Computer Care And Learning
An Attitude Adjustment Moment
Helping your computer system grow up
A simple but thorough way of securing data in your organization
First, do no harm. And pace yourself.
Pick a Leader
Get outside help
Your Information Security Manager (ISM) Assembles Her Tools
A tested, rotated offsite backup
A WISP (Written Information Security Plan)
201 CMR 17.00 compliance assurances from vendors and other partners
A sensible and realistic security philosophy
A Password List
A locked space to secure paper files
TrueCrypt containers to secure computer files
Massachusetts, since its founding, has many times been at the forefront of progressive change. People from Massachusetts played a major role in initiating the break from Great Britain and founding a representative democracy. The state was home to important leaders of the slavery abolition movement, and more recently was the first state to recognize that same-sex couples have the right to full protection of the law. (Neil Savage's book, Extraordinary Tenure, explores some of the reasons for Massachusetts's leadership role in the nation's history, http://tinyurl.com/savage-extraordinary-tenure).
Very much in that tradition, this year Massachusetts announced the most advanced data safety rules in the country. Partly due to the growing global problem of identity theft, and partly due to a major information breach at a local company (http://tinyurl.com/tjmaxx-disaster), the state has developed rules to help protect sensitive information from being misused.
The state uses the term "Personal Information" (PI) to define the information we must protect. If your organization stores social security numbers, drivers license numbers, or credit card or other financial account numbers, you must develop strong systems to protect this information, and you must have a written security plan which you check regularly to make sure the plan is being carried out well. You must appoint someone on your staff to be responsible for carrying out the plan, and the plan must include staff training in the security procedures.
You also have to make sure that if you share any of this information with vendors or business partners, they must be in full compliance with the rules.
Virtually all organizations in Massachusetts store these numbers. For example, if your organization has just one part-time employee, you must have her I-9 and W-4 form in your files permanently, and these forms have social security numbers on them. When you receive a check in payment from a customer, this check has the customer's name and bank account number on it. If you are a landlord and you do a credit check on your tenants, you will have to store their social security numbers.
So, in our view, the state is asking all organizations, from the smallest home office to the largest corporation, to develop strong data safety programs.
Our goal at this site is to help you do this in a sensible, economical way.
A number of people we've talked with about these new rules have complained about what a hassle they are, and how the last thing Massachusetts businesses need right now is an expensive and time-consuming new mandate from the state.
We want to urge you to view these regulations a little differently. The state is requiring you, your competitors, and everyone else to get their data safety act together. Yes, this will take work and money, but the net effect should be to make your computer systems safer and better, and to protect you and your customers and community from the severe consequences of a serious data breach or loss. The government requires you to insure your car, to adhere to workplace health standards, and to follow safe building codes. Now, late but better than never, the state is requiring us to make our information handling safe.
We know that if you pursue compliance in this spirit, you will value the process more, and see it as a welcome part of your business development. We'll try to help you through the process with this in mind.
The best way to comply with these regulations, in our view, is to take steps to make your system healthy and safe. You will then be compliant, but also can reap the many benefits of having a strong, secure system.
At the beginning of Tolstoi's War and Peace, Prince Vasili, at a fancy party, asks after the health of the famous Anna Pavlovna, friend of the empress. She responds, "How can a person be healthy when one is suffering so from nerves? Is it possible, in our time, to feel at peace?" She is talking about her anxiety over the French revolution and the prospect of war.
Looking at our computer system, we might respond similarly. Strong? Secure? How can such thing be possible in our time? Even a computer running the best antivirus program can be hit by a virus that generates incessant popups and disables the antivirus program. With relations between employer and employee strained by economic turmoil and the breakdown of mutual loyalty we have seen, the risk of embezzlement and internal data theft should make us all worried.
Here is our basic approach to this anxiety-creating situation:
1. Regularly backup all your data, and keep some copies of the backup in the hands of trusted people outside your organization.
2. Use industry-standard computer safety procedures.
3. Track all "Personal Information" (PI) and sensitive information as it enters the organization, is used by the organization, and is finally disposed of. Lock it up or encrypt it, giving keys only to people who need access.
4. Train and supervise your staff in your security procedures, from the moment they join the organization, to the moment they leave.
5. Create a library of how-tos to document, enforce, audit and prove your security policy.
We will now walk with you through our approach to achieving these broad goals. You will naturally adjust these based on your needs and resources. It will be helpful to everyone if you would use the 201cmr17 blog to share the particular choices you make, and the adventures you have as you work on making your organization more secure. Our blog is at 201cmr17.wordpress.com. Please feel free to contribute anonymously, but also feel free to include your company information, if you would like people to contact you to share ideas.
