NEW KDSA BLOG ANNOUNCED!

by dmortimer 4. November 2009 22:52

We would like to announce the launch of our new BLOG! Our plan for this blog is not to write something every day, but rather use it as a platform to offer awareness and education about new trends, technologies and ways for businesses to use IT to advance their business. Our goal is for companies to not see IT as a hindrance to their success, but to embrace it as a strategic differentiator that can ensure a more streamlined and productive operation.

IT is always changing, and one of KDSA’s main functions as an IT consulting company and trusted advisor is to learn about new technologies, develop and test them internally, and then find the best solutions for our customers. We do not sell anything that we don’t use ourselves.

Remember, this blog isn't going to talk about our services; rather, it is a sounding board and a resource to give our readers a better knowledge of new or upcoming regulatory and compliance requirements, industry trends, and issues that may significantly impact your business. If you have suggestions about topics, or would like any additional information about any posts, please feel free to call me at 978-989-0790 ext 214 or email to joeloconte@kdsaconsulting.com.

By the way, I guess I should introduce myself. My name is Joe LoConte, and I am the marketing representative here at KDSA Consulting. I've been working with KDSA for almost 2 years now, and have had the opportunity to work in all areas of this company. I may not know the exact answer to your questions, but I can find someone who can. This I feel is the best quality of KDSA Consulting. We all work together to solve our clients' problems.

Community Health Resources Expands Network Protection with Fortinet Consolidated Security Solution

by dmortimer 29. September 2009 22:45

Agency Adds Network Security Functions for Enhanced Protection, Ease of Management and Lower Total Cost of Ownership

SUNNYVALE, Calif. - June 25, 2008 - Fortinet® - the pioneer and leading provider of unified threat management (UTM) solutions - today announced that Community Health Resources (CHR) has deployed a Fortinet FortiGate™ multi-threat security appliance to help secure its network from malicious Internet attacks. CHR initially planned to deploy the FortiGate appliance for firewall protection, replacing an underperforming competitive solution. Upon seeing the strength of the Fortinet firewall, the agency decided to implement additional Fortinet security functions including antivirus, intrusion prevention (IPS) and Web filtering protection while maintaining a low total cost of ownership and ease of management.

Community Health Resources is a private, non-profit, community-based system of behavioral health care dedicated to helping people of all ages lead happier and healthier lives. As CHR continually expands its service offerings to better serve the community needs in Connecticut, its network security needs are also expanding.

CHR's previous firewall solution was periodically rebooting on its own, which caused throughput and latency issues. Adding to the network problems was the CHR IT staff's inability to add new employees to the firewall profile. With these two problems, CHR turned to KDSA Consulting, LLC, an information technology consulting firm specializing in outsourced network administration and financial accounting software solutions, to help find a network security solution that would increase up-time while lowering total cost of ownership and enabling the network to scale in line with the agency.

"We were looking to simplify network management and wanted a robust and consolidated security solution so that we didn't have to have multiple people managing the network," said Jason Francia, senior network administrator for Community Health Resources. "The Fortinet solution is allowing us enterprise-level security that is easy to use and meets our growing needs."

Fortinet's FortiGate-400A multi-threat security solution is helping to provide firewall, antivirus, IPS and Web filtering protection at CHR's Windsor, Conn. headquarters. CHR's ability to add advanced network security functions to its initial firewall requirements is due to Fortinet's integrated and scalable multi-threat security solution. Without having to deploy new point products, CHR easily added security functionalities to its network and thereby lowered the total cost of ownership.

Soon to be added to the CHR network are several of their residential programs located throughout northern Connecticut. These homes house children and adolescents and will be using Fortinet for Web filtering so that the children are unable to access inappropriate Websites. Currently, the homes are not connected to the CHR network and, therefore, no restrictions are placed on Internet usage.

"Non-profit agencies like Community Health Resources are forced to be cost conscious yet need enterprise-level network security," said Karl Soderlund, vice president of Americas sales and business development for Fortinet. "Fortinet's consolidated network security approach allows for agencies such as CHR to easily scale to its growing needs by adding network security functionality without the burden of working with additional vendors or adding headcount."

Fortinet provides ASIC-accelerated security appliances, which are used by enterprises and service providers to enhance and consolidate their security needs while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection - including firewall, antivirus, intrusion prevention, VPN, Web filtering, spyware prevention and anti-spam - designed to help customers protect against network and content level threats. Delivered via its flagship FortiGate family of appliances, Fortinet provides a flexible and extensible platform of security applications and services that enable customers to deploy and centrally manage the same broad level of protection at remote locations as they have for headquarters and data center environments.

About Community Health Resources (www.chrhealth.org)
Community Health Resources is one of the leading providers of community mental health care in the state of Connecticut. Each year, CHR helps thousands of adults, children and families successfully live with mental illness. CHR's professional staff, who are committed to recovery, provide treatment, support, rehabilitation, prevention and educational services to those in need.

About KDSA Consulting, LLC (www.kdsaconsulting.com)
KDSA Consulting, LLC located in North Andover, MA provides the full spectrum of information technology services for small to medium sized businesses and not-for-profit organizations. Our infrastructure division designs local and wide area networks, disaster recovery solutions and provides contracted "managed services" support to end users. Our software division performs system selection consulting, financial accounting project management, implementation and training along with customized programming and database management services.

