Information Security Policies, Standards and Procedures are essential to the protection of every organization. The Federal Government is aware of this and has legislated standards under both GLBA and HIPAA. These policies, procedures and standards are only of value, however, if the employees are aware of them and follow them, and the organization enforces them.

The Issue

Banks and many other organizations are required to comply with Federal GLBA or HIPAA data privacy and security standards. Employees are the first line of defense in using and protecting confidential company information. Statistically, more privacy and security violations occur from ‘authorized’ staff within an organization, in an ‘unauthorized’ behavior, than from an intruder that compromises the organizations technical security controls. Development of Policies, Staff Education and Training, and Consistent Policy Enforcement are essential to successful Security Controls.

GLBA Law

It is critical for financial institutions to mitigate security threats due to regulations mandated in the Gramm-Leach-Bliley Act (GLBA). GLBA requires financial services institutions to maintain the security and privacy of Nonpublic Personal Information (NPI) about their customers. NPI includes:

• The fact that an individual is the customer of a particular financial institution
• The consumer’s name, address, social security number, or account number
• Any information a consumer provides on an application
• Information from a “cookie” obtained in using a web site

HIPAA Law

The Federal Health Insurance Portability and Accountability Act (HIPAA) has defined Protected Health Information (PHI) as:
“Protected Health Information means any information whether oral, or recorded in any form or medium, that:

• Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearing house and,
• Relates to the past, present, or future, physical or mental health or condition of an individual; or the past, present, or future, payment for the provision of health care to an individual.”

A number of required HIPAA compliance standards relate specifically to individual employee behaviors. These include Unique User Identification (Passwords), workstation security and use, and security incident identification, reporting, and response.

Best Practices:
Secure Passwords

Employees should be required to use secure passwords, and change them frequently. For each user of a computer system the combination of User-ID and Password must be unique. Shared passwords or group “generic” IDs are not permitted. The User-ID is considered public and the name and format is usually known and is based upon a standard within the organization. The password, however, is always private and should be established by the employee and known only by the employee. Passwords should never be written down. Because short, simple, passwords are easily broken by ‘cracking’ software programs Passwords should be at least 15 characters in length and complex. Most secure passwords are based on a phrase that is easy to remember. An example of a good password is (2DisTd2goFishg!) Today is the day to go Fishing! Biometric devices such as finger print readers are often used to authenticate an employee as an alternative to entering long and complex passwords.

Acceptable Use
of the Internet

When Internet access by employees is required to perform their job, employee activities should be guided by a written acceptable use policy, which is enforced by tools. For example, Internet filtering software should be installed to prevent employees from visiting sites that are inappropriate, dangerous, or not related to work. The acceptable use policy and the organization’s information security standards should prohibit and prevent:

• The downloading of unapproved programs, games, and data files. This is often the source of computer virus or worm infections.
• Listening to streaming audio, such as radio, as this practice uses huge amounts of company data communication bandwidth.
• Employee use of the company computer in a private home based business.

Acceptable Use
of Email

Since Email can be easily traced to the source, all organizations should have a policy prohibiting the use of the company Email system for private, illegal, unethical, and unproductive activities by employees. Existence of a written, enforced policy will limit the liability of the company in the event that an employee performs a prohibited behavior. Employees should know that:

• The company Email system is for business use, and messages may be read by authorized company representatives.
• All of the information recorded in the Email system legally belongs to the employer.
• The employee should never write anything in an Email that he/she would not want their boss or their mother to see.
  

Employers, on the other hand, should obtain software that can filter outbound Email content to detect specific terms or combinations of characters that may represent the transmission of confidential, protected information, or potential illegal activity.

Avoid Installing Unauthorized Software

Employees should not install unauthorized software on any company computer. Software that is downloaded from the Internet, or brought to work from home, has the potential to contain dangerous computer code such as a virus, worms or spyware. These can do significant damage to the company network and computer systems. Free software, such as custom screen savers and games, are readily available and are often a prime target to carry these types of infections. In addition to dangerous code infections, employers may be legally liable for any unlicensed copyrighted copies of software the employee has brought from home and installed on the company computer. Employees should never install any computer software on their company computer without prior approval.

Avoid Copying
Company Data to Computers at Home

There may be a number of reasons why it may be important to access confidential company information from home or a remote service location. Telecommuting , ‘after hours support’, and use of portable computers are just a few examples.  Companies, however, should never allow an employee to use a personally owned computer to access their confidential company data, or connect to the company’s computer network. If access to this data is required, the company should always provide a company owned computer, configured with appropriate encryption and secure connectivity controls. This is the only computer that can be allowed to access the company network and this computer can not be used for any personal purposes.

If remote access to company computer facilities is provided (by providing web-based access to company Email, for example), confidential data files may be automatically copied to the remote computer’s RAM or disk. This may be done without the user’s direct knowledge. Having a remote, unprotected copy of confidential data increases the risk of data compromise. Employees should be aware of the organization’s policies related to remote data access, data encryption, and copying of files or Email to portable computers or PDAs. Standards and controls should also apply to portable media such as CDs, external hard disks, or USB flash drives. Employees should be trained in the techniques required to protect this confidential data. Use of portable technologies can greatly improve business productivity and employee satisfaction but appropriate policies, standards and procedures must be in place to protect confidential or protected information.

How Assurity River Group Can Help

Security Risk Review.  Assurity River Group can rapidly help you review your current Email system, Internet controls, employee training standards, and electronic communications policy to determine whether employee security controls are a risk that should be addressed.  We can tell you if your external service provider has secured your Internet and Email services as well.

Policy Creation.  Assurity River Group helps organizations draft effective information security policies and standards to ensure ongoing security with all electronic communication, for both HIPAA and GLBA compliance.

Solutions.  Assurity River Group can provide and implement:

• Digital Persona finger print scanners
• Inexpensive Email content filtering systems
• Secure Email servers on the network, and establish standards for Email security, auditing, and alerts.
• We have experience in implementing systems to enable employees to securely transmit encrypted documents.
• Assurity River Group can also provide a number of remotely managed services to protect your computer systems from pervasive threats on the Internet.

Contact Jeff Olejnik (jolejnik@assurityriver.com) at 651.259.6888 for more information.