Qwest White Paper: Managed Security

Managed Security for a Not-So-Secure World
CIOs need a strategy for a secure enterprise in today’s insecure world.

It turns out that the infamous TJX Companies breach disclosed in January 2007 was only the tip of the iceberg: there has been an explosion of data security incidents in the past few years. In 2008, the Identity Theft Resource Center (ITRC) reported 656 breaches, a 47 percent increase over 2007. And there were 213 data breaches in the first five months of 2009 alone.

This risky data environment is colliding with an IT landscape of shrinking resources. An April 2009 Lieberman Software survey of IT professionals found that 60 percent of respondents work at organizations that have cut their IT budgets, and that 40 percent of organizations have reduced their IT teams. Such cuts leave fewer resources available to handle the ongoing need for compliance with a bevy of regulations—from the Sarbanes-Oxley Act (SOX) to the Health Insurance Portability and Accountability Act (HIPAA) to the Payment Card Industry Data Security Standard (PCI DSS)—to whatever new transparency requirements will arise from the banking crisis.

But business must go on. CIOs must manage security risks while addressing business needs and focusing on revenue-generating activities. This paper offers a strategy for providing data security and protection that addresses the rising data threat landscape, the need for compliance, and today’s lean IT staffs.

For more information about Qwest’s managed security services, visit www.qwest.com/business

WP090991 8/09


Good Enough Isn’t Always Enough
Unlike conventional projects with a beginning, middle and an end, IT security is never finished. The security program implemented yesterday may not be adequate tomorrow because new threats arise every day.

Opportunistic predators exist both inside and outside the organization. Organized crime is a major concern because its motivation is financial gain, which drives it to continually seek out network infrastructure vulnerabilities and to create new viruses and worms. This has significantly raised the sophistication of the threats that companies must defend themselves against.

Though most IT managers are vigilant and diligent in using the tools they have to protect corporate data, there are often blind spots that these predators will find and exploit. Ensuring corporate data is safe takes considerable proactive, continual monitoring—or outside help.

“Keeping up with the high traffic in vulnerability disclosures is a perennial challenge and an important part of our program since we focus on proactively identifying and remediating risks,” says Michael Glenn, director of information security and chief information security officer (CISO) at Qwest Communications International Inc., a managed security provider. “We have to balance our resources between our proactive, innovative programs and our reactive obligations, including a growing list of compliance auditing, certification and reporting activities.”

Those compliance issues can be burdensome. Mandated compliance with a wide and growing variety of state, federal and industry regulations places an increasing strain on IT staff.

Being Compliant
Some of these regulations, or parts of them, promote data protection within particular industries. For example, the Gramm-Leach-Bliley Act (GLBA) has privacy stipulations to protect information in the financial services industry, including companies providing financial products and services to consumers. Among other things, the GLBA’s Financial Privacy Rule requires financial institutions to give their customers privacy notices that explain the institution’s information collection and sharing practices, and customers have the right to limit the sharing of their information.

Failure to comply with these regulations can lead to stiff penalties—HIPAA fines, for example, can be as high as $50,000 per violation. And the American Recovery and Reinvestment Act of 2009 will further tighten HIPAA’s privacy and security rules for data breach notification, enforcement, audit trails and encryption. Then there’s the PCI DSS, which governs payment card transactions. Here again, noncompliance can be expensive: for example, Visa could fine transaction processors between $5,000 and $25,000 a month if the merchants or retailers they represent are not PCI compliant.

What’s troublesome is that companies often think they’re in compliance but end up finding out the hard way that they’re not. Take the examples of RBS WorldPay and Heartland Payment Systems, both of which process credit card payments. Before the end of 2008, both were believed to be PCI compliant. Hackers nonetheless got into their systems and took cardholder data. A compliance assessment is a point-in-time attestation that the controls in scope were present when the assessor looked; it says nothing about whether those controls were effective against a determined attacker, whether the scope was drawn correctly, or whether the controls stayed in place afterward. The point is that checking a box for compliance does not, by itself, protect your organization’s data; you must first have solid security practices in place to protect the data, and then meet compliance obligations on top of them.


There are intangible costs as well. A breach in security of this magnitude causes a lack of confidence among current and prospective customers. CIOs and IT managers recognize this threat. In a recent survey conducted by IDG Research Services on behalf of Fiberlink Communications, 81 percent of respondents said that damage to their company’s reputation from a data breach was their greatest concern, followed by legal consequences and costs (79 percent) and loss of critical data (74 percent).

Things like proactive network monitoring, testing and tracking, complex firewall configuration, a comprehensive vulnerability management program, centralized logging and auditing, an access control program, and sound, comprehensive security policies are necessary for a good security program and to meet compliance obligations. Considerable staff and resources are also required.

So, how does the CIO face these challenges?

