<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Defense &#187; Risk Management News</title>
	<atom:link href="http://www.cybersecurityinformation.com/tag/risk-management/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cybersecurityinformation.com</link>
	<description>Cyber Security and Risk Management Blog</description>
	<lastBuildDate>Fri, 27 Aug 2010 13:53:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Controlling Risk to Information Assets &#8211; Cyber &amp; Data Security in the Workplace</title>
		<link>http://www.cybersecurityinformation.com/2009/12/01/controlling-risk-to-information-assets-cyber-data-security-workplace/</link>
		<comments>http://www.cybersecurityinformation.com/2009/12/01/controlling-risk-to-information-assets-cyber-data-security-workplace/#comments</comments>
		<pubDate>Tue, 01 Dec 2009 21:53:14 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[information assets]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=708</guid>
		<description><![CDATA[Is information security an afterthought in your business?  At what point is security considered? Now being a technologist you might answer that it is at the forefront of your activities and that’s great but for the business people at what point does it enter the business discussion?  Chances are it doesn’t. The reason I raise [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Is information security an afterthought in your business?  At what point is security considered? </strong></p>
<p>Now, being a technologist, you might answer that it is at the forefront of your activities, and that’s great, but for the business people, at what point does it enter the business discussion? Chances are it doesn’t.</p>
<p>The reason I raise the question is simple. Effective security should be core to business operations and culture: not a bolt-on application or a retrofit, but part of the business process itself. I think it is in our human nature to look at the upside when discussing anything new, whether a business opportunity, investment, or other venture. Far too often we forget the downside, perhaps choosing to ignore it, and without that consideration we create situations that are emotionally charged and highly reactive when the unforeseen arises.</p>
<p>The same is true for information security. While organizations and business leaders seek the advantages of implementing technology-based solutions to create competitive advantage, the downside and potential risks associated with exposing electronic forms of critical business assets are generally not given appropriate consideration. <em><strong>Without consideration the threat of electronic asset theft is left unmitigated</strong></em> and the cost of such an event is never considered.</p>
<p>Too often information security is seen as a purely technical function that adapts to the needs of the business. However, such an approach leaves huge gaps in business process and procedure for which technology is not an effective stopgap. Without clearly architected and documented business processes, and technology solutions that support those processes, technology alone has no hope of keeping a check on unwanted activity.</p>
<p>We see repeated disconnects in organizations that have suffered information compromise, are seeking to become compliant, or are in general looking to improve their overall security posture. Information security is not effective operating as a disconnected organization that builds perimeters of firewalls, intrusion detection systems and log analysis devices and jumps to the call of some alarm. Too often a broken process is a root cause that reactive security measures will never stop, and a security breach goes on unnoticed for months and beyond. Once identified, the organization&#8217;s approach to the information breach is emotionally charged and highly reactive. The lack of preparation can cost the affected organization dearly in brand degradation, costs of cleanup, loss of customers, and legal proceedings.</p>
<p>Effective information security programs are tightly integrated into the businesses they serve across people, process and technology. Highly effective, high-profile organizations get this. You can see it in the manner in which the organizations themselves are structured and in how new ideas are discussed, vetted, and implemented. Sound risk management principles prevail in the organizations that get it.</p>
<p>A highly integrated approach applies business-centric risk management principles that evaluate risk, identify compensating controls, and implement the appropriate structures to prepare, prevent and respond in protecting sensitive business assets from information compromise.</p>
<p>A well-constructed <a href="http://www.cybersecurityinformation.com/information-security-model/">information security program</a> should bridge the gap between business operations and its processes and standards-based security measures such as those developed by NIST, SANS, ISO or others.</p>
<p>To find out how your <a href="http://www.cybersecurityinformation.com/contact-us/">information security programs measure up, contact us</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/12/01/controlling-risk-to-information-assets-cyber-data-security-workplace/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Preparing for the FACTA Red Flags Rule</title>
		<link>http://www.cybersecurityinformation.com/2009/10/07/preparing-for-the-red-flags-rule/</link>
		<comments>http://www.cybersecurityinformation.com/2009/10/07/preparing-for-the-red-flags-rule/#comments</comments>
		<pubDate>Wed, 07 Oct 2009 20:16:05 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[IT Security Technology News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[PCI Compliance]]></category>
		<category><![CDATA[Red Flags Rule]]></category>
		<category><![CDATA[Red Flags Rule Assistance]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=496</guid>
