Data Security: Where there is data, there should be policy

Posted on 30, Mar | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

The recent report by the Wall Street Journal about the Morgan Stanley breach scares me as an employee. Reportedly Galen Marsh, a financial adviser for Morgan Stanley, was fired for allegedly stealing account information from about 350,000 wealth management clients and posting some of it online. The part that concerns me is the reports that federal law enforcement officials are focusing their probe on the possibility that Marsh’s computer was hacked. (Full story here.)

I have not reviewed the full report nor have I looked deeply into the incident. My attention was drawn to the consequences that befell Mr. Marsh and the slim possibility that he did nothing wrong. It seems that in this day of BYOD – Bring Your Own Device – and the use of laptops and mobile devices by employees, it is time for there to be a clear understanding about the company’s responsibilities and the individual employee’s responsibilities. This is not to suggest that an employee’s first question should be “Will I get fired if this laptop is hacked and company data is stolen?” when presented with a company laptop. There should be a clear understanding between the company and the employee of what is expected of each as it relates to the security and control of any electronic device that contains company data.

The foundation of this understanding begins with a good company policy. A policy should be specific regarding the proper use of electronic devices. A policy should also indicate who is responsible for areas such as email security, data security, acceptable use, and physical security of the device. A policy should be a living document. An electronic device policy that covers laptops should be reviewed at a minimum once a year. Policies should be flexible. Some employees may take a laptop home and some may not.

Companies should give employees a chance to review policy before they sign it and allow them to ask questions. I suspect Morgan Stanley utilizes policies that cover the use of laptops by employees for work purposes. I doubt the employee thought he would get fired if the laptop was hacked and client data was exposed. What if the employee were a CFO or CEO?

There is most likely a lot more to this story than has been made public, but the heart of the matter is, as an employee, make sure you are fully aware of what the company expects as it relates to the use of company data and company provided electronic devices.

RMA Exhibits at the IACLEA Southeast Regional Conference & the 15th Annual SCCLEA Linda B. Floyd Safety Conference hosted by Furman University

Posted on 2, Mar | Posted by RMA

RMA participated as an exhibitor at the IACLEA Southeast Regional Conference & the SCCLEA Safety Conference hosted by Furman University in Greenville, SC. The conference brought together over 250 campus law enforcement administrators from across the southeastern United States. The Director of University Police, Tom Saccenti, and his staff provided all the participants with gracious southern hospitality with the beautiful Furman campus as a backdrop. This framework allowed the attendees to focus on the serious business of Leadership in a Crisis.

“Knowing how to respond quickly and efficiently in a crisis is critical to ensuring the safety of our schools and students. The midst of a crisis is not the time to start figuring out who ought to do what. At that moment, everyone involved – from top to bottom – should know the drill and know each other.”

Margaret Spellings
Secretary of Education, 2005-2009

Chief Michael Kehoe, Newtown, CT, began his presentation with this quote, which also captured the underlying themes that ran through all the presentations on the first day of the conference. The IACLEA Southeast Region brought together a powerful group of presenters including:
• Retired Chief Wendell Flinchum, Virginia Tech Police Department 2006-2014
• Dr. Gene Deisinger, Ph.D., Executive Officer, Virginia Tech Police Department
• Chief John DiFava, MIT Police Department
• Chief Michael Kehoe, Newtown, Connecticut
• Lt. Col. Dave Grossman

Each of these presenters shared, for the benefit of the audience, the “good, the bad, and the ugly” side of leading their departments during a significant crisis or a series of significant crises. They took the audience through the details that they could share that formed the basis of the decisions that were made as the crisis situation unfolded: what they knew, what they didn’t know, lessons that were learned along the way, and changes they made to their response program after the fact. Each of the presenters shared common themes that they learned in response to a crisis, including the need for a multi-disciplined approach that includes but is not limited to:

• Relationships: build the network of diverse support before the event happens, and reach out to your network during the crisis – ask for help from people you trust
• Develop a case management plan that is proactive, integrated, and adaptive
• Training, training, training and awareness are critical
• Prevent and mitigate
• Be prepared to monitor and reassess during the crisis continuously
• Assign scribes and capture as much as possible during the crisis, don’t rely on memory
• Communicate

RMA Awarded South Carolina Federal Credit Union Security Assessment Project

Posted on 24, Feb | Posted by RMA

RMA will perform a physical security assessment, including a threat assessment, of the South Carolina Federal Credit Union (SCFC) Corporate Office and 17 branches. As part of the assessment, RMA will review existing security programs, security officer duties, reporting structure, and job descriptions. Members of the RMA Team will be traveling to 18 different sites in South Carolina to become familiar with SCFC security practices. RMA will complete a physical assessment and interviews and review security programs and security officer responsibilities at the corporate office as well as the 17 branch offices.

South Carolina Federal is a community-chartered credit union with 17 branches and more than 50 ATMs throughout Charleston, Georgetown and Columbia. South Carolina Federal Credit Union offers a full range of financial services including savings and investments, checking, credit cards and loans.

