You’ve Passed your Audit…!!! But, is your Data Secure?

November 2, 2010:  Does passing an Information Technology (IT) audit give you a sense of security?  If you said yes, you may want to think again!  Being compliant with federal regulations and industry standards does not protect your data from many threat vectors and attack techniques.  Threats come from inside (employees, consultants, and unintentional misconfigurations) as well as from outside (hackers, attackers, and competitors).  Many regulations focus on the external threats posed to organizations but set only "light" requirements when it comes to internal threats and access controls.

It is great to have a firewall and a network IPS in place to protect against remote attacks from public networks; however, these controls will NOT protect your sensitive data from attacks that originate on your internal, trusted network.  Consider a system administrator with elevated privileges who has access to every network share, including shares where employees' personally identifiable information (PII), such as social security numbers and dates of birth, is stored in a flat file.  Share and file-system permissions do not restrain an administrator of that file server, so what stops such an employee from reading the data, taking a snapshot of the screen and emailing it outside the network, or simply copying it to a USB storage device?  Some large companies have Data Loss Prevention (DLP) tools or Group Policy Objects (GPOs) in place to block these activities, but that is not the norm across all companies.

Industry standards and regulations do state, in "general" terms, that you must protect sensitive data from unauthorized persons.  The requirement is vague, however: it defines neither what sensitive data is nor who an unauthorized person is, which leaves both up to the interpretation of the person auditing your company.
I see sensitive data as the intellectual property associated with your company and its operations, which includes: customer personal data, employee personal data, payment transaction details, financial records, infrastructure documentation, and trade secrets.   I would consider ALL persons without a need-to-know to view, execute, or change sensitive data within an application or network share to be unauthorized persons.
I say all this to say… be diligent when it comes to protecting your company’s data assets.  When selecting security controls, always start with the data you are trying to safeguard, then identify the technical and administrative controls needed to be compliant AND secure.  Compliance is the minimum requirement, but it is NOT enough.  Attackers are becoming much savvier while exploits are becoming much easier to execute, so you MUST become much more AWARE and PROACTIVE!
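Starting with the data means first finding where it actually sits.  The following is an added example, not code from the original post or from Sharpe Security Consulting: it walks a directory tree the way you would walk a mounted network share and reports the flat files that contain likely social security numbers or ISO-format dates of birth, the two PII fields named above.  The sample files and their paths are constructed here, and the SSN structure rules (no 000, 666 or 9xx area number, no 00 group, no 0000 serial), the ISO date format, and the 1900 cutoff for birth years are my assumptions.

```python
"""Find flat files on a share that contain likely PII (SSNs, dates of birth).

Added data-discovery example.  The sample tree, paths and validity rules are
constructed/assumed here and are not from the original post.
"""
import os
import re
import tempfile
from datetime import date

# Constructed sample tree: a few flat files as they might sit on a file share.
SAMPLE_FILES = {
    "hr/employees.csv": (
        "name,ssn,dob\n"
        "Alice Example,123-45-6789,1980-02-29\n"
        "Bob Example,987-65-4321,1975-13-01\n"   # 9xx area and month 13: both invalid
    ),
    "finance/vendor_notes.txt": "Vendor contact SSN on file: 555-01-2345 (DOB 1965-06-15)\n",
    "it/README.txt": "Build server 10.0.0.5, ticket 000-12-3456 closed.\n",  # 000 area: not an SSN
}

# NNN-NN-NNNN with the structural exclusions the SSA never issues (assumed rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# ISO YYYY-MM-DD; calendar validity and plausibility are checked in code.
DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")


def find_ssns(text):
    """Return every structurally valid SSN found in text."""
    return SSN_RE.findall(text)


def find_birth_dates(text, today=None):
    """Return ISO dates in text that are real calendar dates between 1900 and today."""
    today = today or date.today()
    found = []
    for y, m, d in DATE_RE.findall(text):
        try:
            dt = date(int(y), int(m), int(d))
        except ValueError:          # e.g. month 13 or Feb 30: not a date at all
            continue
        if dt.year >= 1900 and dt <= today:
            found.append(dt.isoformat())
    return found


def scan_file(path):
    """Count SSN and birth-date hits in one file; unreadable files count as empty."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return {"ssn": 0, "dob": 0}
    return {"ssn": len(find_ssns(text)), "dob": len(find_birth_dates(text))}


def scan_tree(root, max_bytes=5_000_000):
    """Walk root (e.g. a mounted share) and return {relative path: hit counts} for files with PII."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:   # skip large binaries/archives
                continue
            hits = scan_file(path)
            if hits["ssn"] or hits["dob"]:
                findings[os.path.relpath(path, root)] = hits
    return findings


def write_samples(root):
    """Materialise the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo_scan():
    """Write the sample tree to a temp dir, scan it, return findings with '/' separators."""
    with tempfile.TemporaryDirectory() as root:
        write_samples(root)
        return {k.replace(os.sep, "/"): v for k, v in scan_tree(root).items()}


if __name__ == "__main__":
    for rel, hits in sorted(demo_scan().items()):
        print(f"{rel}: {hits['ssn']} SSN(s), {hits['dob']} birth date(s)")
```

Run it against the root of a mounted share and the output is the list of files whose permissions, encryption and retention you need to review first.  A hit is a lead, not proof (a 9-digit ticket number can still match), so confirm each file before acting, and expect to extend the patterns to the other date and identifier formats your own data uses.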
c~Sharpe Security Consulting