Monday, May 27, 2013
Information Security – Security Incident Reporting
So, last week I met with a law firm and discussed information security, what some clients, certification or legislation requires. Often people’s eyes glaze over when talking about information security, because they feel it relates solely to IT managers. However, for credit and collection professionals, this is an important issue that should be addressed by every company. In the credit industry, we are dealing with sensitive financial information, and often sensitive personal information -- we should protect it, and have a method to report any potential information breaches.
Because I’ve worked with ISO 27001 certification, and I’m enough of an IT person to know that data management is absolutely key to credit and collections, our company has a solid information security policy – but not everyone does.
So, What is A ‘Security Incident’?
A Security Incident can be anything where information is mishandled, or could be mishandled, anywhere from a password being left on a sticky note on someone’s computer to an unauthorized employee walking out of the office with a backup drive.
To give some real-life examples, in our company’s security policies, we define a security incident (“IS Incident”) as the discovery of:
• Any suspected or confirmed event indicating compromise of the security, confidentiality, integrity or availability of client Information (as defined below). Examples of an IS Incident include accidental or intentional damage, modification, destruction, disclosure, loss, misuse or theft of client Information.
• Suspected or confirmed unauthorized use of client technology resources.
Examples of IS incidents in the credit and collections industry might include:
• Accidental third party disclosure of collection or credit information to a non-debtor about a collection account.
• Accidental disclosure of client contact information to a non-privileged party.
• Improper handling or disposal of client or debtor data.
• Sharing or inappropriate use of passwords.
• Unauthorized access to systems or information.
• Network intrusions.
• Phishing or malware (targeted specifically at client or debtor information).
• Lost or stolen computer equipment, such as laptops, hard drives, or storage devices containing client or debtor information.
• Theft of client corporate technology (hardware, software, intellectual property, etc.), property, or information.
So What Should We Do About A Security Breach?
Well, the first thing that should happen is that it is reported internally to a security log (just like a computer would do) by the staff member who detects the potential breach. This can be a form, an online log, or what have you. They should log what happened, when it happened, and how they think it happened.
If this potential breach affects a client or an outside source, it must be reported to them. It may look bad to have a breach, but it looks far worse if you aren't forthright -- large, reputable companies like Microsoft (for Xbox) or LinkedIn have been transparent about security breaches to the public.
Send In The Pros
Once the incident has been reported, evidence should be gathered – by management if it was a human breach, by the IT department if it was a network or computer breach, and so on. Once the matter has been investigated, the actions surrounding the incident can be dissected. The group assigned to the investigation would be your Security Incident Reporting Team (“SIRT”).
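One way to turn the three steps above (log what/when/how, notify the client when their data is affected, hand the investigation to management or IT) into a minimal incident register, written here as an added example rather than the company's own form or code; the incident categories and the management-versus-IT routing are assumptions drawn from the lists in this post:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class IncidentType(Enum):
    # Categories taken from the post's list of IS incidents (assumed grouping)
    DISCLOSURE = "accidental disclosure"
    DATA_HANDLING = "improper handling or disposal"
    PASSWORD_MISUSE = "sharing or inappropriate use of passwords"
    UNAUTHORIZED_ACCESS = "unauthorized access"
    NETWORK_INTRUSION = "network intrusion"
    PHISHING_MALWARE = "phishing or malware"
    LOST_EQUIPMENT = "lost or stolen equipment"


# Assumed routing: network/computer incidents go to IT, people-driven ones to management
_IT_LED = {IncidentType.NETWORK_INTRUSION, IncidentType.PHISHING_MALWARE,
           IncidentType.UNAUTHORIZED_ACCESS}


@dataclass
class IncidentReport:
    reporter: str          # staff member who detected the potential breach
    what: str              # what happened
    how: str               # how they think it happened
    kind: IncidentType
    affects_client: bool   # client or outside-party data involved?
    when: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

    def validate(self) -> list:
        """Return the names of required fields that are still empty; [] means the entry is complete."""
        missing = [name for name in ("reporter", "what", "how") if not getattr(self, name).strip()]
        if self.when.tzinfo is None:           # a timestamp without a zone is ambiguous evidence
            missing.append("when (timezone)")
        return missing

    def investigating_group(self) -> str:
        """Who gathers the evidence: the SIRT lead for this kind of incident."""
        return "IT department" if self.kind in _IT_LED else "management"

    def notifications(self) -> list:
        """Everyone who must be told: always the internal log and the investigators,
        plus the affected client whenever their data is involved."""
        targets = ["internal security log", self.investigating_group()]
        if self.affects_client:
            targets.append("affected client")
        return targets


if __name__ == "__main__":
    # Constructed sample entry, not a real incident
    sample = IncidentReport("A. Clerk", "Laptop with debtor files missing", "Left in a car overnight",
                            IncidentType.LOST_EQUIPMENT, affects_client=True)
    print(sample.validate(), sample.notifications())
```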
So, What Have We Learned?
After the security incident has been logged and investigated, the most important thing is to put controls in place to ensure (or drastically reduce the chances) that it doesn’t happen again.
I’m not talking about unreasonable security requirements – I’ve heard horror stories from staff members who have worked at other companies with security controls in place to the degree that they couldn’t do their job. Taking email accounts away from the staff, or not allowing collection staff to take payment information may be going too far.
I’m talking about reasonable precautions. If you’ve had an attempted network intrusion or hack, make sure your firewalls are robust and you review your security logs. Make sure you don’t have stacks of personal information on desks where any visitor can view them. Use a visitor log and escort your visitors when they are there.
Common Mistakes To Avoid
Because our company is involved with hundreds of companies, we see some of the best practices … and we see some of the worst. Here are a couple of suggestions that will make your security incident reporting a lot easier.
• Does your company require staff to change their passwords at least every 30 days?
• Do you have a greeting area for your company that is free from sensitive information?
• Do you have wireless network access and do you really need it?
• What sort of mobile storage devices are allowed in your secured areas? This can include USB memory keys and mobile phones.
The Key Is Eternal Vigilance
Almost every organization must have a porous structure for data – email access, letters going in and out, staff members coming and going, visitors to your site, and so on. The important thing is to identify what data is sensitive, and put reasonable controls in place to prevent access to that data.
It is possible, in my opinion, to take security too far. Shaded window treatment on the 14th floor to prevent someone with a pair of binoculars reading information on someone’s desk, eliminating all staff email accounts, or including metal conduit on all network cords to prevent someone from climbing a ladder in a public traffic area, patching into a network cord, and intercepting network traffic are some of the more extreme security measures I’ve actually run into over the years.
To have a robust information security policy, it needs to be flexible, and able to adapt with actual or potential threats, and the only way to do that is have open communication with your staff. This is the key of security incident reporting.
If you would like more information about ISO 27001 security standards, here is a useful site that talks about it in detail:
If you are dealing in sensitive information, you want to have a robust security policy. If you are interested in discussing security policies, ISO 27001 standards, PIPEDA, or security as it relates to credit and collections in Canada, by all means contact me to talk. My office number at Kingston Data and Credit is 226-444-5695.
Kingston Data and Credit
Posted by Blair DeMarco-Wettlaufer