Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...
By Yin Wilczek
March 5 — In an era of prevalent cyber breaches, panelists at a March 5 privacy conference pointed to the top 10 categories of controls and security operations they said companies should implement to help them discover hacking incidents and control data leakage.
Environmental differences within organizations—including the types of contractors, consultants and users they have and whether their code repositories are kept in-house or externally—greatly impact what sorts of controls are appropriate, said James Shreve, an associate at BuckleySandler LLP in Washington. Christopher Pierson, executive vice president, general counsel and chief security officer of Viewpost LLC, also said that systems well-designed at the front end will help companies maintain a “cleaner house.”
They spoke at the International Association of Privacy Professionals' Global Privacy Summit in Washington.
The top 10 security controls are:
• access-based controls, such as network segmentation and restrictions on movement between systems;
• signature-based controls, such as firewalls, intrusion detection and prevention systems (IDS/IPS) and data leakage protection;
• setting baselines for what is considered “normal”;
• whitelisting technology, in which only applications, processes or connections on an approved list are permitted;
• indicators of compromise (IOCs), used to detect and block connections to known-malicious Internet Protocol (IP) addresses;
• file integrity monitoring, where key files are monitored for modifications;
• access controls for users;
• network flows;
• encryption; and
• threat intelligence.
Among other observations, the panelists noted that signature-based controls remain necessary, especially from the standpoint of reducing legal liability. However, baselines and white listing technology are gaining in popularity and increasingly the direction in which organizations are heading, they said.
Shreve added that the more granular the baselines, the better companies can detect when something abnormal—such as access at strange times of the day—is occurring. In addition, the baselines must be constantly refined, he said.
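To make the granularity point concrete, here is an added example that is not from the article or the panelists: a small Python script that learns, from a training window of sshd "Accepted" log lines, the hours of day at which each account normally logs in, then flags logins that fall outside that learned window. It is run twice over the same data, once with a per-user baseline and once with a single organization-wide baseline, so that the difference Shreve describes is visible. The log lines, account names and addresses are constructed for the example; the hour-of-day model with a one-hour tolerance is a deliberately simple stand-in for a real baseline, which would be learned over weeks of data and would cover more dimensions (source address, device, data volume) than time of day.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (invented for this example, not real data).
# TRAINING is the window used to learn what "normal" looks like; TO_CHECK is
# the window examined against that baseline.
TRAINING = [
    "Mar 01 09:12:01 bastion sshd[1201]: Accepted publickey for alice from 10.0.1.20 port 51234 ssh2",
    "Mar 01 17:40:11 bastion sshd[1202]: Accepted publickey for alice from 10.0.1.20 port 51235 ssh2",
    "Mar 02 10:05:44 bastion sshd[1303]: Accepted publickey for alice from 10.0.1.20 port 51236 ssh2",
    "Mar 01 23:15:09 bastion sshd[1204]: Accepted publickey for opsbot from 10.0.9.5 port 41000 ssh2",
    "Mar 02 03:30:00 bastion sshd[1305]: Accepted publickey for opsbot from 10.0.9.5 port 41001 ssh2",
]
TO_CHECK = [
    "Mar 03 03:02:17 bastion sshd[1401]: Accepted publickey for alice from 203.0.113.7 port 60001 ssh2",
    "Mar 03 11:00:00 bastion sshd[1402]: Accepted publickey for alice from 10.0.1.20 port 51240 ssh2",
    "Mar 03 03:30:00 bastion sshd[1403]: Accepted publickey for opsbot from 10.0.9.5 port 41002 ssh2",
]

LINE_RE = re.compile(
    r"^\w{3} +\d{1,2} (\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (\S+) from (\S+) port \d+"
)


def parse_login(line):
    """Return {'user', 'hour', 'src'} for an accepted-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hour, user, src = m.groups()
    return {"user": user, "hour": int(hour), "src": src}


def per_user(event):
    """Granular baseline: one bucket per account."""
    return event["user"]


def org_wide(event):
    """Coarse baseline: every account shares a single bucket."""
    return "*"


def build_baseline(lines, key, tolerance=1):
    """Learn the hours of day during which each bucket normally logs in.

    Each observed hour is widened by +/- tolerance hours (wrapping at
    midnight) so that a login a few minutes past a usual time is not flagged.
    """
    baseline = defaultdict(set)
    for line in lines:
        ev = parse_login(line)
        if ev is None:
            continue
        for d in range(-tolerance, tolerance + 1):
            baseline[key(ev)].add((ev["hour"] + d) % 24)
    return dict(baseline)


def detect_anomalies(lines, baseline, key):
    """Return logins outside the learned hours for their bucket.

    A bucket never seen during training has no normal hours at all, so any
    login from it is reported.
    """
    flagged = []
    for line in lines:
        ev = parse_login(line)
        if ev is None:
            continue
        if ev["hour"] not in baseline.get(key(ev), set()):
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    fine = build_baseline(TRAINING, per_user)
    coarse = build_baseline(TRAINING, org_wide)
    print("per-user baseline flags:", detect_anomalies(TO_CHECK, fine, per_user))
    print("org-wide baseline flags:", detect_anomalies(TO_CHECK, coarse, org_wide))
```

With the per-user baseline, alice's 03:02 login from an outside address is reported, because alice has only ever been seen during office hours; the organization-wide baseline says nothing, because opsbot's overnight activity has taught it that 03:00 is normal for "the company". That is the cost of a coarse baseline, and why the training window has to be re-learned as roles and schedules change.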
Pierson also noted that while file integrity monitoring can be human resource-intensive, it may be worthwhile in certain segments of the business when carried out “with precision.” File integrity monitoring “can be an incredibly powerful tool” to detect file changes but must be performed “very carefully,” he said. “You must be careful how you wield this.”
Businesses more likely to use file integrity monitoring are those with well-thought out security systems and “good management,” Pierson said.
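The following is an added example of the file integrity monitoring the panelists describe; it is not code from the article or from any of the speakers' organizations. It fingerprints only an explicit list of sensitive paths (the "precision" Pierson refers to, as opposed to hashing an entire filesystem and drowning in noise), records content hash, size and permission bits, and then reports which watched files were modified, added or removed. The watched paths, file contents and tampering steps are constructed inside a temporary directory so the script runs offline; the names mimic a Unix host (sshd_config, a login binary, sudoers, shadow) but are stand-ins, not a recommended watch list. A real deployment keeps the baseline off-host or signed, since an attacker who gains root can otherwise rewrite it along with the files.

```python
import hashlib
import os
import stat
import tempfile


def file_fingerprint(path):
    """Content hash plus the metadata an attacker would also have to preserve."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    st = os.stat(path)
    # S_IMODE keeps the setuid/setgid/sticky bits, so a silent chmod u+s shows up.
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def snapshot(root, watched):
    """Fingerprint only the paths in `watched` (relative to root).

    Scope is an explicit allow-list rather than a directory walk: that is what
    keeps the alert volume manageable. A watched file that does not exist is
    recorded as None so that its later appearance or disappearance is noticed.
    """
    snap = {}
    for rel in watched:
        full = os.path.join(root, rel)
        snap[rel] = file_fingerprint(full) if os.path.isfile(full) else None
    return snap


def compare(baseline, current):
    """Diff two snapshots. Modified entries carry the attributes that changed."""
    findings = {"modified": [], "added": [], "removed": []}
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before == after:
            continue
        if before is None:
            findings["added"].append(rel)
        elif after is None:
            findings["removed"].append(rel)
        else:
            changed = sorted(k for k in before if before[k] != after[k])
            findings["modified"].append((rel, changed))
    return findings


def demo():
    """Build a throwaway tree, baseline it, tamper with it, and report.

    Everything here is constructed for the example: the paths imitate a Unix
    host but live under a temporary directory.
    """
    watched = ["etc/sshd_config", "bin/login", "etc/sudoers", "etc/shadow"]
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        initial = {
            "etc/sshd_config": b"PermitRootLogin no\n",
            "bin/login": b"\x7fELF-stub\n",
            "etc/shadow": b"root:*:19000:0:99999:7:::\n",
        }
        for rel, data in initial.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = snapshot(root, watched)

        # Simulated tampering: weaken the config, make the binary setuid,
        # drop in a sudoers file, and delete the shadow file.
        with open(os.path.join(root, "etc/sshd_config"), "wb") as f:
            f.write(b"PermitRootLogin yes\n")
        os.chmod(os.path.join(root, "bin/login"), 0o4755)
        with open(os.path.join(root, "etc/sudoers"), "wb") as f:
            f.write(b"ALL ALL=(ALL) NOPASSWD: ALL\n")
        os.remove(os.path.join(root, "etc/shadow"))

        return compare(baseline, snapshot(root, watched))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

The permission-bit check is the part most simple hash-only monitors miss: the login binary's contents and hash are unchanged, yet it now runs setuid, and the report says so with `("bin/login", ["mode"])`. In production the snapshot would be taken on a schedule, the baseline re-established only through the change process, and each finding routed to whoever owns that file, which is the "good management" the panel was pointing at.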
Meanwhile, companies should regularly monitor their access controls for users, Shreve said. He also noted that in certain parts of their business, companies may need to be more granular with respect to access controls. At the same time, they can borrow ideas from the financial sector, where regulators such as the Securities and Exchange Commission and the Federal Deposit Insurance Corporation have actively encouraged firms to pursue better cyber practices, Shreve said.
Moreover, Shreve warned that “not all encryption is created equal.” Some forms of encryption are more secure than others, he said. He also noted that encryption can interfere with the usability of data and with other controls, such as data loss prevention.
Shreve further warned that encryption may be mandated in some instances, and he urged companies to review their legal, regulatory and contractual requirements.
As for intelligence, Shreve observed that threat information-sharing now is a favorite cybersecurity topic for lawmakers. In addition to formal information sharing—such as with industry Information Sharing and Analysis Centers (ISACs), regulators and law enforcement—companies shouldn't forget “informal” information sharing, he said.
Shreve added that companies should develop procedures for what information they will share and when and how they will share it. This is not something that should be performed on an “ad hoc basis,” he said.
To contact the reporter on this story: Yin Wilczek in Washington at email@example.com
To contact the editor responsible for this story: Kristyn Hyland at firstname.lastname@example.org