Transcript of Ken Baylor, information security and privacy consultant
RICHARD SWART: Hi, this is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we’ll be speaking with Ken Baylor, an information security and privacy consultant to Fortune 500 companies. He was recently the chief information security and privacy officer of Symantec, and before that spent five years working for McAfee. Good afternoon, Ken. How are you doing today?
KEN BAYLOR: I’m doing well, Richard. How are you?
SWART: Very good. Well, I’d like to start talking about how organizations can set up compliance and monitoring programs. So, what would be the first step a company should take in setting up a [system] to monitor their compliance with privacy policies?
BAYLOR: Well, the really important first step is actually to get good policies in the first place. To do that you really have to understand the business and all the business units and their concerns, and you also then have to look at the legal frameworks and regulatory obligations of the business itself. Now, you then have to go up and get the buy-in from all of the business units, and to do that, if you’re creating the policy, you really have to understand their concerns. To get good policies created you must put together a steering committee and get attendance from all the major departments, and especially those that affect revenue, because at the end of the day, if it comes down to revenue versus one of your rules, guess who’s going to win? And whatever policy you come up with should be run by an attorney to make sure there are no glaring errors or omissions in it. Now, that’s the first step.
The next step is that you have to find meaningful ways to measure that everyone is compliant with these policies. So you’ve got to start looking at things like awareness training, vulnerability assessments and other automated methods of measuring violations.
SWART: Is there other due diligence a company should perform in setting up a program like this?
BAYLOR: Absolutely. Companies really should understand the flow of data within the company. They should know where the data enters and where it leads, and they should classify the data according to sensitivity. The sensitivity of the data should really be the primary criterion for where to spend resources. Data which contains personally identifiable information often has non-negotiable standards which should be in force without exception, and there we’re looking at information such as PCI, or making sure you’ve got a protection mechanism for trade secrets.
SWART: Well, in addition to searching for these data flows outside of the company, what other data flows do banks need to be paying attention to?
BAYLOR: Well, there are many studies showing over 50% of attacks emanate from within your firewall, i.e. your employees. Now, with privacy breaches -- and by that I mean breaches of privacy policy -- that number is most likely in excess of 90%. For example, we often see developers running with live customer personally identifiable information in test or staging environments. Now, these test environments, I think, are quite open to the internet in many cases, and developers are not exactly known for patching or hardening their servers, and because of this very scenario many external attackers often target development servers once they penetrate inside the perimeter of the network, or indeed they use development or test servers as a method to penetrate the firewall and compromise the whole enterprise.
Now, for banks, they really need to know what sensitive data is, and they need to look at the data life cycle. That’s from creation to destruction. They must especially be wary of support staff who will copy maybe excessive chunks of data on some reasonable pretext and then lose the data. So whether it’s a lost or stolen laptop or a lost USB key ring, the damage itself can be devastating.
SWART: Well, talk a little bit about privacy. I’d like to return to the issue of international issues. What are some of the essential differences between EU privacy laws and those in the U.S., and what impact do these have on the management of the privacy program for a U.S. company?
BAYLOR: Well, EU laws make a fundamental assumption that a worker has a right to privacy, and all encroachments on the right to privacy are vigorously defended in Europe. However, in the U.S. the assumption is made that a worker has little if any right to privacy, and the scope and levels of monitoring are much broader. So, many companies do not even have written expectation policies in this area, and if they do have a policy saying what they’re monitoring, they do it in very vague language. In some cases, if the employees find out how much monitoring is actually going on, it can destroy morale, and one thing we have seen is that, in order to avoid actual court cases where they would have to say where they got their evidence from, many companies will try to get their ex-employees to sign waivers, or if they are threatened with a lawsuit they will settle rather quickly. A lot of this could be fixed by having a good policy, clearly stated, with a good explanation … and a documented procedure on what happens and how investigations are carried out.
SWART: How much information would an executive need to effectively manage risk related to privacy and compliance programs?
BAYLOR: Well, it’s a tough area to master, primarily for historical reasons. Now, quite often you find attorneys running privacy, but then they can’t effectively enforce it as they lack knowledge of IT, and they end up with large gaps between policy and actual effectiveness or execution on the ground. Alternatively, it can also happen that you add privacy onto an information security person’s task list, and this also results in badly thought out policies … Now, if you go to the IT person who knows very little about law, or you go to the attorney who knows very little about IT, both scenarios are pretty much doomed to failure. So, what exactly you need to do is either put together a steering committee and foster a strong bond between the info tech person and the legal person, or alternatively seek a candidate to run privacy who understands both the law and the intricacies of information security.
SWART: That might be a tall order in today’s market, but I understand your point. Let’s switch and talk about what executives need to do. What are some of the best practices for an organization in terms of real time monitoring to ensure information security and privacy?
BAYLOR: Well, you really need a two-pronged approach. You need to look at … what you own and can manage, and on each of those you should put a compliance monitoring tool, and these can report into a security information manager, which receives an alert in real time, processes it, evaluates it and then can send alerts either to a dashboard, or to a dashboard and a personnel alert mechanism such as a text message if you need an emergency response, so that way you can see what’s going on globally in your environment for the things that you own. However, there is a lot of infrastructure out there that for various reasons you cannot manage with an agent, and these would include switches, printers, unix machines and, unfortunately, Mac machines, and you need a really good network scanning and vulnerability tool which can tell you how vulnerable your devices are. So, this device would be used for telling you what’s on your network, whether you own it and can control it with an agent or not, and these tools can also let you know when a new node pops up in your network and where physically it is. So you should be able to lock it down to where the cable is connected in, right down to the port, and these little devices could be hacking machines, or else they could be vectors used by hackers, such as a rogue device which somebody in a smaller department may have just plugged in without any security and which is effectively a back door into your network.
SWART: Well, aside from rogue devices like you’re talking about, we know there are a lot of privacy violations and privacy incidents occurring in industry. In reviewing these privacy incidents it is often noted that an organization will have a good privacy policy in place, but these incidents are still occurring. What’s not working in the system, or what skills are CISOs lacking, that are allowing these incidents to keep occurring?
BAYLOR: You hit a nerve there, and what’s actually happening is that the leadership in the infosec and privacy areas is very much in transition. So, in the past there have been many chief information security officers who have created these implausible practices and then forced them on the rest of the company. Now, a few of these have been successful, and this has been noted, but they believe they are successful because they have drafted and posted a basic policy, but when you get into it they’re not successful, because their policies are flouted and ignored even by the business unit leaders, and then their employees, who will always emulate whatever their bosses do, also ignore the policies. Now, these privacy policies -- you can describe them as a statement of intention, which is pretty useless, or you can describe them as a wish list, or even worse, and this is why, if there is a large event, a breach can happen and will be described by the other party as a misleading set of false promises sent to the business partner to get the business deal done. Now, if you want to be truly successful, which is where the market is going, then you need buy-in at the very start from the key decision makers. You need sensible policies to satisfy both business and regulatory environments. You need the technical ability to work with IT to create, enforce and measure these controls. However, it also requires the business savvy to build a good quality graphical user interface dashboard to see the risk profile of the whole enterprise in real time. It requires leadership, vision and execution, and that’s what we’re starting to see emerge in the market now.
SWART: That’s great insight. Well thank you for your information today. It’s going to be very helpful for our listeners.
BAYLOR: Thank you very much, Richard.
SWART: Thank you for listening to another podcast with Information Security Media Group. To listen to a selection of other podcasts or find other educational content regarding information security for the banking and finance community, you can visit www.bankinfosecurity.com or www.cuinfosecurity.com.