 |
||||
|
|
|||
|
||||
Requires Free Membership to View
When you become a member, my editorial team will provide you with expert insight for creating and maintaining a manageable compliance infrastructure. From targeted tips to webcasts and discussion forums, we have you covered.
Scot Petersen, Editorial Director, SearchCIO-Midmarket.com
to the P2P Cyber Protection and Informed User Act, which would require user approval when a P2P file-sharing program is installed and give the Federal Trade Commission the ability to introduce regulations that enforce the bill, the FTC has released a guide for businesses to protect against P2P security risks.
The FTC guide suggests that businesses:
- Apply application-level encryption to protect file information where possible and restrict where sensitive data may be saved.
- Use file-naming conventions that are less likely to disclose the information a file contains.
- Monitor P2P networks directly or use a third-party information security provider.
- Install network monitoring tools that "restrict, monitor and otherwise manage access" to P2P file-sharing networks from the organization's network, including intrusion detection systems, intrusion prevention systems or firewalls.
The FTC has also posted a series of criteria for evaluating P2P security risks.
If a business does not have tight controls around applications deployed at endpoints, it should also monitor inbound and outbound traffic to ensure that sensitive data is not being leaked over the P2P network, said Christophe Veltsos, president of North Mankato, Minn.-based security consultant Prudent Security LLC. And businesses should be monitoring more than simply the IP or port numbers, he said, adding that firewalls are not enough protection since a "quick search for p2p bypass firewall reveals a myriad of ways to circumvent that control."
|  | ||||||||||||||||
| |||||||||||||||||
Days before the P2P Cyber Protection and Informed User Act was introduced in February, the Federal Trade Commission notified nearly 100 organizations that sensitive data about employees and customers had leaked onto peer-to-peer file-sharing networks. The data breaches alert on P2P file sharing served as a notice that the nation's top consumer privacy regulator is watching how enterprises address this risk.
The sensitive data was accessible to "any users of those networks, who could use it to commit identity theft or fraud," read the FTC statement. "We found health-related information, financial records and drivers' license and Social Security numbers -- the kind of information that could lead to identity theft," said FTC chairman Jon Leibowitz in the notice.
The P2P Cyber Protection and Informed User Act was introduced by Sens. John Thune (R-S.D.) and Amy Klobuchar (D-Minn.) last month.
"As a former prosecutor, I know that identity theft and security leaks can be prevented," Klobuchar said in a statement posted on her website. "Families across Minnesota run the risk of unintentionally sharing all of their private files, like tax returns, legal documents, medical records and home movies when they are connected to peer-to-peer networks. This bill will let people know -- in a way that they can understand -- that their personal files are being shared with complete strangers."
A similar software notification bill designed to introduce notice and consent into the process of using peer-to-peer software was passed in the House of Representatives last year.
Let us know what you think about the story; email Alexander B. Howard, Associate Site Editor or @reply to @digiphile on Twitter. Follow @ITCompliance for compliance news throughout the week.
Join the conversationComment
Share
Comments
Results
Contribute to the conversation