Todd Feinman, chief executive officer of Identity Finder, is a security and privacy expert based in New York, New York, USA. He has more than 15 years of experience in the industry and is an internationally published author and media personality. He wrote Microsoft’s reference book on securing Windows and McGraw Hill’s university textbook on managing the risks of electronic commerce. Feinman spent 10 years at PricewaterhouseCoopers, where he started as an ethical hacker, breaking through the IT security of Fortune 100 companies, and later took the role of director. He founded Identity Finder to help consumers prevent identity theft and to help businesses prevent data leakage. Feinman has a master’s in business administration from Harvard Business School (Massachusetts, USA) and a bachelor of science from Lehigh University (Pennsylvania, USA).
What do you see as the biggest risks being addressed by IT auditors and/or security professionals? How can businesses protect themselves?
Every day there is another article about companies leaking sensitive data. Whether it is 10,000 Social Security numbers (SSNs) or 100,000 credit card numbers, almost all major industries are at risk, and the problem is getting harder to solve. Some of the issues increasing the risks are that employees have access to more and more corporate data and personal information is now stored in more locations, such as via backups, e-mails and file servers. Historically, there were no rules to protect personally identifiable information (PII), so most organizations do not even know where it exists. It could be hidden in a spreadsheet that has been zipped as an attachment to an e-mail in a mailbox archive. The risk is that the archive could be sitting on a server accessible by an employee totally unbeknownst to the employee. IT auditors may not be looked at as saviors, but by finding this personal information, no matter where it exists, they are protecting employees from accidentally creating data leakage incidents.
How do you see regulations changing the way we store sensitive data? What are your thoughts on auditing sensitive data?
Governments such as the state of Massachusetts (USA), which recently passed legislation known as 201 CMR 17.00, are helping define how sensitive data should be protected. The legislation is similar to some of the controls required by the US Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Payment Card Industry Data Security Standard (PCI DSS), US Red Flag Rules and, to some extent, the US Sarbanes-Oxley Act. One of the keys to the legislation is to have a security program applicable to any records containing personal information. Most organizations have PII that is completely unnecessary, or at least is no longer necessary. Many years ago they might have needed someone’s SSN, but to keep it year after year is creating an unnecessary and costly risk. It is hoped that regulations will convince organizations to get rid of what they do not need and remove all sensitive data from the computers of employees who do not need them. Auditors can help this process with random samples showing where data are stored but not needed.
How do you see the role of governance over PII changing in the next five years?
I think we will start to see more and more corporate governance over PII because no business wants to be that next big data breach headline. Putting aside US and international laws, corporations should minimize their own corporate risk by creating policies to not store PII without proper security controls. This helps ensure no new instances of sensitive information being leaked, allowing businesses to focus their efforts on cleaning up historically saved PII. Technology can help automate finding and protecting anything that slips through the cracks of any new policy and report on what had been stored before these policies were in place. Global corporations with offices in multiple countries will have the added challenge of finding additional national identifiers (e.g., Social Insurance Numbers in Canada, Tax File Numbers in Australia) in the specific countries in which they do business because different countries have various penalties for data leakage. Most of the 50 states in the US, for example, have notification-of-breach laws, and, as a result, there have been court-ordered penalties such as those requiring credit monitoring for affected victims. The European Union has some stringent privacy laws as well, and in the US, I think we will see more legislation from each state, similar to what Massachusetts has done.
How do you see cloud computing changing the way we store sensitive data? What are your thoughts on auditing cloud computing?
The cloud is just one more location on which organizations now store personal information. We have seen entire drives copied to the cloud for sharing among employees, putting the sensitive information of an entire customer list into the hands of hundreds of employees. If they replicate data in the cloud to their machines to work offline, all it takes is one person to lose a laptop or get a system virus that disseminates a document with credit cards, SSNs or other PII. I think the cloud will require a lot more control over how employees access sensitive information. Whether mandated by corporate policy or regulations, it does not matter, as long as customer data and employee information are protected.
What has been your biggest workplace challenge, and how did you face it?
As a software company whose technology helps automate the finding of sensitive data, my organization is used by many auditors, both internal and external. The challenge is that each organization usually has different requirements for the software it uses. Some need high-performance searching, some cannot change systems (i.e., they have a temporary user ID created for the audit), some require very custom reporting capabilities, etc. Trying to be everything to everyone stretches us in many directions. We solved this issue by developing searching algorithms to eliminate false positives and improve accuracy, but chose to still rely on the auditors to manipulate our reports for specific customers’ needs. If we can find all the information they need and provide them with a way to easily extract that information, we have found that they are happy with the software and spend their time customizing reports for their clients.
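A defender-side illustration of the two points above (PII hidden in a zipped spreadsheet inside an e-mail archive, and search logic that eliminates false positives), added here as an example and not Identity Finder's code or anything from the interview: a small Python scanner that descends into nested zip archives and applies Luhn and SSN structural checks before reporting a hit. All sample data, file names and paths are constructed for the example.

```python
import io
import re
import zipfile
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: area 000/666/900+ and all-zero group or serial are never issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def find_pii(text: str) -> list:
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text) if ssn_ok(*m.groups())]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", digits))
    return hits

def scan_bytes(path: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return (path, kind, value) triples, descending into zip archives up to max_depth."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= max_depth:  # bounded recursion: nested archives can go on forever
            return []
        found = []
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                found += scan_bytes(f"{path}/{name}", z.read(name), depth + 1, max_depth)
        return found
    return [(path, k, v) for k, v in find_pii(data.decode("utf-8", errors="ignore"))]

def build_sample_zip() -> bytes:
    """Constructed sample: a CSV zipped inside another zip, like a zipped spreadsheet attachment."""
    csv_text = ("name,ssn,card\nAlice,123-45-6789,4111111111111111\n"  # valid SSN, valid card
                "Bob,666-45-6789,4111111111111112\n")  # bad SSN area, fails Luhn
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("report.csv", csv_text)
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("attachment.zip", inner.getvalue())
        z.writestr("notes.txt", "No customer data here.")
    return outer.getvalue()
```

Running `scan_bytes("mailbox/attachment.zip", build_sample_zip())` reports only Alice's row; Bob's malformed SSN and Luhn-invalid card number are dropped rather than surfaced as false positives.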
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2011 ISACA. All rights reserved.