Art Coviello, CEO and president of RSA Security Inc., told seminar attendees that only about 20 percent of businesses in the United States actually have formulated IT security policies and have communicated them clearly to their employees.
About 40 percent of companies are in the process of developing such policies, he said.
Best-practice IT security policies involve "reasonable and appropriate" controls, Coviello said, over online and internal data access and storage; logging and reporting; employee authentication and levels of permission access; business partner/customer access to company data; and compliance with Sarbanes-Oxley and HIPAA regulations.
"And dont forget one of the most common security problems we see: properly removing data access to former employees," Coviello said.
"Deleting but not de-registering a former employee completely from the companys IT system is one of the biggest headaches there is."
Secure data is a "business enabler," Coviello said, in that it gives customers confidence that their own personal information—if given through an Internet sales transaction, for example—wont be inadvertently made available to outside sources.
"Customers must have the confidence that companies that possess their personal information will handle it with due care and appropriately provide for its security," Coviello quoted Federal Trade Commission Chairwoman Deborah Majorus as saying recently.
Organizations need to come up with a "risk management profile" as a first step in gaining control over security issues and unforeseen problems, Coviello said.
"They need to assess the risks they now have, set some policies, develop a plan, and then implement and evaluate controls [on a daily basis]," he said.
This profile would include assessments of a companys Internet access (both wired and wireless), logging and reporting procedures, data storage and protection, access control of company data and other assets, and employee authentication procedures, Coviello said.
Risk profiles should be updated annually, Coviello said.
"The penalties for not having this kind of full profile are potentially harsh," Coviello said. "The stakes are being raised all the time. The loss of a companys reputation to security concerns can be absolutely fatal."
Coviello suggested that companies enact best practice policies in the following general areas:
- Classify data by sensitivity and criticality
- Implement appropriate information security controls
- Monitor/evaluate controls on an ongoing basis
- Implement appropriate authentication techniques
- Keep authentication mechanisms effective
- Protect storage & transmission of authentication information
- Control authentication for access to external systems
- Develop & enforce a strong password policy
- Use multi-factor authentication when strong passwords fail
- Use multi-factor authentication for remote access
- Use multi-factor authentication for system administrators
- Implement single sign-on systems
- Control display of information in the log-on procedure
- Set up emergency access procedures
- Integrate access control with effective authentication
- Restrict users knowledge of unauthorized functions
- Separate security administration functions
- Assign individual users unique credentials
- Ensure timely user life cycle management
- Remove inactive or redundant user accounts
- Monitor guest/anonymous user accounts
- Grant access rights based on least privilege
- Conduct regular reviews of access rights
- Use appropriate cryptographic techniques
- Employ effective key management procedures
- Use stringent root key protection measures
- Ensure applications developed with appropriate security controls
Logging and Reporting
- Protect logging mechanisms from reactivation or compromise
- Ensure logged data is accessible for review
- Capture user & event information
- Utilize centralized logging
- Record significant key events
Coviello currently serves as co-chair of TechNet New England and is a member of TechNets CEO Cyber Security Task Force.
He is also a founding board member of the CSIA (Cyber Security Industry Alliance) and was appointed to co-chair of the National Cyber Security Summits Corporate Governance Task Force, a public-private initiative co-organized by the U.S. Department of Homeland Security and leading industry associations.