Board Portal Security: How to keep one step ahead in an ever-evolving game

Transcription

1 Board Portal Security: How to keep one step ahead in an ever-evolving game The views and opinions expressed in this paper are those of the author and do not necessarily reflect the official policy or position of Thomson Reuters.

2 CONTENTS Introduction... 3 CONFIDENTIALITY... 3 INTEGRITY... 4 Availability... 5 INFORMATION SECURITY PROGRAMS... 6 CONCLUSION Security Checklist questions you need to ask Board Portal Security: How to keep one step ahead in an ever-evolving game JUNE 2014

3 Today, more than ever, there is heightened awareness surrounding security. We are living in a digital, e-commerce society where consumers not only have to worry about their credit and debit cards, but also about the security of devices where this information is stored commonly referred to as the cloud. It seems that consumers are inundated daily with information regarding security measures that they should follow and safeguards they should have in place. Uncertainty abounds as websites are not only hacked, but information is stolen and shared. How can customers ensure their data maintains its integrity and is secure at the highest level? What safeguards really need to be in place? Make no mistake, information security is a tough business. Those who would seek to steal confidential information are highly motivated, well-resourced and in some cases nation-state sponsored. Hackers are patient and clever. They work to identify new vulnerabilities and then craft new methods of exploiting those vulnerabilities to achieve their goals. Despite the best preventative efforts, it is usually only after an event has occurred and the vulnerability or weakness is identified that the security industry devises a way of detecting and mitigating the threat. Companies are aware of this as they continue to look for ways to reduce costs, increase efficiencies and improve communications for their board members. When companies begin to evaluate board portals, one of their primary concerns is the security and privacy of the information stored on a board portal. In almost all cases, a prospective customer wants to understand how the provider protects information from both internal and external threats. They also want to evaluate the maturity of the information security program. Only after understanding any potential risks, can a prospective client reach an informed decision on a board portal. A secure board portal provider should, at the very least, ensure that users must enter a username and password to enter the site; encrypt information and ensure the data center has a generator. But that is not enough. Information security, at its core, is about protecting the confidentiality, integrity and availability of an application or system, in this context a board portal. An application or service offering is secure if it demonstrates mature processes and has established sound operating controls. Making sure an application is secure is not a onceoff activity, but requires diligence to address new and emerging threats through a dedicated and ongoing process. When customers had to present a credit card in person before purchasing something, there were risks associated with paper copies of transactions and credit card numbers. Today, with the increase in online purchasing or simply swiping a credit card, new ways of protecting information from theft have been developed. In short, threats change over time. Hackers make their money by finding new and unique ways of stealing information. Minute by minute, persistent and typically very bright hackers are at work. If there is a way, they will usually find it. Let s take a look at some of the real-world issues providers deal with within the context of CONFIDENTIALITY, INTEGRITY and AVAILABILITY as well as the hallmarks of a mature information security program. CONFIDENTIALITY Confidentiality is about making sure information is only available to authorized users, but more than that, it is also about addressing the risk of accidental disclosure which could occur if, for example, a laptop is lost or stolen, a system or application is accessed from an unsecure network (like an open WiFi network) or even if a printed document is lost. Checks and balances need to be in place to ensure data will not inadvertently be shared with third parties and organizations must know exactly who has access to their confidential data. accelus.thomsonreuters.com 3