About Fortinet (www.fortinet.com)
Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection, including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam, designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in seven programs by ICSA Labs: firewall, antivirus, IPSec, SSL, network IPS and anti-Spyware. Fortinet is privately held and based in Sunnyvale, California.

Copyright © 2008 Fortinet, Inc. All rights reserved. Fortinet is a registered trademark of Fortinet, Inc. FortiGate, FortiOS, FortiAnalyzer, FortiASIC, FortiCare, FortiManager, FortiWiFi, FortiGuard, FortiClient, FortiReporter and other names are trademarks of Fortinet, Inc. in the United States and/or other countries. All other trademarks referred to herein are the property of their respective owners.


Head off security breaches with compliance by the March deadline

by dmortimer 22. September 2009 03:20

In the wake of recent data security breaches that continue to affect Massachusetts residents, the state has recently passed new protective regulations to safeguard their personal information, or PI. And frankly, it can’t be happening a moment too soon.

The legislation, known formally as Massachusetts Regulatory Compliance Law 201 CMR 17.00, is intended to protect residents’ PI.

With the deadline for compliance recently extended to March 2010, these regulations set minimum standards for businesses to safeguard PI contained in both paper and electronic records. This law is in addition to existing compliance regulations such as SOX, HIPAA and PCI.

A “breach of security” is defined as an unauthorized acquisition of PI that creates a substantial risk of identity theft or fraud against a resident of Massachusetts.

The critical question, of course, is who needs to comply, and how will compliance be defined?

The first part of the question is relatively simple: Ultimately, the legislation applies to all organizations that own, license, store or maintain PI about a resident of the Commonwealth of Massachusetts.

Under the new law, PI is defined as an individual’s first and last name (or first initial and last name) and one of the following: Social Security number, driver’s license number or state-issued identification card number, or a financial account number, credit card number or debit card number.

Actual compliance, the second part of the question, is a bit more complicated.

To comply with the regulation, organizations must implement a range of security and privacy standards and technologies described in the law.

These boil down to six general requirements:

  1. Develop, implement and maintain a comprehensive written information security program (WISP) for PI;
  2. Make sure the WISP is properly staffed and establish monitoring and training to ensure employee compliance;
  3. Identify and inventory all paper and electronic records to determine if they contain PI which must be secured;
  4. Restrict collection and access to PI to only those required for legitimate business purposes;
  5. Encrypt PI stored on laptops and other portable devices (flash drives, PDAs) and PI transmitted over wireless or public networks;
  6. Take reasonable steps to verify that third-party service providers with access to PI have appropriate safeguards in place that meet or exceed the standards.

With these requirements as a backdrop, how does a business actually begin building a program to gain compliance with the new statute?

While not intended to be a specific inventory of action steps, the following list illustrates the basic effort that companies must undertake.

  • Establish a team. It is very important for senior management to participate; they need to be involved with establishing the policies and procedures for the organization.
    Typically, this team will also include members of human resources, IT, legal and administrative departments.

  • Formulate, then implement, the WISP. This must be extremely comprehensive, including all administrative, technical and physical safeguards.

  • Designate a data security coordinator. This person will shoulder primary responsibility for implementing the WISP, as well as for training employees to properly follow the plan's many requirements.
    In addition, the coordinator should perform regular monitoring and testing of the plan's safeguards, as well as evaluate third-party service providers for compliance.

  • Establish internal risk guidelines. This includes amending employment contracts to require compliance with the plan, developing disciplinary actions to be taken based on the nature of a specific violation, limiting the amount of PI collected as reasonably necessary for the business and more.

  • Establish physical risk guidelines. This encompasses prohibiting employees from leaving open files containing PI on their desks when they are not present; securing files and records containing PI at the end of the workday; restricting visitor access to a single entry point for each building in which PI is stored; and more.

  • Establish external risk guidelines. This means that reasonably up-to-date firewall protection and operating system security patches are installed on all systems processing PI. Also, all PI stored on laptops or portable devices must be encrypted, and all PI records and files transmitted across public or wireless networks must be encrypted.

  • Perform gap analysis. Determine specific safeguard areas that require actions for improvement.

  • Maintain, monitor and test. This involves distributing copies of the WISP to employees, conducting immediate and regular training of employees, and reviewing all security measures annually or upon any material change in business practices that affects the integrity of security.

  • Notification. Whenever there is an incident that may require notification under M.G.L. c. 93H, there must be a post-incident review of events and actions taken.

Anyone doubting the need to fully comply with the new statute should consider the penalties. Organizations that do not comply may, in the event of a data breach, be subject to serious fines ($100 to $5,000 per violation, depending on the type), as well as potential lawsuits filed by the Massachusetts Attorney General, businesses or individuals.

Needless to say, the information technology people in your company will be a vital part of the team established to meet the requirements of the new legislation.

Some areas that they can help address are assessing, updating or revising your existing security program; implementing some of your existing compliance procedures; and helping to make strategic investments in newer firewalls, encryption alternatives and other technologies.

Organizations may also need to reach out to various partners such as their legal counsel and/or outside technology consultants to ensure they fully understand the requirements for compliance.

As of this writing, modifications were being considered to the legislation, so it’s important to check the following resources for the latest version:

Office of Consumer Affairs & Business Regulation

Massachusetts Society of Certified Public Accountants

InfoSecurity Analysis.com

Dawn Mortimer, CPA, CITP, is principal and co-founder of KDSA Consulting, a North Andover-based company that is designed to meet the unique technology goals of businesses in a wide variety of industries.