Thursday, August 7, 2008

Data Classification - Time to catch up

After 12 years of protecting U.S. Government’s most sensitive and classified resources, data, personnel, and facilities, I have learned a great number of things. The television show 60 Minutes can do a year's worth of episodes purely on the mismanagement of funding alone at one unnamed facility that I worked at. Argue what you may about the U.S. Government, its spending habits, its leaders, its policies, its “big brother” mentality, or whatever else irks you, but know this: The U.S. Government is the king of data classification. It is better than everyone, including every business you have ever worked for: Fortune 500 companies, financial institutions, manufacturing businesses, utility companies, healthcare facilities, and retail industries.

How does one begin to protect information? Classify it. In order to determine necessary controls and measures that are required to protect information, we must first understand the value of that information. Once the value is understood, we can then determine the impact it will have if it becomes lost or compromised. Will its loss bankrupt our business? Will its compromise put us on the front page of the newspaper? This impact, in turn, determines how it must be protected.

There are dozens of different classification levels and control markings used in the government. They include Top Secret, Secret, Confidential, Sensitive But Unclassified, Export Controlled, Limited Distribution, and Restricted Data, just to name a few. To take it one step further, the U.S. Government applies handling instructions (like NOFORN or ORCON) and a “Need-To-Know” philosophy to all of its information, meaning that even if I have a Top Secret clearance, I only have access to the information that is required for me to fulfill the duties and responsibilities of my position.

Each of these classifications is assigned based on the value of the information, and each classification has its own set of instructions for properly handling and safeguarding that information. The higher the value of the data, the more stringent the controls that protect it.
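The two ideas above, a hierarchical level plus a need-to-know check that a high clearance alone does not satisfy, can be shown as a small access decision. The following is an added example, not code from the original post or from any government system: the level names are the real U.S. ones, while the compartment names, clearances, and documents are constructed for illustration.

```python
"""Added example: label-dominance access check with need-to-know compartments
and a NOFORN handling caveat. Compartments, people and documents are made up."""
from dataclasses import dataclass, field

# Hierarchical classification levels, lowest to highest; only the order matters.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """Marking on a document: level, need-to-know compartments, caveats."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)
    noforn: bool = False  # NOFORN: not releasable to foreign nationals

    def __post_init__(self):
        if self.level not in RANK:
            raise ValueError(f"unknown classification level {self.level!r}")


@dataclass(frozen=True)
class Clearance:
    """What a person holds: a level, the compartments they are read into,
    and whether they are a U.S. person (for the NOFORN caveat)."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)
    us_person: bool = True

    def __post_init__(self):
        if self.level not in RANK:
            raise ValueError(f"unknown clearance level {self.level!r}")


def dominates(clearance: Clearance, label: Label) -> bool:
    """True only if the clearance level is at least the label level AND the
    person holds every compartment on the label (need-to-know) AND every
    handling caveat on the label is satisfied. All three must hold."""
    if RANK[clearance.level] < RANK[label.level]:
        return False                       # "no read up"
    if not label.compartments <= clearance.compartments:
        return False                       # has the level, lacks need-to-know
    if label.noforn and not clearance.us_person:
        return False                       # handling caveat blocks release
    return True


def authorized_documents(clearance: Clearance, documents: dict) -> list:
    """Names of the documents this clearance may read, sorted for stable output."""
    return sorted(name for name, lbl in documents.items() if dominates(clearance, lbl))


# Constructed sample data (hypothetical compartments ALPHA and BRAVO).
DOCUMENTS = {
    "budget-memo":   Label("UNCLASSIFIED"),
    "liaison-brief": Label("SECRET"),
    "site-survey":   Label("SECRET", frozenset({"ALPHA"}), noforn=True),
    "ops-plan":      Label("TOP SECRET", frozenset({"ALPHA", "BRAVO"}), noforn=True),
}

# A Top Secret holder read into ALPHA only: cannot see ops-plan despite the level.
ANALYST = Clearance("TOP SECRET", frozenset({"ALPHA"}))
# A foreign liaison officer cleared to Secret and read into ALPHA: NOFORN blocks site-survey.
LIAISON = Clearance("SECRET", frozenset({"ALPHA"}), us_person=False)

if __name__ == "__main__":
    for who, clr in (("analyst", ANALYST), ("liaison", LIAISON)):
        print(who, "->", authorized_documents(clr, DOCUMENTS))
```

The point the analyst case makes is the one in the post: Top Secret is necessary but not sufficient, and the compartment check is what enforces need-to-know. In a real system the label would travel with the data (file metadata, database column, message header), and the check would run in a reference monitor rather than in application code.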

If your organization doesn’t classify its data, you are most likely not protecting it at a level commensurate to its value, and therefore make it vulnerable to loss or compromise. In data classification, the government reigns. Everyone else, including you, can’t keep up.


Tuesday, August 5, 2008

Preparing for HIPAA: Round Two - The Audit

The big buzz this year around security assessments and audits is all about HIPAA. This was #6 in SecureState's Top 8 of 08 and, to say the least, there’s quite a bit of tension in the air as organizations hold their breath. While PCI is still the most active, all of our clients with HIPAA concerns – which is many – are on constant watch to see what HIPAA is really going to mean. To date, HIPAA has been a little weak, as organizations have been left to their own devices to operate around a risk-based approach. But that approach has time and time again proven not to be diligent enough, and/or it favors the business over security. Now the audits are happening, HIPAA is getting some teeth, and most organizations are scrambling to figure out what ‘their’ interpretation is and whether what they did is enough. Everyone knows that the first audit was done last year at a hospital, and everyone has seen the list of ‘42 questions’ that were asked. But those hardly helped, as they really didn’t indicate what the expectations were. Now other HIPAA organizations are being audited, including retailers and insurers. The results are supposed to be posted on the CMS/HHS site, but so far nothing is out there. Hope is not lost, though, as the details emerge from our clients and other sources.

First of all, it is important to realize who is doing the audits. It is KPMG’s government practice, working for a government agency. As such, it should be expected that they would be leveraging NIST standards. The second indicator is from NIST itself. CMS/HHS first worked with NIST to develop the 800-66 publication for understanding and implementing the HIPAA Security Rule. But that proved to be fairly vague, mainly referencing a bunch of other NIST standards without providing a lot of ‘how’. Based on that type of feedback, they have issued a draft revision of 800-66 that finally provides a solid understanding of how to implement the Security Rule: it maps each Security Rule requirement to NIST 800-53, which outlines ‘recommended controls’, not unlike ISO 27002 (formerly 17799). Reviewing some of the draft HIPAA audit reports confirms this further: NIST 800-53 is the core of the KPMG audit framework.

So now you know what they are looking for and what to expect. If you were looking for a solid ‘checklist’ for a gap analysis of your HIPAA program, look no further than NIST 800-53, or even better, the draft of NIST 800-66. The draft is great, as it also has sample questions that the auditor might be asking – hint hint. The other referenced NIST standards can also be helpful, especially if your organization uses a particular technology extensively, e.g. the 800-124 draft on cell phone/PDA security. Regardless of what the checklist is, the bottom line is that HIPAA has not had a strong enough impact on organizations, much like SOX. As a result, companies aren’t really getting secure as originally intended. Every hospital or insurance company we have reviewed has failed system audits and penetration testing - and we're the good guys. Getting compliant, even to a higher level, isn’t getting secure. And odds are, your organization has more than HIPAA data out there.

So do the right thing, do due diligence, do it soon, and get your organization to a defensible position before the audit. Base your decisions on the intent of the controls outlined in 800-53/66, not the wording or sample interpretation. Don't wait for the audit, findings and fines - or even worse - the breach. It's a lot more expensive to implement security after the fact than before.
