Regulatory requirements and increasing consumer concerns about the exposure of personal information are making the addition of data-level security controls a top priority for ICT managers, according to executives attending the US Computer Security Institute’s annual conference.
Executives from companies and government agencies say that after focusing for years on installing technologies such as firewalls and intrusion-detection systems to better secure their networks, they are rushing to provide stronger protections for the data in their systems.
“The data now matters above everything else,” says John Ceraolo, director of information security at JM Family Enterprises, a car distribution and financing company based in Florida with annual revenues of US$9.4 billion (NZ$14 billion).
Non-public information of all sorts needs to be protected, whether it is being stored on a system or actively used, says Ceraolo. That requires an increased focus within IT on security measures such as data classification and encryption, end-user access and authentication, as well as usage monitoring and auditing, he says.
At Gaylord Entertainment, most of the “blocking and tackling” that was needed to address network threats has already been accomplished, says Mark Burnett, director of IT security and compliance at the Nashville-based hospitality company. Now the goal is to put multi-layered defences around data as well, he says.
“We’re layering technology controls to make sure we can identify where the information is passing across our network,” Burnett says.
The driving force behind the data protection effort and the company’s overall IT security programme is “reputation management,” he says. “We’ve worked hard to build the Gaylord brand,” Burnett says. “Any one incident could ruin all that work.”
Also contributing to the stronger focus on data security is the need for Gaylord to comply with regulations such as the Sarbanes-Oxley Act and the Payment Card Industry security standard, which was established by the major credit card companies. “We absolutely recognise the need to protect sensitive information and are working hard to fulfil that obligation,” says Burnett.
Ann Garrett, chief information security officer at the North Carolina Office of Information Technology Services (OITS), says a new state law that governs the use of personally identifiable information is elevating the need for security controls at the data level. The law went into effect for the private sector on October 1 and will start applying to state agencies next October.
North Carolina’s government has “a strong network firewall, intrusion-detection system and intrusion-prevention system,” says Garrett. What’s lacking are controls for mitigating user errors at the end-points of networks, she says.
As a result, there’s an increased focus within the OITS on encrypting data and providing the ability to log and audit user transactions. “We have to add accountability and auditability,” Garrett says.
Within the US federal government, high-profile breaches such as the one at the Department of Veterans Affairs earlier this year have resulted in intense scrutiny of data security practices, according to Patrick Howard, CISO at the Department of Housing and Urban Development.
During a panel discussion at the conference, Howard said that Congress, the White House Office of Management and Budget and HUD’s inspector general “are looking over our shoulders closely” on data security.
In July, HUD disclosed that it had lost a backup disk containing sensitive information on 757 current and former employees. “We pulled back the sheet and discovered there is a lot to do [to protect personal data]”, Howard says.
By the end of the year, the agency expects to have an implementation plan in place for addressing the security issues it has identified thus far. Howard says the planned measures include data encryption, two-factor authentication of users and closer monitoring of user activity. He didn’t disclose a timetable for completing the implementation work.
“There are so many vulnerabilities out there that there aren’t enough hackers to take advantage of all of them,” Howard says. What’s really important, he says, is taking a holistic, risk-based approach to securing data and understanding that it involves “people, process and technology.”