infrastructure, and the data center. In applications, companies are leveraging all sorts of open-source code and service-oriented architectures. "These are driving a higher degree of interaction from components of code," he says. There also is an infrastructure level that is expanding rapidly outside the company's firewall. "We have this really synchronistic business network," he continues. "Speed and accuracy are critical. That means those things will be electronically open to us, and there's a possibility it will create more exposure to security issues."
As for the data center, Casson adds there used to be a server for every application, but that's quickly disappearing into a virtual-server environment. "If you think about using multiple operating systems on a rack or server cards and multiple applications in who knows how many integrations, what levels of security are processing through that mass of stuff? And how do we protect it?" he asks. "The server structure is becoming a capacity function. That blurring of the computer power line is one of the biggest risks in the next couple of years."
Internal security issues derive from three concerns, states Nebel: What breaches happen more often? Which are more preventable? How would you prevent them? Just as companies have a control objective that ensures financial reporting is accurate, another control objective might allow only authorized people to update the spreadsheet and make changes to reporting. "You might have specific controls at that level–steps, procedures, or technology put in place to achieve the control objective," he says. Often companies need what are called compensating controls. "If one control is only partially effective, you have an additional control," Nebel suggests. An example of a compensating control is two people having to sign checks for amounts above $50,000. Those controls prevent both malfeasance and error, he adds. "Good hiring practices, training, and checks and balances are your controls against errors," he says.
When Evergreen describes a proactive approach to security, the consultants want clients to put in those policies upfront when work is planned, because as the work is launched and sent down through the organization, some mid-level database administrator or programmer isn't likely to know the security policies or the governance compliance policies. "People just are beginning to think about effective enterprise process when it comes to security compliance," Casson says.
Bountiful Data
User access to too much data often is the problem a business faces. What has changed for GE Insurance Solutions, notes Yeamans, is data access is granted on the basis of a person having a demonstrated need for access to a particular data set or a particular view of the data.
Insurers have customer data to consider and business practices to protect, Yeamans acknowledges. "You can't maintain a competitive edge if your pricing information and your pricing practices are being exposed outside your business, whether it is intentional or unintentional," he says.
However, restricting data is not easy, Yeamans concedes. It starts back with the application design or a data model design phase to understand what data is available within a certain application. "You have to understand data models and whether there is a view into the database," he says. "What kind of information is there to see?"
For example, Yeamans explains, security people need to look into some HR databases, but they don't need to see salary information. "There are certain things you do and don't need to see," he says. The same goes for insurance-type data, he points out. Some business users may need to see policy information, but they may not need to see a policyholder's medical history. Carriers need to understand what data is there and what the business need is.
Access to data was driven by what Yeamans calls look-alikes. "Business users would ask for the same access as someone with a similar job title. We've backed down from that and gone to role-based access," he says. "For each set of data and applications, there has to be a defined set of roles. This is what the job function is, and this is the type of data you will need or be able to manipulate based on your role."
Getting to that role-based model has been difficult, Yeamans admits, but in the long run it's been worthwhile because it has raised the level of controls within the company.
At Selective Insurance, business owners of the data are the ones responsible for issuing access authorization. "They will tell us for this role–say, someone who's a claims management specialist–it's appropriate to allow access to that particular business system," says John Ciccolella, manager of information security. "The profiles are critical to making it manageable. You manage by the profile or the job responsibility, not each employee." In the normal course of events, the business owners are used to this process. "There's good buy-in," reports Ciccolella. "They need their information to be accessible, but they also understand the need to keep it private."
Separating the Data
There is a lot of awareness and education that has to go into separating the data, Yeamans indicates. Users have to be made aware of the implications involved in issues such as data privacy. "We have to get privacy notices in front of people who are doing DBA-type work," he says. Database administrators have a high level of access, and they have to be educated. "We tell them they may be exposed to this kind of data in their daily work, and it's incumbent on them to be cognizant they're being treated as a trusted employee in this position, and there are nondisclosure implications that come with accepting that role," he says.
Some business users may feel the information security people are coming down on them, but that is where education plays a big part. "You show them a few articles and clips on data, and you make them understand there is legislation in place to govern [data security]," he says. "People can be held culpable for these types of things."
It helps when compliance is being pushed down from the very top of the organization. "Once you get that, it makes your job easier," says Yeamans. "The important thing I try to get across to people is even if we were not a publicly traded organization and were not subject to Sarbanes-Oxley-type legislation, the controls those laws imply are good controls. They make good business sense."
Inadvertent Mistakes
Companies need to review controls involving systems access on a monthly basis, advises Yeamans. A situation companies struggle with is when employees transfer to new positions. "When people move from one area of the company to another, their responsibilities change, and [companies] often grant them new access to be able to do their new responsibilities without addressing their old access," he says. "It's difficult because there's usually a transition period where they'll remain somewhat responsible for old responsibilities. But once they move on and still retain that old access, you have an exposure where that user potentially has inappropriate access."
This is the point where companies need periodic reviews from the applications side. "We need to see they've reviewed it and checked on every person who has access," says Yeamans. "That's why it was so important for us to get to that role-based model."
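The role-based model Yeamans describes, and the periodic review that catches access retained after a transfer, can be expressed as a small access-review check. The following is an added example written for this page; it is not code from GE Insurance Solutions or any of the companies interviewed. The role catalogue, the 30-day hand-over window, the systems, and the employee names are all constructed assumptions. Each user's granted entitlements are compared with the set the current role allows; anything beyond the role is reported as "transition" while the hand-over window is open and as "revoke" once it has closed, so the reviewer sees exactly the old-access exposure the article warns about.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical role catalogue: each role names the (system, permission) pairs
# its job function needs, in the spirit of the role-based model described above.
ROLES = {
    "claims_specialist": {("claims", "read"), ("claims", "update")},
    "underwriter": {("policy", "read"), ("policy", "rate")},
    "security_analyst": {("hr", "read_directory")},  # directory only, no salary data
}

# Grace period during which a transferred employee may still keep old access
# while handing over old responsibilities (value is an assumption).
TRANSITION_DAYS = 30


@dataclass
class User:
    name: str
    role: str            # current job role
    role_since: date     # date the current role was assigned
    entitlements: set    # (system, permission) pairs actually granted


def review_access(users, roles, today, transition_days=TRANSITION_DAYS):
    """Compare each user's granted access with what the current role allows.

    Returns a list of (user, status, detail) findings:
      "unknown_role" - the user's role is not in the catalogue
      "transition"   - extra access held within the hand-over window
      "revoke"       - extra access held past the hand-over window
      "missing"      - access the role requires but the user lacks
    """
    findings = []
    for u in users:
        allowed = roles.get(u.role)
        if allowed is None:
            findings.append((u.name, "unknown_role", u.role))
            continue
        in_transition = (today - u.role_since).days <= transition_days
        # Access beyond the role: the "old access" exposure after a transfer.
        for ent in sorted(u.entitlements - allowed):
            findings.append((u.name, "transition" if in_transition else "revoke", ent))
        # Access the role needs but the user does not have (an operational gap).
        for ent in sorted(allowed - u.entitlements):
            findings.append((u.name, "missing", ent))
    return findings


# Constructed sample population (not real employees or systems).
TODAY = date(2024, 3, 1)
SAMPLE_USERS = [
    # Moved from claims to underwriting 60 days ago; still holds claims update.
    User("alice", "underwriter", TODAY - timedelta(days=60),
         {("policy", "read"), ("policy", "rate"), ("claims", "update")}),
    # Moved 10 days ago; old claims read access is still within the hand-over window.
    User("bob", "underwriter", TODAY - timedelta(days=10),
         {("policy", "read"), ("policy", "rate"), ("claims", "read")}),
    # Access matches the role exactly.
    User("carol", "claims_specialist", TODAY - timedelta(days=400),
         {("claims", "read"), ("claims", "update")}),
    # Role not yet defined in the catalogue: cannot be reviewed by role.
    User("dave", "actuary", TODAY - timedelta(days=5), {("policy", "read")}),
]


if __name__ == "__main__":
    for name, status, detail in review_access(SAMPLE_USERS, ROLES, TODAY):
        print(f"{name:6} {status:13} {detail}")
```

Run monthly, as the article suggests, the "revoke" findings are the items the business owner of each application must act on, and "unknown_role" findings show where the role catalogue itself is incomplete, which is the same gap that "look-alike" access grants used to paper over.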
One other issue carriers deal with is what Ciccolella refers to as "the finger fudge." If an employee has legitimate access to the data and presses the wrong keys, the data can disappear. "We keep a safety net under the data, either for a user failure or a hardware failure," he says. "We have daily backups and routine testing of the restoration so we can get a record back or put data back from an error or from lost hardware."
Backups of data occur daily, Ciccolella notes, and they need to be a routine part of the operation. Selective's business application owners stipulate to IT what they require should a failure occur, and it is up to the security staff to comply. "Different service levels have different prices surrounding them," he says. "If a server broke, the data went away, and we have to have that data back in X number of hours, then that's what we do. The only way we're sure all that happens is through religious testing."
Selective has a formal business continuity plan that tries to identify anything that could possibly interfere with ongoing business. This includes twice-a-year visits by company officials to the carrier's hot site location, Ciccolella says, where they walk through a scenario that's meant to appear as if the carrier had lost access to its headquarters. "The testing gets down to a thing as small as an inadvertent deletion of a record that needs to be recovered," he says. "In the business continuity plan, you have to think of the small things that happen on a routine basis and the large things that hopefully never happen."
There is no way a company can be protected completely against inadvertent attacks on its systems, Casson admits, but he adds a lot of mistakes come from poor planning and poor review before activities occur. "It's not the actual activity done at one level that creates the problem, it's conflicting activity done at another level or a lack of awareness of that activity at a third level," he says. "If you look at the system outages IT organizations suffer–and that could be the ultimate proof of a mistake–I'd say 90 percent of those are caused by their own haste."
It is rare for a system to break on its own, Casson points out. Once a system is operating, it tends to maintain that state of operation, but changes made to the system often are what cause breakdowns, he believes, and it's usually the impact of those changes on other processes that cause the failure. "It's all these 'we didn't realize' or 'we didn't know' statements that really drive the problem," he says. "The other thing about making mistakes is even though you can't prevent them, if there are checkpoints, depending upon criticality, you can prevent them from becoming a systems failure."
Pick Your Poison
There are two ways, according to Casson, to look at security: a proactive approach and a reactive view. A great deal of the time and energy spent managing security has targeted the reactive strategies, whether firewalls, passwords, or virus protection. "There hasn't been a terrific amount of focus on security policy and bringing that policy to life," he asserts. Security as a proactive process is a critical focus, Casson believes. Studies have shown companies that exercise effective or proactive control over their security have 90 percent fewer security incidents than those that don't. "It comes from that point of exposing themselves or not exposing themselves," says Casson. "When we work with a client, the first point we make is security is a process, and all of the IT staff are part of the security organization. Security is not a line function for IT."
GE Insurance Solutions reviews its controls monthly, reports Yeamans. The reason for the frequency is so the company can maintain what it refers to as continuous compliance. "A lot of companies will tell you Sarbanes-Oxley certification gives you a snapshot of a point in time," he says. "A lot of companies also will tell you they have a large scale of remediation efforts that occur during the time of year prior to certification. That gets you the stamp, but in order to get to a continuous compliance model, you've got to monitor things." Yeamans advises companies must know when the controls change and why the controls change. "You need to be able to track those changes to authorize requests," he says.
GE Insurance Solutions has moved to a model where security people are in continuous communication with the functional owners of the applications, Yeamans states. These business users need to be involved in the controls that govern access to the data and systems changes. "They have to accept the responsibility as the owner of the application and the owner of the data that the people who apply the controls–the security function–are doing it at [the business owners'] direction," he says. "We'll help them monitor those controls, but at the end of the day when the outside auditors come in and take a look, [the auditors] are holding that data owner responsible for whatever the data is exposed to. [Business owners] need to be aware of what the controls look like, how they're changed, and when they're changed."
A large organization might have a head of internal audit, a head of security, and a head of compliance, and they all work together, Nebel reports. "Security people can maintain their independence by advising, measuring, and reporting, but they generally shouldn't design or implement," he says. "The traditional security function–firewalls, intrusion detection, access control–is staying in IT and becoming an IT function, but the CISO job is becoming more of a compliance or internal audit function."
The Security Compliance Council did a study of 244 companies, according to Nebel, and concluded the information security job in a company needs to evolve into a risk management function. "A CISO generally has a substantial compliance role conducting risk assessments and doing risk management and control effectiveness and measurement," he says. "Internal audit can't do that."
The job of internal auditors is to assess whether controls are effective, but the security person is emerging in savvy organizations as the person to lead that effort, especially in smaller companies because they have fewer people with fewer specialties, Nebel explains.
SOX Appeal
Is Sarbanes-Oxley making security easier for companies today? "I think it is for those embracing it as an opportunity to improve," says Casson. "It depends on your attitude. Those that have embraced [SOX] have seen terrific gains."
Legislative changes, particularly SOX, have been beneficial to information security leaders, Yeamans agrees. "It heightens the awareness our directors and our chief operating officers have around internal controls," he says.
The fact SOX certification directly impacts a company's CEO, CFO, or COO gives information security people a huge amount of traction, adds Yeamans. "It opens up doors for us that weren't open before," he says.
Nebel reports the biggest thing he sees in information security right now is the impact Sarbanes-Oxley is having on corporate America, specifically Section 404, where companies are required to document and assess the effectiveness of internal controls. "Sarbanes-Oxley says you should document the effectiveness of internal controls, but it doesn't prescribe how to do that," he says.
What it boils down to, Nebel points out, is every public organization over the last two years has had to document all its internal controls, particularly anything that could affect financial statements. "Eventually the CEO and the CFO have to certify their controls are in place, they're effective, and the financial statements are correct either to avoid a restatement or, if there is a restatement, to know whom to go after," he says. "That's had a tremendous effect on organizations in terms of addressing the internal threat."
Ciccolella doesn't believe internal security is any different today than it was prior to the enactment of SOX and other privacy legislation. "Because we're insurance, security always has surrounded who has access to the information in the employee base," he says, adding Selective uses what it calls the principle of least access. Simply put, if employees' jobs require access to data, they have it. "That enables us to do business," he says. But if employees' duties don't require access, they are restricted from that access.
Send a Message
Sometimes it's more difficult to detect internal attacks than those from the outside because the users don't understand the problem. "It's almost as if [users] are being treated as suspects, and that's certainly not the message we want to send," says Yeamans. "We're really not suspicious of anybody. There was a time when security professionals would joke if they really were doing a good job, the other employees in the company couldn't handle their jobs because [security] blocked everything out."
The job of information security professionals, Yeamans contends, is to protect people from themselves and to protect the company from external threats. "We have to do that as we enable business to occur the way our leaders have outlined it," he says. "That's the thing sometimes IT can be guilty of. We take our role in IT for granted. If it were not for the business we need to transact on a day-to-day basis, there would not be a need for IT. Insurance is data driven. It's an information-driven business. It's important to remember that's why we're here."
Tech Guide: E-systems, E-commerce, Web Services, and Security Tools
Accenture | Palo Alto, Calif. | 312-737-8842 | www.accenture.com
AdminForce Remote | Boulder, Colo. | 877-905-0777 | www.adminforce.net
AdminServer | Chester, Pa. | 610-619-3100 | www.adminserver.com
AgencyPort Insurance Services | Boston, Mass. | 617-646-4550 | www.agencyport.com
Aladdin Knowledge Systems | Arlington Heights, Ill. | 800-562-2543 | www.ealaddin.com
Allegient Systems | Wilton, Conn. | 203-761-1289 | www.allegientsystems.com
Allenbrook | Portland, Maine | 877-764-6452 | www.allenbrook.com
Allfinanz | New York, N.Y. | 888-824-2929 | www.allfinanz.com
BMC Software | Houston, Tex. | 800-841-2031 | www.bmc.com
Burstek | Bonita Springs, Fla. | 800-709-2551 | www.burstek.com
CA | Islandia, N.Y. | 800-225-5224 | www.ca.com/security
CGI Group | Montreal, Quebec, Canada | 541-841-3200 | www.cgi.com
CMS Products | Costa Mesa, Calif. | 714-424-5520 | www.cmsperipheralsinc.com
Connective Technologies | Houston, Tex. | 713-690-6789 | www.connective-edi.com
Connextions | Orlando, Fla. | 877-772-6868 | www.connextions.net
COSS Development | Milwaukee, Wis. | 262-241-8989 | www.cossdev.com
CSC Financial Services | Austin, Tex. | 800-345-7672 | www.csc-fs.com
DRC | Honolulu, Hawaii | 800-836-6057 | www.decisionresearch.com
Digital Sandbox | Reston, Va. | 703-390-9770 | www.dsbox.com
Duck Creek Technologies | Bolivar, Mo. | 800-889-8401 | www.duckcreektech.com
DynTek | Irvine, Calif. | 877-297-3723 | www.dyntek.com
Eagle Technology Management | Marion, Iowa | 800-975-3245 | www.eagletm.com
EDS | Plano, Tex. | 972-605-6000 | www.eds.com
eHealthSystems | Sunnyvale, Calif. | 408-542-4800 | www.ehealthsystems.com
Engedi Technologies | Bumpass, Va. | 540-894-0100 | www.engedi.net
ePolicy Solutions | Torrance, Calif. | 310-819-3200 | www.epolicysolutions.com
Ernst & Young Security & Technology Solutions Practice | New York, N.Y. | 212-773-3000 | www.ey.com
Evergreen Systems | Sterling, Va. | 571-262-0980 | www.evergreensys.com
Examen | Sacramento, Calif. | 866-239-2636 | www.examen.com
Fair Isaac | Minneapolis, Minn. | 612-758-5200 | www.fairisaac.com
FileNet | Costa Mesa, Calif. | 800-345-3638 | www.filenet.com
Financial Services ISAC | Reston, Va. | 888-732-2812 | www.fsisac.com
First Notice Systems | Boston, Mass. | 800-310-4367 | www.firstnotice.com
Fiserv Insurance Solutions | Cedar Rapids, Iowa | 800-943-2851 | www.fiservinsurance.com
Forsythe Technology | Skokie, Ill. | 800-843-4488 | www.forsythe.com
Genelco Software Solutions | St. Louis, Mo. | 800-983-8114 | www.genelco.com
Global Technologies Group | Arlington, Va. | 703-486-0500 | www.gtgi.com
Group Technologies | Milford, Mass. | 877-476-8755 | www.grouptechnologies.com
Guidewire Software | San Mateo, Calif. | 860-217-0215 | www.guidewire.com
I-Alliance | Indian Head, Pa. | 800-997-5871 | www.iallianceonline.com
InsureWorx | Emeryville, Calif. | 800-785-4526 | www.insureworx.com
Insurity | Hartford, Conn. | 860-616-7721 | www.insurity.com
InsurSys | San Francisco, Calif. | 415-975-0966 | www.insursys.com
ISO Insurance Technology Solutions | Nashua, N.H. | 603-598-5427 | www.iso-its.com
MFX | Parsippany, N.J. | 866-639-6399 | www.mfxfairfax.com
NaviSys | Edison, N.J. | 800-775-3592 | www.navisys.com
NetManage | Cupertino, Calif. | 800-558-7656 | www.netmanage.com
Network Automation | Los Angeles, Calif. | 888-786-4796 | www.networkautomation.com
onClick | Houston, Tex. | 713-784-7600 | www.onclickcorp.com
Ovum | Boston, Mass. | 800-642-6886 | www.ovum.com
Parasoft | Monrovia, Calif. | 888-305-0041 | www.parasoft.com
PilotFish Technology | Middletown, Conn. | 860-632-9900 | www.pilotfishtechnology.com
RedSiren | Reston, Va. | 703-788-9800 | www.redsiren.com
Results International Systems | Worthington, Ohio | 800-875-2126 | www.resultscorp.com
S1 | Atlanta, Ga. | 888-457-2237 | www.s1.com
Safend | Philadelphia, Pa. | 215-496-9646 | www.safend.com
SANS Institute | Bethesda, Md. | 301-654-7267 | www.sans.org
Seagull Software | Atlanta, Ga. | 404-760-1560 | www.seagullsw.com
SecureWave | Herndon, Va. | 703-788-6760 | www.securewave.com
Steel Card | Santa Barbara, Calif. | 800-553-9961 | www.steelcard.com
Symantec | Cupertino, Calif. | 800-813-5869 | www.symantec.com
Tumbleweed Communications | Redwood City, Calif. | 877-988-6253 | www.tumbleweed.com
Value One | Morrisville, N.C. | 800-565-9598 | www.e11online.com
Verian Technologies | Charlotte, N.C. | 800-672-8776 | www.verian.com
Webmethods | Fairfax, Va. | 703-460-2500 | www.webmethods.com
Whale Communications | Fort Lee, N.J. | 877-659-4253 | www.whalecommunications.com
Whitehill Technologies | Moncton, N.B., Canada | 888-944-8344 | www.whitehilltech.com
© Arc, All Rights Reserved.