4 Authentication Authentication verifies who a user is. A secure system requires a user to enter specific information in order to authenticate themselves (in other words to verify their identity). Simply entering information, however, is no longer enough. For example, users should be required to use a strong password and only authorized users should be able to log into the subsystems that make up the board portal. For added security, two factor authentication should be in place. Authorization Authorization verifies what a user is authorized to do and occurs after successful authentication. It is important the application not only authorizes the user upon login, but also continuously during their session. If the same application is used for multiple roles, then it should ensure users cannot elevate their privileges beyond those assigned. INTEGRITY Data integrity centers around making sure data cannot be modified without detection. This includes data entered into the board portal, data as it streams across a network and application source codes. Vulnerability management is an essential aspect of data integrity and organizations must know exactly who will have access to their data. Furthermore, data must be verified on a regular basis, to ensure it is complete and intact. Encryption Data encryption techniques ensure the information stored within the board portal remains confidential and cannot be accessed even by those who manage the systems and application. If the data is encrypted in the system, access to the key that makes decryption possible must be tightly controlled and the encryption key must be protected. Organizations must understand what type of encryption technologies are used to ensure data confidentiality. Man-in-the-Middle Attacks (MITM Attacks) A MITM attack is when someone captures information sent over a network and reassembles it to obtain unauthorized access to a system or information. A board portal must take steps to ensure that all information (including credentials) sent to and from the server remains confidential by implementing network-level security using HTTPS. It is important to understand how the data traverses through the network, whether it can ever be viewed as cleartext and furthermore, what protocols are used. DDoS Protection As with any product delivered over the internet, it is crucial a company is able to protect itself from a Distributed Denial of Service (DDoS) attack. A DDoS attack restricts the availability of a website. Hacktivists like Anonymous use DDoS attacks to take websites offline to punish those they feel deserve it. Before choosing a board portal, clients need to understand what, if any, protection it has against a DDoS attack and whether the data center that serves the application is served by one or more internet service providers. Offline access Board portals typically offer both online and offline access to information. This allows a board member to download information to their local computer or tablet and read the information offline. The application should effectively provide the same level of protection offline as it does online. Measures must be in place to provide offline authentication and there should be specific controls in place to manage access via ipads or other tablets. Moreover, the account should be locked after a definitive number of failed login attempts. Multiple Boards It is quite common for a board member to sit on more than one board. For board members in this situation, it is useful if the same board portal solution is able to be used across all boards. 4 Board Portal Security: How to keep one step ahead in an ever-evolving game JUNE 2014

5 The board portal must therefore address the potential risk of data leakage from one board to another. Logging Applications should provide enough granularity in their logs to accurately determine if, for example, user A performed action B. The authentication subsystems should capture both successful and unsuccessful log-in attempts and logs must be tamper-proof and periodically reviewed to detect any unusual activity. Change Management Software applications are constantly receiving upgrades, bug fixes and small feature tweaks. A system that does not change will become less secure over time. In order to remain secure, an operational process involving the understanding, communicating and documenting of changes must be followed. Change management processes vary between organizations, but it is important that each organization has these in place and that they are followed to the letter. Companies should ensure the organization operating their chosen board portal has a strong change management methodology and controls in place to prevent unauthorized changes to the running software. Peer Reviews or Other Software Testing Software should be reviewed by an independent party (not a member of the development team) to ensure that appropriate care has been taken to detect software security flaws. Automated testing tools should be used to identify potential security flaws and a process must be in place to report flaws as they are tracked and resolved. AVAILABILITY For any board portal to serve its purpose, it needs to be readily available. The networks, servers and application must all remain operational under all circumstances, including power failures, natural disasters and intentional attempts to deny service availability. Any single points of failure within the infrastructure must be identified and rectified and companies must ensure there are no redundant providers serving the end points. Data Center Power and Cooling Maintaining a data center in the event of a power loss is a complex task that requires planning and regular testing. The data center power infrastructure where the board portal is located should be tested for a 100% loss of local power and checks performed to ascertain for how long the UPS remains active. Pertinent issues to consider include whether the power feed from the local utility is limited to a single entrance, or whether there are several; whether the data center is fed by more than one utility; whether testing activity records have been maintained and whether the HVAC systems and generators have been regularly maintained. Organizations should also check whether there are contracts in place with fuel suppliers to maintain fuel in the generators and whether the access control systems for the data center continue to work in the event of a loss of power. Disaster Recovery and Business Continuity It is important to address the potential loss of the technical components that make up the board portal. The people who operate and maintain the board portal should be able to continue operations in the event of a local natural disaster or other occurrence that prevents them from occupying their normal facilities. Before choosing a board portal, organizations must ensure the company has a disaster recovery plan that is regularly checked. Other things to consider include the Recovery Time Objective (RTO) to get the site up and running in the event of a catastrophic technical failure; the disaster recovery plans include a Recovery Point Objective (RPO) addressing potential data loss during a critical failure; and whether the company has a business continuity plan for each location that operates, maintains and supports the board portal. accelus.thomsonreuters.com 5

