People, Processes, and Computer Technology: Three Essential Parts of Your Security Program to Protect Non-Public Personal Information.
Introduction: Information Security is a Program, Not a Product
“If you think security is a technology problem, then you don’t understand the problem, and you don’t understand technology.”– Bruce Schneier, Computer Security Professional.
Every “financial institution” (including third-party debt collectors and collection agencies) must maintain, pursuant to the Gramm-Leach-Bliley (GLB) Safeguards Rule (“Safeguards Rule”), a comprehensive information security program to protect the “non-public personal information” (“NPPI”) of consumers.
Technology makes protecting NPPI more challenging. While computing power, practically unlimited storage capability, and broadband networks all offer substantial potential benefits to financial institutions and their customers alike, interconnected computer networks also present significant and evolving risks to the security of NPPI.
A seemingly reasonable reaction might be to look for the computer technology tools that will “solve” all potential security problems. But no computer technology product or service alone will satisfy the Safeguards Rule or protect NPPI. Put another way, using appropriate tools like firewalls, encryption, and anti-malware software is necessary, but not sufficient.
Recognizing that technology is not a cure-all, the Safeguards Rule requires that an effective security program combine people, processes (usually written down as policies), and appropriate computer technology. No financial institution will protect NPPI properly unless the security program is strong (and stays strong) in all three areas.
1 – People: Authority and Oversight
To underscore the importance of people in protecting NPPI, consider the consequences of human error in connection with breaches of sensitive information:
Target (credit card and personal data of as many as 110 million customers):
“The breach . . . appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation.”
South Carolina Department of Revenue (3.9 million tax returns and 387,000 credit and debit card numbers exposed):
“A malicious (phishing) email was sent to multiple Department of Revenue employees. At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised.”
Given that people are often the weak link in the security chain, the Safeguards Rule emphasizes the importance of human oversight of, and involvement in, an information security program.
Designate an employee or employees to coordinate your information security program. (16 C.F.R. Section 314.4(a)).
The person or people dedicated to coordinating the program must have the authority, the funding, and the trust of management. Promoting a culture of security starts at the top, not just in the message from the CEO or the Board of Directors communicating the importance of protecting NPPI, (the talk), but also in the resources (in personnel and otherwise) devoted to building and maintaining that culture (the walk).
The program coordinator(s) must oversee the implementation of clear, well-documented policies (described below), make sure those policies are followed, and administer appropriate discipline when those policies are violated. This security professional also quarterbacks regular training for employees, especially those who will handle NPPI, and makes sure that the security program is reviewed periodically and updated.
The increasing complexity of all these technology tools can make oversight seem very difficult at best. When feeling overwhelmed by the pace of change, shift focus from the technology itself to the likely risks associated with NPPI and how to minimize those risks. The leadership of a financial institution cannot be expected to understand in minute detail how encryption works, how a server backup takes place, or how to write the software code that runs on its computers.
But that does not mean that leadership gets a pass from asking tough questions and evaluating risk in the same way it does in other parts of the business. That means 1) be actively engaged; 2) ask thoughtful questions; and 3) exercise independent judgment. This also means having a process whereby significant security incidents are escalated to leadership, holding employees accountable for managing IT risks, and making sure that the appropriate amount of independent audit and oversight takes place.
Ensure that contractors or service providers are capable of maintaining appropriate safeguards for NPPI, and require all such third parties, by contract, to implement and maintain an information security program. (16 C.F.R. Section 314.4(d)).
If a financial institution is putting NPPI into the hands of third parties, the financial institution must exercise risk management over the third-party vendor contract “lifecycle”: planning, vendor selection, contract negotiation, and ongoing oversight. As is often said, you can outsource the technology services, but you cannot outsource the risk.
2 – Processes: Standardize and Implement
“If you can’t describe what you are doing as a process you don’t know what you are doing.”– W. Edwards Deming
Develop an appropriate program that is written in one or more readily accessible parts. (16 C.F.R. Section 314.3(a)).
Put bluntly, even the most sophisticated computer technology is useless (or worse) if a financial institution doesn’t have processes in place to make sure hardware and software (and your physical facilities too) are managed properly to protect NPPI.
As a result, policy implementation will most certainly require the adoption and use of checklists, training, and enforcement to turn policy documents into actual compliance and effective security. As an example, a policy prohibiting employees from “taking work home” on their laptop computers is important (especially when NPPI is involved), but meaningless unless the financial institution has considered how to make sure that policy is communicated, followed and enforced.
In other words, can you achieve a “culture of compliance and security” that matches the compliance and protection you describe in your policies? For more on this (admittedly broad) topic, I highly recommend Atul Gawande’s The Checklist Manifesto: How to Get Things Right.
Some of the crucial processes/policies for protecting NPPI include:
- Controlling Access/Privileges
- Configuring, Hardening, Updating/Patching, and Monitoring All Software, Hardware and Services
- Incident Response
- Business Continuity/Disaster Recovery
- Encryption/Secure Transmission
- Remote Access (Employees and Customers)
- Acceptable Use
- Mobile Device
- Social Media
- Information and Device Retention and Destruction
Do not assume these are all “technology” policies beyond the reach of your understanding or solely within the province of IT. Part of the oversight responsibility involves making sure that these policies are understood and followed. If you can’t make a process part of your routine, then how can you expect your employees to follow that same directive?
Effectively communicated policies also help narrow the “expectation gap” between employees who believe that they can use workplace facilities (for example, email) for personal communications, and a financial institution that expects company computers and networks to be used solely for business purposes. As the United States Supreme Court observed, “employer policies concerning communication will of course shape the reasonable expectations of their employees, especially to the extent such policies are clearly communicated.” City of Ontario v. Quon, 130 S.Ct. 2619 (2010).
3 – Use Appropriate Technology, Too
Of course, capable and informed people who implement, maintain, and update appropriate processes will also need various computer technologies to protect NPPI. Some tools that may be part of your program include:
- Encryption of NPPI at rest (while it is being stored): hard drives, data storage areas, mobile devices, removable media (USB drives);
- Encryption of NPPI in transit (when it leaves your network), especially when sent over public networks;
- Boundary defense (securing the “house”, your network, from “the neighborhood”, bad actors on the internet);
- Endpoint protection;
- Intrusion Detection and Prevention (securing the “house and its rooms”, the inside of your network, in case the bad guys are already inside);
- Data Loss Prevention (tools that can detect when NPPI is being sent out of your network without authorization);
- Access Controls (limit access to NPPI to only those with a business need to use it);
- Password and Login Settings (strength, failed access attempts and automatic lockout; note that current NIST guidance, SP 800-63B, advises against routine forced password changes unless there is evidence of compromise);
- Multi-factor authentication as appropriate, especially for remote access.
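To make the Data Loss Prevention item concrete, here is an added example (not code from the original article, and not any vendor's product) of the core check a DLP tool performs on outbound text: it looks for payment card numbers (validated with the Luhn checksum, so a run of digits that merely looks like a card is not flagged) and Social Security numbers (the SSN pattern, including the reserved 000, 666 and 9xx area numbers it excludes, is an assumption about what counts as NPPI for this illustration), redacts what it finds, and returns a block/allow verdict. The sample messages are constructed for the example.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# SSN shape NNN-NN-NNNN, excluding area numbers never issued (000, 666, 900-999),
# group 00 and serial 0000. Assumed policy for this example, not a legal definition.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed sample outbound messages (no real data; the card numbers are
# published industry test numbers).
SAMPLE_MESSAGES = [
    "Hi, your balance statement is attached. Call 555-123-4567 with questions.",
    "Per your request the card on file is 4111 1111 1111 1111, exp 12/26.",
    "Taxpayer 123-45-6789 disputes the amount shown.",
    "Internal ref 4111111111111112 (not a card, fails checksum).",
]


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Mask all but the last four characters so the finding can be logged safely."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_message(text: str) -> list:
    """Return a list of {'type', 'value'} findings for NPPI patterns in text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Length is re-checked after stripping separators; Luhn filters false positives.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append({"type": "card", "value": redact(digits)})
    for m in SSN_RE.finditer(text):
        findings.append({"type": "ssn", "value": redact(m.group())})
    return findings


def check_outbound(text: str) -> dict:
    """Apply the policy: any NPPI finding blocks the message, otherwise allow it."""
    findings = scan_message(text)
    return {"verdict": "block" if findings else "allow", "findings": findings}


def scan_corpus(messages: list) -> list:
    """Return the verdicts for a batch of messages, keeping only the blocked ones."""
    results = []
    for i, msg in enumerate(messages):
        r = check_outbound(msg)
        if r["verdict"] == "block":
            results.append({"index": i, "findings": r["findings"]})
    return results


if __name__ == "__main__":
    for hit in scan_corpus(SAMPLE_MESSAGES):
        print(hit)
```

Run as a script, it reports only messages 1 (a Luhn-valid card number) and 2 (an SSN); the phone number in message 0 and the checksum-failing digit run in message 3 are left alone. A production DLP tool adds context (sender, channel, authorized exceptions) and inspects attachments and encrypted channels, but the decision logic starts here, and the false-positive handling is why the checksum matters.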
Conclusion: Update and Adapt (All Three)
Your information security program must adapt as new risks arise, technologies change, employees move in and out, and laws and regulations evolve. The Safeguards Rule embodies the “constancy of change”:
Evaluate and adjust the information security program in light of developments that may materially affect the safeguards you’ve put in place. (16 C.F.R. Section 314.4(e)).
In other words, you must regularly examine how you are protecting NPPI, and make adjustments based upon what you find.
“Email Attack on Vendor Set Up Breach at Target”, KrebsOnSecurity, February 12, 2014, http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
Mandiant, “SCDOR Public Incident Response Report”, November 20, 2012, http://governor.sc.gov/Documents/MANDIANT%20Public%20IR%20Report%20-%20Department%20of%20Revenue%20-%2011%2020%202012.pdf