		<description><![CDATA[Perhaps you have heard about new regulations that the Federal Trade Commission (FTC) has proposed for some time now called the Red Flags Rule.  The Red Flags Rule stems from The Fair and Accurate Credit Transaction Act of 2003 (FACTA).  As of this writing the mandate will be enforced beginning November 1, 2009. FACTA added [...]]]></description>
			<content:encoded><![CDATA[<p>Perhaps you have heard about the new regulations, proposed by the Federal Trade Commission (FTC) for some time now, called the Red Flags Rule. The Red Flags Rule stems from The Fair and Accurate Credit Transaction Act of 2003 (FACTA). As of this writing the mandate will be enforced beginning November 1, 2009.</p>
<p>FACTA added sections to the Federal Fair Credit Reporting Act intended primarily to help consumers fight the growing crime of identity theft. In adopting FACTA, Congress recognized that consumers were unable to prevent identity theft and could only react long after the event had occurred. In order to stop the fraud at its source, businesses that offer credit need to address the events that signal a potential fraud.</p>
<p>Six agencies were involved in drafting the red flag rules: the Treasury Department&#8217;s Office of Thrift Supervision, Office of the Comptroller of the Currency, Federal Deposit Insurance Corp., Federal Trade Commission, National Credit Union Administration and the Federal Reserve System. The Red Flags Rule identifies 26 “Red Flags” which may be indicators of attempted fraud.</p>
<p>According to FTC statistics nearly 10 million people were victims of identity theft in 2008 in the US. In the broadest sense identity theft is the act of someone assuming the identity of another individual to gain access to the victim’s personal resources. Last year over 35 million known data records containing sensitive personally identifiable information (PII) were stolen.</p>
<p>While some perpetrators know their victims, having stolen their wallets, credit cards, checkbooks or other personal items, the vast majority of perpetrators do not.  Identity theft comes in many forms and most victims learn their fate long after the initial event occurs, often months to years after the fact.</p>
<p>Most data theft is due to poor controls surrounding PII. This can range from sensitive records being thrown in dumpsters to electronic records being improperly secured online and breached by hackers.</p>
<p>Personal resources accessed by data thieves may include use of credit cards, establishment of credit under the victim’s identity, access to utilities, healthcare benefits, banking, employment, loans, government benefits, and many other acts limited only by the imagination of the perpetrator. The common element is the use of the defrauded individual’s persona to gain credit or access to established resources.</p>
<p>The Red Flags Rule applies to both financial institutions and creditors. The definition of “creditor” is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later. These companies may not traditionally be thought of as extending credit and include utility companies, health care providers, telecommunications companies, cable and satellite providers, and others, depending on how and when they collect payment for their services.</p>
<p>The Rule also defines a “creditor” as one who regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions. Examples include finance companies, mortgage brokers, real estate agents, automobile dealers, and retailers that offer financing or help consumers get financing from others by processing credit applications. Additionally, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit – for example, a third-party debt collector who regularly renegotiates the terms of a debt.</p>
<p>Organizations that are covered under the Red Flags Rule must create written plans, reviewed and signed off by the organization’s board of directors, that:</p>
<ul>
<li>Create policies and procedures that identify the Red Flags which pertain to their business</li>
<li>Create policies and procedures that detect the identified Red Flags</li>
<li>Create policies and procedures that define the actions to be taken when Red Flags are detected</li>
<li>Monitor changing Red Flags, train employees and monitor third-party contractors</li>
</ul>
<p>Depending on the business, an appropriately designed and managed plan may require considerable skill and effort. Most organizations will do well to reach out to experts in designing their programs. Is your organization subject to the Red Flags Rule?</p>
<p>Information Defense is prepared to assist in evaluating whether your organization is subject to the FTC ruling and assist in defining and developing the necessary steps to reach compliance.  Contact us <strong><a href="http://www.cybersecurityinformation.com/contact-us/">here</a></strong> for further information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/10/07/preparing-for-the-red-flags-rule/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>US Intelligence Detects Cyber Spies</title>
		<link>http://www.cybersecurityinformation.com/2009/04/22/us-intelligence-detects-cyber-spies/</link>
		<comments>http://www.cybersecurityinformation.com/2009/04/22/us-intelligence-detects-cyber-spies/#comments</comments>
		<pubDate>Wed, 22 Apr 2009 15:37:40 +0000</pubDate>
		<dc:creator>Information Defense Corporation</dc:creator>
				<category><![CDATA[Featured Videos]]></category>
		<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[cyber spies]]></category>
		<category><![CDATA[Risk Management News]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=193</guid>
		<description><![CDATA[WSJ&#8217;s Intelligence Reporter Siobhan Gorman says that Intelligence officials have found cyber spies lurking in the U.S. electrical infrastructure.]]></description>
			<content:encoded><![CDATA[<p>WSJ&#8217;s Intelligence Reporter Siobhan Gorman says that Intelligence officials have found cyber spies lurking in the U.S. electrical infrastructure.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/04/22/us-intelligence-detects-cyber-spies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
