Click Here to Install Silverlight
United States Change | All Microsoft Sites
Results by Bing
Feature Story
Security 360: Comprehensive Approach Required for Businesses to Protect Confidential Information
Data privacy isn't just the legal department's concern; it's crucial to customer trust and business success.

REDMOND, Wash., Oct. 19, 2005 – Not too long ago, when businesses sought to protect trade secrets, confidential communications and the private information of customers, the checklist of things “to do” and “not to do” was pretty short. For most companies, it involved little more than locking file cabinets, making sure no one spoke too loudly during business lunches and ensuring old documents were shredded before they were thrown in the dumpster.

Privacy Check List
During the October Security360 webcast, Microsoft Corporate Vice President Mike Nash offered the following check list of privacy safeguards for companies to ensure they are adequately protecting confidential information on their IT systems:
Protect desktop computers:

Use firewalls to protect the perimeter of the IT network and desktops.

Get current by using up-to-date versions of software.

Deploy auto-update technology, which helps ensure software is current.

Deploy anti-spyware, anti-virus tools and phishing filters.

Use physical security to restrict access to sensitive systems.

Put policies and processes in place to manage data:

Perform a risk assessment and analysis on important customer and employee data and intellectual property. The free, online Microsoft Security Assessment Tool is available at Microsoft.com. Additional risk-management and assessment guidance is available on the TechNet security center at TechNet.

Perform an inventory of data and categorize its sensitivity level based on a risk analysis.

Define policy for protecting sensitive data and educate employees on this policy.

Create processes for managing data based on data-handling policies – and have policy in place for how sensitive data is backed up and stored. As appropriate, organizations should deploy technologies, such as encryption, to protect the storage disk.

Deploy the following technologies to automate and help enforce your data handling policies:

Access Control List (ACL), policy-based rules that prescribe different levels of access to system and user information, to protect sensitive folders, shares, intranet sites and SharePoint sites

Encrypted File System (EFS), the built-in file encryption tool in Microsoft Windows 2000, Microsoft Windows XP Professional and Microsoft Windows Server 2003, to mitigate the risk of stolen laptops by preventing unauthorized access to data on machines

Rights Management Services (RMS) for defining and enforcing security and Full Volume Encryption, which will be available in Microsoft Windows Vista for documents distributed outside a company’s firewall and to help secure the entire computer against offline attacks

Group Policy in Active Directory to define privacy settings, such as password policies and Smartcard policies, throughout an organization

Systems Management Server (SMS) to change and configuration management for the Microsoft platform by providing software and updates to users quickly and cost-effectively 

Educate employees, vendors and partners on safe online habits. Good habits include:

Using strong passwords

Using unique passwords for different website

Ensuring Secure Sockets Layer (SSL) encryption is used when providing information in a web form

Ensuring you are at the right website

Not clicking on links in e-mail

Not leaving laptops unattended or unprotected while away from the office.

The checklist is considerably longer today. The increasing power and ubiquity of information technology (IT) has spurred on a virtually non-stop exchange of electronic data and documents among co-workers, partners and customers. During this month’s Security 360 webcast, Microsoft Corporate Vice President Mike Nash and Director of Product Management Amy Roberts of Microsoft’s Security Technology Unit, gathered with security and privacy experts from the industry to discuss privacy and offer businesses advice on how to reduce the risk of private information getting into the wrong hands, while continuing to realize the business value of anytime, anywhere access and exchange of information.

During the live 60-minute webcast, the experts urged businesses to gain a better understanding of both the differences and similarities between privacy and security. They also discussed the importance of strong policies and procedures to help manage and protect confidential information – in tandem with powerful Microsoft technologies designed to help businesses increase privacy and security.

The webcast aired Tuesday and is available on demand at www.microsoft.com/security360 along with past shows from the series. Microsoft began offering the webcasts in 2004 to help businesses leaders and IT professionals learn about the latest techniques and technology to help protect their PCs and IT infrastructure. Localized versions of the on-demand webcasts are available in nine languages.

Defining the Privacy Challenge

Concern about data privacy has been growing within the corporate world for years. But it has begun to take center stage in boardrooms and IT departments following high-profile breaches of customer payment information and other confidential data. Nash cited a 2005 CSI/FBI Computer Crime and Security survey that estimated the total financial damage caused by unauthorized access to sensitive information has grown 600 percent over the past year, with 30 percent of companies reporting losses. More than half (56 percent) of these breaches were performed by people within the companies, according to the survey.

In the United States, new federal and state regulations, such as the Health Information Portability and Accountability Act (HIPAA) and the financial account requirements of the Sarbanes-Oxley Act, have created strict legal requirements for privacy for many businesses. Laws in Europe, Canada, and Japan add additional regulatory requirements for international businesses.

Nash and other experts said the protection of corporate and customer data needs to be viewed as more than a legal obligation for today’s businesses; it must be seen as a key to building customer trust and business success.

“Branded organizations begin with a concept of trust. If the public believes we are using information inappropriately or are not protecting it adequately, it will really hit the trust concept very, very hard,” said Marty Abrams, senior policy advisor and executive director of the Center for Information Policy Leadership, during the “What Is It?” segment of the webcast. “It’s hard to recover from a loss of reputation.”

In fact, more than eight out of 10 consumers say they would stop doing business with a company if they heard or read that the company misused customer information, according to a 2003 study by Privacy & American Business.

