IPkey.com, information security monitoring & management

Information Security Bulletin, June 2003

Feature Story: Who owns your data? Big Brother

Of all of the newsletters I have written, this issue is the strangest. Why? In IT, a revolution is underway, driven by massive and well-publicized failures in consumer privacy, corporate accountability and the US intelligence agencies. Think Experian, Enron and 9/11.

I recently read an excellent book called 'Secrets & Lies' by Bruce Schneier, founder of Counterpane Security. He often states that here in the US, consumer data stored on corporate servers is NOT the property of the individual, but is controlled and owned by the corporation that maintains the data. Now whether you think that's good or bad, it certainly did make it easy for IT because they didn't have to answer to anyone. However, in an amazingly short period of time, this statement has become obsolete. This year, control of consumer data is not only being returned to the consumer, but is also becoming highly controlled by government agencies.

No fewer than 4 major federal and state regulations kick in this year that dictate to businesses and organizations how their data is to be managed. These new laws are primarily concerned with the privacy of consumer data (HIPAA, SB 1386), but also address corporate accountability (Sarbanes-Oxley).

However important these new laws may be, they are just part of the overall picture. Like a weather pattern of different air masses coming together, there is also the ominous mass of digital rights management (DRM) issues that will soon affect all data. The third ingredient of this looming storm is the USA Patriot Act. While the new privacy laws restrict the use and dissemination of client and patient data, the Patriot Act demands that we make data immediately available to law enforcement agencies with a court order. If we can't quickly produce records, emails and other data for an FBI request under Section 215, they can simply seize every PC and server in your offices. Due process of law is certainly taking a back seat in the war on terrorism, but it is the law. As you can see, data in almost all organizations is now gripped in the vise-like jaws of these complex regulations. In effect, your data no longer belongs to you, but you are responsible for it.

Welcome to the Information Security Bulletin. This is your source for the latest practical information you can use to protect your organization's critical information and network services.

Marcus Clarke, ISB Editor


Data management has gone from the relative simplicity of backups and disaster recovery, to complex risk management, and now to major compliance challenges. No wonder we're all burned out! These new laws require very careful planning of information security policies and disclosures. You must act in very specific ways in this complex new regulatory environment.

I have been thinking about all this for some time, and I believe one result will be that we will get in far more trouble for having a document in the wrong place than for losing it. This is a big change for us, so we will have to be much more diligent about permanently deleting old documents, spreadsheets, emails, etc. We've become very sloppy about having multiple versions of files on local drives, obscure server folders and CD-RWs. I have called this phenomenon 'data sprawl' and it has to stop. Start thinking now about a data retention policy so that only 'official' versions of all documents exist on your systems. Inventory your data, and don't forget about your backup tapes and archives; they can be subpoenaed too!

This ties neatly into Digital Rights Management, an encryption technology which until now has been associated with the draconian efforts of Hollywood to prevent copying of music and video. It is no accident that the new version of Microsoft Office (2003) incorporates DRM at its heart. It seems to me to be inevitable that DRM will be the vehicle that governs access to ALL forms of data. Now I'm not necessarily opposed to this, but when Microsoft and Hollywood are leading the charge, solutions are not simple, inexpensive or reliable.

Final Thought
I'd like to leave you with a quote from an essay in CIO Magazine this month by futurist author Larry Downes called The Shape of Things to Come. In the Security section of his Seven Pillars of Architecture, he says, "External threats to systems security, coupled with growing consumer privacy concerns, will figure prominently in the design and operation of next-generation systems. Since next-generation applications will reach much deeper into day-to-day activities of consumers, businesses and governments, they will require built-in safeguards far beyond passwords and physical security." He concludes, "The integrity of data will become a matter not of engineering but of public policy. The combination of anxiety over global terrorism, the increasingly open exchange of data between participants in the supply chain, and the growing unease among consumers about the collection and use of personal information, will move security to center stage, where regulatory agencies, legislators, lobbyists and courts will play a prominent role in design."

        Welcome to our Brave New World.

Confusing?
Today, data has to be fully secured, yet portable (HIPAA). It must allow you to 'opt-out' of certain uses of your data (GLB). It also has to be certified as accurate (Sarbanes-Oxley) and available to the FBI if they want it (US Patriot Act). Finally, if security IS breached and unauthorized access to consumer data occurs, all affected consumers who are California residents must be notified (SB 1386), except if it was the FBI, in which case you can't tell anyone that their records were turned over.

ISB Takeaway #1:
Check your compliance requirements right now at our Compliance Center. Many organizations have no clue about SB 1386, which becomes law on 7/1/2003. Do you have customers in California?

ISB Takeaway #2:
Start working on a Data Retention Plan to keep only 'official' versions of email, documents and data.

ISB Takeaway #3:
Learn more about Digital Rights Management - you will be dealing with it soon.

The ISB is a monthly email newsletter published by IPkey.com, your source for affordable information security monitoring and management. IPkey.com is part of Meridian Group, a New Mexico based corporation serving the IT needs of its clients for 14 years. We encourage you to forward ISB to your co-workers, colleagues and friends. To subscribe or unsubscribe to the ISB newsletter, email us at isb@ipkey.com
Past issues of this newsletter are available at IPkey.com ISB Archive

I invite you to call or email me with your questions and comments.  As always we are here to assist you with your Information Security needs.

Next Month:
     I'm taking a vacation!
     See you in August...

All contents copyright (C) 2003 Meridian Group Inc.