Experts: Privacy and security officers living in silos

By Bill Brenner, Senior News Writer
20 Nov 2007 | SearchSecurity.com

Security Wire Daily News

In the past, a company's privacy and security officers worked within their own confined orbits, oblivious to the common risks each department faced. But with corporate data breaches compromising nearly 216 million private records, the two sides can no longer afford to ignore each other.

Industry experts delivered that message during the recent (ISC)2 SecureBoston conference in Quincy, Mass. Privacy and security teams should communicate regularly about each other's challenges and activities, and should work together on an effective response plan in the event of a data breach, the experts said.

"With the growing data breach threat, privacy and security officers must work closer than ever before and accept the fact that they are partners," said Peter Kosmala, assistant director of the York, Maine-based International Association of Privacy Professionals (IAPP).

Kosmala focused his talk on ways for security and privacy officers to build a better dialogue. In particular, he said the two sides can find plenty of common ground on a data breach response plan and that the better the plan, the easier it will be for the company to survive a breach. While the privacy department tends to focus on legal and practical matters and the security department on procedural and technical concerns, each side is responsible for such common challenges as data breach response and notification, information outsourcing and vendor management, identity management, exploits and emerging threats.

By sharing insights and resources, he said, the two camps can do much to make their company more secure and in lockstep with all the latest industry and government security requirements.

Kosmala used Marriott International as a case study on how privacy and security officers can team up on a more effective defense, based on how it was explained to him by Chris Zoladtz, the hotel chain's vice president of information protection and privacy. According to Zoladtz, there are daily interactions between the privacy and security teams. The chief privacy officer is considered the "business owner" of privacy needs, including gap analysis, risk assessment, policy development and communication. The chief information security officer, meanwhile, develops and manages the mechanisms to address those needs as well as the broader needs of IT. Along the way, Kosmala said, there's plenty of cross-pollination of ideas, skills and credentials.

For Kosmala and other experts at the conference, one of the overriding issues is the need for companies to draw up detailed data breach response plans. No matter how seriously a company takes security, they said, everyone is vulnerable to a successful attack and must plan as if it's eventually going to happen. This has been a major theme at a number of recent security conferences, including the recent Computer Security Institute (CSI) 2007 conference in Arlington, Va., and a data breach panel discussion held last month at the Harvard Club in Boston. As with these other gatherings, experts at the (ISC)2 event used the TJX data breach response as an example of how not to do things.

When TJX first disclosed its data breach in January, the retailer came under heavy criticism for what many considered a sloppy response. The company didn't disclose the breach until a month after it was first discovered, and few accepted its explanation that investigators recommended the period of silence. TJX also seemed to have trouble getting an accurate assessment of the damage. For example, the company initially said that attackers had access to its network between May 2006 and January 2007. Later it admitted that thieves were inside the network several other times, beginning in July 2005. Then came word that the stolen data covered transactions dating all the way back to December 2002.

TJX has also come under fire for failing nine of the 12 requirements under the Payment Card Industry's Data Security Standard (PCI DSS). Michael Gavin, a former Forrester Research analyst who now works for Wilmington, Mass.-based Security Innovation, said he can see a scenario where a company can come close to meeting PCI DSS but end up getting slapped for coming up short on more obscure provisions.

"Failing nine of the 12 requirements is quite bad, but each requirement consists of many sub-requirements, and furthermore some of those have sub-requirements," he said in an email exchange. "While unlikely, especially from what I have heard and read about the TJX situation, it is possible to be quite close to passing all 12 requirements, but actually fail nine of the 12 for one relatively minor sub-requirement in each of the nine failed requirements."

It's possible TJX could have achieved better PCI compliance had the privacy and security teams been working more closely together. But even if that wouldn't have made the difference, experts at the (ISC)2 event said better communication between both camps could have meant a better data breach response.

Seth Berman, managing director and deputy general counsel at Stroz Friedberg LLC, a consulting and technical services firm specializing in such things as computer forensics, cyber-crime response and private investigations, said companies can't always prevent a data breach and that the right response plan is key. "It's better to get to the bottom of what happened as quickly as possible," he said.

The experts noted that privacy and security teams can work more effectively together on determining if an incident truly fits the definition of a data breach and, if so, who needs to be notified.

Berman noted that a better response plan on the part of the U.S. Department of Veterans Affairs (VA) might have softened the public outcry. The VA made headlines for months after computer hardware containing the personal data of 26.5 million veterans and about 2.2 million active duty personnel was stolen from the home of an agency employee. But after the stolen laptop was recovered and picked apart by forensics specialists, the VA was able to show that the identities were never used for fraudulent purposes.

He also mentioned the case of a bank that notified customers of a data compromise that, as it turned out, never happened. The bank spent a lot of money to notify customers that a backup tape housing their data had gone missing, but the tape was later found on site.
