Wednesday, April 29, 2009

Non-Profits Can Establish an Effective Data Privacy Program

Non-profits must realize that as large corporations and online businesses better protect their information and systems, data thieves and hackers turn their attention towards institutions with weaker information security practices, like non-profits. Non-profits possess an abundance of financial & personal information, such as bank accounts, credit cards, dates of birth and Social Security numbers, which is very valuable in the wrong hands. Additionally, non-profits have the fewest qualified professionals equipped to manage an effective Information Security program. A Washington Post article reported that data breaches increased by 69% from 2007 to 2008. It's an alarming statistic that shows no signs of slowing down.

Learn what Defines Personal Information

States like Arizona and Massachusetts have created laws to hold organizations more accountable for personal information. The guidance for declaring just what is personal information goes like this in MA and AZ, and it is generally great guidance.

It begins with a natural person's first name or first initial and last name, in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

  1. Social Security number,
  2. Driver's license number or identification card number, and
  3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account.

Source: Non-profit Times - http://www.nptimes.com/08Nov/npt-081115-3.html
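As an added illustration (not code from the original post), here is the definition above written as a classification check a non-profit could run over its records during the top-to-bottom data review: a record is treated as personal information when it carries a name plus at least one of the listed elements and is not encrypted. The field names, the sample records and the three classification levels are assumptions made for this example; the post only says to group data from most to least risky.

```python
"""Classify records under the Massachusetts/Arizona-style definition of
personal information quoted above.

Added example, not code from the original post. Field names such as
first_name, first_initial, last_name, ssn, drivers_license, id_card,
account_number, card_number, security_code, access_code, password and
encrypted are assumptions made for this illustration, as are the three
classification levels.
"""
from typing import Dict, List

# A financial account identifier counts only together with a credential
# that would permit access to the account.
FINANCIAL_IDS = ("account_number", "card_number")
FINANCIAL_CREDENTIALS = ("security_code", "access_code", "password")


def _present(record: Dict[str, object], key: str) -> bool:
    """True when the field exists and is not blank."""
    return bool(str(record.get(key, "") or "").strip())


def has_name(record: Dict[str, object]) -> bool:
    """First name or first initial, in combination with a last name."""
    first = _present(record, "first_name") or _present(record, "first_initial")
    return first and _present(record, "last_name")


def triggering_elements(record: Dict[str, object]) -> List[str]:
    """Data elements in the record that, with a name, trigger the definition."""
    found = []
    if _present(record, "ssn"):
        found.append("ssn")
    if _present(record, "drivers_license") or _present(record, "id_card"):
        found.append("license_or_id_number")
    has_id = any(_present(record, k) for k in FINANCIAL_IDS)
    has_credential = any(_present(record, k) for k in FINANCIAL_CREDENTIALS)
    if has_id and has_credential:
        found.append("financial_account_with_credential")
    return found


def is_personal_information(record: Dict[str, object]) -> bool:
    """Name plus at least one element, and the record is not encrypted."""
    if record.get("encrypted", False):
        return False  # encrypted name and elements fall outside the definition
    return has_name(record) and bool(triggering_elements(record))


def classify(record: Dict[str, object]) -> str:
    """Assign a level that the data privacy policy can attach controls to."""
    if is_personal_information(record):
        return "RESTRICTED"
    # Anything identifying, or an encrypted copy of personal information,
    # still deserves access controls even though it falls outside the definition.
    sensitive_keys = FINANCIAL_IDS + ("ssn", "drivers_license", "id_card")
    if has_name(record) or any(_present(record, k) for k in sensitive_keys):
        return "INTERNAL"
    return "PUBLIC"


def summarize(records) -> Dict[str, int]:
    """Count records per classification level for the top-to-bottom review."""
    counts = {"RESTRICTED": 0, "INTERNAL": 0, "PUBLIC": 0}
    for record in records:
        counts[classify(record)] += 1
    return counts


# Constructed sample records (the card number is a well-known test number,
# the SSN and license number are made up for this example).
SAMPLE_RECORDS = [
    {"first_name": "Ada", "last_name": "Lovelace",
     "card_number": "4111111111111111", "security_code": "123"},
    {"first_name": "Ada", "last_name": "Lovelace",
     "card_number": "4111111111111111", "security_code": "123", "encrypted": True},
    {"first_initial": "G", "last_name": "Hopper", "drivers_license": "S12345678"},
    {"first_name": "Grace", "last_name": "Hopper", "card_number": "4111111111111111"},
    {"ssn": "123-45-6789"},
    {"event": "Spring gala", "date": "2009-05-15"},
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(classify(record), triggering_elements(record), record)
    print(summarize(SAMPLE_RECORDS))
```

Note that a card number without its security code, and an encrypted record, both fall outside the legal definition yet still land in INTERNAL rather than PUBLIC: the statute sets the floor for breach notification, not the ceiling for what the organization should protect.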

How to Start a Data Privacy Program

So where does a non-profit start? Start at the top!

The first thing any organization must do to protect the confidentiality of the data it collects is to establish executive governance over it, flowing from the top of the organization down. Create a written data privacy policy, sponsored by the executive board, that all staff MUST follow. The policy should give clear guidance on how all data is handled within the organization, from information that is shared with the general public to data that must be protected as required by laws and industry regulations. Group the organization's data by classification level, from most risky to least risky. The classification of the organization's data will help determine the appropriate controls to apply to ensure the Confidentiality, Integrity & Availability of the information. More importantly, it will demonstrate "Due Diligence" & "Due Care" by the organization in protecting the privacy of its clients, donors, members & staff.

According to Non-Profit Technology News, organizations can begin doing the following to lower the risks associated with collected data:

  • Begin with a top-to-bottom review of all sensitive or confidential information that's in-house;
  • Assess what data must be kept, what can be stored in (and easily accessed from) a remote location, and perhaps most important, what can be discarded;
  • Determine who needs access to the data and why, and provide only those people with password-protected access to the data;
  • Make sure that the data you do have is backed up on a regular basis in a secure, remote location;
  • If your organization can afford it, hire an independent security expert to review your data security policies and procedures ("It never fails to surface things that never really were an issue to anyone," says Hart);
  • Don't store complete credit card information on site;
  • Limit physical access to servers;
  • Be aware of what confidential and sensitive information is on printed (paper) files, and make sure that all such files are kept secure at all times;
  • Make certain that your Web site complies with fundamental, industry-standard encryption and security measures in the processing of personal information and donation collections.

In addition to the recommendations above, I recommend the following:

  • Create a data destruction policy, which states how long sensitive information should be kept and the manner in which old computers, storage media and paper documents are wiped clean or destroyed, to ensure that the risk of the information being compromised is eliminated.
  • Any data about clients, donors or members that is carried on a laptop or external media MUST be encrypted. Encryption software is not very costly, and an organization avoids having to notify individuals of a security breach if an encrypted laptop or encrypted external media is lost or stolen. Incidents like this can be very costly financially and, most importantly, damaging to the reputation of the organization;
  • Don't keep or collect bank account or credit card information after it is no longer needed;
  • Data that is burned or copied to external media must ALWAYS be encrypted to ensure safe transport;
  • Don't give an individual more access than is needed to do their job;
  • Incorporate "Separation of Duties" to reduce the risk of fraud. Don't allow one person to be the only one responsible for both generating and approving financial transactions;
  • Don't allow a single individual to have complete access to an organization's sensitive data;
  • Use certified donation-collecting technology from external vendors to reduce the risk of unauthorized access to sensitive data or transactions;
  • Conduct an annual data access review to determine who has access to what, and whether their level of access is still needed;
  • If the non-profit can't afford the services of an Information Security professional to review its security needs, alternative arrangements like bartering may help obtain the needed services. For example, freebies like memberships and waived conference fees may be accepted in return for security services;
  • Create an Incident Response Policy that gives the organization guidance to follow in the event of a data security breach; this ensures that the organization reduces any further liabilities under privacy laws or industry regulations resulting from a breach;
  • The best defense against data theft is actually very basic in nature: "Awareness". Organizations should require that individuals who handle sensitive data take Information Security Awareness training every year to stay sharp and alert regarding their responsibility to protect confidential information.

Basics of Information Security Protection - Practice with Consistency!

Bmighty.com reports that in 2008, over 285 million records were compromised and that 90% of the reported breaches would not have occurred if the most BASIC security fundamentals had been followed:

  • Change default credentials – This means out of the box/ gate administrative accounts and passwords;
  • Don't share credentials;
  • Patch immediately and comprehensively upon patch availability;
  • Review user accounts regularly;
  • Terminate IT access thoroughly when employees are terminated;
  • Log and monitor Web and application access.
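The annual access review and separation-of-duties recommendations above, together with the basics of changing default credentials, not sharing credentials, reviewing accounts and terminating access, can be turned into a periodic account review. The script below is an added example, not code from the original post or the cited sources; the staff roster, the account export and its field names (username, last_login, roles, shared, default_password) are constructed for the illustration.

```python
"""Periodic account review covering the recommendations above: terminated
staff still holding access, default and shared credentials, stale accounts,
and one person able to both create and approve financial transactions.

Added example, not code from the original post. Roster, account export and
field names are constructed for this illustration.
"""
from datetime import date
from typing import Dict, List

REVIEW_DATE = date(2009, 4, 29)

# Constructed HR roster: who is employed as of the review date.
ACTIVE_STAFF = {"alice", "bob", "carol"}

# Constructed account export. In practice `default_password` would be set by
# comparing the stored credential against the vendor's documented default.
ACCOUNTS = [
    {"username": "alice", "last_login": date(2009, 4, 20),
     "roles": ["donor_db_read"], "shared": False, "default_password": False},
    {"username": "bob", "last_login": date(2009, 4, 1),
     "roles": ["donor_db_read", "donor_db_admin"], "shared": False, "default_password": False},
    {"username": "dave", "last_login": date(2009, 3, 15),
     "roles": ["finance_approve"], "shared": False, "default_password": False},
    {"username": "admin", "last_login": date(2008, 11, 2),
     "roles": ["sysadmin"], "shared": True, "default_password": True},
    {"username": "carol", "last_login": date(2008, 9, 30),
     "roles": ["finance_create", "finance_approve"], "shared": False, "default_password": False},
]

# Role combinations one person must not hold together (assumed role names).
CONFLICTING_ROLES = [
    ({"finance_create", "finance_approve"},
     "can both create and approve financial transactions"),
]


def review_accounts(accounts, active_staff, as_of, stale_after_days=90) -> List[Dict[str, str]]:
    """Return one finding per account per rule it violates."""
    findings: List[Dict[str, str]] = []

    def flag(user: str, issue: str) -> None:
        findings.append({"username": user, "issue": issue})

    for acct in accounts:
        user = acct["username"]
        if acct["default_password"]:
            flag(user, "vendor default credentials still in use")
        if acct["shared"]:
            flag(user, "shared credentials; activity cannot be attributed to one person")
        elif user not in active_staff:
            # A personal account whose owner is no longer on the roster:
            # access was not terminated when the person left.
            flag(user, "owner is not on the active staff roster; access not terminated")
        idle_days = (as_of - acct["last_login"]).days
        if idle_days > stale_after_days:
            flag(user, f"no login for {idle_days} days; confirm access is still needed")
        roles = set(acct["roles"])
        for conflict, reason in CONFLICTING_ROLES:
            if conflict <= roles:
                flag(user, f"separation of duties: {reason}")
    return findings


def findings_by_user(findings) -> Dict[str, List[str]]:
    """Group issues by account for the reviewer's report."""
    grouped: Dict[str, List[str]] = {}
    for finding in findings:
        grouped.setdefault(finding["username"], []).append(finding["issue"])
    return grouped


if __name__ == "__main__":
    report = findings_by_user(review_accounts(ACCOUNTS, ACTIVE_STAFF, REVIEW_DATE))
    for user, issues in report.items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Run against the constructed data, the review flags the departed user whose account was never disabled, the shared administrative account still on its default password and unused for months, and the finance user who can both create and approve transactions; the two accounts that pass are not mentioned, which is what an auditor wants to see from an exception report.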

Helping Non-Profits get compliant with PCI DSS (Payment Card Industry Data Security Standard)

Beginning in July 2010, all organizations that process credit card transactions must adhere to the Payment Card Industry Data Security Standard (PCI DSS) or face costly fines or revocation of credit card transaction privileges.

The PCI standard consists of 12 key security controls/requirements that, if followed, reduce an organization's exposure to unauthorized access to sensitive data:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

Source: PCI Standard Council - https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Don't be a non-profit leader who avoids talking about the issue of protecting sensitive personal information and who won't make it a priority. Put it alongside other critical business concerns; it is the natural human condition to hope for the best and to assume in your mind that a data breach has not occurred. At my Master's graduation ceremony from the University of Fairfax, our keynote speaker, an expert on data breaches, stated the following: "It's not if a data breach occurs, it's when it will occur…all databases will have a breach at some point".

Julius Clark, MBA, CISSP, CISA

Information Security Professional

Charlotte, NC


2008 Data Breach Report - http://www.washingtonpost.com/wp-dyn/content/article/2008/06/30/AR2008063002123.html?nav=rss_technology

Increasing Data Security In an Insecure World - http://www.nptechnews.com/management-features/increasing-data-security-in-an-increasingly-insecure-world.html

Data Breaches - www.bmighty.com/blog/main/archives/2009/04/data_breaches_w.html

States Push to Encrypt Personal Data - http://www.nptimes.com/08Nov/npt-081115-3.html

Tuesday, April 28, 2009

Using Information Security Detection Technology to Stave Off a Possible Flu Pandemic

You may have heard of Intrusion Detection/Intrusion Prevention Systems (IDS/IPS) used to detect or prevent unwanted hacker activity or viruses from entering a corporate network. Airports in major cities around the globe have started using infrared thermal scanning systems to detect arriving foreigners who have higher than normal body temperatures, which could be a sign of the contagious swine flu. The average human body temperature is 37 degrees Celsius; any foreigner passing through the thermal scanner with a body temperature higher than normal is pulled to the side, tested and, if diagnosed with the flu, quarantined. The swine flu cases appearing around the world have cities in Thailand and Bangkok installing thermal scanners in an attempt to stop the swine flu from spreading and becoming a pandemic.

What the thermal scanner can't do

  • The swine flu is most contagious when a person is not yet showing any symptoms, which makes the thermal scanner useless at that stage.
  • Most people take over-the-counter medication, which temporarily reduces a person's fever.
  • The thermal scanner is most accurate when it can scan the tear ducts of a person's face; if glasses are being worn, the scanner may not detect someone with a fever.
  • The price tag for such a device is around $20,000 per installation, and one would be needed at every ticketing gate of an airport; not very cost-efficient for the rate of swine flu detection.

Imagine if your mother had one of these thermal scanners back when you played sick in order to stay out of school for the day?

Julius Clark, MBA, CISSP, CISA

Thursday, April 23, 2009

The Boston Craigslist Killer: How Information Security techniques were used to track & catch the suspect Philip Markoff

Physical Security

  • Closed Circuit Television (CCTV) monitoring in key locations at the hotels where the suspect attacked his victims records and timestamps video 24 hours a day. The timestamps from the hotels' security video will be used in conjunction with computer records to tie the suspect to the scene of the crimes.

IP Address tracking

  • Investigators used the IP address information obtained from the computer and BlackBerry communications between the suspect and his victims. Investigators were then able to identify and track down the suspect and place him under surveillance. The IP address information between suspect and victims will later be used to connect the suspect to his victims. Every computer on the internet has an IP address, and it leaves behind a trail of every place you go.

Forensic Imaging

  • The first thing a Certified Computer Investigator performs is to make an exact image of the victim's and/or suspect's computer, called a gold image, so that the original evidence is not altered in any way. The investigator must preserve what's called the Chain of Custody of the evidence; if it is not protected, the evidence can be challenged as contaminated and be tossed out by a judge. After the gold image is made, a mathematical algorithm called a hash function is run over it, producing a unique identifier, a "digital fingerprint", similar to how DNA is unique to every living thing, which is highly unlikely to match the hash value of any other data image. A copy of the gold image is used to conduct all investigations for evidence, and the original gold image is locked away for protection and to be used as evidence in court. Additionally, the same process would be used to image mobile phones for inspection of evidence. The two most common hashing algorithms in use today are MD5 & SHA.
  • Investigators will use the forensic image to run keyword searches and to look for email records, graphic files, website visits, documents, etc.
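The gold-image fingerprinting and copy verification described above, as an added example (not code from the original post or from any forensic tool). It uses Python's hashlib to compute MD5 and SHA-256 over a constructed in-memory image, verifies that a working copy matches and that a copy with a single flipped bit does not, and records the result as a chain-of-custody entry. The image bytes, evidence id and custodian name are placeholders invented for the example.

```python
"""Fingerprint a forensic ("gold") image and verify that working copies
are bit-for-bit identical to it.

Added example, not code from the original post or from any forensic tool.
The image, evidence id and custodian are constructed placeholders.
"""
import hashlib
from datetime import datetime, timezone
from typing import Dict

# Hash in 1 MiB blocks so a multi-gigabyte image never sits in memory at once.
CHUNK_SIZE = 1 << 20

# Constructed stand-in for a disk image: a zeroed boot sector followed by a
# small repeating pattern (not bytes from any real device).
GOLD_IMAGE = bytes(512) + bytes(range(256)) * 16

# Constructed acquisition time for the custody log.
ACQUIRED_AT = datetime(2009, 4, 23, 9, 0, tzinfo=timezone.utc)


def fingerprint(data: bytes) -> Dict[str, object]:
    """MD5 and SHA-256 digests plus the byte count of an image."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    view = memoryview(data)
    for start in range(0, len(view), CHUNK_SIZE):
        block = view[start:start + CHUNK_SIZE]
        md5.update(block)
        sha256.update(block)
    return {"size": len(data), "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_copy(gold: Dict[str, object], copy_data: bytes) -> bool:
    """A working copy is acceptable only if every recorded digest matches."""
    return fingerprint(copy_data) == gold


def custody_entry(evidence_id: str, action: str, custodian: str,
                  fp: Dict[str, object], when: datetime) -> Dict[str, object]:
    """One chain-of-custody line: who did what to which item, when, and its hashes."""
    return {
        "evidence_id": evidence_id,
        "action": action,
        "custodian": custodian,
        "timestamp": when.astimezone(timezone.utc).isoformat(),
        **fp,
    }


def altered_copy() -> bytes:
    """A copy with a single bit flipped, to show the fingerprint catches it."""
    data = bytearray(GOLD_IMAGE)
    data[1000] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    gold_fp = fingerprint(GOLD_IMAGE)
    log = [custody_entry("CASE-001-IMG-01", "acquired", "examiner A", gold_fp, ACQUIRED_AT)]
    working = bytes(GOLD_IMAGE)  # the copy examiners actually search
    print("working copy matches gold:", verify_copy(gold_fp, working))
    print("tampered copy matches gold:", verify_copy(gold_fp, altered_copy()))
    for entry in log:
        print(entry)
```

SHA-256 is used here as the SHA variant. MD5 is computed as well because the post lists it, but practical collision attacks against MD5 mean a modern process should record a SHA-2 digest alongside it and treat the SHA-2 value as the authoritative one when the image is challenged in court.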

Connecting the Dots with Audit Trails

  • Using the time-stamped log files of the suspect's and victims' computers and mobile phones, Internet Service Provider records (including Craigslist's), and the hotels' security video, investigators were able to place the suspect at the location of the crimes.

Case solved

The irony here is that the same technology the suspect used to set up his victims ultimately was used to track and apprehend him. No footprints needed, just high-tech trails.

Julius Clark, MBA, MSIS, CISSP, CISA

Information Security Professional

Wednesday, April 22, 2009

Great Black Speakers Bureau

I stumbled upon www.GreatBlackSpeakers.com (GBS) while looking for some images relating to "corporate change". What a great find this was! I have had the opportunity to see many of the speakers registered on this site in person at BDPA conferences:

  • Willie Jolley - Willie Jolley is America's Premier Celebrity Speaker-Singer-Author...Inspiring Millions with Music & Motivation!
  • Ephren Taylor - Ephren W. Taylor II is the youngest African-American CEO of any publicly traded company ever
  • Randal Pinkett - Dr. Randal Pinkett has established himself as an entrepreneur and speaker. Dr. Pinkett was also named the winner of NBC's hit reality television show, The Apprentice, with Donald Trump.

GBS Motto: "Shaping Minds One Speech at a Time"


From the website:

Great Black Speakers was founded in January 2007 by Lawrence Watkins, a 24-year-old, successful entrepreneur. Great Black Speakers Bureau is committed to providing excellence, reliability, and an elevated measure of integrity on a daily basis.


Great Black Speakers Bureau is a new speakers' bureau that helps universities, corporations, and high schools find high quality, African-American speakers for different events.

GBS has a good search feature that lets you search speakers by Topic or Industry.

GBS also assists African American speakers with the opportunity to increase their exposure. We offer services to help speakers advance, promote and manage their speaking career to achieve future success.

You can get started with a one-time-fee of only $125. GBS will handle the marketing of your services for you.

Want to become a motivational speaker?
To be considered as a speaker for GBS, please email the following info to speakers@greatblackspeakers.com:

  • Biography and Picture (Example here)
  • Speech Topics and Categories (i.e. Motivation, Health, Personal Finance)
  • Recent Video of a speech given in the last 18 months.
  • Current Fee information
  • How many speeches you give per year and how many you would like to give.
  • Your Website URL

In closing

Great Black Speakers is an excellent concept and resource for any company or organization looking to book up-and-coming to award-winning African American speakers. I noticed that there are not many Information Technology speakers listed on the GBS site; perhaps some of BDPA's outstanding IT Thought Leaders can fill that gap? Additionally, I did not see any African American Information Security speakers registered with GBS; I think I can possibly build up my work to at least be considered as a featured speaker.

This gives me motivation to build my Thought Leadership brand on Information Security & Technology and solving community issues. Stay tuned….
