Course 2 - 204 - Managing Vendor Resources Flashcards

1
Q

Why is there such a critical need to protect our data? How has that need evolved? What can we expect moving forward?

A

Critical data no longer rests safely in fortified data centers. Instead, that information is scattered throughout the organization, across remote office networks, and often on employee laptops and hand-held devices. Safeguarding company data has become a formidable challenge. Data is everywhere and must be protected.

2
Q

What is the ultimate goal of Data Security?

A

“Information security” can carry different meanings for different people, and depending on your position in the company and specific area of responsibility, definitions and objectives can vary substantially.

3
Q

What are the two most critical components of a strong security policy?

A

1) Corporate management supports the policy; and

2) The policy aligns information security with the core objectives of the business.

4
Q

What are some common subject areas typically found in an information security policy?

A

Employee/Management Roles and Responsibilities

Guidelines for Acceptable and Unacceptable Use of Company Resources (e.g., Internet and email)

Acceptable Use of Company Software and Hardware

Non-Compliance Issues

Incident Management

Remote Access and Mobile Computing

Information Classification Guidelines

User ID and Password Standards and Management

Physical Security

Data Archiving (how often each user should copy information to an archive file) and Backup Requirements

A framework and foundation for governance

5
Q

What are the key principles of a sound data security plan?

A

First, take stock of what you have: know what information you have access to in your files and on your computer. Second, limit access to only the information you need. Limit exposure by managing accessibility (for example, store sensitive information on a company server or other secure location rather than on your laptop), and properly secure or dispose of what you no longer need. Next, keep information in your care locked down and protected by controlling the "front door": monitor and restrict access to your equipment.

Finally, plan ahead. Have a plan to respond to security incidents if they occur. Knowing how to react and respond will help to limit exposure and minimize potential risks and damage.

6
Q

What are some additional security tips that we should follow on a daily basis?

A

Keep operating systems updated as necessary and appropriate. A supported operating system with the latest security updates applied is generally the safest. Protect systems by installing security updates promptly to limit exposure to known vulnerabilities.

Backup important data on a regular basis, and store it in a separate location to minimize risks of data loss. Any data that hasn’t been backed up is at risk. Audit data storage by periodically conducting trial restores to ensure the data is actually being backed up.

Install firewalls on computer systems. A firewall is a combination of software and/or hardware that provides a protective barrier between a computer or computer network and the public Internet. Essentially firewalls protect your online gateway and block unauthorized access to your computer or computer network.

Use anti-virus software on computers. A computer virus is a program designed to copy itself into other programs stored in a computer, infecting and potentially damaging the files that receive it. Some viruses are mild, while others are very destructive and can wipe out a computer’s memory or even cause more severe damage. Anti-virus software continuously scans your computer looking for viruses, and also checks incoming email and websites for potential threats. Updates must be performed regularly to stay current and effective.

Use spyware protection on computers. Spyware is computer software that is covertly used to gather personal information and monitor user activity and surfing habits, but can also have other potentially harmful consequences such as installing additional software, redirecting Web browser activity, accessing websites blindly, changing computer settings, slowing connection speeds, and otherwise damaging or interfering with user control. Spyware protection must also be updated regularly to remain effective.

Protect passwords! Weak password protocols are a common security flaw that can increase risks. Change passwords frequently and use a “strong” password that is difficult to guess or decipher. Use a combination of letters, numbers, and other characters. Do not share passwords with others, and resist saving passwords when prompted.

Do not open attachments in emails from people or sources you do not know. Filter out unwanted spam email using spam filter programs when possible. Don’t click on anything in a spam email, even to unsubscribe. If possible don’t even open it.

Take precautions when sending sensitive or proprietary information via email. Password protect documents when necessary.

Only allow staff access to the information needed to do their job. For example, as employees move within an organization, access privileges can follow and quickly mount. Ensuring employees only have access to information appropriate for their current position can be an essential step in avoiding manipulation and/or loss of data.

Do not use shared devices (for example, hotel computers) to access information that should be protected.

When possible, encrypt any personal information held electronically if it might cause damage or threat if lost or stolen. Encryption is the changing of data into code, a procedure that renders the content of a message or file unreadable to anyone not authorized to read it.

Audit data storage for security policy enforcement, access control, and proper destruction of appropriate content on a regular basis. Delete information that is no longer necessary, and disable unneeded functionality. Do not dispose of old computers until all pertinent information has been securely removed (by approved wiping tools or by physically destroying the hard disk). Ensure that computers and other equipment are appropriately cleansed (of information, software, etc.) before they are reallocated to another employee.

Always lock your computer when you are away from it. Log off and shut down your computer prior to leaving for the day.

Develop and implement appropriate security protocols regarding the use of removable storage devices (such as external hard drives, flash drives, etc.). Such devices can hold significant amounts of information, and should be carefully monitored and tightly controlled.

Know how to notify appropriate parties immediately in the event digital devices or assets (phones, laptops, confidential documents, etc.) are lost or stolen. Understand the appropriate policies and practices, and maintain access to an emergency contact number.

Recognize information security is not just about protecting the technology—it’s also about protecting physical assets, communications, access controls, and every aspect of our information networks. This would include the physical security of company premises, proper disposal of confidential paper waste, etc. It is also about ensuring that your staff is adequately trained and responsibilities clearly communicated.

7
Q

What are some important questions that we should consider when constructing our data security systems?

A

What data is used and stored on the system?

Who uses or otherwise has access to the system?

How do users access the system?

What functions does the system provide, and what is the relative importance of those functions?

Are there other networks, programs or users that share the system? What is the potential connectivity to other networks and/or users?

Where is the system physically located?

How are data backups made, how frequently, and where are they stored? Who has access to them?

Are there any regulatory or statutory requirements that we have to consider?

8
Q

What are the primary components of an access control system?

A

The primary component of any access control system is the set of criteria by which access levels are assigned, both to areas and to individuals.

9
Q

In terms of computer security, what are the three essential services of access control?

A

i) Identification & Authentication
ii) Authorization
iii) Accountability

10
Q

What is authentication? Name some examples of common authenticators…

A

Authentication determines who can log on to a system. It is the process of verifying a user's claimed identity before they are allowed to use the system; the evidence the user presents is called an "authenticator". Common categories of authenticator:

Something you know, such as a password or personal identification number (PIN). This assumes only the owner of the account knows the password or PIN necessary to access the account.

Something you have, such as an access card or token. Once again, this assumes only the owner of the account has possession of the card or token.

Something you are, such as a fingerprint, voice recognition, a retina or iris scan, or another biometric.

Where you are, for example whether the user is inside or outside the company firewall.

11
Q

What is authorization?

A

This determines what you can do once you are in the system.
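
The three access control services of cards 9 to 11 in working code. This is an added example, not code from the course; the user store, the role table and the names `register`, `authenticate`, `authorize` and `request_access` are hypothetical. Identification is the username, authentication checks something you know (a salted PBKDF2 password hash compared in constant time), authorization is a role check, and accountability is the audit record written for every decision:

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Hypothetical in-memory user store, constructed for this example:
# username -> (salt, PBKDF2-SHA256 hash of the password, role).
USERS: dict[str, tuple[bytes, bytes, str]] = {}

# Hypothetical authorization policy: the "action:resource" pairs each role may perform.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "clerk": {"read:inventory"},
    "manager": {"read:inventory", "write:inventory", "read:payroll"},
}

# Accountability: every authentication and authorization decision is recorded here
# (who, what, on which resource, when, and the outcome).
AUDIT_LOG: list[dict] = []

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so that stolen hashes cannot be cheaply reversed or compared.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _audit(user: str, action: str, resource: str, allowed: bool) -> None:
    AUDIT_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": user,
        "action": action,
        "resource": resource,
        "result": "ALLOW" if allowed else "DENY",
    })


def register(username: str, password: str, role: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt), role)


def authenticate(username: str, password: str) -> bool:
    """Identification (the username) plus authentication by something you know."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown username costs the same time as a wrong password.
        _hash_password(password, b"\x00" * 16)
        ok = False
    else:
        salt, stored, _role = record
        ok = hmac.compare_digest(_hash_password(password, salt), stored)
    _audit(username, "login", "-", ok)
    return ok


def authorize(username: str, action: str, resource: str) -> bool:
    """Authorization: what an already-authenticated user may do, decided by role."""
    record = USERS.get(username)
    allowed = record is not None and f"{action}:{resource}" in ROLE_PERMISSIONS.get(record[2], set())
    _audit(username, action, resource, allowed)
    return allowed


def request_access(username: str, password: str, action: str, resource: str) -> bool:
    """The three services in order: authenticate first, then authorize; both steps are audited."""
    return authenticate(username, password) and authorize(username, action, resource)


if __name__ == "__main__":
    register("alice", "correct horse battery", "clerk")
    register("bob", "p@ss", "manager")
    request_access("alice", "correct horse battery", "read", "inventory")   # ALLOW
    request_access("alice", "correct horse battery", "read", "payroll")     # DENY at authorization
    request_access("mallory", "guess", "read", "payroll")                   # DENY at login
    for entry in AUDIT_LOG:
        print(entry)
```

Note that a failed login is logged just like a failed authorization: the audit trail is what lets you later distinguish a forgotten password from a probing attempt, which is the accountability service doing its job.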

12
Q

What is a Data Center?

A

A Data Center is a centralized facility used for the acquisition, storage, processing, analysis, management, and dissemination of data pertaining to a particular business.

13
Q

What are some of the steps that are typically taken to manage the physical environment of the Data Center?

A

It generally includes redundant/backup power supplies, data communications connections, and special security devices and considerations. The physical environment of a Data Center is rigorously controlled. Facilities typically include air conditioning systems, fire prevention and suppression equipment and systems, uninterruptible power supplies, backup generators, and other equipment intended to protect and maintain a controlled environment.

14
Q

Why is it important to have such strict controls over our Data Centers?

A

As Data Centers continue to grow in size and importance, the need for physical security at our facilities is every bit as important as the cyber-security of our system networks. Individuals who falsify their identity or intentions and those who otherwise gain unauthorized and mal-intended access to our systems can cause tremendous damage, from physically disabling critical equipment, to launching a software attack at an unsecured keyboard, to theft of sensitive and critical information.

15
Q

The objective of our physical controls should answer what fundamental questions?

A

Who are you? This question causes most of the difficulty in designing automated security systems. Current technologies all attempt to assess identity one way or another, with varying levels of certainty—and related costs. (For example, card access systems provide a certain level of identity protection, but how do we ensure that the owner of the card is the user of the card? An iris scanner provides a high degree of certainty, but can be very expensive…) Finding an acceptable compromise between certainty and expense lies at the heart of our decision making.

Why are you here? What is the reason you need access to this area and/or information? This question might be implied once we have established an individual’s identity, or can be determined in a variety of different ways.

What do you need to know? How much access do you really need to have to accomplish your objectives? Access to extremely sensitive areas may be granted to specific people for a specific purpose. Determining access requirements may depend on specific purposes or job functions.

16
Q

The design of the security system for our data centers should include what basic considerations?

A

Cost of equipment - Budget considerations often limit extensive use of high-confidence identification methods and equipment. The typical approach is to utilize a variety of techniques that are appropriate to the various needs, functionality, and security levels.

Combining technologies - The reliability of identification at any level can be raised by layering lower-cost technologies, so that the innermost (highest-security) areas enjoy the combined protection of every outer perimeter that contains them.

User acceptance - Ease of use and reliability of identification are important for preventing the system from becoming a source of frustration and a temptation for subversion.

Scalability – Can the design of our system be easily modified to achieve increased functional demands when necessity, funding and confidence in the technology increase?

17
Q

What is Defense in Depth?

A

Defense in Depth is the coordinated use and strategic layering of multiple security countermeasures in our protection plans, so that no single control is relied on to stop an intruder.

18
Q

What are some of the tools commonly used to help protect our Data Centers?

A

i) Access Tools
ii) Camera Systems
iii) Security Guards
iv) Sensors & Alarms
v) Visitor Control

19
Q

Why should an active document retention and destruction policy be considered a priority for any business?

A

The retention of an infinite number of documents may become extremely expensive and impractical. The potential expenses relating to storage and management of these documents alone would be extremely prohibitive. Organizational concerns, categorization, and filing systems also result in control and systemic difficulties.

The premature destruction of certain documents may lead to the loss of valuable information and result in organizational obstacles and inconveniences which impact the operation and success of the business.

Legal and regulatory requirements mandate the retention of certain documents for minimum periods of time, and the destruction of certain documents once their purpose has been fulfilled.

The premature destruction or elimination of certain documents could leave the appearance of impropriety, or may otherwise lead to the eradication of documents that could support or defend the company against legal and/or civil claims (For example, the Sarbanes-Oxley Act addresses the destruction of business records, and has turned the intentional destruction of documents into a process that must be carefully monitored).

As it pertains to electronic records, it is always important to consider the inevitable issue of hardware, software and media obsolescence. There will be incidents when records must either be migrated to new versions, or the old hardware/software must be retained to read the records. System or hardware migration may also cause records to change or lose their format, necessitating quality control procedures to ensure all information retains its original content, context, and structure.

20
Q

What are some important tips for developing and maintaining a Document Retention and Destruction program?

A

A good starting point is to define what constitutes a “business record” and a means to categorize specific records. Records are created for a variety of reasons, but whatever the reason, whenever a record is created there is a useful life of that record. Having a definition and a means of categorizing documents will make operational record keeping decisions easier and more efficient.

The company’s technology (IT) department should be involved in decisions regarding the policy and methods for enforcement when those policies involve electronic or other related venues and documents.

There should be a clear schedule identifying the minimum and maximum retention periods for all documents covered within the program.

Numerous statutes, regulations, and regulatory instruments impose record keeping requirements on retail organizations and other business entities, generally applicable to specific categories of records. Such requirements may involve what, where, how, and for how long these records must be maintained. All pertinent practices and requirements should be maintained and reviewed on a regular and consistent basis to ensure compliance.

There should be a framework for administration of the program to include training and education, assigning monitoring responsibilities, capability assessments, and a schedule for updating the program so that it reflects current legal requirements and business needs.

Appropriate security and privacy controls must be established to ensure the protection of sensitive/confidential documents. Every company is bound by contract, law, or practice to treat certain information as confidential, and every effort should be made to maintain that trust at all times. This would include security of the storage medium as well as the establishment of stringent procedures and protections when such documents are destroyed. Protection and control should be of paramount concern up to and including document destruction.

The program should be documented, published, and appropriately communicated to enhance understanding, limit confusion, and increase efficiencies.

Clear accountability should be established for enforcement of the program. Involved employees should be properly educated as to the importance of the policies and held accountable for following established guidelines. Routine (scheduled and unscheduled) audits should be conducted to ensure compliance.

There may be instances when the suspension of records destruction is necessary due to incidents such as imminent or current litigation, receipt of subpoenas, government inquiries, audits, or other types of related events that might warrant such action. When such records may be needed beyond the defined retention period, a methodology should be in place which immediately notifies all appropriate personnel of these actions, to include legal counsel, records managers, department managers, IT managers, and operations and loss prevention executives when necessary and appropriate.

21
Q

What is Caesar’s Cipher?

A

Caesar used what is now known as Caesar's cipher, a very simple encryption technique. It is a substitution cipher in which each letter of the text is replaced by the letter a fixed number of positions down the alphabet (for example, with a shift of 3, "a" is replaced with "d", "b" with "e", and so on, wrapping from "z" back to "a"). Because there are only 25 possible shifts, it offers no real protection today: every key can be tried in an instant.

22
Q

What are some of the primary business objectives that our information security programs should strive to accomplish?

A

Information Availability - Our systems should address the processes, policies, and controls used to ensure authorized users have prompt access to information. This serves to protect against intentional or accidental attempts to deny appropriate user access to information or systems that are necessary for the legitimate operations of the business.

Integrity of Data Systems - This relates to the processes, policies, and controls used to ensure information has not been altered without legitimate authorization, and that systems are free from unauthorized manipulation that could compromise accuracy, completeness, and reliability.

Data & System Confidentiality - This involves the processes, policies, and controls employed to protect both company and customer information against unauthorized access or use.

Accountability - This entails the processes, policies, and controls necessary to trace actions back to their source. Accountability directly supports legitimate access while deterring unauthorized intrusion, providing for better security monitoring, assisting recovery efforts, and enhancing the legal admissibility of data records.

Confidence - This addresses the processes, policies, and controls used to ensure technical and operational security measures work as intended. As part of the system design, this would support availability, integrity, confidentiality, and accountability, and highlights the notion that secure systems provide intended functions while preventing undesired actions.

23
Q

What can cause security measures to lag behind advancements in technology?

A

Technology has opened the doors to vast informational resources, and retailers are responding aggressively to maintain a competitive edge. But in the push to get ahead in a highly competitive business, information technologies are expected to reap immediate benefits, and security measures that do not deliver visible returns are easily deferred until after the technology is already in use.

24
Q

Network security tasks can typically be broken down into what three basic categories?

A

Protection - Building and maintaining systems and networks to maximize both security and efficiency

Detection - Thoroughly and expeditiously identifying any and every compromise to systems and networks as they occur

Reaction - Responding to any and every incident and returning systems and networks to a safe and viable state as quickly as possible.

25
Q

What is a data breach?

A

A data breach is a security incident in which sensitive, protected, or confidential data has been copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.

26
Q

Why is social media considered a primary point of vulnerability to our Network Security efforts?

A

A company's number one asset is its people, and people are also a prime opportunity for access. Ninety percent or more of malware is getting in through social media. By using web-based and mobile technologies to turn communication into interactive dialogue, social media creates an effective channel for individuals and groups to connect, interact, create, and share, and that same channel carries malicious links and attachments straight to employees.

27
Q

What is a Denial of Service attack? How can they impact a retail operation?

A

A denial of service (DoS) attack is an incident in which a user or organization is deprived of some or all network connectivity or services (for example, email services).

28
Q

What is a virus?

A

The term “Virus” has long been used to generally describe any computer threat, but actually refers to a specific type of malware that inserts malicious code into existing documents or programs.

29
Q

What is a worm?

A

A "Worm" is malware that, like a virus, copies itself, but unlike a virus it does not need to attach itself to a host program or document; it spreads on its own, typically across a network. A worm can do damage by sheer replication, consuming disk and memory resources within a single computer or exhausting network bandwidth.

30
Q

What is spam?

A

“Spam” is unsolicited e-mail, often of a commercial nature, sent indiscriminately to multiple mailing lists, individuals, or newsgroups.

31
Q

What is an Unauthorized Access attack?

A

The goal of these attacks is to access some resource that your network should not provide the attacker.

32
Q

What is a Trojan Horse?

A

A “Trojan Horse”, or simply “Trojan” is a program that installs malicious software while under the guise of doing something else.

33
Q

What is Phishing?

A

"Phishing" is a method of using deceptive e-mails and websites designed to trick the recipient into clicking on a link to a fraudulent website and revealing credit card numbers, passwords, social security numbers and other sensitive and confidential information to those who intend to use them for fraudulent purposes.

34
Q

What is a Packet Sniffer?

A

A “Packet Sniffer” is computer software or hardware that has the capability of capturing data streams over a digital network.

35
Q

As more and different types of information has migrated to electronic formats, how has this impacted our data security programs?

A

The most significant change is that our greatest potential threats increasingly come from inside our firewalls. Many of today's threats are introduced from within the network. With such threats becoming increasingly common, companies are realizing that they must provide strong defenses inside the internal network as well as at the perimeter.

36
Q

What are some of the primary internal information security threats that we deal with in retail loss prevention?

A

The primary internal information security threats include the leaking of confidential information, the distortion of sensitive information, hardware theft, fraud, data loss, information system failures, sabotage, and other related risks.

37
Q

What are some common practices that can help enhance our internal security efforts?

A

Establishing strong physical security for the entire infrastructure. Change locks and passcodes when employees leave. Change passwords to any shared accounts. Erase hard drives, flash drives, and similar tools when taken out of service. Use a paper shredder. Simple steps can also be the most important.

Network security should be built into the hiring process. Practice due diligence and proper background checks—particularly for employees that will be involved in any level of IT. Establish an “Acceptable Use” policy and integrate it into the employment process.

Explicitly forbid bypassing security checkpoints (firewalls, etc.) as part of your Acceptable Use policy. Establish desktop management policies to include virus protection. Virus protection is a mandatory component of desktop management and should be second nature to all employees that spend any part of their workday on a computer.

Install programs that check and monitor network traffic, and employ intrusion detection systems. Audit systems and procedures periodically.

Maintain up-to-date operating systems and applications. Keeping software current is a basic component of any data security program.

Restrict content. One of the greatest risks to the organization is unauthorized disclosure of content.

Manage and enforce guidelines regarding peer-to-peer file sharing. Unauthorized software can be a primary path for information leaks.

Develop and enforce policies regarding USB devices. Flash drives and similar devices are extremely compact and can hold a significant amount of information. Access to critical systems can cause tremendous vulnerabilities without effective controls.

38
Q

Security in a wireless network must address two separate but related and complementary issues. What are they?

A

We must protect the network and its resources from unauthorized access, and we must protect data as it travels over the air between the user and the network.

39
Q

In the wireless world where network traffic travels through the airwaves what are some of the primary concerns that exist due to the potential for intercepting the traffic stream?

A

Unauthorized access to a company's computer network may be accomplished through wireless connections, bypassing the perimeter firewall protections entirely.

Sensitive information that is not encrypted (or is poorly encrypted) and is transmitted between wireless devices may be intercepted and disclosed.

Denial of Service attacks may be intensified.

The identities of legitimate users may be stolen, with malicious parties masquerading as those users to gain access to corporate networks.

Malicious parties may be able to track the movements of legitimate users, deploying unauthorized devices and other means to surreptitiously gain access and steal sensitive information.

Intruders may be able to gain connectivity to network management controls and disable or disrupt operations.

40
Q

What are some of the key principles that can help us protect our information and information systems?

A

Know what you have. What types of information do we have available in our files and on our systems? Different types of information have different types of risks. We should have a full understanding of all the different types of sensitive and confidential information that we maintain as a business so that we can assess and prioritize our needs.

Know how and where it’s stored. A complete inventory should be maintained that identifies where and how all sensitive company information is stored. This not only involves resources directly associated with our data centers and websites, but all pertinent resources up to and including all computers, laptops, flash drives, cell phones, home computers, and any and all other relevant equipment. This inventory should be continuously updated and revised accordingly as resources are added, removed, change locations, or change hands.

Know how it flows. We can only determine the best methods to secure information once we’ve established where it’s coming from, and where it’s going to as part of our business operations. Understand how information moves into, through, and out of the company.

Know who has access to it. Identifying who has, or could have, access to our information is essential to assessing security vulnerabilities. Effective access controls and user authorization practices are critical to any successful program.

Keep only what is needed for the business. If there isn’t a legitimate business need for sensitive information—particularly personally identifying information such as social security numbers, personal accounts, etc.—don’t keep it. If there is a legitimate business need for that information, use it only for required and lawful purposes, and retain it only as long as necessary. Develop a written Records Retention Policy that clearly identifies what information must be kept, how to secure it, how long to keep it, and how to properly and securely dispose of it once it is no longer needed.

Protect the information in your care. Once you've established what information is most vital, determine the best and most effective ways to protect that sensitive and confidential information, encompassing physical security measures, electronic/network security, administrative controls and employee training. A well-trained workforce is the best defense against information theft and data breaches.

Support through backup and recovery processes. Effective backup and recovery processes are intended to minimize the impact that potential information losses and related incidents have on the business.

Properly dispose of what is no longer needed. Information disposal practices that are reasonable and appropriate must be utilized to ensure information cannot be read, deciphered or reconstructed once it has been disposed of. Reasonable measures should be established based on the type and sensitivity of the information, the costs and benefits of different disposal methods, and the related changes in technology.

Create a plan to respond to potential incidents. Having a proactive plan in place can expedite recovery time, minimize the potential impact on the business, and enhance investigative efforts. Many states and federal regulatory agencies also have specific guidelines addressing certain data breaches that must be followed.

Invest in talent. Automated tools and policies can’t be our only defense against these attacks. There needs to be a dedicated focus on developing talent to help interpret all of the information that’s being produced, and how to respond to it. Too many organizations place too much emphasis on the tools, and not enough on the people. Invest in leadership and developing your team.

41
Q

When it comes to the security of sensitive and confidential information, what are some of the common objectives and requirements?

A

Protecting sensitive data, wherever necessary and appropriate, through strong encryption and disciplined management of the encryption keys (encrypted data is only as protected as the keys that unlock it).

Segregating duties between database administrators and security administrators. Management of security policy should be separated from database functions to provide a “checks and balances” approach to the process.

Reporting and monitoring security policies and access to sensitive and confidential information through detailed audit trails. Such processes should document who has accessed data (or who attempted to access data), what specific database was accessed, what action was performed, and when it occurred.

Controlling access to sensitive information by assigning unique access IDs and access privileges, and defining user access rights based on the organization’s specific security policies.
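The four objectives above can be seen working together in a small piece of code. The following is an added example, not part of the flashcard deck: every user has a unique ID mapped to exactly one role, privileges come from a written policy table rather than from the database itself, security administration (changing who has access) is a separate role from database administration (touching the data), and every access attempt, allowed or denied, is appended to an audit trail that records who, which database, what action and when. All user IDs, role names, database names and sample activity are constructed for illustration.

```python
"""Added example (not from the flashcards): access control with unique IDs,
policy-driven privileges, segregation of duties, and an audit trail."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Policy table (assumed names): role -> database -> set of permitted actions.
# Segregation of duties is expressed here: "dba" can read, write and back up
# data but never change who has access; "secadmin" can grant, revoke and read
# the audit trail but never read or write the data itself.
POLICY = {
    "dba": {
        "payroll_db": {"read", "write", "backup"},
        "crm_db": {"read", "write", "backup"},
    },
    "secadmin": {
        "payroll_db": {"grant", "revoke", "read_audit"},
        "crm_db": {"grant", "revoke", "read_audit"},
    },
    "analyst": {
        "crm_db": {"read"},
    },
}


@dataclass
class AuditEvent:
    when: str        # ISO-8601 UTC timestamp: when it occurred
    user_id: str     # who accessed (or attempted to access)
    database: str    # what specific database
    action: str      # what action was performed or attempted
    allowed: bool    # whether policy permitted it


@dataclass
class AccessController:
    roles: dict                                   # unique user_id -> single role
    audit: list = field(default_factory=list)     # the audit trail

    def _log(self, user_id, database, action, allowed):
        self.audit.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user_id, database, action, allowed))

    def check(self, user_id: str, database: str, action: str) -> bool:
        """Decide a request against POLICY and record it whether or not it passes."""
        role = self.roles.get(user_id)            # unknown IDs have no role, so no rights
        allowed = action in POLICY.get(role, {}).get(database, set())
        self._log(user_id, database, action, allowed)
        return allowed

    def assign_role(self, actor: str, target: str, role: str) -> bool:
        """Only a security administrator may change roles, and never their own
        (self-escalation would collapse the separation of duties)."""
        allowed = (self.roles.get(actor) == "secadmin"
                   and role in POLICY and target != actor)
        self._log(actor, "*", f"assign:{role}:{target}", allowed)
        if allowed:
            self.roles[target] = role
        return allowed

    def denied_report(self) -> dict:
        """Denied attempts grouped by user: the first thing an auditor asks for."""
        report = {}
        for ev in self.audit:
            if not ev.allowed:
                report.setdefault(ev.user_id, []).append((ev.database, ev.action))
        return report


def demo():
    """Constructed activity showing each objective being enforced."""
    ac = AccessController(roles={"u1001": "dba", "u2002": "secadmin", "u3003": "analyst"})
    results = [
        ac.check("u1001", "payroll_db", "write"),   # dba writes data: allowed
        ac.check("u1001", "payroll_db", "grant"),   # dba tries to manage access: denied
        ac.check("u2002", "payroll_db", "read"),    # secadmin tries to read data: denied
        ac.check("u3003", "payroll_db", "read"),    # analyst has no payroll rights: denied
        ac.check("u9999", "crm_db", "read"),        # unknown ID: denied, but still logged
        ac.assign_role("u2002", "u3003", "dba"),    # secadmin promotes analyst: allowed
        ac.assign_role("u2002", "u2002", "dba"),    # secadmin promotes self: denied
        ac.check("u3003", "payroll_db", "read"),    # now a dba: allowed
    ]
    return results, ac.denied_report(), ac


if __name__ == "__main__":
    for event in demo()[2].audit:
        print(event)
```

The audit trail is written on the denied path too; an attempt that never succeeded is frequently the most useful record an investigator has.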

42
Q

What are some of the more common practices, systems and software that can increase the security of our information networks?

A

Strong Firewall Protections at all Network Transit Points. A firewall provides a controlled barrier that has the ability to block network traffic into and out of certain destinations, and can tightly control what is allowed to move from one side to the other. Firewalls can range from being fairly simple to very complex.

Strong Antivirus Software and other Internet Security Software. Antivirus software attempts to identify, neutralize, or eliminate malicious code by looking for irregularities in a computer system and comparing its findings against a database of known malware signatures. Note: It is important to update virus definitions regularly and upgrade the software periodically to protect against newly created viruses; signature-based detection cannot recognize malware for which it has no definition.

Strong Authentication, Username and Password Management Practices. Authentication is the process of verifying a user’s claimed identity, most commonly with a password. Authorization is the separate step that decides what an authenticated identity is permitted to access; the two must not be confused, because a system that has verified who you are still has to check what you may do. Poor username and password management is a typical problem in many company networks, and following basic practices can significantly improve network security.

Securing Confidential and other Sensitive Network Data with Encryption. Encryption is the conversion of information into a form (known as ciphertext) that cannot be understood by unauthorized individuals; decryption converts that ciphertext back into its original form so that it can be read. Encryption is accomplished by combining plain text with a secret “key” using a particular encryption algorithm. Unless the secret key is known, the ciphertext cannot feasibly be turned back into plain text (refer to our Caesar cipher example; note that the protection comes from the secrecy of the key and the number of possible keys, not from keeping the algorithm secret).

Strong Physical Security Measures for Company Facilities. As previously discussed within this chapter.

Network Audits. Instituting frequent network audits and other appropriate checks and balances further increases the overall protection of the network.

Network Monitoring and Analysis. Proactive measures instituted to scan for new hosts and out-of-date systems, as well as monitoring for suspicious activity throughout the network. This should also involve updating systems and protocols when necessary and appropriate to maintain network security.

Effective Incident Response Mechanisms. Policies and guidelines should be developed, accessible, understood and, when necessary, executed promptly so that incidents are handled quickly and effectively, minimizing the damage and impact of any compromise and reducing business disruption.
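The encryption item in the answer above refers to the Caesar cipher example. Here it is written out as code, as an added example that is not part of the flashcard deck: encryption and decryption with a secret key, followed by the attack that shows why the size of the key space matters. With only 25 usable keys an attacker who does not know the key simply tries them all; a modern algorithm has 2**128 or more keys, which is what makes “unless the secret key is known” hold in practice. The plaintext and the crib word are constructed.

```python
"""Added example (not from the flashcards): the Caesar cipher, and the
exhaustive key search that breaks it because the key space is tiny."""
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift each letter forward by `key` positions; other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is the same operation with the key negated (Python's % keeps it in range)."""
    return caesar_encrypt(ciphertext, -key)


def all_candidates(ciphertext: str) -> list:
    """Exhaustive key search: one candidate plaintext per possible key (1..25)."""
    return [(k, caesar_decrypt(ciphertext, k)) for k in range(1, 26)]


def recover_key(ciphertext: str, crib: str):
    """Return the key whose candidate plaintext contains a word the attacker expects,
    or None if no key produces it.  No knowledge of the key is needed."""
    for k, candidate in all_candidates(ciphertext):
        if crib.upper() in candidate:
            return k
    return None


if __name__ == "__main__":
    ct = caesar_encrypt("Attack at dawn", 3)     # constructed plaintext, key 3
    print("ciphertext:", ct)
    print("recovered key:", recover_key(ct, "attack"))
    for k, candidate in all_candidates(ct):
        print(k, candidate)
```

The point of `all_candidates` is that it fits on the screen: when every decryption can be listed, the secret key protects nothing. Real-world encryption of stored or transmitted data should use a vetted algorithm and library with a key space that cannot be enumerated, and the key should be managed as carefully as the data it protects.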

43
Q

What should be the principal focus of an effective Backup and Recovery plan?

A

We should first and foremost protect the data that is necessary to perform mission-critical functions within the organization—data that supports key business operations and will potentially have the greatest impact on the company.

44
Q

What are some key considerations of the Backup and Recovery process?

A

Assigning Responsibility - Determining who will be responsible for backup tasks, and whether they have the necessary skills to carry out this function. Some processes can be fairly simple (backing up files on desktop or laptop computers, for example) while others may be much more complicated (for example, protecting the information bank at our data centers). Plans should further identify who will be assigned this responsibility should the primary individuals be absent or unavailable.

Data Capture - Ensuring that all files and information are captured reliably and accurately, and that the quality of the data capturing process is verified on a regular and consistent basis. Is the software configured properly? Is all related equipment well maintained? Are involved employees reliable and properly trained? Is data being captured often enough to meet our business and operational needs?

Removal and Storage – Backup data that is left on-site may be exposed to the same physical and security risks as the original data. What is our medium for storing backup materials? All backups should be properly handled and stored, to include labeling, placement, and protection from sun exposure, magnetic fields, liquids, and any and all other exposures that may damage the media. If data is removed electronically, sufficient encryption and security protocols must be maintained. The storage location should be protected from intrusion and environmental damage. Additionally, backup data should be stored in a place that is quickly and easily accessible so as to enhance efficiencies.

Recovery - How long would it take to recover a lost file? The cost of downtime can be substantial—the longer it takes to restore the data, the more the company stands to lose as a result. Ensure that data can be recovered within the timeframe that is necessary to meet our business needs.
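The “Data Capture” and “Recovery” considerations above both come down to one question: does the backup contain exactly what it should, and does a restore reproduce it? The following is an added example, not part of the flashcard deck, of one way to verify that. The backup run records a SHA-256 manifest of every file; after a restore the tree is hashed again and compared, so missing, altered and unexpected files are reported at restore-test time instead of being discovered when the data is needed. The directory layout, file names and contents are constructed in a temporary directory.

```python
"""Added example (not from the flashcards): a backup manifest and a restore
verification that reports missing, corrupted and unexpected files."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large backup files never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (path relative to root, '/' separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest: dict, restored_root: str) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "corrupted": sorted(p for p in manifest
                            if p in restored and restored[p] != manifest[p]),
        "extra": sorted(set(restored) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: back up three files, then 'restore' them with one
    file silently truncated, one file never restored and one stray file added."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        dst = os.path.join(tmp, "restore")
        files = {
            "hr/payroll.csv": b"id,name,salary\n1,Alice,100\n2,Bob,120\n",
            "hr/roster.txt": b"Alice\nBob\n",
            "notes.txt": b"quarterly review\n",
        }
        for rel, data in files.items():
            path = os.path.join(src, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(src)            # recorded at backup time

        shutil.copytree(src, dst)                 # the restore
        with open(os.path.join(dst, "hr", "payroll.csv"), "wb") as f:
            f.write(b"id,name,salary\n1,Alice,100\n")   # Bob's row lost: corruption
        os.remove(os.path.join(dst, "notes.txt"))        # never restored: missing
        with open(os.path.join(dst, "stray.tmp"), "wb") as f:
            f.write(b"")                                 # not in the backup: extra

        result = verify_restore(manifest, dst)
        result["files_in_manifest"] = len(manifest)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The manifest should be stored separately from the backup media (and ideally signed), since a manifest that travels with the data can be altered along with it. Timing the `verify_restore` run over a real restore is also the simplest honest measure of the recovery window the plan promises.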

45
Q

What are some of the common objectives of our data protection audits?

A

Procedures and responsibilities are defined for all key personnel, including familiarity with company policies and practices, training and awareness initiatives, change management processes, sign-off on new applications, etc.

All policies and procedures should be readily known and physically available to all key personnel. Important documented procedures should include: job responsibilities, backup policies, security policies, employee termination policies, system operating procedures and an overview of operating systems.

Appropriate back-up procedures are in place—and understood—to prevent loss of important data, expedite system recovery and minimize downtime in the event of system failure or compromise. Properly trained and adequately skilled personnel are readily available in the event of any potential threat, failure or compromise.

The data center and other key facilities have adequate physical security controls to prevent unauthorized access. This would include guard functions, locked/secure area, entrance security, equipment security (bolted down, etc.), computer monitoring systems and other critical security controls.

Adequate environmental controls are in place to ensure equipment is protected from overheating, fire, water damage and other potential issues. This would include, but is not limited to, air conditioning units, raised floors, humidifiers, uninterruptible power supplies, etc.

Accessibility (key cards, login ID’s, secure passwords, etc.), authentication, and authorization controls are followed. Access rights are appropriate to assigned users and properly controlled. Duties are appropriately segregated. Vendor service personnel are supervised when doing work on data center equipment.

All equipment is working properly and effectively. Employees are adequately educated about equipment and properly perform their jobs. Equipment utilization reports, equipment inspection for damage and functionality, system downtime records and equipment performance measurements all help to determine the state of this equipment. Employee interviews should be conducted to determine if preventative maintenance policies are in place and performed on schedule.

Network controls and potential vulnerabilities are inspected to ensure compliance. Virus definitions are up-to-date, software and other upgrades are installed with adequate attention to default configurations, etc.

46
Q

What are the key components of a data privacy program?

A

Data privacy involves the relationship between the collection and dissemination of information, the public’s expectation of privacy, and the legal issues that surround the subject.

47
Q

What is HIPAA?

A

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by Congress to create a national standard for the protection of employee health care (specifically the protection of health insurance coverage for workers and their families when they change or lose jobs), the development and implementation of national standards for healthcare transactions, and protection of the integrity, confidentiality, and availability of personal health information.

48
Q

Why were HIPAA standards established?

A

HIPAA statutes establish regulations for the use and disclosure of protected health information, which is any information related to health status, health care provisions, or payment for health care that is associated with an individual.

49
Q

When was the first bank issued charge card introduced? What was the name of the card?

A

The first bank card, “Charg-It,” was introduced by John Biggins, a Brooklyn banker, in 1946.

50
Q

What five programs created the primary foundation for security standards for how to process, store and transmit cardholder information?

A

American Express (Data Security Operating Policy, or DSOP); Discover (Discover Information Security and Compliance, or DISC); MasterCard (MasterCard Site Data Protection, or SDP); JCB International (Data Security Program); and Visa (Cardholder Information Security Program, or CISP)

51
Q

What is the Payment Card Industry Data Security Standard?

A

Build and Maintain a Secure Network. A firewall configuration must be installed and maintained that is designed to protect cardholder information. Vendor-supplied defaults for system passwords and other security parameters cannot be used.

Protect Cardholder Data. Stored cardholder data must be protected. Any transmissions of cardholder data across open, public networks must be encrypted.

Maintain a Vulnerability Management Program. Anti-virus software must be utilized and regularly updated. Secure systems and applications must be developed and maintained.

Implement Strong Access Control Measures. Access to cardholder data must be restricted to a business need-to-know basis. Each person with computer access must be assigned a unique ID. Physical access to cardholder data must be restricted.

Regularly Monitor and Test Networks. All access to network resources and cardholder data must be tracked and monitored. Security systems and processes must be regularly tested.

Maintain an Information Security Policy. Such a policy must address the different aspects of information security.

52
Q

Due to the need to safeguard the privacy of our employees, what are some of the standards that every company should follow?

A

While there are employees who have a legitimate need to view the information in a personnel file (For example, a supervisor may need to review performance evaluations to decide whether to promote an employee), companies must establish procedures that will assure that confidential information is available only to those persons whose work requires access to such information.

The information in an employee personnel file is not to be released to anyone other than users whose duties require access. Employees with access to confidential employee data should sign a confidentiality agreement acknowledging that the employee understands requirements for protecting confidential employee data.

Reasonable precautions must be taken to prevent unauthorized persons from casually observing confidential information. Information should be maintained in locked files and/or secure databases unless being used for authorized purposes.

Confidential employee information should not be shared outside of the company unless it is for legitimate company/employee purposes. The only exceptions are by written permission of the employee whose information is being requested, or pursuant to a valid subpoena or other legal order. Recipients must be informed that the information provided is confidential and is provided for the sole purpose of the specific business need. Also, recipients must be informed that they are responsible for the protection of the information and the destruction of all files after the intended use is satisfied.

In most states, employees have the right to examine the contents of their own personnel files. This allows individuals the opportunity to confirm information in the file and identify any specific information which is believed to be incorrect. Procedures should be established that enable the employee to correct inaccurate information discovered in the files, as well as remove or otherwise explain certain content contained in these records with which the employee disagrees. The objective should be to ensure the accuracy of information regarding each individual.

Certain kinds of information should not be maintained in an employee’s personnel records. An employer should not keep records of an employee’s activities or associations that do not directly relate to an employee’s performance and job qualifications. This would include but is not limited to political activities and communications, religious and civic affiliations, and the like. Some jurisdictions further protect against identifying marital status, living arrangements, arrest records, or other personal characteristics.

Medical records should be maintained separately from an employee’s personnel file. If an employee has a disability or other specific medical condition the Americans with Disabilities Act requires that those records be kept confidential and maintained in a separate file with access restricted to a limited number of people.

Form I-9 should not be maintained in an employee’s personnel file (Form I-9 is a form from U.S. Citizenship and Immigration Services (USCIS), formerly the INS). While Form I-9 must be completed for all employees, verifying that they are legally authorized to work in the United States, these documents should be maintained in a separate file.

An employee’s personnel file should not contain records of the employee that relate to the investigation of a possible criminal offense, letters of reference, documents which are being developed or prepared for use in civil, criminal, or grievance procedures; materials which are used by the employer to plan for future operations, or information available to the employee under the Fair Credit Reporting Act.

53
Q

QUIZ: Commonly residing in computer memory, this type of computer malware can do damage by sheer replication without user action, consuming internal disk and memory resources within a single computer or by exhausting network bandwidth, but does not actually alter files:

A

Worm

54
Q

QUIZ: In an attempt to disrupt company business, a disgruntled former employee sends an email disguised as a “joke” to several of his former coworkers with a photo attachment as part of the file. However, the employee has embedded a virus into the photo file that spreads throughout the company computer systems as the email is passed on, causing significant damage to the network connectivity. This would be an example of what type of network threat?

A

Denial of Service Attack

55
Q

QUIZ:The ability to read information found in the file contents of a computer system, write or modify the contents of a file, or execute the file if it is a program are all examples of what type of access control process?

A

Authorization

56
Q

QUIZ: The goal of this type of network threat is to access some resource that your network should not provide the attacker, such as a data breach. This may ultimately involve executing system commands illicitly and making configuration changes to the system, manipulating/changing data, data destruction, and data theft:

A

Unauthorized Access Attack

57
Q

QUIZ: This is the process of using system components to track and document what the user did and where they visited while using a computer operating system:

A

Accountability