This approach comes from Computer Care and Learning's (www.ComputerCareAndLearning.com) many years of helping people and organizations take care of their information. We combine this experience with the specific requirements of the new regulations, to produce a guide that will help you keep your data safe, and help you towards your compliance goals. Be sure to review your plans with your computer support people and your attorney, to be sure you are fully in compliance with 201 CMR 17.00, as well as the other regulations and laws that apply to your organization.
It is natural to panic a bit when you first do a serious survey of your data safety situation. The January 1st, 2010 deadline adds to the pressure. We want to encourage you to breathe steady as you proceed. You can cause more harm to your security by rushing to implement a bunch of procedures, than by doing nothing at all. Encryption is a good example. If you hastily encrypt your vital data, without proper safeguards and good practices in place, you can "lock your keys in the car" in a way that no coat hanger or friendly locksmith can rescue you. If you set up stringent security procedures that get in the way of people working, your staff will find ways around them, and create an atmosphere of disrespect for all security procedures.
So take it slow, but steady. Think of your organization as a student, who needs support, encouragement, and steady guidance. Your organization won't become secure overnight, but if you work steadily at planning and education, it can become quite secure in just a few months. Pay close attention to the cautions we point to, and in general, don't force things-- if your gut says something is not right, listen to that, and reconsider your plan. We'll try to point out some trouble spots to expect.
You might find it helpful to compare this effort to the task of getting into good physical shape and eating healthily-- you can make some major changes right away, but your body and mind need time and practice to adjust and make the changes permanent.
Both the new regulations and good business practice say that you should pick a Information Safety Manager(ISM) to lead your data security efforts. We suggest you choose someone who has been with your organization for some time and knows different parts of it well. Your ISM should have good computer skills, good leadership skills, and get along well with people. It also helps if she has an active, healthily suspicious imagination. Someone who reads spy novels in his spare time is a good find. The person needs to be flexible and able to deal with frustration, and needs to know how to work well with vendors and support organizations. If you can't get all this in one person, consider choosing a team of two with complementary skills.
Your ISM needs to develop a good working relationship with your IT support organization, and with your attorney. All plans should be reviewed with them. If you have your own IT department, we recommend that you have a computer help company review their work-- an extra set of eyes, unjaded by custom, can often see obvious and less obvious problems that your IT staff might miss. We were at a children's museum recently, and a play structure there had a piece of wood that was a pinch hazard. We mentioned this to a staff person who sat daily next to this structure. She immediately recognized the problem, and said "I've looked at this hazard every day, but I didn't see it until you pointed it out."
As your manager begins, she'll need tools for the journey. We'll discuss each tool in turn, and you'll see that mastery of these tools is a good way of achieving both compliance with 201cmr17 and good computer safety in general.
Here is the list, in order of importance, for you to keep in mind as we discuss them. Since most of our customers use PCs, this list is PC-centric, but most of it applies to Macs as well.
A tested, rotated, offsite backup system, with a backup log in Excel
A WISP (Written Information Security Plan)
A sensible and realistic security philosophy
201cmr17 compliance certifications from vendors and other partners
A password list in Excel
A locked space to secure paper files
Truecrypt containers to secure computer files
Up-to-date antivirus/antimalware software with daily updating, and software firewall
Microsoft update, with weekly updating, plus Secunia update check
Appropriate networking hardware, including wireless hardware with correct configuration
Logmein or another secure remote control program
This is surprisingly short list, but as Mr. Miyagi teaches Daniel in The Karate Kid, you don't need a lot of moves; you need to know a few moves well.
Let's talk about each in turn.
You may be surprised to find this first on the list of tools to prevent identity theft. But we have found, again and again, how central a good backup is to all data safety, including preventing data theft. Before we talk about the details of the backup system, let's outline why you should address backups first and with your best energy.
An encrypted, tested, daily, full backup system with offsite rotation provides you with a safeguard against many bad things that can happen to your data, such as fire, theft, hard drive failure, virus corruption, and sabotage, to name some of the most common. A good system can discourage embezzlement and other forms of theft, including identity theft, by providing a reliable record of what your system has contained over time. One of the favorite tools used by people who want to steal is to cover their tracks-- deleting logs, deleting other evidence, even deleting the numbers they stole, to make it hard to trace the theft. Good backups, kept securely offsite, make this much harder.
But there is an even more direct reason why backups come first in your collection of tools for preventing data theft. When you are securing your data, YOU are the biggest danger to your data. Even an experienced IT practitioner can make the mistake of encrypting something and losing the password, or have the bad luck of an encrypted file becoming corrupted and unrecoverable. We strongly recommend that you NEVER encrypt or secure any computer data without first having multiple, tested full backups, with some offsite.
