In his job as IT manager at Credit Protection Association Inc., Jerome Quiroga has two relentless worries these days: hackers and public opinion.
Hackers he knows. Dallas-based CPA manages collections for cable companies and other large businesses and, consequently, tracks personal information on millions of consumers. Prying eyes have long nettled Quiroga, and defending against them is routine.
Public opinion is a new and different beast to him. Thanks to a spate of high-profile mass identity thefts in the last year, consumers and lawmakers now clamor for ironclad protection of personal data.
CPA itself has never been the victim of a major data theft, and Quiroga wants to keep that record intact. So when he launched an IT security audit and upgrade last summer, he knew that public concerns would push him to higher standards.
"With everything being upfront now and things in the news," Quiroga said, "we wanted to make sure we were doing the best we could possibly do."
CPA had already made a respectable effort at IT security. All data—Quiroga estimates the size of the company's database to be nearly 3TB—was encrypted using the widely accepted PGP (Pretty Good Privacy) software. The company's two dozen outward-facing IP addresses were all shielded behind several firewalls.
It used WebSense Inc.'s WebSense to monitor employee Internet surfing and SurfControl plc's SurfControl Enterprise Protection Suite to filter e-mail; both were integrated into the network firewalls to make them especially difficult to circumvent. Security audits were done quarterly, if not more often.
Still, by last year, CPA was under pressure to meet more rigorous standards imposed by Visa USA Inc. and MasterCard International Inc. Known as the Cardholder Information Security Program, CISP spelled out expectations that any business had to meet if it wanted to process credit card transactions online.
Visa and MasterCard forced the cable companies to obey CISP standards so that customers could pay bills; the cable companies, in turn, forced partners such as CPA to follow CISP as well.
A central element of CISP is to use a third party to evaluate IT security. To that end, CPA turned to BEW Global Inc., an Englewood, Colo., consulting company and system integrator that specializes in IT security and corporate compliance.
Quiroga considered several companies, but he said he liked BEW's philosophy of putting up formidable technology at the network perimeter while constantly monitoring interior network activity. What's more, he said BEW knew the routines of meeting CISP standards.
Robert Eggebrecht, senior partner at BEW Global, described CISP as "a very long checklist you have to go through."
Among the requirements are network penetration tests to ensure that all IP addresses are secured, tools to track and monitor access to cardholder data, restrictions on physical access to cardholder data, and encrypted transmission of sensitive data across corporate and public networks.
In all, CISP has dozens of specific criteria grouped under 12 broad categories.
BEW started working with CPA last August. Eggebrecht said he and his staff spent two weeks conducting an "exposure assessment," observing every sort of communication—e-mail, chat, Web postings, peer to peer, instant messaging—to see what data was flowing into and out of CPA's network.
BEW compared that data with 58 categories of sensitive information, from adult content to nonpublic information to encrypted data, and then developed a sense of what improvements CPA should make.
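The kind of classification an exposure assessment performs on captured traffic can be illustrated with a small scanner. What follows is an added example, not BEW Global's tooling or CPA's code: the sample messages are constructed, and the two category names, the Luhn-checksum validation of card numbers and the masking format are assumptions about how such a classifier would be built, not details reported in the article.

```python
"""Toy exposure-assessment scanner (illustrative, not BEW's or CPA's code).

Runs a few constructed messages from different channels through two
detectors: primary account numbers (13 to 19 digits, validated with the
Luhn checksum so that order numbers and other digit runs are not flagged)
and US Social Security numbers. Findings carry the channel, an assumed
category name and a masked value, so a report never re-exposes the data.
"""
import re
from typing import List, Tuple

# Constructed sample traffic standing in for a capture of e-mail, chat and
# web postings. None of these values are real; the card numbers are the
# well-known test numbers that pass the Luhn check.
SAMPLE_MESSAGES = [
    ("email", "Customer 4111 1111 1111 1111 disputes the March charge."),
    ("chat", "order 1234567890123 shipped, tracking in the system"),
    ("web", "Please update card 5500000000000004 exp 09/07 on file"),
    ("email", "SSN on the account is 123-45-6789, call back at 214-555-0100"),
    ("im", "ref 1234 5678 9012 3456 looks like a typo"),
]

# 13 to 19 digits with optional single space or dash separators, and not
# embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Dashed SSN layout only; an unformatted 9-digit run is too ambiguous here.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

# Assumed category labels; the article names 58 categories but lists few.
CAT_CARD = "cardholder data"
CAT_NPI = "nonpublic personal information"


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as a report would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def classify(text: str) -> List[Tuple[str, str]]:
    """Return (category, masked value) for each sensitive item in text."""
    findings: List[Tuple[str, str]] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):  # drops digit runs that merely look like a PAN
            findings.append((CAT_CARD, mask_pan(digits)))
    for m in SSN_RE.finditer(text):
        findings.append((CAT_NPI, "***-**-" + m.group(0)[-4:]))
    return findings


def scan(messages) -> List[Tuple[str, str, str]]:
    """Classify every (channel, text) pair and tag findings with the channel."""
    return [
        (channel, category, value)
        for channel, text in messages
        for category, value in classify(text)
    ]


if __name__ == "__main__":
    for channel, category, value in scan(SAMPLE_MESSAGES):
        print(f"{channel:6} {category:32} {value}")
```

Of the five constructed messages, only two card numbers and one SSN are reported; the 13-digit order number and the "1234 5678 9012 3456" string match the digit pattern but fail the Luhn check, which is the difference between a scanner that produces a usable exposure map and one that drowns the assessor in false positives.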