Issues in Compliance for Instant Messaging
Compliance is always a large concern, especially with attacks and data breaches increasing. It is important to understand the industry and regulatory requirements that need to be enforced within your corporation and security environment. One area that experts are beginning to see as an issue is instant messaging. This is a communication method that is hard to regulate and record, which could pose problems with industries with strict compliance standards.
In a recent article by Dmitry Shapiro, CTO at Akonix Systems, Inc., “Instant Messaging and Compliance Issues: What You Need To Know”, the issues that are becoming ever more present with IM are discussed. The main issue is the sheer volume of users on these IM systems, totaling in the hundreds of millions. That is before considering what IT managers are most afraid of: the public IM systems, such as AOL Instant Messenger and Yahoo Messenger.
Although IM is a functional tool for communication, there are key areas in which it raises significant compliance concerns:
- Record Retention
- Information Security
- Theft
- Copyright Infringement
These issues grow with the number of users and the amount of information on these systems. With the public IM services, the control a manager would have over an internal system is taken away. Tasks such as auditing, logging, and deleting records all become problems when the manager cannot oversee the whole system and the web of IM conversations being created.
Without compliance and monitoring, the one thing that is apparent is that risk will increase. Shapiro says that the main issues to watch for are:
- Organization of records
- Retention of records
- Tamper Proof Records
- Record Retrieval
- Off-Site Copies
And many more…
With such acts as the Sarbanes-Oxley Act, HIPAA, and GLBA, the ability to control, monitor, protect, and delete records is essential. These regulations require IT managers to remain compliant and to come up with ways to monitor their users’ IM behavior. If this is not done, IM will be a strong source of theft and cybercrime.
Portable Devices: Be Careful Where You are Storing Your Information
Filed under: Authentication Security, Data Security, General Information, Portable Device Security
160,000 portable devices are misplaced in Chicago taxicabs every year. Although this seems like a random fact, it should be a rude awakening for those of you who carry portable devices containing almost all of your business and personal information. Just imagine for a minute that you lose your BlackBerry in an airport. Would you panic?
Nowadays portable devices hold an amazing amount of information and act almost like small computers for business professionals when they are out of the office. Stored information can include:
- Social Security Numbers
- Emails
- Website Credentials
- Passwords
- Company Planning and Contacts
- Confidential customer and/or company information
With all of this information being stored on these small portable devices, their loss is becoming a big concern. Many businesses have started to implement mobile device security plans, and seem to be less concerned with the cost of the device and more in tune with the cost of losing and/or recovering the information.
In the following article, “Lost Black Berry? Data Could Open a Security Breach”, there are a few cases of lost devices that caught my attention:
- A device that contained the personal numbers of congress members
- Losing a device in the O’Hare airport
- Having it stolen out of your car
- Selling it on eBay, without remembering to delete all of the data
All of these cases are extremely dangerous to the owner of the device and to the information inside. There are cases as well where laws become involved. For instance, if a doctor loses their BlackBerry containing client information, it does not only affect the owner of the device. In the healthcare industry, it can violate the Health Insurance Portability and Accountability Act, and for financial and public companies it could easily violate the Sarbanes-Oxley Act.
In order to combat these issues, certain techniques have been created, such as:
- Biometrics
- Passwords (If enabled by the user)
- Remote Data Deletion (Only works if the phone is turned on)
All of these techniques have their benefits and downsides as well. It is clear that we need to protect the data on these devices as though they were any other computer to be protected. It is important to understand what sort of implications losing the device has, and whether or not the company is ready to handle any such issues.
Data Protection is Now the Top IT Security Concern
The news hit today of further breaches in Visa and MasterCard credit card processing systems. Desperate times generate desperate acts; therefore there has been a sharp rise in data and identity theft by those exploiting any available opportunity for personal or financial gain.
At a time when companies have enough on their minds with respect to the economy’s impact on business, IT security concerns continue unabated and are one more threat to financial security. An article in January on SearchCIO-Midmarket.com reported that small-to-medium businesses are not only spending more of their IT budgets on security, but they are focusing more on data protection. That’s certainly good news for those who put their faith in organizations that possess their critical financial data!
The article’s information comes from a research report from Forrester entitled, “The State of SMB IT Security: 2008 to 2009.” In the report, Jonathan Penn, Forrester vice president and the report’s author, shares the interesting detail from his study that SMB IT security strategy now more closely reflects that of large enterprises.
With protection of their data assets being the highest priority, both SMBs and enterprise companies are advised to consider several different types of solutions, such as intrusion detection and vulnerability assessment, but also remember that internal data protection is just as critical. This is where access and identity management, as well as authentication solutions, come into play. Penn affirms that data assets must be protected from insiders as well as external intruders, and points out that both authorized and unauthorized users may use information inappropriately. Therefore, a system that controls access, verifies the identity of users and monitors user behavior is indispensable for organizations that want optimal protection for their business and customer data, and especially for those organizations that also must be compliant with SOX, HIPAA and Payment Card Industry regulations.
As this article conveys, companies of all sizes are increasing their awareness that security is a business issue and that not being strategic and proactive about security is a tremendous business risk.