The Home Depot, Inc. (“Home Depot”) recently entered into a multi-state Assurance of Voluntary Compliance with Attorneys General of 46 states) as a result of its 2014 data breach. This massive data breach resulted in the exposure of approximately 40 million Home Depot customers. The settlement was to the tune of $17.5 Million. The settlement also detailed the precise controls, including controls for third-party risk management, that need to be addressed. This list can act as a checklist for all InfoSec programs.
The original list will be found at Assurance of Voluntary Compliance.
Here is a summary of the controls required:
Information Security Program
Implement a comprehensive information security program that contains administrative, technical, and physical safeguards.
A Chief Information Security Officer should be appointed who will be responsible for the information security program as per the settlement. The position is specifically required to advise the Chief Executive Officer and Board of Directors on the security posture, security risks, and security implications.
The settlement also requires annual security and privacy training to all personnel whose job involves access to the company’s network or responsibility for customer personal information.
Required Specific Security Safeguards
The information security program should :
- Be reasonably designed and implemented for appropriate handling and investigation of security incidents involving personal information collected from customers.
- Maintain and support network software, considering the impact an update will have on data security.
- Encryption protocols and policies should be designed to encrypt personal information and sensitive information stored on laptops or other portable devices or when transmitted across public networks or wirelessly
- Compliance with the PCI-DSS
- Segmentation: Implement policies and procedures to segment network and permit systems to communicate as necessary to perform their business and operational functions
- Logging and Monitoring: Implement controls to manage access of any device attempting to connect to Home Depot’s Cardholder Data Environment firewalls, authentication credentials, or other such access-restricting mechanisms
- SIEM: SIEM should be configured appropriately, regularly maintained, and updated to ensure proper review, follow-up, and security incidents remediation.
- Access Control and Account Audits: policies, procedures, and controls to manage and audit the use of Home Depot’s individual accounts, systems administrator accounts, service accounts, and vendor accounts, configured adequately with unique user names and passwords, which shall be monitored for abnormal behavior indicative of a security event.
- Password Management: Implement and maintain password policies and procedures requiring risk-based controls to manage access to and use of Home Depot’s user accounts
- Two-Factor Authentication: This should be implemented for Home Depot’s systems administrator accounts and remote access into Home Depot’s network
- File Integrity Monitoring: Implement controls to prevent and detect unauthorized modifications to critical applications or operating system files within the Cardholder Data Environment
- Firewalls: Implement and maintain firewall policies and procedures to restrict connections between internal networks to the Cardholder Data Environment as part of its defense-in-depth architecture.
- Payment Card Security: Implement steps designed to manage the review and adopt improved, industry-approved payment card security technologies relevant to Home Depot’s business.
- Devalue Payment Card Information: Implement steps to devalue payment card information through a retail transaction at a Home Depot store.
- Risk Assessment Program:
- Identify internal and external risks to personal information.
- Assessment of safeguards in place to control these risks
- Evaluation and adjustment of the information security program in light of the results of testing and monitoring
- Implementation of reasonable safeguards to control these risks; and
- Documentation of safeguards implemented in response to such annual risk assessments
- Penetration Testing program. This should be done on an annual basis, at the least for Home Depot’s internal and external network defenses.
- Intrusion Detection Solution: Implement and maintain an intrusion detection system to prevent unauthorized access to its environment.
- Vendor Account Management: Implement and maintain risk-based policies and procedures for auditing vendor compliance with Home Depot’s information security program. This should include:
- A contractual requirement for vendor compliance
- Periodic evaluations of vendor’s cybersecurity practices and compliance
- Granting the vendors the minimum access necessary to perform their duties and responsibilities
- On-site security review of critical vendors; and
- Monitoring of IP addresses and login times typically associated with vendors.
This settlement has given Home Depot a detailed list, which provides an exemplary layout of controls and programs to implement a robust security program and improve their security posture. Other companies can peruse this list too to cross-check their controls against this recommended one.
A good security program may be a little expensive, but a breach will not only cost you millions of dollars, but it will also cost you time and tarnish your reputation.