A Business Technology Place

The data we see

What we see

When I was an intern in college I worked as a desktop service technician for computer support. I remember an internal financial auditor on the fourth floor of my building whom I would occasionally help. Reese was much older than me, but took time to talk to me about life as I fixed his computer. I wish I had appreciated it more at the time, but I was young and learning my way in a corporate environment. I thought about him recently because the world of auditing and compliance is changing rapidly in the areas of security and availability of data. While Reese was making sure our company followed GAAP for our financial books, I wonder what he would think about compliance controls for information security.

Our news feeds are filled with incidents, thefts, and breaches of company assets involving personal and protected information. A whole new generation of auditors is here to check compliance with controls for how we protect data like credit card numbers, health records, and education records. Identity thieves and hackers have created a gold-rush in recent years to steal data bits that when assembled correctly tell them about you and me. Digital gold.

What we do with it

Today, I have to answer the auditor’s questions about controls in the audit. Unlike my time with Reese, I’m no longer part of the auditor’s day to fill time with a nice break and chit-chat. When I am answering an audit, I often try to really understand the basis of a control, or, as I call it, the “spirit” of what the control is trying to achieve (auditors don’t always like this; they’re often a bit stiff).

But here’s my take. The essential question behind the myriad of compliance controls is “what do we do with, and how do we protect, the data we see in our jobs?” The intention of the controls is to modify our behaviors to take greater care of the data we see. To do this we have to treat the data we see like our personal accounts. That means we have to consider who has access to the data. We have to consider the classification of the data we see (confidential, private, restricted, public, etc.) and take action to protect the data in storage and in transit.

Thieves rely on our preference for convenience to be successful. Restricting access to data in storage and in transit is rarely convenient. It requires that we think, classify, and take action. It could mean we need to password protect a file, use a secure site for sending a file to a customer, or check to make sure the network folder is only accessible to people in our immediate workgroup. But it doesn’t stop there; sometimes we need to challenge people asking for information. Tailgating and phishing are made possible because it is uncomfortable for us to challenge people.

Behaviors worth changing

One thing is certain. We are stewards of the data we see each day. Our customers expect us to treat the data with confidentiality and care as if it were our own personal data. Forming good habits in data security is worth a little bit of hassle. So here are some practical steps I can offer to help us be better stewards of the data we see each day at work:

  • Take the annual Information and Security Awareness training seriously. Much of the information will repeat each year, but it serves as reinforcement for good habits and the tactics used by thieves.
  • Be cognizant of the data we handle. Classify the data and treat it accordingly. This may mean marking the data classification on documents, storing data in secure places, or using encrypted channels for transferring data to others.
  • Challenge others who ask for access to data. Make sure they truly need access to the data to complete their assigned job function. Make sure they understand the classification of the data.

It’s rarely convenient. But it’s worth the effort.

Onward and upward!

Photo credit: Robert Couse-Baker via creative commons

The Yin and Yang of Security Patching


My computer is working, don’t change anything.

As an IT manager I observe this behavior regularly with end-users and product managers of eCommerce applications. It’s understandable. When a computer system is working and doing its job, “updates” are potential sources of failure. Updates change code. Updates rock the boat.

If a computer security update hasn’t bitten you yet, then it’s probably just a matter of time. In my experience, the number of system issues related to operating system updates is growing. It’s hard to test all the dependencies of code updates against every combination of hardware and software that exists on computing equipment. A couple of examples I can point to in 2017 are Microsoft Edge no longer working after installing the Windows 10 Creators Update, and the issue of Microsoft Outlook being unable to open attachments, which was later resolved with another hotfix.

But we all know security updates are necessary. Why would we risk our personal data to thieves? In a business setting, why would we put our customers’ data at risk? Why would we put the reputation of our business at risk?

Therein we find the yin and yang of security updates. We don’t want to upset the balance of a stable system, but we need to update the system so that it can remain stable in the future.

In the name of audit controls and security principles.

In the business environment, audit standards require staying up to date with security patches. ISO 27001/ISO 27002 and SOC 2 have controls specifically addressing vulnerability patch management policies and procedures. To meet the requirements of the controls, discipline in process and procedure is required. These standards are there to nudge all of us to change, because we all know we resist change.

Plug those security gaps or face the consequences.

The consequences of not installing security patches can be devastating. In the worst case of cyber theft reported thus far, Equifax was robbed of information for 143 million individuals. The attackers found a weakness because Equifax failed to patch a known security vulnerability in website code it used.

Now hundreds of millions of people are exposed to the whims of criminals. The reputation of a large credit bureau is blown. The two highest ranking security officials within Equifax are out of a job. Patching known security vulnerabilities is serious business.