6 Vulnerability Management No software is perfect and new vulnerabilities in operating systems, web server software and database software are found almost daily. Companies that provide board portals should demonstrate a mature vulnerability management program to evaluate, prioritize and deploy security patches to operating systems, servers and databases on a regular basis. The board portal should conduct regular testing to ensure the vulnerability program is continuously operating as intended and should have a mitigation strategy in place. Application Security Because no software is perfect including custom-built board portals all board portals should have an application security program to identify potential and known security flaws in their software. The board portal should undergo manual penetration tests that mimic internetbased hacking attempts and the running software should be tested on a regular basis. Ideally, the company should be willing to share the results of such testing with clients. Another consideration is whether the board portal offers any training resources to the development organization on how to write secure codes. Security Training and Awareness Because threats evolve over time, a regular program of security awareness is essential to ensure the board portal s staff members are kept up to date regarding new threats. The board portal should offer employees security awareness training and materials on a regular basis. INFORMATION SECURITY PROGRAMS Mature organizations with effective information security programs have a few things in common. Firstly, they use standardized processes that are documented to more easily allow new staff to become proficient quickly. They also understand risks and threats change over time and develop programs to identify those threats early. They provide training and awareness programs to spread the knowledge of new threats and risks to a larger audience and, finally, they provide assurance to their customers (through independent third-party confirmation) that their security controls are continually operating as designed. Third-Party Confirmation Conducting a third party audit such as an SSAE 16 or SysTrust provides clients with the assurance that an independent party has evaluated the security controls in place and confirmed they operate effectively. Organizations should seek clarification as to the type of audit conducted, how often it is conducted and whether the audit reports produced any exceptions. Dedicated Information Security Professionals Understanding new threats as they evolve and designing responses to those threats are skills that are perfected over time. A systems engineer or developer who manages security on a parttime basis is not sufficient to ensure a board portal is secure and evolving alongside new risks. Organizations should consider whether their preferred board portal has a dedicated security organization, whether they have access to resources that assist in identifying new threats and if they have security partners to assist in developing responses to evolving threats. The Human Factor One basic, but critical issue when evaluating security is the human factor. Although often overlooked, human error can be dangerous and is responsible for most data leakage. It is therefore important that board portals do not encourage the sharing of credentials, other than with an administrator. Your chosen board portal should integrate seamlessly with a Mobile Device Management (MDM) solution in the event a device is stolen and should incorporate best practice in the management of user accounts. 6 Board Portal Security: How to keep one step ahead in an ever-evolving game JUNE 2014

7 CONCLUSION Security challenges continue to evolve daily. Sophisticated, persistent attacks are changing the rules of the game and this can be overwhelming, even paralyzing for organizations when comparing solutions. Trusting data to reputable companies with solid security practices is a must. Before choosing a board portal, organizations must ensure due diligence in exploring all facets of an intuitive, robust and secure board portal. accelus.thomsonreuters.com 7

8 Security Checklist: Questions You Need to Ask Confidentiality Who has access to my data? How can I be assured that my data will not be shared with third parties? Authentication Does the application require user authentication before allowing access? If so, are there controls in place, such as requiring a strong password? Does the application offer additional security options like two factor authentication? Are only authorized users able to log in to the subsystems that make up the board portal? Authorization If the application is used for multiple roles, how does it ensure that users cannot elevate their privileges beyond those assigned? Does the application check to see if a user s authorization is appropriate only on login or continuously throughout the session? Integrity Who will have access to your data? How is data verified to ensure that it is complete and intact on a regular basis? Encryption What type of encryption technologies are used to ensure data confidentiality? If the data is encrypted in the system, who has access to the key that makes decryption possible? How is the encryption key protected? Man-in-the-Middle Attacks How does data traverse through the network? Can data ever be viewed in cleartext? What protocols are used? DDos Protection Does the board portal have any protection from a DDoS attack? Is the data center that serves the application served by one or more internet service providers? Offline Access Does the application provide substantially the same protections offline as online? Does the application provide offline authentication? How do they cater for devices such as ipads or other tablets? Is the account locked after a definitive number of failed login attempts? Multiple Boards Can the same board portal solution be used for a single user who sits on multiple boards? If so, how does the board portal address the potential risk of data leakage from one board to another? Logging Are the logs tamper-secure? Are the logs periodically reviewed to detect unusual activity? Change Management Does the organization that operates the board portal have a strong change management methodology? How does the organization prevent unauthorized changes to the running software? Peer Reviews or Other Software Testing Are automated testing tools used to identify potential security flaws? How are reported flaws tracked and resolved? 8 Board Portal Security: How to keep one step ahead in an ever-evolving game JUNE 2014

