Worst practices: Recognizing the biggest compliance mistakes

And without further ado: The Rip Van Winkle STiBBA goes to TJX. Considering TJX was unaware its systems had been compromised for years, maybe the retailer should be a perpetual STiBBA award winner.

Using WEP to protect stored wireless networks, not monitoring database and log information and having a porous point-of-sale application certainly qualify as compliance worst practices. So TJX takes the cake, and it's hard to see how it will ever be topped in the data breach sweepstakes. But that's the optimist in me talking.

The next STiBBA is for "aiding and abetting a train wreck," and this goes to Visa, which gave TJX a two-year exemption for PCI compliance while the attackers were pilfering TJX's database daily. I'm not sure what the escalation process was to approve that extension, but hopefully it's been eliminated. At this point, there should be no exceptions.

We all should vote with our wallets. We should not do business with companies that can't keep our personal data private. Mike Rothman Contributor

Next on our hit parade is the "paper tiger" STiBBA, which goes to the Department of Health and Human Services. Yes, that's right – HIPAA is officially an empty suit. The sad truth is that from a risk management standpoint, it's more cost effective for healthcare institutions to basically do nothing and wait until they are caught before trying to fix their security issues.

The odds any health organization will get caught in a HIPAA assessment and then fined are virtually nil. Of course, that's exactly the wrong thing to do for their patients, but it's happening out there. Thankfully, many doctors and hospitals take credit cards and, thus, are also forced to comply with PCI. So they are likely making progress, but it's not because of HIPAA.

Now let's get into the user-oriented STiBBAs, starting with the award for "sitting on their hands." And the winner is TD Ameritrade. These folks suffered one of the more high-profile breaches in late 2007, with at least 6.3 million TD Ameritrade customers having their identities stolen. Even worse, the company may have known about it for more than a year. It claims it didn't, but the lawyers suing them for an earlier spam-related suit disagree. We probably won't hear more about this until the class action lawsuits start hitting legal dockets in another 18 months or so.

For more information: Contributor Khalid Kark explains why regulatory compliance spending doesn't mean better security. In this tip, James C. Foster outlines steps to meet certain compliance requirements and shows how to monitor and report on database activity. Peter H. Gregory explains why CISSP training can help practitioners succeed in situations where compliance is driving the corporate information security agenda.

Not disclosing a potential data breach is another compliance worst practice. It's acceptable to a point if the organization is still actively trying to figure out what happened and get the situation is under control before it's disclosed, but waiting for weeks is an exceptionally bad idea. Waiting a year will result in a swift execution in the court of public opinion. If an enterprise doesn't know what's going on within a couple of days, the news isn't going to get better with time.

The "fool me twice, shame on me" STiBBA goes to Pfizer, which had not just one, but two data breaches within two months on separate issues. The first breach resulted from an alleged insider attack that compromised personal information on 17,000 Pfizer employees. And just when you thought lightening wouldn't strike twice, a set of laptops owned by a Pfizer contractor that contained personal financial information was lost. Now that's a double whammy.

So how can organizations avoid this worst practice? If an enterprise experiences a data breach, it should put everyone on high alert. As long as the organization is candid about the issue the first time, it's forgivable. If it happens twice within a short amount of time, all bets are off. Organizations should ensure that employees are scrutinizing everything; verify that contractors understand they need to protect data; and add a few more processes to ensure it doesn't happen again. The enterprise may take a little productivity hit, but what's the brand damage hit if another breach happens?

Finally, the last STiBBA goes to the consumer. On behalf of all of the customers, including myself, who still shop at places like TJX and frequent other organizations that violate our trust and lose our data.

We all should vote with our wallets. We should not do business with companies that can't keep our personal data private. These corporations should learn the hard way that protecting customer data is important. All consumers should resolve to not do business at places that have had a data breach within the past 12 months. Maybe it will be a pyrrhic victory – but it'll be a victory nonetheless.

About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also SearchSecurity.com's expert-in-residence on information security management. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Compliance Counselor Penetration testing: Helping your compliance efforts E-discovery management: How IT should interact with the legal team E-discovery management: How IT should interact with the legal team Incident response success in five quick steps The forensics mindset: Making life easier for investigators How to apply ISO 27002 to PCI DSS compliance A new twist on PCI DSS: Visa's Payment Application Best Practices Security management in 2008: What's in store Compliance year in review: PCI DSS progress, yet confusion abounds Why you shouldn't wager the house on risk management models Data Security Breach Laws and Notification RSA attendees see data classification, rights management projects stumble Next version of PCI DSS due in September Hannaford breach illustrates dangerous compliance mentality TJX offers $40.9 million breach settlement Data breach costs soar With data breach costs soaring, companies should review data sharing policies Experts: Privacy and security officers living in silos CSI 2007: Disclosing a data breach? Not so fast! PCI DSS Council adding new standard for payment applications IBM to boost security spending, push PCI DSS program Data Security Breach Laws and Notification Research PCI Data Security Standard PCI compliance and Web applications: Code review or firewalls? How to test the security of personal details submitted to a website Verizon issues PCI self-assessment, support docs PCI group addresses assessor issues, vendor challenges Credit card thieves target small merchants, flawed POS systems, study finds PCI forces companies to seek log management help PCI Council issues clarification on Web application security The road to compliance Poll: PCI DSS changes RSA attendees see data classification, rights management projects stumble RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary PCI DSS (Payment Card Industry Data Security Standard )  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.