Benefits of an Outsourcing Partner
- Staff: Professionally trained talent to manage and implement security programs and plans
- Solutions: Carefully researched and selected security technologies
- Cost: Lower total cost of ownership for labor and technology through scaling, configuration, maintenance of technology solutions, training personnel, and researching processes and products
- Knowledge: Experience and knowledge base to discover vulnerabilities, face new security threats and solve complex security problems



Outsourcing Managed Security
Given the security risk climate and the reduction in IT staffs, working with an IT and security service provider is more practical. With the appropriate foundation of outsourced services, security becomes manageable and reliable.

Of course, cost is a consideration. You should conduct a thorough analysis of the time and expenses involved in using internal resources and then weigh it against an outsourcing provider’s cost model. For example, the cost of managing and configuring technology is a key component of the total cost of a security program. And you have to consider whether your in-house expertise is up to the task.

“Inevitably, difficult economic times can cause otherwise good people to make poor decisions,” says Glenn. “I expect to see a continued need for vigilance against malicious software and attacks like spear phishing that are rooted in fraud, along with the ever-present insider threat. In a downturned economy, you do not want to be significantly cutting your information security program.”

To stay abreast of vulnerabilities and threats, IT personnel must continually expand their knowledge and expertise, which can be challenging if budgets do not allow for a fully dedicated security staff or ongoing training. In addition, expert security professionals, especially those with credentials from professional associations, are in high demand, so retaining them can be difficult.

On the flip side, a well-recognized, comprehensive security service provider has already gone through the rigors of recruiting and training quality security personnel. In addition, these teams have been exposed to a variety of enterprise security challenges from a diverse clientele. Tapping into this expertise offers not only a skilled security strategy, but also a fresh look at how to address risks.

Another consideration is that IT and business processes are often in flux, due to changing market conditions and business demands. Managing them requires both time and broad experience; organizations with tight IT budgets can suffer process management constraints. An outsourcing partner can add value by bringing a wide range of expertise and the ability to look at the entire scope of a company’s processes to identify potential obstacles or problem areas.

Employing the best people and processes is only part of the equation. You also need the right technology. Because new security tools and solutions are introduced every day, evaluating, purchasing and maintaining them requires time and an understanding of how they will best fit the organization. A feasible alternative is to lean on a managed security provider that has experience with a wide variety of solutions, and that can provide a thorough analysis of which tools are most appropriate.

Conclusion
In the IT landscape, vulnerabilities and threats arise constantly while new and shifting compliance regulations place increased pressure on data protection. And CIOs must face these issues with reduced staff and contracted budgets.

A solid relationship with a managed service provider can be of great help, freeing CIOs to focus on core business operations, build better relationships with stakeholders and ultimately achieve short- and long-term business goals. Using managed services to address security risks is a best practice to reduce costs, support compliance and allow IT staff to focus on critical business operations. Outsourcing the operation of controls does not outsource accountability for them, however: the regulated entity still answers to regulators and card brands for what its providers do. Note that the FTC’s order against TJX (see “Failing to Comply”) covers service provider selection as well as network security.

Glenn offers this closing advice: “Spend just as much, and preferably more of your energy on building relationships with key stakeholders across your enterprise than you spend learning the bits and bytes of the latest technical toy. If you have the right relationships with your business, you can always find a means to accomplish your objectives by making your business successful through good security practices and risk management. Learning those technical means together gives you more credibility.”

Take an honest look at your internal capabilities, and compare them to what a managed security services provider can offer, including economies of scale. It’s likely that a security strategy that includes outsourcing in its mix will be a cost-effective, practical and winning solution.




Failing to Comply
Data breaches have resulted in disciplinary actions and fines by the Federal Trade Commission (FTC) in numerous cases. Here are a few examples:

- The FTC disciplined a Texas-based mortgage company after it failed to provide reasonable security to protect sensitive customer data. Third-party home sellers were able to access private data without security measures in place. A hacker compromised the data by breaking into a home seller’s computer, obtaining the lender’s credentials and using them to access hundreds of consumer reports. Because this mortgage company had inadequate data protection, it was liable for the security breach. Note that the attacker never had to break into the lender itself: credentials issued to a third party, usable from that party’s own compromised computer to pull hundreds of consumer reports, were enough.

- When hackers stole the personal data of some 46 million customers of retail conglomerate TJX Companies, the FTC attributed the breach to a failure by TJX to use reasonable and appropriate security measures on its networks. As a result, a third party must audit the company every other year for 20 years, and TJX must show improvement in its network security, service provider selection and how it handles consumer information. The retailer also negotiated a settlement reported at more than $40 million with Visa International.

- After it was discovered that hackers had accessed the sensitive information of hundreds of consumers, an online seller of computer supplies was admonished by the FTC. The company failed to provide reasonable security to protect sensitive customer data such as personal information and credit card numbers. The vendor suffered bad publicity and diminished overall customer confidence.

SOURCE: www.ftc.gov



