What's on Your Customers' Minds These Days? Identity Theft!


By Dave Tilkin, President, ProcessUnity

The television credit card ads may be humorous, but the message is serious. Identity theft is a problem, and a big one: recent data suggests that losses from identity theft top $50B per year, and that figure does not count the personal cost in time and reputation that victims spend repairing their stolen and damaged financial lives. Identity theft is not just on the minds of individual consumers; it is on the minds of every organization that maintains confidential data on individuals: social security numbers, credit card numbers, personal and family information, financial data.

Concern about identity theft weighs especially heavily on organizations that outsource processes and on those that run outsourced processes (financial services companies, business process outsourcers, and other service providers). These firms are seeing rising customer concern and, along with it, increased scrutiny of their operations. That translates into more requests for information, more lengthy and very detailed questionnaires, and even time- and resource-consuming customer audit visits. (Even an organization that has cleared exacting industry and governmental requirements may still face heightened customer demands.)

Information security has thus become one of the major drivers behind the increased use of SAS 70 attestations by all types of service providers. (SAS 70, Statement on Auditing Standards No. 70, has since been superseded by the SSAE 16 and SSAE 18 SOC 1 report, which serves the same purpose; the points below carry over.) SAS 70 is now widely used to demonstrate to customers that the corporation maintains the processes, procedures, and controls, and sets the "tone at the top" that creates a rigorous corporate culture, that help ensure sensitive data stays safe and secure, and that the company has been examined by an independent third party against pre-defined criteria. Data security is already a major component of your SAS 70. Many of the controls already in place can be used to address the fears your customers have about identity theft, even if ID theft is not explicitly named in your SAS 70. Or you may wish to address identity theft specifically in the Section II narrative of your SAS 70. A third option is to augment your control set with additional security checks.

Relating Your SAS 70 Controls to ID Theft: Start with the Basics
Many of us tend to associate identity theft with phone scams, with the use of credit cards in less than reputable establishments (or those with less than reputable employees), or with the unsecured transmission of sensitive data over the Internet. But identity thieves may also break into your building to get the information they want. As a service provider, you need to make sure that your SAS 70 adequately addresses the physical security of computer and paper files, not just the logical security (access control).

Data center security should be addressed in your SAS 70, in the narrative contained in Section II of your report as well as in the actual control objectives and activities. You should be able to demonstrate how your data centers are staffed and/or monitored 24/7, and include information on personnel, visitor and vendor access policies and programs. You should also indicate the employee termination and transfer policies that govern access to the physical site.

Customers need and want to hear about the physical access protections in force in your data centers and in any offices where sensitive files are stored. Are there security guards and guard stations? Mechanical keys? Card readers? Biometrics? Remote cameras? Are the interior walls reinforced, or sheetrock? Can someone gain physical entry to an otherwise secure data center through the HVAC ducts or above a drop ceiling? In your SAS 70, you should reference the physical security protections that you do use, and consider adding new ones in areas where you may be vulnerable.

Physical files (paper or backup media) should be kept in locked cabinets, with policies on who holds the keys. File rooms should be secure. (And don't forget that you need policies and facilities for the disposal of confidential data: secure containers in a secure, monitored environment, and shredding or media destruction rather than ordinary trash.) All of this can be covered in your SAS 70 and used to reassure your customers about the whereabouts of their sensitive information. Many companies now have extensive policies and procedures covering the storage, transfer, and destruction of confidential or proprietary data. A company with such a program might want to mention it in the SAS 70 narrative, and even consider carving these controls out of the broader data center controls in the control activities.

People Matter
Personnel controls are critical to guarding against identity theft. Even the savviest employee can be conned out of information when rushed or distracted. Service providers should have employee education and awareness programs that keep personnel up to date on information security policies. Awareness of security breaches is also a two-way street: employees must know what types of situations should be reported (suspicious phone calls, propped-open doors, requests for data that bypass the normal channel), and to whom. Employees should be monitored to make sure they follow procedures for disclosing personal and corporate financial information. Employees with access to sensitive information should be bonded. If your company performs background checks (criminal, credit, education), note this in your SAS 70. (Many customers now demand that their service providers do extensive employee background checking.)

Service providers need strong policies and procedures for restricting systems access by terminated or transferred employees, not just physical access to buildings via badge or key. These policies need to be tested regularly, for example by reconciling the HR roster against the list of enabled accounts and group memberships to catch leavers who were never disabled and movers who kept their old entitlements.
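The reconciliation test described above, as an added example (not code from the article or from ProcessUnity). The HR roster, account list and department-to-group entitlement table are constructed for illustration; in practice they would come from the HR system and the directory.

```python
"""Reconcile an HR roster against enabled system accounts to find access that
should have been revoked: leavers still enabled, movers with stale group
membership, and accounts with no owning employee at all.
Added example; all data and field names below are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class Employee:
    emp_id: str
    status: str                      # "active" or "terminated"
    department: str
    end_date: Optional[date] = None  # set when status == "terminated"


@dataclass
class Account:
    username: str
    emp_id: Optional[str]            # None for service or shared accounts
    enabled: bool
    groups: Set[str] = field(default_factory=set)


# Hypothetical entitlement table: which groups each department may hold.
DEPARTMENT_GROUPS = {
    "claims": {"claims-db-ro", "vpn-users"},
    "finance": {"gl-writers", "vpn-users"},
}

# Constructed HR roster and directory export.
EMPLOYEES = [
    Employee("E100", "active", "claims"),
    Employee("E200", "terminated", "claims", date(2024, 3, 1)),
    Employee("E300", "active", "finance"),            # transferred from claims
    Employee("E500", "terminated", "finance", date(2024, 1, 15)),
]
ACCOUNTS = [
    Account("jdoe", "E100", True, {"claims-db-ro", "vpn-users"}),
    Account("rsmith", "E200", True, {"claims-db-ro"}),                 # leaver
    Account("kpatel", "E300", True, {"gl-writers", "vpn-users", "claims-db-ro"}),  # mover
    Account("mwong", "E500", False, {"gl-writers"}),                   # correctly disabled
    Account("svc-backup", None, True, {"vpn-users"}),                  # no owner
    Account("tlee", "E400", True, {"vpn-users"}),                      # unknown employee
]


def reconcile(employees: List[Employee], accounts: List[Account],
              as_of: date) -> List[Tuple[str, str, str]]:
    """Return (finding_type, username, detail) for every enabled account
    that the HR roster does not justify."""
    roster = {e.emp_id: e for e in employees}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are the desired end state
        emp = roster.get(acct.emp_id) if acct.emp_id else None
        if emp is None:
            findings.append(("orphan", acct.username,
                             "no matching employee record; needs a named owner"))
            continue
        if emp.status == "terminated":
            days = (as_of - emp.end_date).days if emp.end_date else None
            findings.append(("leaver", acct.username,
                             f"terminated {emp.end_date}, still enabled ({days} days)"))
            continue
        # Mover check: any group outside the current department's entitlement.
        extra = acct.groups - DEPARTMENT_GROUPS.get(emp.department, set())
        if extra:
            findings.append(("mover", acct.username,
                             f"groups not entitled for {emp.department}: {sorted(extra)}"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in reconcile(EMPLOYEES, ACCOUNTS, date(2024, 6, 1)):
        print(f"{kind:7} {user:12} {detail}")
```

Run it against each reconciliation cycle and treat an empty result as the pass condition; a non-empty result is evidence, for the auditor and for you, that the termination and transfer procedure is not operating as designed.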

Most companies place great emphasis on network security, but you shouldn't neglect safeguards that ensure employee desktops aren't infected with spyware or loaded with unauthorized or unlicensed applications. There should be company policies on the use of instant messaging, e-mail, and web browsing. For most employees, IM, e-mail, and lunch-time browsing are innocent endeavors, but unrestricted and unmonitored usage can cause you problems. Customers will want to know that their data is not going to be pasted into an IM chat, and that malware picked up from an unauthorized web site is not going to spread through your organization. Anti-virus programs need to be in place. (If you have one, it should probably be expanded. If you don't have one, you should get one.) Controls around personal computer use are an essential weapon in the fight against identity theft. (One such control is cable locks that tether laptops to their owners' docking stations.) Most companies have such policies in place, but rarely mention them outright in their SAS 70.

Data access and security, and their corresponding controls, will be a cornerstone of your SAS 70, and are a necessary safeguard when it comes to identity theft. Limit access to and use of confidential data, and make sure that users have access only to the data they need. As the recent laptop thefts have highlighted, no one needs a person's social security number for business analysis. Such fields should not be included in the data set that can be downloaded; if records must be joined across extracts, use a pseudonymous key derived from the identifier rather than the identifier itself. Data encryption policies, including policies specific to laptop encryption, are no longer nice-to-haves; they are compulsory. Your customers will want to know that you have them in place and in force. There is zero customer tolerance these days for laptops that hold sensitive data going missing.
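The field-level access limit and SSN exclusion described above, as an added example that is not part of the original article. The records, the role allowlist and the pseudonymization key are constructed; in a real deployment the key would live in a KMS or HSM under the export service's control and never be handed to the analysts who receive the extract.

```python
"""Produce a downloadable analysis extract that carries only the fields a role
is entitled to and never the raw SSN. A keyed HMAC of the SSN provides a
stable join key that cannot be reversed by enumerating the 10^9 possible SSNs
without the key. Added example; data, roles and key are constructed."""
import hashlib
import hmac
import re
from typing import Dict, Iterable, List

# Constructed customer records as held by the service provider.
RECORDS = [
    {"ssn": "123-45-6789", "name": "A. Example", "dob": "1980-04-02",
     "zip": "02110", "balance": 1250.75, "delinquent": False},
    {"ssn": "987-65-4321", "name": "B. Sample", "dob": "1975-11-30",
     "zip": "60601", "balance": 80.00, "delinquent": True},
]

# Per-role allowlist of exportable fields. Nothing not listed leaves the
# system; "ssn" appears in no role, so no extract can carry it.
ROLE_FIELDS = {
    "analyst": {"zip", "balance", "delinquent"},
    "collections": {"name", "zip", "balance", "delinquent"},
}

# Assumed secret held only by the export service (constructed for the example).
PSEUDONYM_KEY = b"constructed-example-key-keep-in-kms"

# Dashed or undashed 9-digit SSN pattern, anchored so digits inside longer
# tokens (such as a hex pseudonym) do not match.
SSN_RE = re.compile(r"(?<!\w)\d{3}-?\d{2}-?\d{4}(?!\w)")


def pseudonym(ssn: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable, keyed, one-way token for an SSN regardless of formatting.
    The 'subj_' prefix keeps the token one word so the SSN scanner cannot
    misread a run of digits inside it."""
    digits = re.sub(r"\D", "", ssn)
    mac = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    return "subj_" + mac[:16]


def export_for(role: str, records: Iterable[Dict] = RECORDS) -> List[Dict]:
    """Build the extract for one role. Unknown roles raise KeyError: deny by default."""
    allowed = ROLE_FIELDS[role]
    rows = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k in allowed}
        row["subject_id"] = pseudonym(rec["ssn"])  # join key, not the SSN
        rows.append(row)
    return rows


def contains_ssn(rows: Iterable[Dict]) -> bool:
    """Last-line check run on the finished extract before it is released."""
    text = " ".join(str(v) for row in rows for v in row.values())
    return SSN_RE.search(text) is not None


if __name__ == "__main__":
    extract = export_for("analyst")
    assert not contains_ssn(extract), "extract leaks an SSN; do not release"
    for row in extract:
        print(row)
```

Plain SHA-256 of an SSN would not be an acceptable substitute: the whole SSN space can be hashed in minutes, so an unkeyed hash is effectively reversible. The HMAC key is what makes the token safe to hand to a lower-privilege role, and rotating it invalidates every previously issued extract's join keys, which is usually what you want when a customer relationship ends.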

Access control software should be configured to protect critical system resources. Passwords should be governed by a formal corporate password program. (Frequent forced rotation was long the standard advice; current guidance in NIST SP 800-63B prefers length, screening against known-breached passwords and multi-factor authentication, with rotation on evidence of compromise rather than on a calendar, because calendar rotation pushes users toward predictable variations.) Employees may be irked by complexity rules that do not lend themselves to mnemonics, but sound security practice dictates them. Remote access policies also should be laid out and enforced. How secure is the access path for employees working remotely? Can employees who work from home reach corporate files fully, or only check e-mail? Does it make a difference whether they are on their home computers or on a company laptop? Policies need to spell this out.

Networks, servers, and other devices should be monitored for attempted break-ins, and someone must actually review what the monitoring produces: a burst of failed logins from one address, or a success that follows such a burst, is the kind of event the review should catch. There must be strong firewall policies and procedures in place. There also need to be policies on which services run on which servers, and on how you harden your server operating systems to ward off potential problems.
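The break-in monitoring described above, as an added example that is not part of the original article: detection logic run over sshd authentication log lines. The log lines are constructed for illustration (the addresses are from documentation ranges), and the threshold and window are assumptions to tune to your own environment.

```python
"""Flag brute-force login attempts and any success that follows them, from
sshd-style auth log lines. Added example; the log below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: one address hammers the host and then gets in;
# a second address has a single typo and a normal key-based login later.
SAMPLE_LOG = """\
Mar  4 10:01:02 bastion sshd[2113]: Failed password for invalid user admin from 203.0.113.7 port 51021 ssh2
Mar  4 10:01:05 bastion sshd[2113]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  4 10:01:09 bastion sshd[2114]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  4 10:01:14 bastion sshd[2115]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  4 10:01:20 bastion sshd[2116]: Failed password for oracle from 203.0.113.7 port 51025 ssh2
Mar  4 10:01:31 bastion sshd[2117]: Accepted password for jdoe from 203.0.113.7 port 51026 ssh2
Mar  4 10:15:00 bastion sshd[2200]: Failed password for jdoe from 198.51.100.4 port 40001 ssh2
Mar  4 10:45:10 bastion sshd[2201]: Accepted publickey for jdoe from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text: str, year: int = 2024) -> List[Dict]:
    """Turn raw lines into events; syslog omits the year, so it is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd chatter
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect(events: List[Dict], threshold: int = 5,
           window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str, str]]:
    """Sliding-window failure count per source address (assumes events are in
    log order). Emits one brute_force alert per address when the threshold is
    reached, and a success_after_failures alert for any login accepted while
    the address is still over threshold."""
    recent_failures = defaultdict(list)   # ip -> timestamps inside the window
    users_tried = defaultdict(set)        # ip -> usernames attempted
    flagged = set()
    alerts = []
    for ev in events:
        recent = recent_failures[ev["ip"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.pop(0)                 # expire failures older than the window
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            users_tried[ev["ip"]].add(ev["user"])
            if len(recent) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"],
                               f"{len(recent)} failures in {int(window.total_seconds())}s "
                               f"across {len(users_tried[ev['ip']])} usernames"))
        elif ev["result"] == "Accepted" and len(recent) >= threshold:
            alerts.append(("success_after_failures", ev["ip"],
                           f"{ev['user']} accepted via {ev['method']} "
                           f"after {len(recent)} recent failures"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect(parse(SAMPLE_LOG)):
        print(f"{kind:23} {ip:15} {detail}")
```

The second alert type is the one worth paging on: a burst of failures that ends in an accepted password is the signature of a guessed credential, whereas the burst alone is background noise on any Internet-facing host.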

With each newly publicized "missing laptop crisis", and with each new television ad on ID theft (no matter how laugh-out-loud funny it is), you can count on one of your customers calling to ask how you are guarding against identity theft. The list above is by no means exhaustive, but a strong SAS 70 that specifically describes these issues and the steps taken to eliminate or mitigate the risks can be used to assure your customers that the identities of their employees and customers are secure in your hands. (A Type II report, which tests that the controls operated as designed over a period, carries considerably more weight with customers than a Type I, which covers design only at a point in time.) And knowing that your controls, policies, and programs are in place and working as designed will also assure you that you are safeguarding not only your customers' security, but your firm's assets and reputation as well.



Dave Tilkin is President of Compliance Solutions/ProcessUnity, Inc.




© 2019 Simplex Knowledge Company. All Rights Reserved.