Complementary forces at play.

The next time someone schedules a security update for a system or application, understand the potential consequences fully. Intruders are at the gates. They make a living on our resistance to change. But if we support the change and work with administrators to report any malfunctions, we can all help to build a safer tomorrow. That’s how another yin and yang can make a more complete whole.

Onward and upward!

How to use SharePoint to create audit trails

Show me the evidence.

I think auditors chuckle inside when they say “show me the evidence.” It’s part of their craft to seek and inspect. Over the past several years I’ve been giving documentation and evidence to auditors for various IT controls. With regard to policies, procedures, and standard practices, auditors want to see more than a one-time piece of evidence. They want to see proof that the behavior is happening on a regular basis. It’s the classic audit trail.

SharePoint – Love it. Hate it.

I’ve had my moments with SharePoint on a few items related to workflow. But one valuable attribute I’ve found in the tool is the ability to version documents and lists. This capability creates the perfect audit trail and proof of evidence.

Example 1 – Annual Policy Updates

I keep version information in two places for policy documents. The first is in the document header. This shows the date of the policy, the last review date, and a version number. You can do this part without SharePoint.


The second place is in the version history of the SharePoint document. First make sure that versioning is turned on for the document repository (a one-time setup). Go to the library settings and select versioning settings. Then fill in the specifics for how you want the versions to be incremented and how many versions to keep.


Each time I edit a document I use the check-out feature. Then I apply my changes, and when I check the document back in, SharePoint prompts for a summary of the updates. Each time this happens a new version of the document is created and logged.


To see the previous versions and comments, select the version history from the document’s selection menu.


Example 2 – Production Change Updates

I use a SharePoint list to track requests and approvals for production change updates. As with documents, make sure the list has version control turned on by going to the list settings and enabling versioning.


The version history for a list shows the dates of the field updates and which specific fields were updated. It also keeps the name of the person who updated the fields (redacted in my example).


This is a simple way to keep a history of policies, procedures, and updates. Having this available and ready to show an auditor makes the audit process a little easier.

Onward and upward!


Becoming desensitized to security breaches

Are you there yet?

Does news of the latest corporate data breach resulting in thousands of stolen identity records no longer shock or distress you? Today when I looked at my news feed I found not one, not two, but three reports of hackers breaking through corporate firewalls to steal data. No offense to Scottrade, Patreon, and Experian, but when I glanced through the list of breaches my first thought was that this was just a normal week. It wasn’t too long ago that I felt both outrage and worry after personal information was stolen from Target, Home Depot, and Anthem. But now it feels like this is the new norm. I don’t like the new normal. Why can’t all these thieves channel their energy and intelligence to do good for the world?

Invisible theft.

Stealing data is not your father’s crime drama. It’s invisible theft. Maybe that’s the paradox of cyber-theft: data that is stolen still resides where it was stolen from. The game is played by looking for evidence that someone was in the data storeroom. Combine this with the fact that most high-tech theft takes place through methods and procedures that the vast majority of people don’t understand (and don’t care to understand). In a word, it’s highly sophisticated and complicated. Breaches often involve complex mathematical calculations used in cryptography and coding algorithms. Intelligent criminals, but not smart criminals.

The data breach economy.

Look around. An entire economy exists to establish, audit, monitor, and teach security standards and best practices. In 2013 Forbes reported that the IT security industry traded around $60 billion in products and services. It was expected to grow tenfold in ten years. I see the effect of this industry every day in my seat managing an IT group. We are expected to comply with a dizzying array of security controls. We buy software and hardware appliances that will protect us from theft, or at least make it more difficult. Salesmen cold call me each week selling security products. “The cloud” is touted by marketers as the safest place to put data (really??). People are employed full time to audit security controls and force compliance. It’s a lucrative business riding the coattails of criminals! For the rest of us, we have no choice. Non-compliance with security controls means you lose a seat at the table to compete for customer contracts and business.

Yet here we are.

Despite all the people and investment thrown at making us more secure, it feels like our data and personal information have never been less secure. The bad guys have access to see all the controls and best practices too. Some of them prey on that list by taking advantage of those of us who fail to do the basics. Other more sophisticated criminals invent new ways to go around our defenses. We know the merchants we shop with, the financial institutions that hold our money, and the medical providers that keep us healthy are not 100% secure. But we shop, bank, and receive medical services anyway.

Like I said, I’ve noticed that I’ve become desensitized to all this theft. But I don’t like it. Discipline and vigilance are necessary actions. Keep your guard up.