Data Risk Governance

Exploring the intersection between information security, privacy, technology and the law.

Archive for August, 2009

Multi-Factor Authentication: Satisfying the Interagency Guidance (Financial Institutions)

Posted by Matt on August 25, 2009

For details on the actual Interagency Guidance, see this page.

Hopefully you have some semblance of an application inventory.

Filter your apps on three criteria:

  1. Any application facing the Internet that is accessed by customers, AND one of the following:
  2. Can the customer access his or her own personal information (SSN, DOB, Acct #, Name, Address, etc.; these attributes should already be defined in your organization’s information security policy)?  OR
  3. Can the customer initiate a movement of funds to another party?

This should give you the entire population of applications in scope for multi-factor authentication (MFA) analysis. Tier your results according to the following prioritization scale:

  1. Internet facing applications that allow both funds movement and access to personal information;
  2. Internet facing apps that do NOT move funds but still allow access to personal information;
  3. Further tier these apps according to the types and combinations of personal information available, for example toxic combinations of multiple elements vs. single elements:
     a. SSN + DOB + Name + Address + Mother’s Maiden Name
     b. Name + Address + Account #
     c. Name + Account #
     d. Name only

This is just a simple example; obviously your tiering could be more complex and varied. Once your tiering is complete, there is an imaginary line: all the apps above the line need to be brought into conformity with the MFA guidance, and all the apps below it can be justifiably excluded based on low asset value (low risk transactions).

The Interagency Guidance for MFA requires three outcomes:

  1. Implement true two-factor authentication
  2. Implement Layered controls
  3. Implement “other” compensating controls

For your higher risk apps, according to your tiering, you should do item 1 or 2. For lower risk apps, look at doing 2 or 3.

The “layered” controls approach can be interpreted (though it will depend partly on your examiners and their style) as the totality of controls in place to protect customer information. If you already do a risk assessment for info sec or GLBA or something else, you can leverage that. The totality of controls in a layered security approach would certainly include the SOX general computer controls, so leverage that documentation if you have to.

The “other” controls are, in my opinion, the regulator’s response to push-back from the industry to stop short of mandating MFA. In other words, if you can make a good argument for why you don’t need MFA and that current controls exist that are effective enough, given the risk profile of the application (asset value, data at risk, type and number of transactions, etc.), you are good to go.
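The scoping and tiering procedure above, applied to an application inventory, as an added example (not code from the post). It assumes a constructed inventory, treats funds movement with no personal information as tier 1, and draws the “imaginary line” so that tier 1 and sub-tiers a/b get guidance item 1 or 2, sub-tier c gets item 2 or 3, and name-only apps are excluded; all of those placements are assumptions you would set from your own risk assessment.

```python
from dataclasses import dataclass
# Sub-tiers a..d from the post, most toxic first ("mmn" = mother's maiden name).
TOXIC_COMBOS = [("a", {"ssn", "dob", "name", "address", "mmn"}),
                ("b", {"name", "address", "account"}),
                ("c", {"name", "account"}), ("d", {"name"})]
SUB_ORDER = "abcd-"  # "-": no personal information exposed

@dataclass(frozen=True)
class App:
    name: str
    customer_facing: bool  # Internet facing AND accessed by customers (criterion 1)
    moves_funds: bool      # criterion 3
    pii: frozenset         # criterion 2: elements the customer can view

def in_scope(app: App) -> bool:
    """Criterion 1 AND (criterion 2 OR criterion 3) from the post."""
    return app.customer_facing and (app.moves_funds or bool(app.pii))

def pii_subtier(pii):
    """Most toxic listed combination fully contained in the exposed elements."""
    for label, combo in TOXIC_COMBOS:
        if combo <= pii:
            return label
    return "d" if pii else "-"

def tier(app):
    """Tier 1: funds movement (+ PII); tier 2: PII only. Assumption: funds
    movement with no PII exposure is still treated as tier 1."""
    return (1 if app.moves_funds else 2, pii_subtier(app.pii))

def control_target(t):
    """Assumed 'line': tier 1 and sub-tiers a/b are high risk (guidance item 1
    or 2); sub-tier c is lower risk (item 2 or 3); name-only is excluded."""
    level, sub = t
    if level == 1 or sub in ("a", "b"):
        return "true two-factor or layered controls"
    return "layered or other compensating controls" if sub == "c" else "excluded (low asset value)"

def prioritise(inventory):
    """In-scope apps from highest to lowest MFA priority: (name, tier, target)."""
    rows = sorted(((tier(a), a) for a in inventory if in_scope(a)),
                  key=lambda r: (r[0][0], SUB_ORDER.index(r[0][1])))
    return [(a.name, t, control_target(t)) for t, a in rows]

# Constructed sample inventory (not from the post).
SAMPLE = [App("online-banking", True, True, frozenset({"name", "address", "account"})),
          App("statement-viewer", True, False, frozenset({"name", "account"})),
          App("teller-desktop", False, True, frozenset({"ssn", "dob", "name"})),
          App("newsletter-prefs", True, False, frozenset({"name"}))]
```

Internal apps such as the teller desktop drop out at the scoping step, so they never appear in the prioritised list even though they hold the most toxic data.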

Posted in Regulation, Risk Assessment, Risk Management & Compliance

e-Discovery Curriculum and Course

Posted by Matt on August 24, 2009

Updated 12/2/09

Regarding an e-Discovery course at an accredited law school this fall semester 2009, I will be live-blogging the course. The casebook for the course is Electronic Discovery and Digital Evidence by the Honorable Shira A. Scheindlin, et al., West Publishing, ISBN: 978-0-314-19131-1. For interested parties, I encourage you to obtain a copy of the casebook and read along, keep up with the reading assignments, and we can engage in a dialogue on this blog.

Full Syllabus here.

View Week One discussion, notes and case briefs here.

View Week Two discussion and notes on guest speaker George Socha and EDRM here.

Week Three: Labor Day Holiday

Week Four: Sept. 14, 2009, discussion and notes with guest speaker Craig Ball, here.

Week Five: Sept. 21, 2009, Duty to Preserve; Zubulake V and Guest Speaker Hilde Baubier from 3M, see discussion here.

Week Six: see discussion here.

Week Seven: Oct. 5, 2009, see discussion here.

Week Eight: Oct. 12, 2009, Forms of Production, Search Technologies and guest speaker Paul Luehr, of Stroz Friedberg, LLC. See discussion here.

Week Nine: Oct. 19, 2009, Metadata and guest speaker Jeremy Wunsch, CEO of Lucidata. See discussion here.

Week Ten: Oct. 26, 2009: Forced Production of Not Reasonably Accessible Data, Cost Sharing/Shifting (Zubulake I), Production From Non-Parties, International Cross-Border Issues (EU Privacy Accord). See discussion here.

Week Eleven: Nov. 2, 2009, Spoliation Part 1. See discussion here.

Week Twelve: Nov. 9, Spoliation Part 2. See discussion here.

Week Thirteen: Nov. 16, Ethics and Professional Responsibility, Third-Parties and Adjuncts. See discussion here.

Week Fourteen: Nov. 23, Waiver of Attorney-Client Privilege, FRE 502, Waiver Agreements. See discussion here.


OVERVIEW

  1. The Importance of Electronic Discovery in Litigation
  2. The Effect of Electronic Information on Discovery Practice
  3. Records Retention & The Duty to Preserve
  4. Duty to Preserve
  5. Possession, Custody & Control, Meet & Confer
  6. Data Collection
  7. Form of Production, Search Methods
  8. Metadata, On-Site Inspection & Mirror Imaging, Production of Not Reasonably Accessible Data
  9. Cost Sharing/Cost Shifting, Production from Non-Parties, Cross-Border Protection Issues
  10. Spoliation – Part I
  11. Spoliation – Part II
  12. Ethical Issues & Professionalism
  13. Privilege Issues
  14. Admissibility of Digital Evidence


Posted in eDiscovery