9 Availability Are there any single points of failure within the infrastructure? Are there redundant providers serving the end points? Data Center Power and Cooling Is the power feed from the local utility limited to a single entrance or are their multiple entrances? Is the data center fed power from more than one utility? Does the company keep records of testing activity? Do their records show regular maintenance for the HVAC systems and generators? Do they have contracts with fuel suppliers to maintain fuel in the generators? Do the access control systems for the data center work in the event of a loss of power? Disaster Recovery and Business Continuity Does the company have a disaster recovery plan? If so, how often is the plan tested? What is the Recovery Time Objective (RTO) to get the site up and running in the event of a catastrophic technical failure? Do the disaster recovery plans also include a Recovery Point Objective (RPO) addressing potential data loss during a disaster or critical failure? Does the company have a business continuity plan for each location that operates, maintains and supports the board portal? Vulnerability Management Does the board portal conduct regular testing to ensure that the vulnerability program is operating as intended? What type of mitigation strategy does the board portal follow? Application Security Does the board portal undergo manual penetration tests that mimic potential hacker activity via the internet? Is the running software tested on a regular basis? What results of this testing are they willing to share with you? Do they offer any training resources to their development organization on how to write secure codes? Security Training and Awareness Does your board portal offer their employees security awareness training and materials? If so, is this training required and how often does it occur? Information Security Programs Third-Party Confirmation What type of audit is conducted? How often is it conducted? Do the audit reports produce any exceptions? Dedicated Information Security Professionals Does your board portal have a dedicated security organization? Do they have access to resources that assist in identifying new threats? Do they have security partners to assist in developing responses to those threats? The Human Factor Does your board portal encourage sharing credentials with another user other than an admin? Does your board portal integrate seamlessly with a Mobile Device Management (MDM) solution in the event of a stolen device? Does your board portal make use of best practice in the management of user accounts? accelus.thomsonreuters.com 9

10 THOMSON REUTERS ACCELUS The Thomson Reuters Governance, Risk & Compliance (GRC) business delivers a comprehensive set of solutions designed to empower audit, risk and compliance professionals, business leaders, and the Boards they serve to reliably achieve business objectives, address uncertainty, and act with integrity. Thomson Reuters Accelus connects business transactions, strategy and operations to the ever-changing regulatory environment, enabling firms to manage business risk. A comprehensive platform supported by a range of applications and trusted regulatory and risk intelligence data, Accelus brings together market-leading solutions for governance, risk and compliance management, global regulatory intelligence, financial crime, anti-bribery and corruption, enhanced due diligence, training and e-learning, and board of director and disclosure services. Thomson Reuters has been named as a category leader in the Chartis RiskTech Quadrant For Operational Risk Management Systems, category leader in the Chartis RiskTech Quadrant for Enterprise Governance, Risk and Compliance Systems and has been positioned by Gartner, Inc. in its Leaders Quadrant of the Enterprise Governance, Risk and Compliance Platforms Magic Quadrant. Thomson Reuters was also named as Operational Risk Software Provider of the Year Award in the Operational Risk and Regulation Awards THOMSON REUTERS ACCELUS BOARDLINK BoardLink is a secure board portal, accessible online or via an ipad app. It enables board members to communicate and share documents, create topic-specific workspaces, compile and share board books, and provides a single, secure portal for corporate secretaries and board members to access critical business intelligence and board committee documents. BoardLink is designed to enable corporate secretaries and board members to manage the quarterly business activities of the board, stay up to date on the latest business news and regulatory changes, manage multiple layers of risk, and optimize governance and disclosure initiatives. For more information, visit accelus.thomsonreuters.com 2014 Thomson Reuters GRC01220/6-14