
Health Net Breach — A Failure of People, Process & Technology

The recent Health Net data breach of 1.5 million patient records, caused by a lost hard drive, involved unencrypted personal information such as names and addresses, medical records, Social Security numbers and other financial information.  A breach of this magnitude is shocking, and what is more astounding is that the breach apparently occurred in May 2009 and was not reported to the Connecticut Attorney General’s office until this month (November 2009).  The breach may constitute gross negligence under HIPAA, the FTC Red Flags Rule, Connecticut’s Public Act 08-167, CGS 36a-701(b) and other state regulations and breach notification laws.

I am sure that Health Net, like most companies, felt they developed the necessary controls to meet such regulations.  But a breakdown of this magnitude proves a failure of the company to institute “strong enough” information security policies, employee awareness programs and technology across the company to protect against this major corporate risk.   That is why we have been advising our clients to develop a risk-based information protection plan that estimates their potential loss against the cost of securely controlling and protecting their information assets.  The monetary penalties and consequences to Health Net for this breach will far outweigh the “should-have” preventative costs of deploying the right controls for this threat.  If the lost hard drive were encrypted, I wouldn’t even be writing this blog.

In his statement, Attorney General Richard Blumenthal stated that “I will vigorously and aggressively seek damages, penalties and other appropriate remedies, if warranted.”

This is not an option:  *Information security programs that include people, process, technology and partners must be vigorously managed and improved upon over time.*     Comments are welcome.

jay.martin@cppit.com

www.cppit.com


SSL and TLS no longer safe?

End-to-end encryption took a hit last week when US-CERT reported that exploit code for a man-in-the-middle attack against SSL and TLS is publicly available.  The flaw is in renegotiation: when a client or server renegotiates the security context of an existing connection, the new handshake is not bound to the one before it, so an attacker can open a connection to a server, send some data of their own, and then splice a victim’s handshake into that connection as a renegotiation.  The server treats the victim’s subsequent traffic as a continuation of the attacker’s, which for HTTP means the attacker’s unfinished request is completed with the victim’s request and credentials.  The vulnerability affects pretty much every site we securely connect with, including online banking sites, PayPal and so on, and because it is a flaw in the protocol rather than in one implementation, it affects every operating system and browser.

Updates are not yet available to remediate the vulnerability, but there is an Internet-Draft dated November 14, 2009 that fixes TLS by adding a renegotiation indication extension: each side carries the verify_data from the previous handshake into the renegotiation handshake, so a spliced-in handshake from a party that was never on the connection is rejected.  (The draft was later published as RFC 5746.)  A draft this far along means the IETF TLS working group already knew about the vulnerability and had been working on the fix under a coordinated disclosure embargo before US-CERT published the news.  The interim mitigation most vendors shipped first was simply to disable renegotiation outright; the extension is what allows it to be turned back on safely.

As you may know, SSL itself will not be updated.  Most of us are really using TLS in our browsers when we connect to secure web sites: we still call it SSL, but SSL 3.0 is the predecessor of TLS 1.0 and is only negotiated as a fallback when TLS is unavailable.
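Here is a small Python model of the flaw and of the fix the draft proposes. It is an added example, not code from the original post or from any TLS implementation: it does not do real TLS, it only models the one property at issue, whether a renegotiation handshake is bound to the handshake that preceded it on the same connection. The connection names, paths and cookie value are constructed, and the Finished message’s verify_data is stood in for by a hash of fresh random bytes.

```python
"""Toy model of the 2009 TLS renegotiation flaw and the RFC 5746 fix.

Added example, not code from the original post. It does not implement TLS;
it models only whether a renegotiation handshake is bound to the handshake
that preceded it on the same connection. Peers, paths and cookie values are
constructed for the example.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    """Server-side state for one TLS connection."""
    peer: str                     # who the server is really talking to (narrative only)
    client_verify: bytes = b""    # verify_data from the last client Finished message
    app_data: bytes = b""         # decrypted application data, in arrival order


@dataclass
class ClientHello:
    origin: str
    # RFC 5746 renegotiation_info extension: b"" on an initial handshake, the
    # previous client_verify on a renegotiation, None if the extension is absent.
    renegotiation_info: Optional[bytes]


class Server:
    def __init__(self, secure_renegotiation: bool):
        self.secure_renegotiation = secure_renegotiation
        self.connections: Dict[str, Session] = {}

    def handshake(self, conn: str, hello: ClientHello) -> bool:
        """Run a handshake on connection `conn`; False means a fatal alert was sent."""
        sess = self.connections.get(conn)
        if sess is None:
            sess = self.connections[conn] = Session(peer=hello.origin)
        else:
            # Renegotiation. A patched server demands proof that this client took
            # part in the previous handshake on this very connection.
            if self.secure_renegotiation and hello.renegotiation_info != sess.client_verify:
                del self.connections[conn]          # handshake_failure alert
                return False
            sess.peer = hello.origin                # unpatched: rekeys with whoever this is
        # Stand-in for the Finished message: 12 bytes derived from fresh key material.
        sess.client_verify = hashlib.sha256(b"client finished" + os.urandom(16)).digest()[:12]
        return True


def http_requests(stream: bytes) -> List[bytes]:
    """What an HTTP server makes of the plaintext stream: requests split on a blank line."""
    return [req for req in stream.split(b"\r\n\r\n") if req]


def splice_attack(server: Server) -> Optional[List[bytes]]:
    """Attacker opens a connection, sends a request prefix, then forwards the
    victim's initial handshake into that connection as a renegotiation.
    Returns the requests the server ends up processing, or None if it aborted."""
    conn = "tcp-conn-1"
    if not server.handshake(conn, ClientHello("attacker", b"")):
        raise RuntimeError("initial handshake always succeeds in this model")
    sess = server.connections[conn]
    # No terminating CRLF CRLF: the header line is left open so that whatever
    # arrives next is swallowed as the value of X-Ignore.
    sess.app_data += b"GET /transfer?to=attacker HTTP/1.1\r\nX-Ignore: "
    # The victim believes it is starting a fresh connection, so its ClientHello
    # carries an empty renegotiation_info (or none at all on a pre-RFC 5746 client).
    if not server.handshake(conn, ClientHello("victim", b"")):
        return None
    # The victim's first request arrives under the new keys and the server's
    # HTTP layer appends it to the attacker's unfinished request.
    sess.app_data += b"GET /account HTTP/1.1\r\nCookie: session=VICTIM\r\n\r\n"
    return http_requests(sess.app_data)


def legitimate_renegotiation(server: Server) -> bool:
    """A client that really was party to the first handshake can still renegotiate."""
    conn = "tcp-conn-2"
    server.handshake(conn, ClientHello("client", b""))
    previous = server.connections[conn].client_verify
    return server.handshake(conn, ClientHello("client", previous))


if __name__ == "__main__":
    print(splice_attack(Server(secure_renegotiation=False)))  # one request carrying the victim's cookie
    print(splice_attack(Server(secure_renegotiation=True)))   # None: spliced handshake refused
    print(legitimate_renegotiation(Server(secure_renegotiation=True)))
```

The unpatched server ends up with a single request: the attacker’s /transfer request completed with the victim’s cookie. The patched server refuses the spliced handshake because the victim’s ClientHello cannot carry the previous client_verify, while a client that really did the first handshake renegotiates without trouble. RFC 5746 also adds the mirror check on the client side (a ServerHello that claims a previous handshake the client never performed), which this server-only model leaves out.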

I suspect a patch is on its way within the next few weeks, so make it a priority to update your systems through your normal patch update mechanism.


Demystifying The Confusing Service Catalog

What is a “Service Catalog”?  Ask this question of 10 people and you may get 20 answers.  The answers vary from a documented, resume-like list of IT capabilities to a list of requestable items that IT can provide to an end-user.  As IT vendors and consulting organizations, we’ve done nothing but contribute to the overall confusion around the service catalog.  The only thing we’ve been able to convey with any consistency is that if you are an IT service provider (whether internal to an organization or an external third party) it’s important to have one.  That’s where the common theme around the service catalog ends, I’m afraid.

So let’s break it down from an ITIL perspective:

Question 1:  What is a Service?

A service is something that provides “value” to customers by facilitating outcomes customers want, without the customer owning the specific costs or risks.  Take an email service that is up and running 24 x 7 with the ability to send and receive messages, filter spam and guarantee delivery, or pick another customer-facing service where you can clearly articulate a desired business outcome.  The customer is not a technology expert; they are a subject matter expert for their business area.  This does not mean that they don’t pay for the service.  It means that the IT service provider, as the technology expert, has a better opportunity to understand and control the costs and risks than the customer can hope to, and therefore the customer has put ownership of those costs and risks in the provider’s more capable hands.

Question 2:  What is a business service and what is an infrastructure service?

A business service is an IT service that DIRECTLY supports a business process.  Benefits Administration, for example, is a business service that allows a business unit to track and manage corporate benefits, benefit entitlements and the subscription choices of employees.  In a water delivery system, think of the faucet as the business service.  When I turn the cold water faucet on I get cold water.  When I turn the hot water faucet on I get hot water.

An infrastructure service is an IT service NOT DIRECTLY used by the business, but required by the IT service provider so that it can provide business services.  For example, in order for the Benefits Administration business service to perform its required functions it needs to be supported by server administration services, storage services, directory services and communications services.  Think of the infrastructure services as the plumbing and the water heater in your home, and the wells or reservoirs, pumping stations and municipal piping that deliver water to your home.

Question 3:  What is a Service Catalog?

A Service Catalog is a database or structured document with information about all live services and all services planned for delivery.  It is used to support the sales and delivery of IT services.  The Service Catalog includes information about the deliverables of IT services, contact points, prices, and ordering and request processes.  The portion of the service catalog that is visible to business customers is only the business services.  Both business and infrastructure services are visible to the IT organization.

Question 4: What is a Service Request?

A Service Request is the act of subscribing to a service, or of turning on, turning off or altering some underlying aspect or capability of a service.  For example, if email is my business service I may be able to make the following requests:

  • Add or remove mailbox
  • Add or remove a mail user
  • Grant or revoke a user’s rights to access a mailbox
  • Extend the amount of space in a mailbox

Question 5:  What is an Actionable Service Catalog?

It is an electronic version of the Service Catalog described in Question 3, constructed in such a way as to allow you to search services, service levels and service contacts, and to make requests related to services.  It provides both a communication vehicle (linking real-time service level metrics, or alerts about service changes, for example) and an automated service request mechanism to allow for self-service.


On ITIL & Six Sigma

Six Sigma or ITIL for IT organizations?  We’re often asked this question as if there were a clear choice between the two, or as if they were mutually exclusive.  In fact, both ITIL and Six Sigma have the same goals, to drive process efficiency and effectiveness, and each contributes in a complementary fashion to achieving them.  For those IT organizations that have well-defined processes in place, Six Sigma tactics can be used to measure, analyze and improve the performance and effectiveness of the process.

But the key is that you have to have something to measure.   For those organizations that have informal or loosely defined processes, this is where ITIL comes in.  ITIL provides a process framework that is accompanied by well-defined inputs, outputs, activities and metrics.  ITIL lays a process foundation that Six Sigma methods can continuously improve upon.  For those organizations who have well-defined, poor performing processes, ITIL, as a recognized leading good practice, can be a place to start in the reengineering effort.

Can you implement ITIL and Six Sigma in tandem?  Yes, but there should be a well-architected approach to implementing Service Management using ITIL and applying Six Sigma as the continuous improvement methodology.  The process definition needs to come first, but it should be defined taking into account current pain points and inefficiencies, and it should supply concrete measuring points to a Six Sigma program that can then assure the process keeps, and continues to gain, efficiency and effectiveness.

Both ITIL and Six Sigma are excellent mechanisms to build an effective, productive, service-oriented IT organization.  The trick is to understand the role that each plays and assure that your implementation approach is designed to produce the maximum benefit.


What I Learned From Getting Hacked

In CPP’s June Podcast, we discussed a security breach that occurred a few years ago and the steps my team took to detect, respond and remediate the incident.  Here are the five things I learned from that breach.

1).  Planning your response to a disaster or security incident is just as important as the safeguards you put in place
You cannot protect against everything.  The following often delays or prohibits putting the necessary mitigation plans and preventative controls in place:
   -  Residual risk that remains based upon your organization’s tolerance or risk appetite
   -  The cost of mitigating risks and putting necessary controls in place to thwart threats & vulnerabilities
   -  Business strategies and priorities that conflict with your security program
   -  Zero day threats and vulnerabilities
If you agree with at least one of the bullets above, then it is of the utmost importance to have Incident Response Plans and Response Teams in place that you can trust.
2).  Select a team or teams you can trust
Tough times don’t last, tough people do.  Choosing people for your Emergency Response and Incident Response teams should be done on a selective basis.  Having the right people on call at the right time may save your organization from further loss.  Creative people that can think clearly in stressful situations can make all the difference between ending up in the headlines or heading the bad guys off at the pass.
3).  Store your Incident Plans in plain sight (and at multiple sites)
When an incident or disaster occurs you don’t want to leave your response to chance — even if you have selected a great team.  Know exactly where your Continuity, DR and Incident Response Plans are located.   This is achieved through constant awareness and possibly automation.  Both electronic and paper documents should exist in multiple locations.
4).  Monitor, Monitor, Monitor
Our security breach was discovered by a higher-than-normal CPU event that triggered an automated alert to our Service Desk.  Good processes and disciplines (automated and otherwise) must take over from there.  Monitoring for anomalies on your servers, network devices, databases and applications is an important first step, in addition to the traditional security monitoring (IDS/IPS, anti-virus, logging, etc.).
5).  Embed good processes and practices such as ITIL into your organization’s daily life
I brought ITIL into my previous employer’s organization in 1999.  Good Event, Incident and Problem Management disciplines were vital in detection, notification, “root cause” and escalation of the attack.  Change/Configuration and Release Management disciplines were significant in quickly correcting the incident, the underlying problem and putting the necessary corrective, compensatory and deterrent controls in place.
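The CPU alert that surfaced the incident described above is the kind of thing a simple baseline detector produces. Below is an added example of one, not code from the original post or from any monitoring product: it learns a mean and standard deviation from the first half hour of samples, then reports any run of three or more samples that sit more than three standard deviations above that baseline, so a single transient spike does not page anyone. The telemetry is constructed for the example.

```python
"""Baseline-and-deviation alerting over CPU samples.

Added example, not code from the original post; the telemetry is constructed.
"""
import statistics
from typing import Dict, List, Tuple

Sample = Tuple[int, float]   # (minute, cpu_percent) for one server


def build_samples() -> List[Sample]:
    """Constructed hour of telemetry: quiet baseline, a twelve-minute sustained
    spike (think: a rogue process), then quiet again with one harmless blip."""
    samples: List[Sample] = []
    for minute in range(60):
        if 30 <= minute < 42:
            samples.append((minute, 95.0 + minute % 3))          # pegged at 95-97%
        else:
            samples.append((minute, 22.0 + (minute * 7) % 9))    # 22-30%, the normal spread
    samples[50] = (50, 61.0)   # one-off spike, e.g. a backup job; must not alert
    return samples


def learn_baseline(samples: List[Sample], baseline_n: int) -> Tuple[float, float]:
    """Mean and population standard deviation of the first baseline_n samples."""
    values = [cpu for _, cpu in samples[:baseline_n]]
    return statistics.fmean(values), statistics.pstdev(values)


def detect_cpu_anomalies(samples: List[Sample], baseline_n: int = 30,
                         z_threshold: float = 3.0, min_consecutive: int = 3) -> List[Dict]:
    """Report runs of at least min_consecutive samples that sit more than
    z_threshold standard deviations above the learned baseline."""
    mean, stdev = learn_baseline(samples, baseline_n)
    stdev = stdev or 1.0   # a perfectly flat baseline would otherwise divide by zero
    alerts: List[Dict] = []
    run: List[Sample] = []

    def flush() -> None:
        # A live monitor would page as soon as the run reaches min_consecutive;
        # here the whole episode is reported once it ends.
        if len(run) >= min_consecutive:
            alerts.append({"start": run[0][0], "end": run[-1][0],
                           "peak": max(cpu for _, cpu in run)})
        run.clear()

    for minute, cpu in samples[baseline_n:]:
        if (cpu - mean) / stdev > z_threshold:
            run.append((minute, cpu))
        else:
            flush()
    flush()   # close out a run that is still open at the end of the data
    return alerts


if __name__ == "__main__":
    for alert in detect_cpu_anomalies(build_samples()):
        print(f"ALERT: CPU above baseline from minute {alert['start']} "
              f"to {alert['end']}, peak {alert['peak']}%")
```

On the constructed data the baseline comes out at a 26% mean with a spread of about 2.6 points, so the threshold sits just under 34%; the twelve-minute run at 95% is reported once, and the lone 61% sample at minute 50 is ignored. Lowering min_consecutive to 1 turns that blip into a second alert, which is the trade-off to tune against your own noise.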

Comments are welcome.
Jay Martin
jay.martin@cppit.com


201 CMR 17.00 – The 5 Things You Need to Do Right Now

As many of you are aware, the new Massachusetts Standards for the Protection of Personal Information (201 CMR 17.00) will hit the books on January 1, 2010.  The regulation establishes protection standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts, in both electronic and paper format.  So even if you do not run your business in the Commonwealth, you are still affected if you keep personal information about a resident of Massachusetts.

Personal information (PI) is defined in the regulation as a Massachusetts resident’s first name (or first initial) and last name in combination with a Social Security number, a driver’s license or state-issued ID number, or a financial account, credit card or debit card number.

Here are the 5 things you need to do today to begin the process for compliance:

1.  Read the Regulation (http://snipurl.com/ipfwi) and the 201 CMR 17 checklist (http://snipurl.com/201_cmr_checklist)
2.  Roles and Responsibilities – Assign ownership for the overall security program within your organization.  Next, appoint a Security Council comprised of senior staff or management who are stakeholders in protecting personal (and other sensitive corporate) information.  The Security Council builds consensus on the risks, impacts and priorities for compliance and will help with achieving (or changing) the security culture of your organization.
3.  Find the Personal Information (PI) – Do this through interviews with Business Managers, Data Owners and Subject Matter Experts.  Additionally, the use of technology such as IdentityFinder can speed up PI discovery.  Once discovered:

  • Determine whether this data is still required and needed in the discovered location
  • Do you need all the PI data or can you do without (do you still need your old customer’s credit card number)?
  • Determine who requires mandatory access to the information and plan for the modification of your access lists to comply
  • Ensure other safeguards are in place to protect this information (Physical access, firewalls, strong authentication/passwords, encryption).  If not, budget and plan accordingly

4.  Review your current Written Information Security Policies, if they exist, and plan for their update to include compliance.  If they do not exist, develop a project plan to begin the development process.  The larger the organization, the longer this will take for development and approval.
5.  Determine whether your third parties, partners, consultants, etc. have access to PI, and begin the process of discovering their protection mechanisms.
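For step 3, here is what the discovery part looks like in code, as an added example (not code from the original post and not IdentityFinder): regular expressions for the two data elements most likely to turn up in files, Social Security numbers and payment card numbers, a Luhn check to throw out card-shaped serial numbers, and masked output so the findings report does not itself become a PI file. The file names and contents are constructed. Remember that under 201 CMR 17.00 an element becomes personal information only in combination with a resident’s name, so each hit still needs a look at what else is in the record.

```python
"""Pattern-based discovery of SSNs and payment card numbers in text files.

Added example, not code from the original post or from IdentityFinder.
The file names and contents are constructed, not real records.
"""
import re
from typing import Dict, List

# SSN: areas 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
# Payment card: 13-16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,15}(?!\d)")

SAMPLE_FILES: Dict[str, str] = {   # constructed for the example
    "hr/benefits_export.csv": (
        "name,ssn,card\n"
        "Jane Doe,123-45-6789,4111 1111 1111 1111\n"
        "John Roe,000-12-3456,1234567890123456\n"      # invalid SSN area; number fails Luhn
    ),
    "sales/call_notes.txt": "Customer read card 4539-1488-0343-6467 over the phone, call back Monday.\n",
}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out most random 13-16 digit runs (serials, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Never write the full value into a findings report; keep the last four."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path: str, text: str) -> List[Dict]:
    """Scan one file's text line by line; line numbers make triage with the data owner easier."""
    findings: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            findings.append({"file": path, "line": lineno, "type": "ssn",
                             "value": mask(re.sub(r"\D", "", m.group()))})
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append({"file": path, "line": lineno, "type": "card",
                                 "value": mask(digits)})
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict]:
    """Scan a mapping of path -> contents; a real run walks file shares and mailboxes instead."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}  {f['type']}  {f['value']}")
```

The HR export yields an SSN and a card number on Jane Doe’s line and nothing on John Roe’s (the SSN has an invalid area number and the sixteen digits fail the Luhn check), and the sales note yields one card number that someone should never have written down. Expect false positives from anything that happens to be card-shaped and Luhn-valid; the masked findings list is the input to the “do we still need this, and who needs access” questions above, not the final answer.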

Compliance doesn’t happen overnight.  The sooner your company develops a strategy for 201 CMR 17.00 compliance the better your organization’s chances to meet the January 1, 2010 mandate.  These safeguards not only make good business sense, they will soon be the law.


Recent Study Says Economic Counter-Trend in Demand for IT Process and Architecture Skills

Finally….

It usually takes a compelling event to get people to act on initiatives that otherwise make perfect sense; but when there is no proverbial “kick in the pants” these good ideas sit on the sidelines until people are forced to look at them and realize their value.  I am talking about getting our act together around implementing good, consistent, repeatable IT process and implementing enterprise architecture.  The “kick in the pants” this time is the economy.  Lean budgets, hiring freezes and staff downsizing have caused IT organizations to look to process improvement as a way of becoming more efficient.  I wrote about this at the beginning of the year on ITSMWATCH.COM as the year of doing more with less (http://www.itsmwatch.com/itil/article.php/3796936), with ITIL and ITSM as a way of facilitating more efficiency within IT.

A 2009 study conducted by a research organization that follows trends in IT industry skill demand and pay scale indicates that pay for IT professionals in general has declined for the first time since 2004, but that salaries have increased for individuals with skills and certification in IT architecture and methodology/process.  This is the first time there has been such a counter-trend in specific areas within IT while the rest of the skill set is experiencing a correction.  This is very telling!!!  The study specifically cites skills and certification in ITIL as being in high demand to increase the efficiency of IT through process improvement.  It indicates that IT departments look at this as a good investment (in a time when investing in anything is truly scrutinized), as a skill that can affect short-term results but also has long-term application.

Having been practicing, consulting and training in this area for many years, I am truly happy to hear that there is finally a recognition of the value of IT process improvement.  The fact that it’s helping to drive a sharp increase in the salaries of those who have these skills is just icing on the cake.  Having said this, please jump into the IT process improvement pool wisely.  Don’t let the splash of haphazard “diving” through thoughtless adoption of ITIL put a damper on those of us who would like to see these practices truly change how we manage services in the long run.

Posted by: Valerie Arraj (valerie@cppit.com)


Maximizing the ROI of Supplier Relationships

Scenario 1: A contract with your software provider is written so that it automatically renews on a yearly basis.  You have no Supplier and Contract Database to trigger a reminder of the contract expiration.  The expiration date passes and you are locked in for another year with a penalty to terminate and you no longer need the service.

Scenario 2: You have no time to evaluate contract performance on an ongoing basis to understand whether you are getting value for the money you are spending.  You feel that your supplier has not always been meeting its commitments to you, but you have not been actively measuring its performance, and thus cannot recoup penalties as a result.

Scenario 3: Multiple groups within the enterprise are negotiating service agreements with the same vendor.  You have no centralized visibility and are missing an opportunity to negotiate better pricing based on volume.

IT organizations rely upon third-party suppliers across the value chain, from commodities such as consumables, to operational services such as Internet access, to strategic initiatives that leverage management consulting or the oversight of critical service implementations.  Managing suppliers and supplier contracts can be an important source of cost savings for your IT organization.  In many cases it is also a critical success factor in assuring that your service levels can be maintained.  A supplier and contract database and a supplier management process/program, whether managed in-house or through a third-party provider, can make a big difference in providing cost-effective services to meet the business need.

With such a strong vendor dependency, supplier management (beyond the initial negotiation and purchase) should be a core competency within the IT organization, yet more often than not it is not.  Don’t let the scenarios above be a common occurrence in your organization.


Tough Times Demand An IT Revolution!

In regards to cost reduction, Gartner research suggests that many CIOs turn to ITIL standardization to hold the line.  While new technology purchases and hiring may be on hold (or shrinking), what  do you do to improve IT efficiencies and to stay ahead of the compliance curve?

Do me a favor, go to www.youtube.com and do a search on “Peter Schiff was right”.  Here’s a guy who was (and still is) a counterculture voice amongst the mainstream financial thinking.  You may be asking, “But Jay, what does this have to do with me running my IT organization more efficiently, maintaining Service Levels and cutting costs in these tough economic times?”  Besides melting down your old scrap PCs for the gold, that’s a good question.

An IT Manager recently told me that his company’s virtualization environment has brought them lots of freedom, but lots of headaches.  His complaint was that due to the flexibility allotted, anyone could fire up a virtual environment at any time, without word or warning and without his staff being aware.  Change Management disciplines out the window.  Now they have a hiring freeze and are dealing with the latest “priority” project they weren’t prepared for.  If the above-mentioned IT Manager had, in 2006, delayed the deployment of his company’s new hardware chassis, virtualization software and SAN for the sake of putting in some standards, procedures and good practices, he probably would have been chastised, as my friend Peter Schiff was.

Within the past decade we have let organizational and cultural mediocrity exist because we believed that by placing total faith in the purchase of technology, our IT organizations would make the businesses we support more efficient, nimble and compliant.  And it may have plugged some holes in the dam for a while.

But as corporations cut back on spending, IT organizations need to rethink the same old philosophies that got us all here in the first place.  Using the old Einstein standby adage that a problem cannot be solved at the same level of thinking that created it, CIOs and IT management need revolutionary thinking.

As capital budgets are getting slashed, your best opportunity at becoming more efficient and compliant may be the things you overlooked (or avoided) over the past few years.  That is looking internally and improving IT efficiencies by updating your people skills via training and improving your processes through good practices.  Peter Schiff was right, and so am I. 

Let me know if CPP can help you start your own cost savings revolution.

Posted by:  Jay Martin

Compliance Process Partners — www.cppit.com

jay.martin@cppit.com


Third-Parties — Mass. Standards for the Protection of Personal Information

Important update.  The amended or revised 201 CMR 17.00 has softened the requirement for third-parties you do business with and that have access to personal data.  The original regulation slated for a May 1, 2009 compliance date stated that businesses would require “certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations”.

The revised regulation scheduled for January 2010 now states that businesses should ensure that third-parties are taking all reasonable security measures — at least as stringent as those provided in the 201 CMR 17.00 regulation — in protecting personal information.

Ensure?  How are you going to “ensure” that your third-parties are protecting themselves? 

Here’s what I recommend, and I suggest you follow my advice.  Send each of your third-parties (whether they do business in the Commonwealth or not) the 201 CMR 17.00 Audit Compliance Checklist that I provided a link for in my first blog on this very subject (see below).  Take the checklist, add a signature page and have your third-parties sign it.  If they don’t fully comply, have them put together a letter that outlines their security improvement plan with dates, and have them sign that.

If your third-party is not willing to go the extra mile, you’ll have no choice but to move on.  The eventual financial risks and public image drubbing may be too high.  Are you willing to chance it?

Let me know your thoughts.
