Happy Holidays! Since many people are still on vacation this week, it is easy for a significant story to get lost in the clamor of holiday retail spending and coverage of how Times Square is being secured for the 2006 festivities. But there is one story I wanted to bring to the forefront because, in my opinion, it is an important security and privacy issue that IT needs to be certain it has a good handle on.

This week, it seems Marriott Vacation Club International, the vacation ownership/timeshare arm of Marriott International, misplaced data tapes containing financial, banking, and social security information on more than 200,000 customers. It is still unclear whether these tapes were lost or stolen, since there is not a lot of public information on the matter. The only reference I found was from watching ABC World News Tonight. This is not a new phenomenon: other well-known companies in industries such as banking and healthcare have recently had similar incidents.

So, the question is: what are executives (CEOs, CFOs, CIOs) and IT professionals doing to prevent this from happening to their company? What can individuals do to protect themselves?

I have a few ideas about where we should start to address the issue, but this is by no means comprehensive or prescriptive, since every company is unique.

1.) Bring backup and storage into this century. Too many companies have left their key backup, recovery, and data storage systems on 1990s (or older) technology. It is easy to misplace data tapes, and Wall Street would shudder to know the companies where I have seen them just lying around. Companies should be looking at implementing a storage area network (SAN) or a similar solution. Vendors such as EMC and HP have great offerings in this area. SANs help companies manage their growing volumes of data and support their disaster recovery plans. Here is a great article on how Greenwich Hospital implemented a SAN that helped improve patient outcomes and manage HIPAA compliance.

2.) Secure your data. A great new feature in SQL Server 2005 is native database encryption for all versions. This is extremely valuable for HIPAA and for anyone dealing with privacy legislation like the California Privacy Act. Encrypt your data. Also review your data management plans. How many people touch customer data? Who are they? What controls are in place to protect against theft, abuse, misplacement, etc.? How are external agents and partners (UPS, DHL) monitored? How often are people trained on protecting customer data?
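As an added illustration of the SQL Server 2005 column-level encryption mentioned above (example code written for this post, not code from Microsoft or from any company named here), the following T-SQL keeps a social security number column encrypted under a symmetric key whose protection chain ends in a password-protected database master key. The database, table, key and certificate names, the passphrases and the sample row are all assumed for illustration.

```sql
-- Added example: protecting a customer SSN column in SQL Server 2005.
-- CustomerDB, Customers, CustKey and CustCert are assumed names.
USE CustomerDB;
GO

-- 1. Database master key, protected by a password (and, by default, by the
--    service master key of this server instance).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Use-A-Long-Random-Passphrase-Here!';

-- 2. Certificate that protects the symmetric key.
CREATE CERTIFICATE CustCert WITH SUBJECT = 'Customer data protection';

-- 3. AES-256 symmetric key, encrypted by the certificate.
CREATE SYMMETRIC KEY CustKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CustCert;
GO

-- 4. Store the SSN only in encrypted (varbinary) form, never in clear text.
CREATE TABLE Customers (
    CustomerID INT IDENTITY PRIMARY KEY,
    FullName   NVARCHAR(100) NOT NULL,
    SSN_Enc    VARBINARY(256) NOT NULL
);

OPEN SYMMETRIC KEY CustKey DECRYPTION BY CERTIFICATE CustCert;

INSERT INTO Customers (FullName, SSN_Enc)
VALUES (N'Sample Customer',                                -- constructed row
        EncryptByKey(Key_GUID('CustKey'), '000-00-0000'));  -- constructed SSN

-- 5. Only a session that can open the key sees the clear-text value; anyone
--    reading the raw data files or a backup tape sees only ciphertext.
SELECT CustomerID, FullName,
       CONVERT(VARCHAR(11), DecryptByKey(SSN_Enc)) AS SSN
FROM   Customers;

CLOSE SYMMETRIC KEY CustKey;
GO

-- 6. Back up the certificate and its private key to a file that is stored
--    separately from the data tapes; a restore on another server needs it.
BACKUP CERTIFICATE CustCert TO FILE = 'D:\keys\CustCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\CustCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Another-Long-Passphrase!');
GO
```

Because the service master key lives in the master database and not in the user database backup, a copy of CustomerDB restored on a different server cannot open its master key automatically; the restoring party must supply the master key password, which is why the data on a misplaced tape stays unreadable as long as the passwords and key backups are kept apart from it.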

3.) Safeguard your customer systems. Do your systems have names that would give away their value to anyone who hacks into the system (e.g., a customer database instance called "Customers" or Siebel instances called "Siebel")? If so, get creative. If you are not creative, try a naming convention that is non-intuitive to outsiders, such as XST01965AC (doesn't look like customer data now, does it?).

4.) Review your software patch strategy, including how you keep up to date on virus signatures, database patches, etc.

I could probably go on and on about security and privacy, but since I am not an expert in that area, check out this resource for IT Pros instead; it has lots of good content. Here are some other resources you might want to check out.

Microsoft: Help Prevent Identity Theft From Phishing Scams

Microsoft: Security at Home: Protect Personal Information

Happy Holidays! I hope you, your families, and your companies have a very safe and SECURE 2006!