Stop Hoarding! Improve Security, Efficiency and the Bottom Line through an Effective Data Retention Policy

Organizations are accumulating data at a pace that would cause a hoarder to blush.  Just like that old bicycle seat stored in the attic, data is often kept “just in case it may be needed someday.”  This practice, however, comes at a cost.

Some organizations assume that storing data is inexpensive, particularly given the steady decline in hard drive prices.  In fact, data is expensive to keep.  Organizations spend a significant amount of time managing, archiving and securing data.  Data is housed on servers, each of which must be maintained; it is archived regularly according to the organization’s backup schedule; and it is audited and secured against loss.  Each of these activities consumes staff time in information management, and therefore money.

Excessive data retention also exposes an organization to compliance and electronic discovery risk.  Personally Identifiable Information (PII) that is lost or stolen can result in significant fines.  Old document drafts that no longer provide any organizational value can still damage the organization if disclosed.  Data related to litigation is costly to locate, organize, and produce, and searching through an organization’s legacy data adds further complexity and cost.

For the above-stated reasons, it is important to remove unnecessary data.  A structured approach is necessary to avoid the loss of important data and to provide consistency throughout an organization.  The structure can be accomplished through a data retention policy.   A data retention policy should specify how long certain types of data such as emails, documents, drafts, instant message conversations, or even voice mails should be kept and how the data will be properly disposed of.

Contents

At a minimum, a data retention policy should contain a scope section that outlines the types of data covered.  Examples would be tax records, personal information, business records and legal documents. Also, the policy will need to spell out how long and in what form each type of document will be retained.  Some policies may include guidelines on removal of data – or this may be left to a data destruction policy.

Retention Term

One of the most difficult parts of defining a data retention policy is specifying the length of time to retain each type of document.  Compliance requirements may set a minimum or maximum retention period, while business requirements may stipulate other terms.  Both must be considered when defining the duration.  The following are some best practices that can be used as a starting point in forming a data retention policy:

  • Audit documentation and associated financial documents will need to be kept for at least seven years if there is a SOX requirement. The IRS requires that tax documents be retained for at least four years after they were due.
  • OSHA’s list of hazardous chemicals includes many substances common in the workplace, so a data retention policy should state how long employee exposure records for those chemicals will be kept.  OSHA requires that such records be retained for 30 years.
  • The Health Insurance Portability and Accountability Act (HIPAA) requires that information disclosure authorizations, patient requests, business associate contracts and other such covered documents be retained for at least six years from the last transaction or two years following the patient’s death.
  • Exceptions may be made to these recommendations when pending litigation or audits require an information freeze or legal hold for specific data.  In these instances, organizations will need to show that they have made reasonable efforts to prevent the destruction of discoverable information.
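As an added example (not part of the original article), the following Python script shows how retention terms such as those above can be expressed as a schedule and evaluated against a set of records, with an active legal hold taking precedence over the schedule and unclassified data defaulting to retention rather than deletion.  The category names, the one-year term for unregulated drafts, the choice of reference date for each category, and the sample records are assumptions made for illustration.

```python
"""
Retention-schedule evaluator (hypothetical example, not from the original article).

Decides, for each record, whether it should be retained, held, or disposed of.
Assumptions: the retention clock starts at each record's reference date (the
filing due date for tax records, the last transaction for HIPAA documents, the
exposure date for OSHA records), and a legal hold always overrides the schedule.
"""
from dataclasses import dataclass
from datetime import date

# Retention terms in years. The regulated entries follow the terms discussed
# above; "draft_document" is an assumed business rule for unregulated drafts.
RETENTION_YEARS = {
    "audit_workpaper": 7,       # SOX audit documentation
    "tax_record": 4,            # IRS: four years after the return was due
    "chemical_exposure": 30,    # OSHA exposure records
    "hipaa_document": 6,        # HIPAA: six years from the last transaction
    "draft_document": 1,        # assumed business rule
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    reference_date: date
    legal_holds: frozenset = frozenset()  # matter IDs this record is tied to


def add_years(d: date, years: int) -> date:
    """Add calendar years, clamping 29 February to 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposition(record: Record, today: date, active_holds: frozenset):
    """Return (action, reason) where action is 'retain', 'hold' or 'dispose'.

    Order matters: the legal hold is checked first so nothing under hold is
    ever scheduled for destruction, and a record whose category is not in the
    schedule is never disposed of automatically.
    """
    matching = record.legal_holds & active_holds
    if matching:
        return "hold", "legal hold active: " + ", ".join(sorted(matching))
    years = RETENTION_YEARS.get(record.category)
    if years is None:
        return "retain", "unclassified category; classify before disposal"
    expires = add_years(record.reference_date, years)
    if today < expires:
        return "retain", f"retention term ends {expires.isoformat()}"
    return "dispose", f"retention term ended {expires.isoformat()}"


def sweep(records, today: date, active_holds=frozenset()):
    """Group record IDs by disposition so the result can drive a destruction job."""
    result = {"retain": [], "hold": [], "dispose": []}
    for rec in records:
        action, _ = disposition(rec, today, active_holds)
        result[action].append(rec.record_id)
    return result


# Constructed sample records and evaluation context (not real data).
SAMPLE_RECORDS = [
    Record("TAX-2018", "tax_record", date(2019, 4, 15)),
    Record("AUD-2019", "audit_workpaper", date(2019, 4, 15)),
    Record("OSHA-1990", "chemical_exposure", date(1990, 6, 1), frozenset({"case-42"})),
    Record("HIPAA-2016", "hipaa_document", date(2016, 2, 29)),
    Record("MISC-001", "unknown_export", date(2001, 1, 1)),
]
AS_OF = date(2024, 1, 1)                 # assumed evaluation date
ACTIVE_HOLDS = frozenset({"case-42"})    # assumed open litigation matter

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        action, reason = disposition(rec, AS_OF, ACTIVE_HOLDS)
        print(f"{rec.record_id:<11} {action:<8} {reason}")
```

The sweep output is deliberately a plan rather than a deletion: a practitioner would feed the "dispose" list to a separate, reviewed destruction job and keep the reasons as an audit trail showing that records under hold were preserved.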

Businesses have a definite need for data retention policies.  The regulatory requirements mentioned here should be included in business retention requirements for those that fall under such regulations.   An effective data retention policy can go a long way in reducing data clutter, improving organizational efficiency and reducing risk.  However, defining the policy will not be enough.  Employees will need to be aware of the policy and motivated to follow it.


Information Security Compliance: ISO 27000

ISO 27000 is a series of security standards that organizations can implement to demonstrate an industry-recognized minimum level of security.  The series grew out of BS 7799 (British Standard), whose first part was published in 1995 and which eventually comprised three parts.  The first part, covering information security best practices, was adopted as ISO 17799 in 2000 and later renumbered into the ISO 27000 series as ISO 27002.  Part two, titled “Information Security Management Systems – Specification with Guidance for Use,” became ISO 27001 and covers the implementation of an information security management system.  The third part was not incorporated into the ISO 27000 series.  Similar to ISO’s 9000 series, which focuses on quality, ISO 27000 certification is optional and can be used to show that an organization meets a specified level of information security maturity.

Overview of the ISO 27000 sections

The six parts to the 27000 series each deal with a different area of an Information Security Management System (ISMS).  This document will briefly outline each section and then concentrate on ISO 27001, the section that details the requirements for ISMS.  An overview of what the series deals with can be found in the table below.

ISO 27000 Series

  • ISO 27001: ISMS requirements
  • ISO 27002: ISMS controls (code of practice)
  • ISO 27003: ISMS implementation guidelines
  • ISO 27004: ISMS measurements
  • ISO 27005: Information security risk management
  • ISO 27006: Requirements for the bodies that audit and certify an ISMS

As the table above shows, ISO 27001 sets out the actual requirements an organization must meet to be certified against the standard.  ISO 27002 builds on ISO 27001 by describing the controls that can be used to satisfy those requirements.  ISO 27003 gives implementation guidance, including project approval, scope, analysis, risk assessment, and ISMS design.  ISO 27004 outlines how an organization can monitor and measure its security against the ISO 27000 standards using metrics.  ISO 27005 defines the high-level risk management approach recommended by ISO, and ISO 27006 sets the requirements for the bodies that audit and certify organizations against ISO 27001.

Series contents

The ISO 27000 series provides recommendations for “establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System” (http://www.27000.org).  The standard can be broken down into the following sections:

  • Risk assessment – a quantitative or qualitative approach to determining the risks to organizational assets. The degree of risk is based on the impact to the asset and the likelihood of occurrence.
  • Security policy – formal statements that define the organization’s security expectations.
  • Asset management – inventory and classification of information assets.
  • Human resources security – security aspects for employees joining, moving within or for those leaving an organization.
  • Physical and environmental security – physical/tangible measures used to protect systems and data, such as alarm systems, guards, office layout, locked doors, keypads and cameras.
  • Communications and operations management – management of technical security controls in systems and networks.
  • Access control – restriction of access rights to networks, systems, applications, functions and data; maintaining the confidentiality of access credentials and the integrity of access control systems.
  • Information systems acquisition, development, and maintenance – building security into applications when they are designed or purchased.
  • Information security incident management – planning and responding appropriately to information security breaches.
  • Business continuity management – protecting, maintaining and recovering business-critical processes and systems when they become unavailable.

Certification process

ISO 27001 contains the specifications against which a company’s ISMS is audited for certification.  An accredited certification body audits the ISMS against the requirements of ISO 27001 and, once it finds that the organization has met them, grants the certification.  The certificate runs on a three-year cycle: it is subject to periodic surveillance audits in the intervening years and must be renewed through a full recertification audit every three years.

Benefit to business

Compliance with the ISO standards provides a company with a credential demonstrating that it conforms to the requirements of this well-recognized standard.  It also gives employees and clients more assurance that their data is safe with the enterprise.  In some cases, companies may require ISO certification of their suppliers as a condition of doing business.  The ISO 27000 standard contains many useful recommendations, and businesses are encouraged to familiarize themselves with them even if they do not plan on becoming certified.  The standard itself must be purchased, and qualified compliance practitioners can assist with the preparation for the certification effort.

Summary

ISO 27000 is comprised of six parts outlining the requirements for certification, guidelines for achieving the requirements, and guidelines for accrediting organizations. The standard provides many useful recommendations for companies seeking certification as well as those merely interested in improving their security.  Similar to the ISO 9000 quality standard, ISO 27000 is optional, but it may soon be a business requirement.

Protecting against data breaches and security incidents with cyber insurance

Data breaches and security incidents are a significant risk for organizations, and some are using cyber insurance to transfer that risk in the same way many other business risks are transferred.  If you are considering cyber insurance, the first step is to identify the cyber risks you face and determine whether they fall within your risk tolerance or need to be addressed.  Security controls may need to be implemented to bring risks to an acceptable level.  For other risks it may be better to transfer the risk through cyber insurance.

Cyber insurance is still a relatively new concept so the offerings differ greatly between vendors.  Check with your vendor to see what they will cover.  Some of the costs of a data breach or security incident include:

  • Notification expenses such as those required under HIPAA
  • Investigation costs
  • Computer forensic services
  • Data restoration services
  • Public relations costs
  • Loss of business during the interruption
  • Loss of business following the interruption
  • Regulatory fines
  • Credit monitoring for impacted individuals

Insurance providers will want to know how risky a policy is, so they will most likely ask about your security procedures before issuing one.  Cyber insurance is not a substitute for security controls.  It needs to be pursued as part of the organization’s overall security governance, alongside security controls and other risk mitigation activities.

Information Security Compliance: PCI-DSS

PCI-DSS applies to a wide range of companies that handle payment card transactions, and it can be a useful tool for other organizations as well.  The specification was created by the payment card brands, such as Discover, American Express, Visa, and MasterCard, to protect cardholders from fraud and identity theft by standardizing the security controls surrounding cardholder data.  Unlike HIPAA or SOX, PCI-DSS is not a government regulation; it is a contractual requirement that the card brands enforce through the acquiring banks that process a merchant’s transactions.  Compliance lets a company demonstrate that it has achieved a level of information assurance suitable to protect customer card data.  It should be mentioned, however, that the card brands can levy fines, passed on through the acquirer, if an organization suffers a loss of card data and is found not to be PCI-DSS compliant.

Compliance is required of all companies that process, store or transmit cardholder data, although the effort needed to validate it scales with transaction volume.  Some ask why they should expend the time and resources when enforcement is contractual rather than governmental.  First, PCI-DSS compliance can give customers more confidence in your ability to protect their data.  Second, a company that is compliant with PCI-DSS will be better equipped to comply with other regulations and frameworks such as HIPAA, COBIT, or ITIL, since many of the requirements overlap.  Third, the recommendations in PCI-DSS are reasonable and practical for most companies that take information security seriously, and they can significantly improve an organization’s ability to safeguard systems and data.

What’s required?

The PCI-DSS requirements are grouped into six categories called control objectives.  The objectives and their requirements are excerpted from the PCI-DSS 1.2 standard:

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

How does one become certified?

For many companies, the compliance process is somewhat ambiguous, and what little is known of it often reflects the outliers rather than the norm.  Compliance seminars and information security speakers often talk of the penalties for non-compliance or the immense costs of compliance initiatives, and this can make the activity seem quite frightening.  However, the PCI-DSS process is relatively straightforward.

After implementing controls to satisfy the objectives above, a company must periodically validate and report its compliance.  The validation method depends on the merchant level, which the card brands set by annual transaction volume: smaller merchants complete an annual Self-Assessment Questionnaire (SAQ) and pass quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV), while the largest merchants undergo an annual on-site assessment by a Qualified Security Assessor (QSA), who produces a Report on Compliance.  Validation must be repeated every year to maintain PCI-DSS standing.

Where to next?

This entry regarding PCI-DSS covered who needs to comply with it, what is required, and how the process works.  As you can see, the process is not as complicated as some believe.  Organizations can improve the security of handling credit card information and provide an increased level of assurance to customers that their credit card information is being protected.

Information Security Compliance: HIPAA

HIPAA is regulation intended to help covered entities and their business associates protect Electronic Protected Health Information (ePHI).  The U.S. Department of Health and Human Services (HHS) outlines who HIPAA applies to in their definition of a covered entity.

Health and Human Services (HHS) lists three kinds of covered entity:

A Health Care Provider

This includes providers such as:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

…but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

A Health Plan

This includes:

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs that pay for healthcare, such as Medicare, Medicaid, and the military and veterans health care programs

A Health Care Clearinghouse

This includes entities that process nonstandard health information they receive from another entity into a standard format (i.e., standard electronic format or data content), or vice versa.

The organizations listed above are the covered entities.  HIPAA also applies to their business associates: companies that create, receive, maintain or transmit ePHI on a covered entity’s behalf, such as suppliers or outsourced IT providers.

Now that we know whom this applies to, we can discuss the basics of HIPAA compliance.  The primary goal of HIPAA is to protect ePHI, which includes identifiers such as name, dates (birth, admission, discharge, death), telephone number, SSN, photographs and address.  Companies under this regulation need to implement technical and procedural controls to protect this information and to perform a risk analysis of the threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI.  Technical controls include such things as encryption, authentication, password complexity, access auditing and network segmentation; procedural controls include such elements as password policies, incident response plans, contingency plans, and audit procedures.

HIPAA also requires companies to provide patients with information on their privacy practices and they must record acknowledgement that the patient received the information.  You have most likely experienced this at the doctor’s office.

The covered entity or business associate must provide a plan outlining how the company will follow the act and designate someone who is responsible for creating and implementing policies to support the plan.  If a company outsources certain business processes, then the company must make sure that the third party is also in compliance with HIPAA standards.

This article is too short to go into detail on the controls an organization needs, but each system that stores or transmits ePHI must have adequate controls, and each person who works with ePHI must follow procedures intended to protect this private information.  The scope of HIPAA compliance is quite broad.  It covers doctor’s offices and other medical providers for the protection of patients, and it reaches certain other businesses as well: an employer that sponsors a group health plan is bound, with respect to that plan, by the confidentiality rules and by the transaction-standard (uniformity) rules.  HIPAA defines a covered healthcare provider as a person or business that provides healthcare in the normal course of business and transmits health information electronically in connection with a standard transaction.

This first installment in a series of blogs about information security compliance dealt with the medically related HIPAA or Health Insurance Portability and Accountability Act of 1996.  We defined it and included a summarization of the applications of HIPAA.  Finally, we included an overview of which companies should be concerned with the application and therefore the implementation of HIPAA.


Information Security Compliance: Which regulations relate to me?

Information security is often feared as an amorphous issue that only the IT department has to deal with. The reality is that companies need to be concerned with complying with information security from top to bottom. Regulations are in place that can help a company improve information security while non-compliance can result in severe fines. It may be difficult for a company to understand which laws apply and which ones do not because many different sets of laws can apply to one company and not another.

Many major companies within the United States are subject to some security regulation.  Regulations that contain information security requirements are intended to improve the information security level of organizations within that industry, and many organizations would welcome such information.  The difficulty comes in determining which regulations apply and in interpreting the requirements of the regulation.  The regulations are not written in a way that is easily understood by the average business person so many times a security professional is needed to understand the requirements and how to implement them.  Professionals have experience implementing systems, policies, and procedures to satisfy the requirements of the regulation and enhance the security of your organization and some have obtained credentials such as the HISP (Holistic Information Security Practitioner) that signify their understanding of the regulations.  Often the requirements are given in general terms leaving the company to determine how to best satisfy the requirements.

First, companies need to assess which of the laws and acts apply to them. Then they need to organize their information security to address the boundaries put in place by the acts. This requires a set plan that outlines a consistent and effective way of alerting and dealing with threats.

But how do we assess which laws apply to which company?

Discussing particular laws and which companies they apply to is unavoidably vague, so take your local hospital as an example.  This hospital is publicly traded and not a federal agency, so it is not subject to FISMA.  (Being publicly traded, it is subject to Sarbanes-Oxley for its financial reporting controls.)  Because it treats patients, it is subject to HIPAA.  It must now look carefully at what protections it owes patients and put safeguards in effect to prevent a breach of security.  On the ground level, it cannot give away patient information without the patient’s express consent.  From a more technological perspective, the hospital cannot allow any system that handles patient information to be compromised.  This means controls need to be in place for those systems and for the equipment that provides access to them.  Policies and procedures need to govern the activities of the people who interact with the systems, and training needs to take place so that users perform their duties properly and do not intentionally or unintentionally misuse the systems.

Some companies may have to comply with multiple regulations.  In such cases, it is best to outline all the regulations that impact the company first and then a determination can be made for which security controls to implement that satisfy the requirements of all the regulations they need to comply with.  This process can reduce the amount of money the organization spends on compliance efforts because it reduces duplication of effort and the likelihood that competing systems would be put in place to satisfy the same regulatory requirement.

This table shows the different regulations, what each regulates, and which organizations fall within its scope.

HIPAA (Health Insurance Portability and Accountability Act)
  What it regulates: A two-part act.  Title I protects the health coverage of people who are changing jobs or have been laid off.  Title II simplifies the healthcare process by moving to electronic transactions and protects the privacy of individual patients.
  Companies affected: Any company or office that deals with healthcare, including but not limited to doctor’s offices, insurance companies, and employer-sponsored health plans.

Sarbanes-Oxley Act (SOX)
  What it regulates: Requires audit records and related financial documentation to be retained for seven years.  It was enacted to prevent another Enron-style accounting scandal.
  Companies affected: U.S. public company boards, management, and public accounting firms.

Federal Information Security Management Act of 2002 (FISMA)
  What it regulates: Recognizes information security as a matter of national security and mandates that every federal agency develop, document and implement a program to protect its information systems.
  Companies affected: All federal agencies, and the contractors that operate information systems on their behalf.

Gramm-Leach-Bliley Act (GLBA)
  What it regulates: Allowed insurance companies, commercial banks, and investment banks to operate within the same company.  On the security side, it mandates that financial institutions safeguard the private information of clients and customers.
  Companies affected: The Act defines “financial institutions” as “…companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance.”

Family Educational Rights and Privacy Act (FERPA)
  What it regulates: Protects the privacy of student education records.
  Companies affected: Any educational institution that receives federal education funds, including universities, academies, colleges, seminaries, technical schools, and vocational schools.

Payment Card Industry Data Security Standard (PCI-DSS)
  What it regulates: A standard of 12 requirements designed to reduce fraud and protect customer credit card information.
  Companies affected: Companies that store, process or transmit credit card information.

There is an abundance of laws and bills on the books designed to protect information. However, it is not always clear to the average business decision maker which regulations apply to their company. That is where a security professional can significantly help a business make sense of such an area that grows more complex with each new regulation.  Compliance is critical, and it begins by understanding which regulations affect your company and then outlining the steps to bring you into compliance.

Reducing privacy and compliance risk with data minimization

Companies collect millions of gigabytes of information, all of which has to be stored, maintained, and secured. There is a general fear of removing data lest it be needed some day but this practice is quickly becoming a problem that creates privacy and compliance risk. Some call it “data hoarding” and I am here to help you clean your closet of unnecessary bits and bytes.

The news is full of examples of companies losing data. These companies incur significant cost to shore up their information security and their reputations. In a study by the Ponemon Institute, the estimated cost per record for a data breach in 2009 was $204. Based on this, losing 100,000 records would cost a company over twenty million dollars. It is no wonder that companies are concerned. Those that are not in the news are spending a great deal of money to protect the information they collect.

So why are we collecting this information in the first place? Like abstinence campaigns, the best way to avoid a data breach is to not store the data in the first place. This is where data minimization steps in to reduce such risk. As part of the data minimization effort, organizations need to ask themselves three questions:

  1. Do I really need to keep this data?
  2. Would a part of the data be as useful as the whole for my purposes?
  3. Could less sensitive data be used in place of this data?