This month's cover story "Hard to Decipher" by Ericka Chickowski [June 2006] is highly ironic. It cites numerous executives at Fidelity as experts on the subject of customer data privacy and security.
I am an employee of Hewlett-Packard. The U.S. HP retirement plan is managed by Fidelity. A few months ago, a Fidelity employee downloaded the entire database (unencrypted) of U.S. HP employees (many tens of thousands of people) and took it to an HP meeting. The laptop was stolen along with all the records. Fidelity's response was that the risk of identity theft was low since they suspected the target of the theft was the laptop, not the data within. Of course this was just spin to keep the HP employee backlash at a minimum.
Please forward this letter to the author. I really wish someone would do an article on the real story. If financial institutions, such as Fidelity, can't be trusted with our identity (and thereby our money), we're all going to go back to the days of putting our retirement under the mattress. The security community is so focused on theft during data transmission, but the biggest gap is still physical security. Employees of a financial institution can merely walk out the door with the data. And the potential reward is beyond enormous.
Lainye Heiles, Hewlett-Packard
West Coast Bureau Chief Ericka Chickowski responds: Though it may serve as very little consolation to you and your co-workers, Joe Nackashi works at a completely different Fidelity subsidiary than the one that exposed HP employee data. Nackashi is CTO of Fidelity Information Services (FIS), Fidelity's mortgage business. Had that data been FIS data, you would have been protected.
This shows how in the case of major conglomerates such as Fidelity, the security inadequacies of one business under the corporate umbrella can undermine public perception of all the other businesses as well.
While the HP data loss by a Fidelity Investments employee is inexcusable, we at SC felt that Nackashi's efforts in encrypting FIS data are still noteworthy, considering how many other companies are mulling over the same type of strong data protection. Hopefully, the CTOs at the other Fidelity businesses can learn a lesson from their colleague.
Telecommuting & bird flu
The Department of Health and Human Services' Centers for Disease Control and Prevention has provided recommendations to businesses to support preparedness efforts related to Avian Influenza Human Pandemic Influenza. Under the directive to "allocate resources to protect your employees and customers during a pandemic," the CDC has called to "enhance communications and information technology infrastructures as needed to support employee telecommuting and remote customer access." In a perfect world we could pretend that telecommuting was a great idea.
After we set aside the gargantuan and pricey task of building a remote infrastructure to handle production capacity telecommuting, we are left with an even more ominous and daunting task of security and compliance. Remember that the business makes the money, and we work to ensure that the business gets to keep the money by not getting sued, fined or shamed out of profitability. Without security controls, we cannot keep the secrets to success to ourselves or guard valued customers and clients from the competitors trying to steal them from us.
How can anyone forget what it took to even attempt compliance within the confines of a locked business facility, with managed assets and a barrage of physical, logical and administrative oversight? When I hear about home-based call centers or enterprise-wide telecommuting, my mind races through dozens of checklists and control objectives. I'm dying to know how businesses have convinced themselves they can maintain mandatory minimum compliance standards in the private homes of their workforce.
Have these businesses ensured that the authorized user working from their apartment is the only person accessing, authenticating, transmitting, processing, storing, recovering or destroying information or any other restricted/classified proprietary information?
The opportunities for accidental or intentional mishandling of data, equipment and access are as endless as the certain stream of non-compliance. Don't tell me it's all based on trust between the company and the workforce. I do not believe companies can maintain compliance deliverables in a telecommuting environment with highly regulated classifications of data. Period.
And we haven't even addressed the continuity issues related to the bird flu yet.
Lisa F. Picard, Security & Business Continuity, World Access, Inc.
Linking to SC.com
My name is Brian Nichols and I am the IT Security & Policy Officer at Louisiana State University (LSU). I noticed the vulnerability alerts section on your website and found the content to be very useful. I use your website as a resource for security-related news and information. I'm wondering if you might allow my institution to use the vulnerability alerts box information on our site?
If so, how can we link this box up to our website?
Brian Nichols, IT security & policy officer, Louisiana State University
Online Editor Frank Washkuch Jr. responds: IT security organizations and instructional institutions are invited to link to the SC Magazine website. For vulnerability alerts, just link to http://www.scmagazine.com/us/