RMA Awarded DHSS – State Laboratory of Public Health Security Assessment Project

Posted on 17, Feb | Posted by RMA

RMA will conduct a physical security assessment of the North Carolina Department of Public Health State Laboratory of Public Health and Office of the Chief Medical Examiner. The security assessment will include site interviews, a physical and electronic security assessment, and a review of the policies and procedures.

The State Laboratory of Public Health provides certain medical and environmental laboratory services to public and private health provider organizations responsible for the promotion, protection and assurance of the health of North Carolina citizens.

RMA Teams with Perkins & Will to Provide a Security Assessment of Piedmont Electrical Membership Corporation

Posted on 12, Feb | Posted by RMA

RMA has teamed with Perkins & Will, a global architecture and design firm, to provide a security assessment to Piedmont Electrical Membership Corporation. The security assessment will include a physical security assessment of building exteriors and a review of security systems technology.

Perkins & Will is an interdisciplinary, research-based architecture and design firm established in 1935. Each of the firm’s 24 offices focuses on local, regional and global work in a variety of practice areas. Perkins & Will is recognized as one of the industry’s preeminent sustainable design firms due to its innovative research, design tools, and expertise.

Piedmont Electric Membership Corporation is a Touchstone Energy Cooperative in Hillsborough, North Carolina. Piedmont Electric is a nonprofit electric utility serving 31,000 consumers in parts of Alamance, Caswell, Durham, Granville, Orange and Person counties.

Security Suggestions – The Cloud and Your Data

Posted on 1, Oct | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

I am often asked to discuss IT and data security as it relates to storing data on the Cloud. Nine out of ten times I am asked two inevitable questions: “What is the Cloud?” and “Where is the Cloud?” Hopefully I will answer these questions as I discuss ways to keep your data secure on the Cloud.

There are a number of services that allow you to store data on their servers. Examples of these for an individual or a small business are Dropbox, Sharefile, Google Mail, iCloud, Google Drive, Office 365, and many more. These services quite often are automatically connected to you by your smartphone, iPhone, laptop and/or your desktop computer once you initially log in. Think about using your phone – you don’t have to type in a password to get your Gmail each time. As long as you can access the email app on your phone, you’re in. This is because you have instructed the app to trust your smartphone as a conduit to get your Gmail. This goes for almost any mail account you access from your device.

Go one step further and consider that you may have an account with Dropbox, Office 365, or Sharefile. The same concept applies – you have instructed the app to trust your smartphone as a conduit. To make matters worse, if you have these accounts available on your laptop or desktop they too are accessible without typing in a password once you have initially logged in. This is most often the case because we have instructed the app to remember our password.

Now that we understand – to just a small degree – what the Cloud is as it relates to most users and what as individuals we may have on the Cloud, let’s discuss how to keep it secure. First, don’t store sensitive information in the Cloud. I am not talking about using the online version of TurboTax, for example. I am referring to storing birth certificates, passports, and other scanned documents with sensitive information. There is nothing wrong with a safe deposit box for items like these.

Don’t use the same password for every account, and change passwords regularly. I believe that password security is such an important issue I could write an entire topic on it. By using the same password for email, banking, computer login, online purchases, social media sites, and other activities, you jeopardize the security of all of your accounts if just one gets hacked. Hackers are smart enough to know that if your password to “website.com” is 12345678 and your user name to “website.com” is user@gmail.com, they will try to log in to the Gmail account with the password they have uncovered. You should choose a random password and change it at least every 90 days if not sooner.

Consider reading the terms of service or user agreements to find out how the service works. This is very important if you intend to take advantage of a free 30-day trial. It is possible you will not have access to the data after 30 days without paying for the service. Think about encrypting your data or utilizing a service that includes encryption with data storage.

These are just a few suggestions for securing your data on the Cloud, and this is only a starting point. I am not suggesting that no one should use the Cloud for storing data. For the most part, everyone who uses a computer, smartphone, or tablet is using the Cloud already. The Cloud can be an efficient way to centralize and share data with authorized users. I am suggesting you use it wisely, securely, and with the knowledge that you have done everything possible to protect the data you put on the Cloud.

Behind the Scenes of the Recent IHSSF Crime Survey

Posted on 11, Jun | Posted by Dana M. Frentz, CHPA

In summer 2013, the International Healthcare Security and Safety Foundation (IHSSF) tasked a small group of members to develop a hospital Crime Survey based on a common metric regardless of the number of participants or size of the facility.

The goal of the Crime Survey was to create measurable and trending data based on three different denominators – bed count, average daily census, and square feet. These indicators, combined with the crime data, would then provide a framework in which future Crime Surveys could be conducted with consistency. Since the team was establishing this new framework for the survey and timing permitted, they were able to collect 2012 and 2013 data, which allowed an equivalent foundation upon which to base answers.

Survey results revealed that average daily census was either not completely understood as a metric or was not readily available to respondents. However, bed count and square footage corresponded so consistently that bed count was used for the common denominator.

The team agreed the most valuable and accurate questions would come from the basis of the FBI’s UCR (Uniform Crime Report), since these are national definitions and not based on an individual state’s penal code or a particular organization’s crime classification. Because the organization is international and there is a large contingent of Canadian members, a separate survey was sent to the Canadian membership with questions based on the Canadian Criminal Code. To further assure consistency in the survey, the team provided respondents with the UCR definition, along with a healthcare-related example.