Here is our basic recommendation for how to achieve the goal of encrypted, tested, daily, full backups with offsite rotation:
1. Daily, backup your computer using Acronis True Image (www.acronis.com) to an external hard drive. Use AES encryption, with a password that follows your password policy (see Password List, below). Use full backups (not incremental), and create a different backup task for each day of the week. Check the backup for size and date each day.
Weekly, mount the backup and open a recent file. This is an essential step-- you must check your backup regularly by restoring a test file-- this both helps you know the backup is working, and makes you practice your password. Weekly, swap the drive with a similar drive you keep offsite. Since the backup is encrypted, a neighbor, a locked drawer in your downtown office, or a relative are good ideas. Nice social opportunity when you swap the drive if you keep it at a friend's house; one of my co-workers met his future wife by such visits.
2. Supplement this with an encrypted vital data backup onto flash drives, and CDs/DVDs. Use a TrueCrypt container (see TrueCrypt, below). If you use Outlook, backup the .pst file and the .nk2 file, and use unlocker (see below) to make sure that Outlook has not locked the .pst file before you backup. Your computer helper can write a simple batch file to automate this process somewhat. Check the backup by opening a recent file.
You may ask, why do the flash drive/DVD backup if you're already backing up using Acronis to external disk drives? This is keeping with the principle you'll see here again and again-- layers and more layers. Our experience is that external disk drives fail, decent software gets corrupted, people lose their passwords. By having your vital data in at least two locations, backed up by two entirely different methods, on to two different kinds of media, you reduce the likelihood of losing your data. Flash drives are easy to take with you, and DVDs are easy to mail-- which is a nice way of spreading your backups around, even across the country. As long as they are TrueCrypted, this gives you safety with very little risk of breach.
3. You may want to use the increasingly fancy and cheap online backup services, too-- one of my customers found Cryptonite fun to use; another customer uses SugarSync; still another uses BackupMyBusiness. Our main cautions: 1) TrueCrypt the data before backing it up online-- this protects you better from the data being breached while in the possession of the online service, in spite of their encryption schemes. 2) be sure to store the encryption key the online service provides in your password list (see Password List, below), for safety-- they cannot replace this key if you lose it.
4. We recommend you use an Excel spreadsheet to keep a backup log, including size, dates, location of backups, and when you restored a test file. This keeps everyone honest-- it becomes very obvious when the backups aren't being done, rotated offsite, and tested. This backup log becomes an important document to verify that you and your staff are taking care of your data.
A note on pacing yourself: these four steps are very worth doing, but do them at a reasonable pace. Add each element and get to know it well, don't rush. Ask for help from people who have done this before. At Computer Care and Learning, we encourage our customers to talk with one another and share notes about their backup and security systems; this helps everyone do a better job, and is a fine networking opportunity, too.
We recommend that you create a Word document named "How to keep the data in this organization safe."
This document will be your main way of planning and tracking your security effort. 201cmr17 specifically requires that you use a document like this, which the regulation refers to as a "WISP", a written information security plan. As we go forward, we'll take repeated looks at our how-to to show how it develops. Here's how your ISM (data safety manager) might start:
How to keep the data in this organization safe
by Brooke Nicole Mayfield, security manager,
Our organization is committed to protecting the private information entrusted to us in the course of business.
It is our policy to identify private information as it comes in to our company. Private information is defined as "Personal information" as defined in 201 CMR 17.00, and as additional information that we and our customers consider confidential. This information is stored in locked physical spaces or encrypted computer files, and is only retrieved by staff who have a business need for it. When there is no business need for it, the information is shredded or securely erased.
Staff who have a business need to use this information sign a confidentiality agreement upon hiring. Upon leaving the company, people relinquish their passwords and keys to the locked physical spaces, and the passwords they have been using are changed.
The organization will only share private information with partners or vendors who need the information in order to do business with us. These partners and vendors must certify to us in writing that they follow a data security plan equivalent to ours.
As an additional precaution, the organization follows industry-standard good computer security practices, including the use of up-to-date antivirus/antimalware protection, security patches, physical firewalls, good password procedures, and physical access controls.
The organization regularly audits the training and practice of its staff in enforcing data security. Staff who enforce the security rules properly are richly rewarded, and staff who do not are given verbal, then written warning, and if the problem persists, they are asked to leave.
In the event of a security breach, the Information Safety Managerwill carefully investigate and document the breach.
