The federal government and some industries have begun to realize the severity of database breaches and have begun to institute data privacy regulations. They include best practice requirements and industry guidelines regarding usage and access to customer data. Financial institutions are currently regulated by the Gramm-Leach-Bliley Act (GLBA), which requires the protection of nonpublic personal data while in storage and implements a variety of access and security controls. The Payment Card Industry Data Security Standard (PCI DSS) requires that merchants who accept credit cards follow certain standards of security protection for consumers. The Sarbanes-Oxley Act of 2002 is a congressional response to the Enron and similar accounting scandals and establishes new and enhanced standards for publicly held companies. Perhaps the best-known privacy effort is the Health Insurance Portability and Accountability Act (HIPAA), which is meant to further protect patient information as more medical records are shared via electronic means.
In addition, the IBM Data Governance Council was formed to create best practices around risk assessment and data governance. The IBM Data Governance Council is an industry group comprising about 50 members representing financial companies such as American Express, Deutsche Bank, Citibank, MasterCard, and others.
Companies are expected to follow these regulations and are regularly audited to make sure they are properly securing their databases.
"IT security is a strategic part of the company, but business people haven’t recognized that yet," explains Steve Adler, chairman of the IBM Data Governance Council. "We think that the current methods used for calculating risk need to be automated and a normal part of business."
He says that every individual in an organization needs to be aware of the security risks, which is not usually the case. "There are many people who work in the IT department who are unaware of the security strategy," he says. "There needs to be more operational awareness."
Despite the regulations and governance councils, companies are slow to respond to the need for better database auditing. For example, the PCI DSS had a June 30th deadline requiring that web application security testing be upgraded from a best practice to mandatory compliance, yet IT security firms helping with this transition say that only a handful of firms were prepared to meet the requirement, despite being notified of this requirement in 2006.
Rick Kam blames the inefficient database auditing on the natural disconnect between what the executive teams think they are doing for security and what’s really happening in the IT and privacy offices.
"There’s a tendency to compartmentalize functions," Kam says, "and this has provided easy opportunities to steal information."
Think Like a Thief
One thing Kam recommends is for organizations to think like a bad guy when protecting data. "We think very differently from crooks," he says. "We think, ‘how would a rational person break into the system,’ and we invest heavily to protect where we think the vulnerabilities lie. The problem is, the crooks don’t view it the same way and will find other ways to access the information they want."
What the company can do instead, Kam says, is bring in a person who can look at database security from a different perspective, such as an auditor hired to investigate fraud risks.
Good training is another vital step toward database auditing. Too often, Kam explains, a person may detect potential fraud early on, such as improper access to certain information, but then not know what steps to take to stop the breach.
Kam has three tips for putting a database-auditing plan into action:
- Do an information security assessment.
- Have an up-to-date incident response plan. "Most companies have information security plans and disaster recovery plans, but when they have to respond to lost or stolen information, they scramble like crazy," Kam says.
- Have an insurance policy to cover the risk. "You have insurance policies to cover employee accidents or other financial loss," he adds. And with nearly half of all companies experiencing a database violation or theft of information, it makes sense to be prepared to cover the costs involved.
Of course, contrary to popular belief, data theft has been around as long as there has been data to steal, and criminals still use low-tech methods, such as stealing mail with personal checks inside or recording credit card information during a restaurant transaction. Computers and the internet have simply provided the bad guys with access to more information stored in one place.