The 10 different types of crime deemed relevant to hospitals included: murder, rape, robbery, aggravated assault, assault (simple), disorderly conduct, burglary, larceny/theft, motor vehicle theft, and vandalism. Both types of assaults were further broken into sub-categories as they are considered workplace violence incidents:

Type 1: Violent acts by criminals, who have no other connection with the workplace, but enter to commit robbery or another crime.
Type 2: Violence directed at employees by customers, clients, patients, students, inmates, or any others for whom an organization provides services.
Type 3: Violence against coworkers, supervisors, or managers by a present or former employee.
Type 4: Violence committed in the workplace by someone who does not work there, but has a personal relationship with an employee – an abusive spouse or domestic partner.

Overall, the survey results showed a significant increase in violent crimes between 2012 and 2013 and a minimal increase in property crimes such as vandalism and burglary during this same time period. The greatest increase fell into the category of disorderly conduct and assaults. Respondents further provided the requested breakdown in types of violence for assaults. The Type 2 category accounted for more than 90% of all assaults.

While the number of this year’s survey respondents was higher than in years past, there is still room for improvement. The team believes that calculating crime rates on the basis of bed count and square footage will mitigate issues that can arise from the number of respondents or different hospitals responding year after year.

The 2014 HealthCare Crime Survey Committee was comprised of Lead Author Karim Vellani, CPP, CSC; IHSSF President Steve Nibbelink, CHPA; David Gibbs, CPP; and Dana Frentz, CHPA. For more information about the 2014 IHSSF Crime Survey, please visit http://iahss.org/PDF/crimesurvey2014.pdf.

IHSSF, the International Healthcare Security and Safety Foundation, was founded in 1981 as the philanthropic arm of IAHSS. The International Healthcare Security and Safety Foundation was established to foster and promote the welfare of the public through educational and scientific research and the development of the healthcare security and safety body of knowledge.

IHSSF promotes and develops educational research into the maintenance and improvement of healthcare security and safety management as well as develops and conducts educational programs for the public.

RMA Presents at CSI Week at Meredith College

Posted on 25, Oct | Posted by RMA

Chris Peterson presented Enemies at the Gate – or Are They Already Inside? as part of CSI Week at Meredith College. CSI Week allows students at Meredith to explore career opportunities in law enforcement and related fields. The event is sponsored by the Sociology and Criminology Programs, and the Sociology & Criminology Club (and with the support of Political Science, Accounting, & Social Work).

Other presenters during the week included:

• Special Agent Jahaira Torrens spoke about Homeland Security Investigations.
• Cat Flowers, owner of Cat Eye Detective Agency, presented.
• Police Officer and Social Worker Renea Lockhart spoke about domestic violence and being both an officer and a social worker.
• U.S. Marshals talked about the work they do tracking down fugitives and other law enforcement activities.
• Wake County Prosecutors spoke about their work.
• RPD Gang Unit talked about their work with gang prevention and dealing with gangs in Raleigh.
• Crime Scene Analysis: an RPD patrol officer, a CCBI investigator (the local CSI) and a detective from Raleigh Police talked about how they work and investigate a crime scene.
• Cary Police Department crime mapping analyst Elise Pierce spoke about her work in the use of crime scene mapping to facilitate the work of police in Cary.

Chartered in 1891, Meredith College is one of the largest independent private women’s colleges in the U.S. Meredith also offers coeducational graduate programs in business, education and nutrition, as well as post-baccalaureate certificate programs in pre-health and business, a dietetic internship program, a didactic program in dietetics and a paralegal program. Meredith’s programs – undergraduate and graduate – challenge each individual student to think deeply, push hard, discover new strengths and grow even stronger. Meredith has been cited as one of the “best colleges” in the region and the country by U.S. News & World Report, The Princeton Review and Forbes.com.

RMA Completes Security Assessment of RTP

Posted on 18, Sep | Posted by RMA

Risk Management Associates, Inc. has completed a security assessment of Research Triangle Park. The Research Triangle Foundation has developed and is in the process of implementing a new master development plan for the Research Triangle Park (RTP) community. As a critical component of that plan, the foundation decided to conduct a security assessment to provide stakeholders with the current security posture of RTP. A security assessment is one of the most cost-effective means to assess the security people, processes, and technology that are in place today and to plan for the security needs of the community moving forward.

The Research Triangle Park is home to more than 170 global companies – including IBM, GSK, Syngenta, RTI International, Credit Suisse, and Cisco – that foster a culture of scientific advancement and competitive excellence. RTP is located between three major universities: Duke University in Durham, North Carolina State University in Raleigh, and the University of North Carolina at Chapel Hill.

Through five decades, the Park still holds to its founders’ aspirations: to generate economic activity, engage the talents of local graduates and citizens and carry North Carolina forward to ever-greater prominence and prosperity.

WRAL: Security measures not foolproof, consultant says

Posted on 17, Sep | Posted by RMA