Your organization's awareness of real vs. imagined risks can have a huge impact on how safe you are. Just a few thoughts to get you started: in many years of working with organizations, the computer helpers at Computer Care and Learning have observed no intrusions into customers from outside, except by generic virus and malware infections. In the same time span, we have seen or heard about several instances of major embezzlement by trusted staff people. Your security arrangements should take internal theft extremely seriously, and you should work hard to create an environment which makes this kind of theft very difficult. We would like to add that, in our own view, the biggest victim of embezzlement and theft is the thief-- property can be replaced, but the damage to a person's character by doing something dishonest is very hard to repair. Everyone, under some circumstances, can give way to temptation-- help people resist their weaknesses by making theft difficult. Do this socially, by making data safety part of your culture, and do it technically by the methods we explore on this site. Be aware of people's stresses in your organization; be alert to people who have gotten disconnected or are in times of turmoil, and help them.
Until we have something better, a WISP document like the one above, signed by the CEO of your vendor or partner, goes a long way towards assuring compliance. The "public" WISP would be shortened, to reduce unnecessary detail and keep some methods private. Our hope is that our community will develop a rigorous, peer-reviewed certification process. We hope that this site will be one of the early steps towards that process.
We recommend that your Information Safety Manager (ISM) develop a password list for the company. Bruce Schneier's Password Safe program is a good tool to use to manage your passwords. You may also use Excel for this purpose, Winzip-Encrypted or Truecrypted(see Winzip and Truecrypt, below). Excel is simpler to use and you have more formatting flexibility; Password Safe has the great advantage of being able to use the passwords discreetly even when sharing your computer screen with colleagues or students.
The basic rule for passwords is that they be 8 characters, including at least one non-letter character and at least one change of case. We recommend you take a song or a poem or a saying, and take the first letter of each word, so a decent password is Rrryb,gdts (Row row row your boat, gently down the stream). We don't want words or names, because people can use dictionary attacks, and computer have gotten very fast at trying combinations.
The only exception to the 8 character rule is for Truecrypt passwords (20 characters), which you'll read about below.
If you use Excel, a good layout for the password list is:
User name Password Song/poem Description
JoanJett Ilr&r,paditjbb "I love rock & roll, put another dime in the jukebox baby" Itunes store password
All passwords for the organization are stored here, including workstation passwords, which are passed in person to the Information Security Manager (ISM).
The list is printed out, and a copy given to the CEO and the ISM to take home and keep in a safe place there. If you are using Password Safe, use the export feature to export to Excel. Then print out what you need, and use Tolvanen's Eraser program (see below) securely to erase the exported file.
Note that good business practice, and 201 CMR 17.00, requires workstation passwords.
Note also that when a person leaves an organization, the best practice is to change all passwords on the list she has access to. This is a serious challenge, that can lead to unexpected problems. For example, if you change your adminstrator password to your network, your backup system will stop working until you change the password there. If you add a Windows password to a Vista machine, the password cache can get cleared, and automatic connections to peer workstations will stop working.
You can invest in new file cabinets, or retrofit old ones (www.cubiclekeys.com advertises this service).
Your ISM needs to develop a system for the handling of the keys. For example, in a Boston mortgage processing company, only two staff people, plus the data manager and the president, need to look at these reports. All 4 of them are given a key request form to sign:
I accept a single copy of the key to the credit report filing cabinets. I will keep the cabinets locked at all times, except when I am standing next to them and taking out or putting in a credit report. Any credit reports which I receive by mail or fax, or print out or take out of the file cabinet, will stay with me until I return them to the locked file cabinet.
I will not share my key with any other person, and I agree to return it when I leave the company.
One theme we will emphasize here, which we will return to repeatedly: data safety is as much a social process as a computer process. For security to work in your organization, you must all respect your security rules. As is the case with tools, we recommend only a few rules, but these few rules must be taken seriously by everybody. For keys and passwords, the rule is: never share your key or password with any unauthorized person, even if you trust them, and they are your friend, relative, or longtime co-worker. Emphase that this is a safety practice that everyone follows, not an attack on anybody's honesty.
Winzip is a respected, mature program that lets you encrypt your files using strong encryption. We think that for business uses, it is easier to use than TrueCrypt, and less prone to careless mistakes.
Having said that, TrueCrypt is a versatile, well-respected, free program that allows you to create a new drive on your computer-- you pick the letter-- which you can use like any other drive. Copy files to it, delete files, create folders and subfolders, copy whole folder trees from you data. Once you lock the new drive, it turns into a regular Windows/DOS file that contains gibberish. When you unlock it with the password, it becomes the new drive again, and you get access to all the files.
Tolvanen's Eraser (http://www.tolvanen.com/eraser/) is a free, widely-used program that lets you securely delete electronic files from your computer so that no one, including an IT professional with fancy recovery tools, can recover the files.