Today we are speaking with Aftab Jamil, Partner in the Technology Practice at BDO. Listen to the full podcast below.

Overall, how would you grade information security at our nation’s institutions of higher education?

Most schools do an excellent job of protecting their central systems and infrastructure. Some schools struggle with protecting distributed systems, sometimes not knowing which of these systems have highly sensitive data stored on them and sometimes not being sure that the administrators of such systems are up to speed with respect to needed security precautions. In some cases, the designated system administrators have too many demands on their time to even be able to implement the precautions.

Do you think schools are, or will be, ripe targets as criminals use increasingly sophisticated tools to steal information?

Not particularly. Master cybercriminals have much more fertile fields to plow. There have been very few cases where criminals have actually profited from stealing information from a school’s database. There are several reasons for this. First, we seldom store data that would enable a criminal to gain access to a bank account, except on our highly protected central systems. Second, banks and credit card agencies are much more sophisticated than a few years ago and have implemented multi-layered defenses against a criminal who knows only a name and an SSN gaining access to an account and being able to transact business.

On the other hand, universities are seeing spammers become more sophisticated in their efforts to penetrate a machine and take it over in order to make money spamming. These spammers are not interested in the data on the machine; they are interested in controlling the machine. Between the spammers and the mischief makers, university security departments never run out of work to do.

Tell us how GMU protects itself from being a victim of data breaches and 4) In terms of data breach trends, have you all seen an increase in attempts to breach GMU?

While criminals are not targeting GMU in order to steal data, when spammers and mischief makers gain access to machines on which sensitive data are stored, serious and expensive problems are created for the university. Responding to a breach is expensive; shutting down systems important to carrying out university business is disruptive; notifying constituencies that someone managed to get into a machine that had stored on it their personal data is expensive and time consuming; but even more important, it strains the trust bonds between the university and its stakeholders.

For all these reasons, we work hard and spend much money in order to keep people from breaching machines on which sensitive data are stored. This includes creating policies that severely restrict who can store sensitive data; auditing machines that have significant sensitive data stored on them; segregating machines with sensitive data into a different part of the network; specifying standards and responsibilities for system administrators; taking over the management of servers when the department is unable to secure them adequately; and implementing various intrusion prevention and detecting systems.

Do you all have any cyber-security educational initiatives aimed at helping the students to be more aware of identity theft?

We use the educational resources contributed by the higher education community to the EDUCAUSE/Internet2 Network and Computer Security Task Force. We also develop our own resources, which means we create flyers, posters, articles in the student newspaper, presentations at student orientation, etc. Before we allow the computers of students in university housing to connect to the network, we run a scan on them to make sure they are free of malware and that they have automated update of patches and anti-virus definitions. This can all be for naught if the student responds to a clever phish.

We do all of the above to protect the student’s machine from being taken over by a spammer or being damaged by malware or used to disrupt the network by a mischief maker. While we also deploy materials that warn of identify theft, we know that the student is in more danger of identity theft when they hand their credit card to a server in a restaurant than when they connect their computer to a network. Moreover, eighty five percent of the students in the residence halls have chosen to have their computers placed in the protected zone on the network so that nothing can be downloaded to their machines unless they take action to initiate the download (usually via a phish but sometime via downloading “free” software).

Q: Tell Us About the Red Flags Regulation.
A: Red Flags Rule requires many financial institutions and any other businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations.

The compliance deadline for financial institutions was November 1, 2008, but the FTC delayed its enforcement of the rules until May 1, 2009, and now it’s been extended to August 1, 2009, to give non-financial institutions more time to comply.

Q: What must financial institutions do to comply with the ruling?
A: The key elements are spelled out in the 60-page regulation. The risk-based rule requires each institution/creditor that holds customer accounts (or any other account for which there is a reasonably foreseeable risk of identity theft) to:

• Identify relevant patterns, practices and specific forms of activity
• Respond to red flags and incorporate into the program
• Oversee service providers
• Train staff
• Obtain approval of a written program by senior management or the board of directors and
• Continued oversight and updating of the program.

In addition, the rule includes “guidelines” that are more detailed and include 26 illustrative examples of red flags that institutions may consider in developing their program. These examples address: alerts from consumer reporting agencies, suspicious documents, suspicious personal identifying information, suspicious activity with a covered account and notices of suspicious activity.

Q: What is BITS doing regarding this regulation?
A: We have actually been very busy over the past two years in preparing for this regulation. As you may know, BITS is the technology and operations division of the Financial Services Roundtable, and primarily we have been working with executives from member financial institutions and regulators to understand the new regulation and to develop cost-effective compliance strategies.

Specifically, we have submitted a detailed comment letter to the federal regulatory agencies in 2007 in response to the proposed regulation; convened a dozen conference calls with an average of 75 members for each call to better understand the rule and discuss common compliance strategies; engaged credit bureaus, U.S. Postal Service and others on address discrepancy requirements; conducted a survey on challenges with developing red flags program with input from 32 member companies; and engaged regulators to understand the requirements and interpretation.

Q: What are the cost requirements of this ruling?
Given the way the regulatory agencies drafted the rules, there is some flexibility to developing programs that are risk-based and an integral part of existing programs, including fraud, customer authentication. The good news is that the regulation is drawing attention from the many parties (e.g., financial institutions, creditors, universities, credit bureaus, medical professionals, third party service providers, government agencies) that play an important role in preventing, detecting and responding to fraud and identity theft.

While new regulatory requirements usually add new costs, they can, if done well, help organizations better manage the risks while protecting consumers at the same time. For some financial institutions, the regulation provided a means for developing better fraud prevention programs that cut across multiple lines of business. For institutions that are not used to protecting personally identifiable information, the regulation could be very expensive to implement. Financial institutions are very good at protecting personally identifiable information. Given the tough economic environment, our members have looked at ways to implement cost-effective identity theft red flags programs.

Q: What role does ITAC, the Identity Theft Assistance Center play in this?
A: ITAC will play an integral part of implementing an identity theft red flags program for the vast majority of Roundtable members, as well those who have participated in the BITS red flags discussions that are using as part of their comprehensive identity theft program.

John Carlson is Senior Vice President of BITS/Financial Services Roundtable where he oversees the BITS regulatory program covering information security, operational risk, vendor management, fraud risk, and business continuity planning. BITS is the technology and operations division of the Financial Services Roundtable.