Enterprise Security
Identity Theft Prevention Program Proposal
Security - Enterprise Security
Monday, 16 March 2009 00:00

The following is a mock memo to the CEO of a credit card company. This letter provides a high-level overview of the Red Flags Rule (see references for background information) and is meant to gain executive management's support in implementing the regulated requirements for compliance with the FACT 2003 law.

Identity Theft and Compliance with Red Flags Rule Requirements

This memo addresses concerns and requirements related to the Red Flags Rule, which is a component of the “Fair and Accurate Credit Transactions Act of 2003” (FACT 2003). As a creditor organization, we are required to meet certain requirements outlined in section 114 and elsewhere in the FACT 2003 law. To comply with this rule, we must implement a set of policies and procedures to prevent, detect, and mitigate identity theft and data breaches related to our customers’ private and personal information. The FTC originally set a deadline for compliance of November 1, 2008; however, this date has been extended to May 1, 2009. Therefore, it is crucial that we rapidly develop and implement our identity theft prevention program before this date.

Fair Information Practices: Overview and Application to the Omnibus Approach (Presentation)
Thursday, 26 February 2009 00:00

The following presentation is designed to give an overview of the Fair Information Practices. This presentation was originally used in a class project on the creation of an Omnibus Privacy Law in the United States. The Fair Information Practices were originally developed in the United States, but were not actively enacted through laws and regulations there. However, the concepts took hold in the European Union. You can get an overview of the Fair Information Practices here. This presentation was designed to be presented at a congressional hearing in order to help bring the members of Congress up to speed on the topic.

Fair Information Practices: Implementing In Businesses (Presentation)
Thursday, 26 February 2009 00:00

The following presentation was originally part of a class project on the Fair Information Practices. The presentation is designed to help companies and other organizations in the private sector better understand how the passage of an Omnibus Privacy Law would affect their business operations and processes. The presentation highlights the actions that must be taken to comply with privacy guidelines.

Fair Information Practices For System Developers
Thursday, 26 February 2009 00:00

This is the last in a series of three presentations on the Fair Information Practices. This presentation is designed for system developers who create information management and network systems. If an omnibus privacy law were passed, businesses would fall under new requirements. In order to remain competitive, vendors would have to update their products to facilitate compliance. Therefore, this presentation explains the types of changes that would need to be implemented in various systems and software in order to meet the privacy guidelines of the FIPs.

Building Security into System Design
Thursday, 05 February 2009 10:56

Summary

In this article [1], Hale argues that information systems need to be designed with security as a primary factor. He starts the article by emphasizing the number of attacks and their related costs. He notes that it is relatively inexpensive to hack any given enterprise that is specifically targeted by skilled hackers, who are always a step ahead of the security researchers and patch writers. He notes that, in general, systems are not designed with security in mind, and as a result, security holes and backdoors are only discovered after deployment. Consequently, an organization is always playing catch-up to the hackers. If systems are designed not only to function well but also with the goal of increasing security, fewer attacks will be possible. The article notes that security does not just magically appear; it must be explicitly addressed and built into any given system. Whether a system is purchased or built internally, security cannot be an afterthought. Hale concludes by recognizing that it is impossible to make any system 100% secure, but that a security-centric system stands a better chance of resisting attack. A weak system is not going to be secured by an additional security measure such as a firewall.

Relation to Enterprise Security

The security team within an enterprise often focuses on discovering and patching security vulnerabilities. While this is often one of the team's top tasks, it would be better if more time were spent proactively thinking about security. When products are purchased from outside vendors, they should be analyzed and reviewed for their security characteristics. This process would include reviewing NIST/CERT and other reports for the application. Other possibilities include reading product reviews written by security professionals and organizations, as opposed to white papers or general commercial reviews. When products are developed internally, it is important to have a quality assurance team that is well versed in secure coding procedures and practices. In addition, the application should be tested with security tools in a sandbox before deployment. By doing the upfront analysis, the costs of later mitigation are reduced because many of the obvious and easily identifiable security vulnerabilities have already been eliminated.

When security is an afterthought, the security team will always be playing catch-up to the attackers. As a result, attacks will be more costly to handle because of the time pressure created by the urgency and criticality of each vulnerability. In addition, the proactive approach will help create security consciousness within the enterprise, which will help in anticipating and reacting to the inevitable attacks.

Discussion

I believe encouraging vendor security consciousness would also be a valuable presentation. I believe that even if this increased the costs of the software or information system, customers would be willing to pay more upfront for a more secure system. Customers could take the word of the vendor; however, it would be more useful if there was some trusted organization which could provide a score on the security or evaluate the security evaluations used internally by the vendor. 

I am sure that every day, many security professionals earn their salary finding the same common vulnerabilities over and over again on their customers’ systems. While this is great for the auditors and penetration testers, it is a waste for the customer. The customer organization could have saved more money up front by making security-conscious decisions. In addition, this would then allow the penetration testers and security researchers to focus on more intricate and complex vulnerabilities, instead of focusing on the simple exploits that can often be perpetrated with a found script or with “script kiddie” tool kits.

While it is not desirable, it is understandable that many companies continue to use vulnerable software and systems which are known to be insecure. At the time of the initial investment many years ago, security was probably not a hot topic or a major concern. Now, they are stuck with these systems until the next purchasing or upgrade cycle. I believe that today security has become more prominent, and that vendors will work to make their products much more secure. This is not only because of increased awareness, but because of the new reality of negative publicity and diminished customer retention that can result from being flagged as a vendor of insecure or “easily hacked” products.

References

1. Hale, Gregory. Think Network Security First, System Second. Enterprise Security Today. [Online] NewsFactor Network, February 4, 2009. [Cited: February 5, 2009.] http://www.enterprise-security-today.com/story.xhtml?story_id=0110018EEM4R.