Businesses worldwide are investing vast resources to address the challenges of privacy and security, yet they continue making headlines. At the root of the challenge, the Security 360 panelists noted, is the question of how businesses approach privacy – even how they and the general public define the term.

Panelists defined IT privacy as the protection of a broad swath of corporate data. In addition to intellectual property and corporate secrets, companies need to protect confidential customer health and financial information, as well as personal information such as Social Security numbers, addresses, credit-card information and even information about browsing habits.

During the 360 Roundtable, hosted by Roberts, Adam Shostack, an independent cryptographer and security expert, said the term privacy is used in everything from advertisements to sell curtains to political short hand during the ongoing debate about abortion rights. Privacy “has this enormously broad spectrum of meaning,” Shostack said. If companies don’t consider this broad spectrum, they are likely to touch a raw nerve with their customers, he said.

Rather than viewing privacy and security as one and the same thing, businesses need to view privacy as a separate yet related responsibility, Shostack and others said.

“It’s difficult to have privacy without security, but if you say you have a secure environment that doesn’t guarantee you have privacy,” said Gerry Gebel, senior analyst for the IT analyst firm Burton Group.

Peter Cullen, chief privacy strategist for Microsoft, noted during the roundtable discussion that the IT departments within many businesses are investing time and resources to restrict access to their corporate networks resources and the information stored on them. But these same protections aren’t always extended to the information that is collected or stored on employee laptops or their corporate websites. Although these sites collect much of the same customer information as is securely stored on the network, they are often run by corporate marketing departments, which aren’t always tasked with IT privacy, he said.

New Software, Services Underpin Privacy

Except in specialized computing environments, businesses have traditionally had few tools to limit distribution of confidential or personal information. During Tuesday’s webcast, Nash and others discussed new technologies offered by Microsoft and other companies that have made it easier for companies to affordably increase data privacy. Windows Rights Management Services (RMS) technology, introduced in Microsoft Windows Server 2003, and Information Rights Management (IRM) technology, introduced in Microsoft Office 2003, allow the creator of a document or an e-mail to set rules for who can open the document and whether the document can be revised, printed or forwarded.

IRM in Microsoft Office 2003 permits the protection of Microsoft Office documents, while RMS allows organizations to set consistent rules for how documents can be used, and can be integrated into third-party applications and Microsoft Office 2003. Once a document or e-mail message is protected by rights-management technology, the protections travel with the file.

Privacy Policies, Procedures Equally Important

Technology is only part of the solution, and is only as effective as the internal practices and policies companies set up for the technology to help enforce, the expert panelists said.

The security breaches that have really sapped public trust in recent years have “had nothing to do with the big system itself,” said Marty Abrams, senior policy advisor and executive director of the Center for Information Policy Leadership. These breaches involved “the wrong people seeing the data at the wrong time and using it in the wrong way.”

Nash presented a checklist (see Privacy Check List, this page) of recommendations for companies to help ensure adequate privacy safeguards.

Stephen Fridakis, chief security engineer at the consulting firm Bearing Point, said companies need to establish rules that apply to all of their networks and applications, and designate a custodian for each type of data and application. “That person owns the data and has the responsibility to allocate different access roles to different groups of people,” Fridakis said during a roundtable discussion led by Nash.

Joe Gimigliano, associate director of architecture and security for the pharmaceutical company Purdue Pharma, said companies need to go as far as identifying employees who are responsible for uncovering breaches.

Purdue Pharma has placed all of the systems with private data on an isolated network with strictly controlled access. “We can apply additional controls because it is much less of an investment…to apply all the logging and monitoring controls in the isolated segment as opposed to across the entire infrastructure,” Gimigliano said.

The company also has hired outside security firms to access private data in its IT system. “It’s eye opening to see…your strengths and…your weaknesses,” Gimigliano said.

Shostack said some companies are adopting a different approach; they are limiting the information they collect from customers – and going as far as hiring independent credit agencies to assess the creditworthiness of a customer for them. “That way the company doesn’t see or store the social security number,” he said. “They haven’t seen it (so) they can’t accidentally disclose it.”

Several of the experts advised companies to use extreme caution and ensure they use latest encryption technologies if they allow employees to keep confidential information on laptops and other mobile devices. To help address these concerns, Microsoft is adding full-volume encryption to the next version of the Windows operating system said Jeffrey Friedberg, director of Windows Privacy at Microsoft. This hardware-based data-protection technology is designed to prevent anybody but the authorized user from accessing data on the machine.

Another important component of corporate privacy involves sharing information. Gebel said companies can attract and retain customers by ensuring they are clearly explain the types of information they collect, why they collect it and how they protect it. The same transparency should apply if a company uncovers a privacy breach, Shostack said.

“The key,” he said, “is really fast disclosure that tells people what happened, why it happened and what you are doing about it.”

Press Resources
Contact
Related Items
Microsoft Resources:

Security 360 Webcasts

Security & Privacy Newsroom on PressPass

Microsoft Privacy Web site

Security & Privacy Information for Developers

Microsoft Trustworthy Computing Web site

MSN PC Safety & Security

Whitepapers:

Using Windows XP Professional with Service Pack 2 in a Managed Environment: Controlling Communication with the Internet – Aug. 6, 2004

The Security Risk Management Guide – Oct. 15, 2004

XPS for IT Professionals

A Guide to Privacy at Microsoft – Jan. 28, 2005