E-CommerceALERT.com is part of the Bennett Gold LLP web site network.
LINK TO: Bennett Gold LLP, Chartered Accountants, home page.
LINK TO: E-CommerceALERT.com Home Page.
CLICK to GO BACK to Main Page.

Research and retrieval of news articles by Bennett Gold LLP, Chartered Accountants

Effective December 31, 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering articles from the period 1999 to 2012.


Source: itWorldCanada

Posted on November 15, 2006

      Regulatory requirements and increasing consumer concerns about information security breaches are making data-level security controls a top priority for 2007, according to IT managers at the Computer Security Institute (CSI) trade show in Orlando this week.

      After years of implementing technologies such as firewalls and intrusion detection systems to keep network perimeters safe, companies now must move similar controls down to the data level, they said.

      "The data now matters above everything else," said John Ceraolo, director of information security for JM Family Enterprises Inc., a US $9.4 billion auto distribution and financing company based in Deerfield Beach, Fla.

      Non-public information of all sorts needs to be protected, whether it is at rest or in transit, he said. And that requires an increasing focus on measures such as data classification and encryption, stronger user access and authentication and usage monitoring and auditing, Ceraolo said.

      Most of the "blocking and tackling" that was needed to handle network threats has, to a large extent, already been accomplished via technologies such as firewalls, and intrusion detection and prevention systems, said Mark Burnett, director of IT security and compliance at Gaylord Entertainment Co. in Nashville.

      The goal now is to put multi-layered defenses around the data as well, he said. "We are layering technology controls to make sure we can identify where the information is passing across our network" and protect it.

      "The overall driving force behind our [security] program is reputation management. We have worked hard to build the Gaylord brand," he said. "Any one incident could ruin all that work."

      Also driving the focus are regulations that Gaylord is required to comply with such as the Payment Card Industry (PCI) data security standard mandated by the major credit card companies and Sarbanes-Oxley, he said. "We absolutely recognize the need to protect sensitive information and are working hard to fulfill that obligation," he said.

      Ann Garrett, the chief information security officer at the North Carolina state office of information technology in Raleigh, said that a new state law governing the use of personally identifiable information has elevated the need for security controls at the data level. The law went into effect for private industry on Oct. 1 and will apply to state agencies on Oct. 1, 2007.

      "We have a strong network firewall, intrusion detection system and intrusion prevention system," Garrett said. What's lacking are controls for mitigating user errors at the end point, she said. As a result, there's an increased focus on data encryption - and on ways to log and audit user transactions. "We have to add accountability and auditability" at the end point, she said. "There is a whole lot of emphasis on protecting personally identifiable information right now," Howard said during a panel discussion. "Congress, the Office of Management and Budget and Inspectors General are looking over our shoulders closely."

      Howard's agency earlier this year disclosed that it had lost a back-up disk containing sensitive data on 757 current and former HUD employees. "We pulled back the sheet and discovered there is a lot to do" to protect personally identifiable data, Howard said.

      HUD plans to have an implementation plan in place by the end of the year to address issues identified so far, he said. Among the planned measures are data encryption, two-factor authentication of users and the ability to more closely monitor user activity.

      "There are so many vulnerabilities out there, there aren't enough hackers to take advantage of all of them," Howard said. So it's important to take a holistic risk-based approach to securing data and to understand that it's about "people, process and technology," he said.

CLICK to GO BACK to Main Page.

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.

Final Entries

LINK TO: Bennett Gold Chartered Accountants: A Licensed Provider of WebTrust Services.

WebTrust Is Your
Best Defense
Privacy Breaches.

Get WebTrust
Working For
Your Site.