Transcript of Ken Baylor, information security and privacy consultantRICHARD SWART: Hi, this is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today weâ€™ll be speaking with Ken Baylor, an information security and privacy consultant to Fortune 500 companies. He was recently the chief information security and privacy officer of Symantec, and before that spent five years working for McAfee. Good afternoon, Ken. How are you doing today?
KEN BAYLOR: Iâ€™m doing well, Richard. How are you?
SWART: Very good. Well, Iâ€™d like to start talking about how organizations can set up compliance and monitoring programs. So, what would be the first step a company should take in setting up a [system] to monitor their compliance with privacy policies?
BAYLOR: Well, the really important first step is actually to get good policies in the first place. To do that you really have to understand the business and all the business units, their concerns and you also then have to look at the legal frameworks and regulatory obligations of the business itself. Now you then have to go up and get the buy-in from all of the business units, and to do that if youâ€™re creating the policy, you really have to understand their concerns, and to get the good policies created you must put together a steering committee and get attendance from all the major departments and especially those that affect revenue because at the end of the day if it comes down to revenue versus one of your rules, guess whoâ€™s going to win? And whatever policy you come up with should be run by an attorney to make sure there is no glaring errors or omissions in them. Now, thatâ€™s the first step.
The next step you have to find meaningful ways to all these compliant with these policies. So youâ€™ve got to start looking at things like awareness training, vulnerability assessments and other automated methods of measuring violations.
SWART: Is there other due diligence a company should perform in setting up a program like this?
BAYLOR: Absolutely. Companies really should understand the flow of data within the company. They should know where the data enters and where it leads, and they should classify the data according to sensitivity. The sensitivity of the data should really be the primary criteria as to where to spend resources. Data which contains personal identifiable information often has non-negotiable standards which should be in force without exception and there weâ€™re looking at information such as PCI or making sure youâ€™ve got a protection mechanism for trade secrets.
SWART: Well, in addition to searching for these data flows outside of the company, what other data flows do banks need to be paying attention to?
Now, for banks they really need to know what sensitive data is, and they need to look at the data life cycle. Thatâ€™s from creation to destruction. They must especially be wary of support staff who will copy maybe excessive chunks of data on some reasonable pre-tax sales protective and then they lose the data. So whether itâ€™s an older stolen laptop or lost USB key ring, the damage itself can be devastating.
SWART: Well, talk a little bit about privacy. Iâ€™d like to return to the issue of international issues. What are some of the essential differences between EU privacy laws and those in the U.S., and what impact do these have on the management of the privacy program for a U.S. company?
BAYLOR: Well, EU laws make a fundamental assumption that a worker has a right to privacy, and all encroachments on the right to privacy are vigorously defended in Europe. However, in the U.S. the assumption is made their worker has little if any right to privacy, and the scope and levels of monitoring are much broader. So, many companies do not even have written expectation policies in this area, and if they do have a policy saying what theyâ€™re monitoring they do it in very vague bank language. In some cases if the employees find out how much monitoring is actually going on, it can destroy morale, and some things we have seen with that in order to avoid actual court cases coming in saying where people got their evidence from, many companies will try to get their ex-employees to sign waivers or if they are threatened with a lawsuit they will settle rather quickly. A lot of this could be fixed by having a good policy clearly stated with a good explanation â€¦ and documented procedure on what happens and how investigations are carried out.
SWART: How much information would an executive need to effectively manage risk related to privacy and compliance programs?
BAYLOR: Well, itâ€™s a tough area to master primarily for historical reasons. Now, quite often you find attorneys running privacy, but then they canâ€™t effectively enforce it as they lack a knowledge of IT and they end up with large gaps in some policy to actual effectiveness or execution of the grounds. Alternatively it can also happen that you add privacy onto an information securities task list, and this also results in badly thought out policies â€¦ Now if you go to the IT person who knows very little about law, or you go to the attorney who knows very little about IT, both scenarios are pretty much deemed to failure. So, what exactly you need to do is either put together a steering committee and foster a strong bond between the info tech person and the legal person, or alternatively they need to seek a candidate to run privacy and understand both the law and the intricacies of information security.
SWART: That might be a tall order in todayâ€™s market, but I understand your point. Letâ€™s switch and talk about what executives need to do. What are some of the best practices for an organization in terms of real time monitoring to ensure information security and privacy?
BAYLOR: Well you really need a two-pronged approach. You need to look at in regard to â€¦ what you own and can manage and each should put a compliance monitoring tool on them, and these can report into a security information manager, which receives an alert in real time, that processes it, evaluates it and then can send alerts either to a dashboard or to a dashboard and a personnel alert mechanism such as a message-left text if you need an emergency response ,so that way you can see whatâ€™s going on globally in your environment for things that you own. However, there is a lot of infrastructure out there that for various reasons you cannot manage with an agent and these would include switches, printers, unix machines and unfortunately accurate machines, and you need really good networking scanning and vulnerability tool which can tell you how vulnerable your devices are. So ,this device would be used for telling you whatâ€™s on your network, whether you own it and can control it with an agent or not and these tools can also let you know when a new note pops up in your network and where physically it is. So where the cable is connected into you should be able to lock it down to the key level and these little devices could be hacking machines or else they could be vectors, which would be used by hackers such as a rogue hacker device which somebody in a smaller department may have just been in without any security and is effectively back to untrue network.
BAYLOR: You hit a nerve there, and whatâ€™s actually happening is the leadership in the infosec and privacy areas, theyâ€™re very much in transition. So, in the past there have been many chief information and security officers who have created these implausible practices and then forced them on the rest of the company. Now, a few of these have been successful, and this has been noted ,but however they do believe they are successful because they have drafted and they posted a basic policy, but when you get into it theyâ€™re not successful because their policies are flaunted and ignored even by the business unit leaders and then their employees who will always emanate whatever their bosses do but also ignore their policies. Now these privacy policies are -- you can describe them as a statement of intention, which is pretty useless, and you can describe them as a wish list or even worse, and this is why if there is a large event a breach can happen (and) will be described as by the other party you can describe them as a misleading set of false promises sense to the business partner conducive to business deal. Now if you want to be truly successful, which is where the market is going to, then you need buy-in at the very start from the key decision makers. You need sensible policies to satisfy both business and regulatory environments. You need the technical ability to work with IT to create, enforce and measure these controls. However, it requires the business savvy to build good quality graphical user implementation dashboard to see the risk profile of the whole enterprise in real time. It requires leadership, vision and execution, and thatâ€™s what weâ€™re starting to see emerge in the market now.
SWART: Thatâ€™s great insight. Well thank you for your information today. Itâ€™s going to be very helpful for our listeners.
BAYLOR: Thank you very much, Richard.
SWART: Thank you for listening to another podcast with Information Security and Media Group. To listen to a selection of other pod casts or find other educational content regarding information security for the banking and finance community you can visit www.bankinfosecurity.com or www.cuinfosecurity.com.