HITECH and HIPAA security and privacy safeguards have been evolving over the past 14 years, and today a large amount of guidance is available for medical providers. Specifically, two rules outlining how to qualify for the federal incentive program for electronic health records were released today (July 13, 2010), though they do not take effect until 60 days after the publication date of 7/28/2010. Both touch on security and privacy concerns. In total the two documents roll up to 1,092 pages. After I finish going through these I will post applicable details here and of course here.
Download each from the Federal Register public inspection desk
Alternatively, download the documents (PDF) directly:
- Medicare and Medicaid Programs: Electronic Health Record Incentive Program
- Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology
Comments and insights welcomed,
James DeLuccia
Tags: Uncategorized
A report released this month has identified one single group that is responsible for 2/3 of ALL global phishing attacks. This is a tremendous undertaking and requires an exceedingly large amount of sophistication. A telling quote from the report (available here) gives a bit of background:
Central to Avalanche’s success is its use of fast-flux botnets to host phishing sites. The use of peer-to-peer communications makes it impossible for a single ISP or hosting provider to pull the plug on the infrastructure. The gang also excels at launching attacks from a relatively small number of domain names that often appear confusingly identical to each other, such as 11f1iili.com and 11t1jtiil.com. Those abilities also fuel the success.
There were 126,697 phishing attacks during the second half of 2009, more than double the number in the first half of the year or from July through December of 2008, the APWG report said. Avalanche, which was first identified in December of 2008, was responsible for 24 percent of phishing attacks in the first half of 2009 and for 66 percent in the second half. From July through the end of the year, Avalanche targeted more than 40 major financial institutions, online services, and job search providers.
In addition, the domains / IP addresses hosting these malicious sites break down in the following manner (demonstrating how important global controls are):
Of the 28,775 phishing domains, we identified 6,372 that we believe were registered maliciously, by the phishers. Of those, 4,141 (66%) were registered by Avalanche. Virtually all of the other 22,403 domains were hacked or compromised on vulnerable Web hosting. Malicious registrations apparently took place in just 51 TLDs.
The takeaways here are the following (please comment on other perspectives):
- By centralizing / controlling the Phishing attacks Avalanche is gaining rapid knowledge of target infrastructures; security defenses; and massive amounts of intellectual property that can be re-deployed in future attacks against other parties (or for sale).
- Expansion of these attacks resulting from the accumulation of such knowledge, combined with the 700 million + records of sensitive data on consumers, creates the opportunity for a massive spear-phishing campaign.
- The leveraging of dynamic hosts and botnets is introducing a frontier whereby we can no longer have black lists / white lists as a simple solution. In addition, the idea of perimeter defenses and trusted site-to-site open VPNs is drawn into question.
These attacks are evolving along the same path that worms did. Malware artists generally go from proof of concept -> proof of distribution -> proof of non-detection -> proof of precision. It is the crossing from distribution to non-detection and then precision that has the highest rewards for attackers. Safeguards for companies should consider social approaches. People are the target here, and technology cannot block every attack. Organizations could consider process and people as their main line of defense. This, in partnership with mature detection and response capabilities, will limit the impact of any embedded threat.
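The report's point about fast-flux hosting is that blocking the one IP address seen in a phishing report is always a rotation behind. The following is an added example (not from the report or the post) that scores a domain from a series of DNS lookups instead of from any single answer; the thresholds and all sample addresses are constructed assumptions.

```python
"""Fast-flux indicator scoring over repeated DNS lookups (added example).

A fast-flux network rotates many compromised hosts behind one domain name
with very short TTLs.  Scoring the *pattern* of answers over time (IP and
network diversity, TTL, churn between lookups) gives a defender a signal
that a static blocklist cannot.  All data here is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Set


@dataclass
class Lookup:
    """One DNS answer set for the domain: A records and the TTL served."""
    addresses: List[str]
    ttl: int


def prefix16(addr: str) -> str:
    """Collapse an IPv4 address to its /16 so we can count network diversity."""
    return str(ip_network(f"{addr}/16", strict=False))


def flux_score(lookups: List[Lookup]) -> Dict[str, object]:
    """Return fast-flux indicators for one domain.

    Thresholds are assumptions for illustration; tune them on your own data.
    """
    seen: Set[str] = set()
    nets: Set[str] = set()
    prev: Set[str] = set()
    churn_total = 0.0
    for lk in lookups:
        current = set(lk.addresses)
        if prev and current:
            # fraction of this answer set not present in the previous answer
            churn_total += len(current - prev) / len(current)
        prev = current
        seen |= current
        nets |= {prefix16(a) for a in current}
    churn = churn_total / max(len(lookups) - 1, 1)
    min_ttl = min(lk.ttl for lk in lookups)
    suspicious = len(nets) >= 3 and min_ttl <= 300 and churn >= 0.5
    return {"distinct_ips": len(seen), "distinct_nets": len(nets),
            "min_ttl": min_ttl, "churn": churn, "suspicious": suspicious}


# Constructed lookups for a flux-style domain: short TTL, answers spread
# over five /16 networks, most addresses replaced between lookups.
FLUX_LOOKUPS = [
    Lookup(["198.51.100.7", "203.0.113.21", "192.0.2.44"], 180),
    Lookup(["203.0.113.21", "198.18.5.9", "100.64.3.12"], 180),
    Lookup(["192.0.2.45", "198.51.100.8", "203.0.113.22"], 120),
    Lookup(["100.64.3.13", "198.18.5.10", "192.0.2.45"], 180),
]

# Constructed lookups for an ordinary domain: two stable hosts, long TTL.
STABLE_LOOKUPS = [
    Lookup(["198.51.100.7", "198.51.100.8"], 3600),
    Lookup(["198.51.100.8", "198.51.100.7"], 3600),
    Lookup(["198.51.100.7", "198.51.100.8"], 3600),
]

if __name__ == "__main__":
    print("flux-style domain:", flux_score(FLUX_LOOKUPS))
    print("stable domain:   ", flux_score(STABLE_LOOKUPS))
```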
Thoughts?
James DeLuccia
Tags: Uncategorized
A great many efficiencies exist in the Cloud solution model, but the savings can be squandered through management waste, lax business support services, and insufficient information technology controls. Vivek Kundra (United States Government Federal CIO) gave a presentation to the Brookings Institution on how Clouds will be a central focus of all government information systems. In addition he presented a method of consolidating all certifications within NIST. This would greatly reduce the waste that would exist if every institution were required to certify every vendor. A couple of interesting points to consider:
Today organizations already rely upon NIST as their accrediting provider for many solutions, and it is foreseeable that this will extend to these cloud certifications. The certifications will likely encompass all of the risks and required controls demanded by all government agencies, so it is reasonable to conclude these will be adequate certifications for the private sector. Thus NIST certifications will carry massive weight in the private sector, and will equally reduce the costs of adoption by such businesses.
A repeated theme within the Cloud discussion is the ability to focus on the customer. Similar to the thinking in how the iPhone was not just a phone and the iPad is not just a tablet - Clouds provide a canvas for businesses to serve the customer. This is achieved through the greatest benefit of Cloud solutions - the ability to fail and correct rapidly. Extreme unit testing is the greatest opportunity here, and prudent information technology controls ensure it is employed with sufficient operational integrity.
Thoughts?
James DeLuccia
Tags: Uncategorized
COBIT 5 exposure draft is out for review, so sharpen those pencils, order that Grande with an added shot, and find someplace quiet to dig into this design document (note this is NOT COBIT 5.0 but instead the plan that will be employed to create it). It is critical to review and provide feedback for this document, as its influence is extremely broad and far reaching. The COBIT components are interwoven throughout the world’s Information Technology Control Frameworks, global regulations, and industry best practices. Therefore ensuring this exposure draft is thoroughly vetted, commented, and improved must be a top priority for all professionals.
Given that - here is the direct link to download the Design Exposure Draft for COBIT 5.0, and here is the questionnaire for you to fill out afterwards. It is a short 16 pages in length (compared to the hundreds the final iteration will possess), but it is exceptionally important that this document reflect the correct direction.
Best,
James DeLuccia
Tags: Change Control · Directional Alignment · Life Cycle Management · Monitoring and Performance Reviews · Physical Access · Risk Awareness · SDLC · Trusted Communications and Network · Trusted Computing Platform Systems
A webcast by Deloitte accompanied by a poll has provided some interesting data points on the state of data governance within businesses. On the heels of this webcast and its poll results I have also added some insight from my field experience and general personal impressions. Interesting facts include:
- The definition of Data Governance is often different for different people throughout the organization
Creating a great opportunity to establish relative context and personal ownership across the myriad divisions and geographies of the business
- 36.4% think the chief information officer (CIO) should be the sponsor and accountable for data governance in an organization
Full accountability I accept, but responsibility must be across those that have personal and business concerns directly related to Data Governance
- 15.5% consider data asset specification optimization as a top problem
Reading these findings I cannot help but hear a certain management guru asking for the contrarian position. This is not to say that Data Governance is bad or good, but perhaps to offer supplemental support for a very difficult challenge.
A great challenge of Data Governance is shifting culture and human behavior to instill control around the data in question. An interesting approach would be to seek to find what is already being done within the business operations that can provide a control and monitor with some form of natural feedback. This would allow for data governance to occur naturally relative to every organization, while allowing for a broad adoption across the board with low cost impact.
Such controls can be found in the manner in which data is accessed from the databases and file servers. Controls can be pulled from how the desktop / laptops are deployed and supported. This approach looks at the entire business as a system, and can allow for controls to be recorded. In essence, the objective is to (at least partially) establish data governance and spot level controls without labeling a new server / gadget / process as data governance.
Again, this is not an argument against a mature and prudent data governance program across an enterprise, but simply an identification of possible supplemental avenues that can bring those greatly desired early wins.
Other contrary native controls?
Reflectively,
James DeLuccia
Tags: Uncategorized
February 22nd, 2010
The FTC sent out letters to nearly 100 organizations advising that customer and / or employee data protected by United States’ laws was widely available online. The release of such information is not new to most - recall the early days of Napster, when entire hard drives were shared and QuickBooks files and more were available to every person with the curiosity to look for them.
The notice stated that personal health records; financial account information; data protected by PCI DSS, HIPAA, and HITECH; and other PII data records were available and discovered by the FTC to be exposed.
These notifications are a great step however, as they provide business with awareness and guidelines on reducing the threat and provide guidance on how to minimize the impact of these data breaches. Unfortunately, as these file sharing systems go - the data is likely released permanently and the owners of this information will need to establish monitoring and preventive measures moving forward.
A few things suggested by the FTC on protecting sensitive information from being exposed to P2P networks include:
- Delete sensitive information you don’t need, and restrict where files with sensitive information can be saved.
- Minimize or eliminate the use of P2P file sharing programs on computers used to store or access sensitive information.
- Use appropriate file-naming conventions.
- Monitor your network to detect unapproved P2P file sharing programs.
- Block traffic associated with unapproved P2P file sharing programs at the network perimeter or network firewalls.
- Train employees and others who access your network about the security risks inherent in using P2P file sharing programs.
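The FTC's fourth point, monitoring the network for unapproved P2P programs, can be started from ordinary flow or firewall logs. The following is an added example (not from the FTC guidance or the post) that flags hosts whose outbound traffic fans out to many peers on scattered high ports or touches the default ports of common P2P protocols; the thresholds and the sample flows are constructed assumptions.

```python
"""Flag hosts whose outbound traffic looks like P2P file sharing (added example).

A P2P client talks to many distinct external peers on scattered
high-numbered ports, while normal client traffic fans out to many servers
on a handful of well-known ports.  Thresholds and sample flows below are
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Default ports of common P2P protocols: BitTorrent, eDonkey, Gnutella.
KNOWN_P2P_PORTS = set(range(6881, 6890)) | {4662, 4672, 6346, 6347}

PEER_THRESHOLD = 20      # distinct external peers before we care (assumption)
PORT_THRESHOLD = 10      # distinct high ports among those peers (assumption)
EPHEMERAL_START = 1024   # ports below this are treated as ordinary services


@dataclass(frozen=True)
class Flow:
    """One outbound connection record: internal source, external peer, dest port."""
    src: str
    dst: str
    dport: int


def suspect_p2p_hosts(flows: Iterable[Flow]) -> Dict[str, List[str]]:
    """Return {internal host: [reasons]} for hosts showing P2P traffic patterns."""
    peers: Dict[str, Set[str]] = defaultdict(set)
    high_ports: Dict[str, Set[int]] = defaultdict(set)
    known_hits: Dict[str, int] = defaultdict(int)
    for f in flows:
        peers[f.src].add(f.dst)
        if f.dport >= EPHEMERAL_START:
            high_ports[f.src].add(f.dport)
        if f.dport in KNOWN_P2P_PORTS:
            known_hits[f.src] += 1
    findings: Dict[str, List[str]] = {}
    for host, hosts_peers in peers.items():
        reasons = []
        if len(hosts_peers) >= PEER_THRESHOLD and len(high_ports[host]) >= PORT_THRESHOLD:
            reasons.append(f"{len(hosts_peers)} peers over {len(high_ports[host])} high ports")
        if known_hits[host]:
            reasons.append(f"{known_hits[host]} flow(s) to default P2P ports")
        if reasons:
            findings[host] = reasons
    return findings


def sample_flows() -> List[Flow]:
    """Constructed flow records for three internal hosts."""
    flows = []
    # 10.0.0.5 browses 30 different servers, all on 443: many peers, one port.
    flows += [Flow("10.0.0.5", f"203.0.113.{i + 1}", 443) for i in range(30)]
    # 10.0.0.9 runs a P2P client: 25 peers on scattered high ports,
    # plus two peers on BitTorrent default ports.
    flows += [Flow("10.0.0.9", f"198.51.100.{i + 1}", 20000 + 37 * i) for i in range(25)]
    flows += [Flow("10.0.0.9", "192.0.2.10", 6881), Flow("10.0.0.9", "192.0.2.11", 6882)]
    # 10.0.0.12 has a single connection to an eDonkey default port.
    flows.append(Flow("10.0.0.12", "192.0.2.20", 4662))
    return flows


if __name__ == "__main__":
    for host, reasons in suspect_p2p_hosts(sample_flows()).items():
        print(host, "->", "; ".join(reasons))
```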
In addition, the use of personal computers and smart devices (PDA, iPod Touch, iPhone, Android device, iPad, etc…) should be carefully reviewed and their use defined. The velocity of data creates a need for DLP at multiple points. As the utility of such devices increases, the need for managing this information and protecting it will also increase.
Thoughts on how to minimize the release to P2P networks?
- James DeLuccia
Tags: Uncategorized
According to a recent examination by global professionals of the failure of risk management controls with respect to financial exposures, many of the failures can be attributed to very specific technology failures. This does not excuse the vast number of other shortfalls (apply blame as you see fit), but it does highlight that these technology failures certainly did not help the situation, and in fact exacerbated it to some degree. A few cogent points highlighted in the 36 page report are eerily applicable to all organizations, and should be a flare to all audit, security, risk management, and compliance personnel. The PDF report can be downloaded here.
Points that should be carefully considered:
“One challenge to improving risk management systems has been poor integration resulting from multiple mergers and acquisitions”
This is especially dangerous considering that many businesses choose to operate separately initially to insulate the business at large from interruptions. Information systems are generally incompatible at the beginning of any integration. This is due to the lack of pre-planning and enterprise M&A integration methodologies within the acquiring firms. Organizations should take immediate action if they have acquired entities without consolidating these technology systems, or at the very least route ALL traffic, logs, compliance controls, and processes through the acquiring entity. This creates both friction and a need for efficiency - two very powerful forces that will result in immediate transformation of these information technology environments, in the right direction.
“…acquisitions over the years have produced an environment in which static data are largely disaggregated”
This affects the ability to ensure daily consistent delivery of data and information technology services. In addition, historic activity is just as important in managing current data environments. Lacking such clarity and statistics forces executives to manage blindly, without any context or sensible barometer of delivery and achievable commitments.
“…certain products and lines of business have not been included in data aggregation and analysis processes”
Technology historically has been disconnected from the business delivery objectives, and actual exclusion of specific products and businesses only ensures budgets will be misplaced; service will be inappropriate; and risks will not be addressed properly (if at all).
“…two systems for the same business results in duplication of processes”
This finding simply highlights waste - waste in resources; talent; time; bandwidth; budget, and brainpower. In an age of interconnected capabilities such requirements for dual systems should be becoming sparse and rare.
An interesting message echoing throughout the report was risk management’s lack of complete visibility into the firms’ risks. A point that is similar in nature and impact for CIOs and Technology executives alike. How well do we professionals truly understand what is happening and has happened within the business information systems? Is all the data that is pertinent provided and managed? Peter Drucker would certainly ask - Are you fully aware of the system (not the one computer or the e-transactions, but the technology system as a whole)? Are you making choices based on all the right information, or based on the information you have (right or wrong)?
The crossovers between professional risk management and technology leadership are clear, striking, and very relevant. It is prudent that today’s leadership is aware and armed with the skills of many trades - risk management in particular - to truly leverage the centuries of experience that exist within arm’s reach.
Additional perspective - please leave a comment,
James DeLuccia IV
Check out my other thoughts here on IT Controls and PCI DSS
Tags: Uncategorized
In the past five years of delivering work focused on aligning and enhancing corporations against contractual agreements, operational requirements, and risks through technology - today officially classified as Governance, Risk and Compliance (or GRC) - I have seen real returns for my clients. While these improvements happen immediately, the real rewards are realized by embedding the efforts over the long haul. I have been quite pleased with the results of my own GRC activities, and based my book on highlighting these core success criteria.
A recent survey, albeit funded by a GRC vendor, conducted by the Aberdeen Group reinforces the returns corporations receive through adopting GRC into their organizations. I find these results to be in-line with my own personal experience. The link to the press release is here. A quick bit of the numbers they highlight include:
Some of the main results pointed out by the research show that Best-in-Class companies:
1. estimated that business-critical decisions are made 10% faster, based on improved management visibility into current risks.
2. eliminated redundant risk management activities and processes, with a reduction of 8.5%.
3. improved efficiency of their compliance tracking and reporting processes by 12% and their ability to provide clear, timely communication of risks and compliance status to shareholders and board of directors.
4. increased their flexibility to adjust to new or updated regulatory requirements by 11.5%.
I strongly encourage organizations to develop a culturally correct IT Governance process and create an ongoing GRC initiative. Only when technology, business risk, and innovation are moved together can organizations truly capitalize on the benefits of their existing assets.
A separate report, Managing Risk, Improving Visibility, and Reducing Operating Costs was released in May 2009 which is also quite good and highlights the IT GRC benefits. As with any industry report, be aware of the samples, scope, sources, funding for report, and how your organization differs and is similar in nature.
Other considerations?
James DeLuccia IV
(Please note, I was unable to locate the actual report beyond the broken link in the press releases. I will check periodically and see if I can locate it when it becomes available. If you find it, please post a comment and I will update here)
Tags: Uncategorized
August 13th, 2009
An incredible trend is happening in the “for contract” market - specifically for hire programmers. oDesk and eLance both show dramatic upticks in the amount of work being posted and delivered on their sites (nice article here on the growth). oDesk alone is tracking about 100,000 hours a week of work, or nearly $65 million worth. This massive increase in projects outsourced to independents and for hire groups is an indicator of the need for businesses to find affordable development, but at what cost?
The trend is perfect for highlighting how businesses can shift to deliver services required - in any economy. The trend also equally shows that the practices and methods equally shift. The challenge is making this shift securely and with the correct safeguards. (This is highlighted nicely from a macro risk perspective by Mike Nolan here in The Need for Alignment.) Leveraging contractors has always required specific validation techniques:
- Right to Audit clauses to ensure operations meet marketing materials
- Background check summaries on contractors
- AV and anti-malware running on contractor systems (or, for the U.S. government, no P2P)
- Vendor management procurement procedures
Awareness is necessary for when these jobs begin to be sourced through open market places. The fidelity of the business providing the services, protection of intellectual property, and the proper review of software against best practices is only the beginning of the new and expanded risks that must be considered.
Businesses and leaders should certainly embrace these open markets that allow greater access and better price transparency, but it must be done in a manner that reflects the risk capability of the business to ensure a balanced operating environment.
Additional thoughts and ideas on best practices for vetting outsourcing vendors?
James DeLuccia IV
Tags: Uncategorized
August 4th, 2009
As the economies around the world remain challenged by the economic environment, the propensity for fraud is significantly higher. One may speculate that fraud is consistent but only our sensitivity shifts between good and bad times. Whichever school of thought you support is a matter of risk perspective, and quite irrelevant today.
Fraud is up on a worldwide basis. The attacks and scams are increasing, and it is occurring across all sectors. An excellent breakdown, the “KPMG Forensic Fraud Barometer”, states that for the UK and its regions over 1.1 billion pounds of fraud came to court in 2008.
The Association of Certified Fraud Examiners (ACFE) has a great amount of detailed statistics here, a nice simple guide for small businesses seeking to minimize/prevent fraud, and a nice bit of information on the past ACFE fraud conference (highly recommended).
We are definitely seeing these frauds perpetrated in common channels - such as in Las Vegas at Conferences (below are several links to articles referring to two ATMs found during the DefCon 17 Conference - very interesting read):
In addition, organized crime groups are also leveraging the technologies of today (Facebook, Twitter, SMS) - and the attack vectors (i.e., phishing) that come with them.
Protection; Prevention; Detection:
- Being aware of trends is vital to erecting current and appropriate (even if temporary) safeguards - such as those required by the FTC Red Flags Rule.
- Communicate with peers and collaborate - that may be accomplished by being a part of message boards; Twitter Groups, and attending Conferences.
- Evaluate your fraud programs and determine the current success rate, and implement corrections.
These are simply single high level areas to consider - review your fraud programs seriously and consider the resources available by the above referenced parties.
As mentioned by Vivien Osborne of KPMG UK in the KPMG Forensic Fraud Report:
“In these harsh economic times, internal fraud could become the tipping point between the survival and demise of an organisation. Companies need to be rigorous about re-enforcing their anti-fraud measures. By reviewing their high risk and key operations, having effective reporting channels and deploying detection mechanisms such as data analytics they may give themselves a better chance to fight fraud.”
Additional Fraud Resources, please add below in comments.
Best,
James DeLuccia IV
Tags: Uncategorized