[ISN] Defending the data will be a focus for 2007

From: InfoSec News (alerts@private)
Date: Wed Nov 08 2006 - 22:12:33 PST


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9004914

By Jaikumar Vijayan
November 08, 2006
Computerworld

ORLANDO -- Regulatory requirements and increasing consumer concerns 
about information security breaches are making data-level security 
controls a top priority for 2007, according to IT managers at the 
Computer Security Institute trade show held here this week.

After years of implementing technologies such as firewalls and 
intrusion-detection systems to keep network perimeters safe, companies 
now must move similar controls down to the data level, they said.

"The data now matters above everything else," said John Ceraolo, 
director of information security at JM Family Enterprises Inc., a $9.4 
billion auto distribution and financing company based in Deerfield 
Beach, Fla.

Nonpublic information of all sorts needs to be protected, whether it is 
at rest or in transit, he said. That requires an increasing focus on 
measures such as data classification and encryption, stronger user 
access controls and authentication, and usage monitoring and auditing, 
Ceraolo said.

Most of the "blocking and tackling" that was needed to handle network 
threats has, to a large extent, already been accomplished via 
technologies such as firewalls and intrusion-detection and -prevention 
systems, said Mark Burnett, director of IT security and compliance at 
Gaylord Entertainment Co. in Nashville.

The goal now is to put multilayered defenses around the data as well, he 
said. "We are layering technology controls to make sure we can identify 
where the information is passing across our network" and protect it.

"The overall driving force behind our [security] program is reputation 
management. We have worked hard to build the Gaylord brand," he said. 
"Any one incident could ruin all that work."

Also driving the focus are regulations that Gaylord is required to 
comply with, such as the Sarbanes-Oxley Act and the Payment Card 
Industry (PCI) data security standard, which is mandated by the major 
credit card companies, he said. "We absolutely recognize the need to 
protect sensitive information and are working hard to fulfill that 
obligation," he said.

Ann Garrett, the chief information security officer at the North 
Carolina state office of information technology in Raleigh, said that a 
new state law governing the use of personally identifiable information 
has elevated the need for security controls at the data level. The law 
went into effect for private industry on Oct. 1 and will apply to state 
agencies on Oct. 1, 2007.

"We have a strong network firewall, intrusion-detection system and 
intrusion-prevention system," Garrett said. What's lacking are controls 
for mitigating user errors at the end point, she said. As a result, 
there's an increased focus on data encryption -- and on ways to log and 
audit user transactions. "We have to add accountability and 
auditability" at the end point, she said.

"There is a whole lot of emphasis on protecting personally identifiable 
information right now," Howard said during a panel discussion. 
"Congress, the Office of Management and Budget and inspectors general 
are looking over our shoulders closely."

Howard's agency earlier this year disclosed that it had lost a backup 
disk containing sensitive data on 757 current and former HUD employees. 
"We pulled back the sheet and discovered there is a lot to do" to 
protect personally identifiable data, Howard said.

HUD plans to have an implementation plan in place by the end of the year 
to address issues identified so far, he said. Among the planned measures 
are data encryption, two-factor authentication of users and the ability 
to more closely monitor user activity.

"There are so many vulnerabilities out there, there aren't enough 
hackers to take advantage of all of them," Howard said. So it's 
important to take a holistic risk-based approach to securing data and to 
understand that it's about "people, process and technology," he said.


This archive was generated by hypermail 2.1.3 : Wed Nov 08 2006 - 22:35:12 PST