Minding the Data

The "whys" of data access management are as far-reaching as the technology used to manage it. According to New York-based Ernst & Young LLC, regulatory compliance is the No. 1 driver of insurance industry information security. However, the devastating consequences of other incidents, from breaches to simple human error, can't be dismissed.

Consider the dilemma faced by Minneapolis-based Ameriprise Financial, Inc., forced recently to tell its shareholders that the theft of a single laptop resulted in the potential exposure of 158,000 client names and account identification information. And although analysts predict that Prudential Financial Inc.'s insurance group, Newark, N.J., will not be held accountable for 15 months' worth of sensitive data being misrouted to the wrong location, the damage control needed may require considerable effort.

What it boils down to is insurance organizations don't have much choice: To effectively manage ever-increasing security challenges and stay a step ahead of regulatory reporting requirements, carriers need a comprehensive approach to data access management.

That comprehensive approach is not a one-size-fits-all proposition; rather, it's one of appropriateness and magnitude, says David Meunier, vice president, chief information security officer for CUNA Mutual Group and its affiliates, a $14-billion provider of financial services to credit unions and their members worldwide.

Meunier is responsible for securing data access for the company's 6,000 employees, 2,400 of whom are housed in its Madison, Wis., headquarters, and 1,500 who access data remotely. Although Meunier is hesitant to share his company's specific security measures, he does admit that using common sense methodology is a good start.

Mix-and-match approach

"A user name and password would never be sufficient across our entire business, although it may be sufficient for internal e-mail," says Meunier. "So I ask, 'do I want to authenticate out over the Internet with just my user name and password?' Probably not, so I'll probably use VPN technology and stronger passwords like RSA tokens, etc. We use a mix-and-match of authentication tools and technologies appropriate for each designated area."

Lowell Starling would agree that tailoring security to the unique needs of the user is important. As vice president, infrastructure management for health insurer Highmark, a not-for-profit independent licensee of the Blue Cross and Blue Shield Association, he oversaw the creation of the company's data center last year. The 87,000-square-foot facility near Hershey, Pa., houses 50 employees and provides daily connectivity to more than 100 hospitals, 40,000 health care professionals and 10,000 remote users; it provides end-to-end support for the sales process, enrollment, claims processing, and statistical and financial analysis, among other functions. The grounds surrounding the data center's physical plant are protected by perimeter fencing and day-and-night electronic surveillance.

"We moved to 24/7 operations, Internet access and an e-platform, which lowers the cost to the customer by requiring them to exclusively conduct business with us electronically," explains Starling, "and because we are dealing with protected health information and work for Medicare and the U.S. Dept. of Defense (DoD), security is vital."

Like Meunier, Starling is vague when describing the specific security elements that apply to Highmark's internal data-processing resources, but confirmed use of a one-factor card-swipe system that users must employ multiple times before accessing even the building's lobby. Highmark also requires use of biometric fingerprint readers for access to the area housing the data center's technology core.

For both Meunier and Starling, determining adequate security measures is an ongoing process that involves heavy discussions with the business side, as well as a constant eye on user requirements, industry standards and an ever-increasing regulatory influence.

Meunier says that although CUNA Mutual is not considered a credit union or a bank, the organization must still anticipate upcoming regulatory requirements, such as those issued by the Federal Financial Institutions Examination Council, or FFIEC, a Washington, D.C.-based government body that spans five federal financial agencies: the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency and the Office of Thrift Supervision.

A stepped-up review

FFIEC spokesperson David Barr confirmed to INN that the most recent FFIEC advisory, which asks organizations to assess the adequacy of their user authentication, applies to those institutions regulated by the members of the FFIEC.

"To my knowledge, none of those agencies regulate insurance companies. However, if an insurance company owns a financial institution regulated by one of those FFIEC members, that financial institution, not the parent, would be subject to the advisory."

For Meunier, "it means doing more of a stepped-up review to make sure we are doing what they are asking. Because we play heavily in the financial space, we have to look at where this applies to us," he says.

"I try to take a philosophical approach, because when we look at the regulations to make sure we are in compliance, we use those as guidance, because I'm already trying to drive toward that type of outcome, just based on evaluation of our risk."

CUNA Mutual also monitors industrywide practices. "If I pick solution 'A' for our multifactor authentication and the credit union industry selects solution 'B,' and we are very integrated in some of the applications we are using, we will have integration challenges."

Assessing the adequacy of user authentication means evaluating whether a user should have permission to access data based on one or more factors, such as "what the user has," "what the user knows" and "who the user is."

Depending upon the level of risk, more and more financial organizations are combining the use of complex password schemes, digital certificates, proximity cards, hardware tokens, smart cards and multi-factor biometrics, says Ariana-Michele Moore, banking group senior analyst at Celent LLC, a Boston-based research firm.
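As an added example, not code from the article or from CUNA Mutual or Highmark: a small Python policy check that mirrors the three factor classes above and Meunier's mix-and-match rule (a password alone for internal e-mail; VPN plus a token from the Internet; a biometric for the data-center core, as at Highmark). The policy table, credential names and function names are assumptions made for the illustration.

```python
# Added example: risk-tiered authentication adequacy check. All names and the
# policy table are constructed assumptions, not the article's or any vendor's code.
from enum import Enum

class Factor(Enum):
    KNOWS = "what the user knows"   # password, PIN
    HAS = "what the user has"       # hardware token, smart card, certificate
    IS = "who the user is"          # fingerprint or other biometric

# Which factor class each credential type supplies (constructed mapping).
CREDENTIAL_FACTOR = {
    "password": Factor.KNOWS, "pin": Factor.KNOWS,
    "rsa_token": Factor.HAS, "smart_card": Factor.HAS,
    "digital_certificate": Factor.HAS, "proximity_card": Factor.HAS,
    "fingerprint": Factor.IS,
}

# (network origin, resource) -> minimum distinct factor classes plus extra
# requirements. Constructed to mirror the article's examples: a password is
# enough for internal e-mail, Internet access needs a VPN and a second factor,
# and the data-center core needs a biometric.
ACCESS_POLICY = {
    ("internal", "email"): {"min_factors": 1},
    ("internet", "email"): {"min_factors": 2, "vpn": True},
    ("internal", "client_records"): {"min_factors": 2},
    ("internet", "client_records"): {"min_factors": 2, "vpn": True},
    ("onsite", "data_center_core"): {"min_factors": 2, "biometric": True},
}

def distinct_factors(credentials):
    """Count factor classes, not credentials: a password plus a PIN is still one factor."""
    return {CREDENTIAL_FACTOR[c] for c in credentials if c in CREDENTIAL_FACTOR}

def assess(origin, resource, credentials, over_vpn=False):
    """Return (adequate, reasons); unknown origin/resource pairs are denied by default."""
    policy = ACCESS_POLICY.get((origin, resource))
    if policy is None:
        return False, ["no policy for this origin/resource: deny by default"]
    reasons = []
    factors = distinct_factors(credentials)
    if len(factors) < policy["min_factors"]:
        reasons.append(f"need {policy['min_factors']} factor classes, have {len(factors)}")
    if policy.get("vpn") and not over_vpn:
        reasons.append("VPN required for access from the Internet")
    if policy.get("biometric") and Factor.IS not in factors:
        reasons.append("biometric factor required for the data-center core")
    return not reasons, reasons
```

The deny-by-default branch and the distinct-factor count are the two checks worth keeping in any real implementation: an unlisted resource should never fall through to the weakest tier, and two credentials of the same class do not make a second factor.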

Moore says that, for commercial physical access control, smart cards are by far the most widely used device for gaining entry to secure areas such as data centers.

"But the desire to have a physical access device that is tied to the actual person, whether by knowledge (PIN) or by a physical characteristic (biometrics) is growing," says Moore.

Both Starling and Meunier believe that best-practice industry standards can guide more than just the design of data access controls: they can also be used to maintain a successful audit program.

Highmark's work with the DoD requires the company to adhere to the DoD Information Technology Security Certification and Accreditation Process, and its work with the Centers for Medicare and Medicaid Services requires the company to make its records available to the government at a moment's notice.

Standards and best practices

"This all requires us to consider carefully who accesses what data and when," says Starling, who reports having participated in 34 internal and external audits last year.

Willibert Fabritius, an auditor with TUV Rheinland of North America, a Newtown, Conn., provider of testing and assessment services, says companies that combine best practices with additional standards such as ISO 17799 and British standard BS 7799-2 can help achieve continuous improvement of information security management.

"BS 7799-2 is an information security management system that uses the same improvement philosophies as ISO 9001 and emphasizes the risk management process that affects all areas of a business," he says.

"The ISO 17799 standard creates a code of practice for information security management. When the two standards are combined, a company has a great platform from which to create a secure IT system. And by achieving such standards, the company can tout its security when marketing its services."

Meunier uses standards to help frame efficiencies around CUNA Mutual's governance and the security auditing process. "We are building toward COBIT, ISO 17799 and BS 7799," he says.

"When external auditors come in, they audit toward industry standards and controls that look at accountability, sustainability, repeatability. We need to be able to prove how a certain security element works compared to industry standards for control."

Value of education

Of all the elements of a successful security program, however, Meunier sees powerful potential in the value of education. This month CUNA Mutual is launching an updated Web-based "Security Basics" certification program that all employees are required to complete.

"At its basic level, we give [employees] tools, tips and tricks, such as 'Don't put your password on a Post-it and tape it underneath the keyboard,' or 'check your fax machine before you walk away to make sure you are not leaving sensitive information.'"

From there, the program starts specializing. "We are conducting executive-level briefings," says Meunier. "And we're promoting field user-level education so salespeople, who are typically working in a wireless environment, will understand exposures, hot spots, EVDO (Evolution Data Optimized) wireless capabilities, Bluetooth, etc."

The program will also help CUNA Mutual's helpdesk. "They hold the keys to the kingdom because they can change IDs," says Meunier, "so we'll help them better identify and thwart social engineering."

Both Starling and Meunier agree that a comprehensive security program is necessary, but ultimately, a one-size-fits-all scheme won't work when managing data access.

"Protecting the perimeter is just one piece of the security puzzle," says Starling. "You need to focus on all constituents and all data access possibilities."

It all comes down to looking at what it is you are trying to secure, adds Meunier. "We need to make sure they are who they say they are on the other side, and they are getting at the data meant for their access only and not data that they shouldn't see."
