Audit Analytics has posted their SOX 404 – Year 6 Update report.

If you give them $185 they will show you the details behind these findings:

1) As of June 2010, adverse auditor attestations accounted for 2.4% of opinions filed for Year 6, compared to 16.9% in Year 1.
2) Adverse Management-Only Assessments account for 27.8% in Year 6, which is the lowest percentage yet compared to the previous five years.
3) The ‘Segregation of Duties’ deficiency is down from 23.9% of adverse filings in Year 1 to 11% of adverse filings in Year 6.

Larry Ponemon has released a study of 65 organizations, which he used to extrapolate that patient data breaches cost hospitals $6 billion per year

70% of healthcare organizations said that protecting patient data was a low priority; 67% of organizations said they had less than two staff members dedicated to data protection management.

A majority of healthcare organizations said they had little confidence in their ability to secure patient records. According to the study, 71% of healthcare organizations had inadequate resources to protect patient data, and 69% said that there were insufficient policies and procedures in place to prevent and detect patient data loss.

The phrase little confidence in their own ability is a loaded one. I wonder if this is a split between security experts answering anonymously versus the direction of their leadership, or unified pessimism among health care management.

I noticed something odd about the numbers. Here is another look:

• 70% of healthcare organizations said that protecting patient data was a low priority
• 67% of organizations said they had less than two staff members dedicated to data protection management
• 71% of healthcare organizations had inadequate resources to protect patient data
• 69% said that there were insufficient policies and procedures in place to prevent and detect patient data loss
• 71% of respondents did not believe the HITECH Act regulations had significantly changed the management practices of patient records

I could predict the next number in that sequence although I am neither a math whiz, nor a statistician.

70% of 65 organizations is 45. Slight deviation in the answers cold come from the same 45 over and over (and over), or from the other 20 — if you are a cup is half full person. The extrapolated $6 billion estimate gets harder to believe when the numbers run so consistently. The webinar was today. I’ll have to email him my questions.

Visa has released an updated report on security breaches. It shows clearly that, within the retail industry, level 4 franchises are being breached the vast majority of time (96-97% from January 2009 to June 2010). Restaurants and lodging/hotels make up about 35% of those breaches.

A proposed explanation for this is “Many Corporate Franchisors have traditionally fallen outside the scope of Merchant and Agent PCI DSS validation programs”. One might conclude from that statement that those who fall inside the scope of compliance are breached far less than those who are outside.

The most common breach attack vector is said to be keyloggers and memory parsers. Default accounts, mis-configured network settings (e.g. direct remote access to a database with cardholder information), and single-factor remote access also are cited as contributing factors. Web attacks are relatively low. Eight countermeasures are suggested:

• For remote access, consider two-factor authentication
• Utilize host / application / network based Intrusion Detection Systems (“IDS”). Ensure sound notification system is in place
• Utilize host / application / network based Intrusion Prevention Systems (“IPS”). Ensure sound notification system is in place
• Ensure antivirus, anti-spyware and anti-malware software are up-to-date. Ensure sound notification system is in place
• Implement file integrity monitoring to detect and alert security personnel of unauthorized file changes
• Periodically reboot Point-of-Sale systems to clear volatile memory
• Include patch management, password management and the overall security configuration
• Regular application penetration tests are essential in combating known vulnerabilities (including SQL injection, Cross-site scripting, etc.)

A new category has thus been created by Visa (Corporate Franchise Servicer) to address these breaches. It will not increase requirements for any entity already validating PCI DSS compliance.