
ABN Amro PII Breached Through P2P: Lessons Learned

Much is written about the risks P2P presents to organizations, yet many organizations continue to implement P2P technologies, or more accurately allow their personnel to install them on computers used for business, because they are willing to bet that the theoretical threats will not materialize within their own organizations.

As is typical, most organizations do not implement security safeguards until 1) they get burned themselves; 2) they must do so to comply with applicable laws and regulations; or 3) organizations similar to them have experienced incidents matching the identified theoretical risks.

To date there have been few publicly reported examples of network and information compromises via P2P technologies. However, over the past two weeks it was widely reported that ABN Amro Mortgage Group experienced a privacy breach as a result of one of its employees using a P2P product, Lime Wire.

"The ABN Amro data breach appears to have occurred after a business analyst at the Citigroup unit in Florida -- or a member of her family -- signed up last year to use a service similar to Lime Wire. By doing so, she appears to have inadvertently exposed many documents from her computer: not just the spreadsheets, but also personal documents such as her résumé and a Travelocity confirmation of a family trip. It isn't clear how long the information was online or how far it has spread. The analyst says she was laid off this summer; she says she wasn't aware of the data breach until she was contacted by a reporter Thursday."

Now here's a statistic that should get your attention...

According to the published report, Tiversa indicates 1.3 billion searches are conducted on P2P networks each day, compared to 130 million searches a day on Google!

This incident is a very good example to use in your awareness messages, and a good case study for your training.

It points out the need for organizations to implement strong controls for personally identifiable information (PII), not only within the network perimeter, but also on every endpoint where PII is accessed or stored, most particularly those that are remotely located, such as the home computer of the business analyst in this case.

Many bad things can happen to data, including PII, that is under the complete control of your personnel if 1) inadequate safeguards are in place, and 2) the personnel are not kept aware of security risks and of how to use their computers in ways that will not put PII at risk.

If you allow your personnel to use P2P, do you have enforced policies and procedures that tell them how to use it? Can personnel change the P2P client's settings, for example which folders are shared, and thereby expose PII? In most cases they can.
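One way to find out, as an added example that is not code from the original post or from any P2P vendor: walk the folders the P2P client is configured to share and flag every document that contains PII-shaped values. The script below assumes the shared-folder list is supplied by the caller (on a real endpoint you would read it from the client's configuration) and builds a small constructed sample share with fictitious data so it runs offline.

```python
"""Audit the folders a P2P client shares for documents that look like PII.

Added example, not code from the original post or from any P2P vendor.
The list of shared directories is an assumed input; on a real endpoint
you would read it from the client's configuration. The sample share it
builds contains constructed, fictitious data only.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Only plain-text formats are read here; binary spreadsheets need a parser.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".md", ".htm", ".html", ".xml", ".json"}

# SSN: NNN-NN-NNNN, excluding area numbers never issued (000, 666, 900-999),
# group 00 and serial 0000, to cut false positives on ordinary numeric data.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Card-shaped token: 13 to 19 digits, optionally separated by spaces or dashes.
# A match is only reported if it also passes the Luhn check below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_file(path: Path) -> dict:
    """Count SSN-shaped and Luhn-valid card-shaped tokens in one text file."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return {"ssn": 0, "card": 0}
    ssns = SSN_RE.findall(text)
    cards = [m for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m))]
    return {"ssn": len(ssns), "card": len(cards)}


def audit_shared_dirs(shared_dirs) -> list:
    """Walk each shared directory; return (relative path, counts) for every
    text file that contains at least one PII-shaped hit."""
    findings = []
    for root in shared_dirs:
        root = Path(root)
        for path in sorted(root.rglob("*")):
            if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
                continue
            counts = scan_file(path)
            if counts["ssn"] or counts["card"]:
                findings.append((str(path.relative_to(root)), counts))
    return findings


def build_sample_share() -> str:
    """Create a constructed sample share (fictitious data) and return its path."""
    root = tempfile.mkdtemp(prefix="p2p_share_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    # Personal document with no regulated PII: should not be flagged.
    (docs / "resume.txt").write_text("Jane Doe, business analyst. Phone 555-0100.\n")
    # Work export accidentally left in the shared tree. Row two carries an
    # SSN with a never-issued area number and a card that fails Luhn, so
    # only row one should count.
    (docs / "mortgage_export.csv").write_text(
        "borrower,ssn,card\n"
        "Doe,123-45-6789,4111 1111 1111 1111\n"
        "Roe,987-65-4321,4111 1111 1111 1112\n"
    )
    (Path(root) / "music.mp3").write_bytes(b"\x00" * 16)  # binary, skipped
    return root


def run_audit() -> list:
    """Build the sample share, audit it, and clean up."""
    root = build_sample_share()
    try:
        return audit_shared_dirs([root])
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel_path, counts in run_audit():
        print(f"FLAG {rel_path}: {counts}")
```

Two design choices keep the noise down: a card-shaped number is reported only when it passes the Luhn check, and SSN-shaped numbers with area numbers that were never issued are ignored, so a spreadsheet full of ordinary figures does not light up the report. The documents in this incident were spreadsheets, which are binary files; in production you would add a parser for them (or export to CSV first) rather than reading them as text, and you would run the audit on the endpoint, since the exposure happens there and not at the network perimeter.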

Some of the lessons to learn from this:

* Organizations must provide training and ongoing awareness for information security and privacy issues, including the use of P2P.

* Organizations must have policies and procedures in place regarding the use of P2P.

* Mobile PII, meaning any PII sent over public networks or stored or accessed on mobile computing devices and removable storage devices, should be encrypted. Note that whole-disk encryption alone would not have prevented this incident: a P2P client runs in the user's session and shares whatever files that user can read, so the PII itself must be encrypted at the file or field level with keys the user's everyday applications cannot reach.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on its list of the 25 top privacy experts and on its list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.