Group items tagged

The loss of personally identifiable information, such as an individual's Social Security number, name, and date of birth can result in serious harm, including identity theft. Identity theft is a serious crime that impacts millions of individuals each year. Identity theft occurs when such information is used without authorization to commit fraud or other crimes. While progress has been made protecting personally identifiable information in the public and private sectors, challenges remain. GAO was asked to testify on how the loss of personally identifiable information contributes to identity theft. This testimony summarizes (1) the problem of identity theft; (2) steps taken at the federal, state, and local level to prevent potential identity theft; and (3) vulnerabilities that remain to protecting personally identifiable information, including in federal information systems. For this testimony, GAO relied primarily on information from prior reports and testimonies that address public and private sector use of personally identifiable information, as well as federal, state, and local efforts to protect the security of such information. GAO and agency inspectors general have made numerous recommendations to agencies to resolve prior significant information control deficiencies and information security program shortfalls. The effective implementation of these recommendations will continue to strengthen the security posture at these agencies. Identity theft is a serious problem because, among other things, it can take a long period of time before a victim becomes aware that the crime has taken place and thus can cause substantial harm to the victim's credit rating. Moreover, while some identity theft victims can resolve their problems quickly, others face substantial costs and inconvenience repairing damage to their credit records. Some individuals have lost job opportunities, been refused loans, or even been arrested for crimes they did not commit as a result of identit

The loss of personally identifiable information, such as an individual's Social Security number, name, and date of birth can result in serious harm, including identity theft. Identity theft is a serious crime that impacts millions of individuals each year. Identity theft occurs when such information is used without authorization to commit fraud or other crimes. While progress has been made protecting personally identifiable information in the public and private sectors, challenges remain. GAO was asked to testify on how the loss of personally identifiable information contributes to identity theft. This testimony summarizes (1) the problem of identity theft; (2) steps taken at the federal, state, and local level to prevent potential identity theft; and (3) vulnerabilities that remain to protecting personally identifiable information, including in federal information systems. For this testimony, GAO relied primarily on information from prior reports and testimonies that address public and private sector use of personally identifiable information, as well as federal, state, and local efforts to protect the security of such information. GAO and agency inspectors general have made numerous recommendations to agencies to resolve prior significant information control deficiencies and information security program shortfalls. The effective implementation of these recommendations will continue to strengthen the security posture at these agencies. Identity theft is a serious problem because, among other things, it can take a long period of time before a victim becomes aware that the crime has taken place and thus can cause substantial harm to the victim's credit rating. Moreover, while some identity theft victims can resolve their problems quickly, others face substantial costs and inconvenience repairing damage to their credit records. Some individuals have lost job opportunities, been refused loans, or even been arrested for crimes they did not commit as a result of identit

Companies in the technology, media and telecommunications industries (TMT) significantly reduced investment in security spending in 2008, according to a new survey from Deloitte Touche Tohmatsu. The third edition of the Deloitte TMT Global Security Survey reveals that 32 percent of respondents reduced their information security budgets, while 60 percent of respondents believe they are "falling behind" or still "catching up" to their security threats -- a significant increase from 49 percent over the previous year. "This year's results indicate companies are explicitly scaling back. With funding decreasing and the threats increasing, it is more important than ever for TMT companies to be highly cost efficient in addressing their security risks," said Irfan Saif, a principal in Deloitte & Touche LLP's Audit and Enterprise Risk Services practice. "Companies that do not have a sound understanding of their security risk profile, or who under-invest in security now, may find themselves exposed to significant and increasingly sophisticated threats that they are not equipped to mitigate." With the proliferation of digitized assets, security should claim a significant portion of a company's overall IT budget. However, only 6 percent of respondents allocate 7 percent or more of their total budget to IT security. This year represents a significant decline from the previous edition of the survey, which showed that 36 percent of the respondents allocated 7 percent or more of their budget to IT security. The survey also indicates that declining security investment is hindering adoption of new security technologies, with only 53 percent of respondents considering their organizations to be early adopters, or part of the early majority, down from 67 percent in 2007. Companies are focusing more effort on optimizing solutions that are already in place rather than investing in cutting-edge technology that can be capitalized upon during economic recovery.

The Government Accountability Office issued another scathing report saying that federal agencies still don't do enough to secure government IT assets. "Persistent weaknesses in information security policies and practices continue to threaten the confidentiality, integrity and availability of critical information and information systems used to support the operations, assets and personnel of most federal agencies," Gregory Wilshusen, GAO director of information security issues, wrote in a 66-page report issued Friday. "Recently reported incidents at federal agencies have placed sensitive data at risk, including the theft, loss, or improper disclosure of personally identifiable information of Americans, thereby exposing them to loss of privacy and identity theft." In a written response accompanying the report, federal CIO Vivek Kundra said OMB is committed to the vision of a secure federal government, and are taking steps to make that vision a reality. OMB, he said, has initiated a review of the language in the current reporting instructions to identify and clarify confusion in the annual reporting. OMB also is working with the CIO Council and the Council of Inspectors General on Integrity and Efficiency to improve guidance to agencies. The GAO report also said that nearly all of the 24 major federal agencies last year had weaknesses in information security controls. "An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs," Wilshusen said. "As a result, agencies have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise."

1. You get what you pay for. 2. Americans do not take information or security as seriously as they do their love for profit & cost savings. If one does not value what they are trying to protect accurately, the investment one is prepared to make will always be insufficient. Then there are hindsight and rationalization (a.k.a. politicians) - Karl The Government Accountability Office issued another scathing report saying that federal agencies still don't do enough to secure government IT assets. "Persistent weaknesses in information security policies and practices continue to threaten the confidentiality, integrity and availability of critical information and information systems used to support the operations, assets and personnel of most federal agencies," Gregory Wilshusen, GAO director of information security issues, wrote in a 66-page report issued Friday. "Recently reported incidents at federal agencies have placed sensitive data at risk, including the theft, loss, or improper disclosure of personally identifiable information of Americans, thereby exposing them to loss of privacy and identity theft." In a written response accompanying the report, federal CIO Vivek Kundra said OMB is committed to the vision of a secure federal government, and are taking steps to make that vision a reality. OMB, he said, has initiated a review of the language in the current reporting instructions to identify and clarify confusion in the annual reporting. OMB also is working with the CIO Council and the Council of Inspectors General on Integrity and Efficiency to improve guidance to agencies. The GAO report also said that nearly all of the 24 major federal agencies last year had weaknesses in information security controls. "An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs," Wilshusen said. "As a result, agencies have limited assurance that controls are in place and operating as intended to protect their inf

The discovery of documents with students' personally identifying information stored in an unlocked room has launched protests against the university's chief information security officer. Students at Binghamton University in New York are circulating a petition to remove the university's chief information security officer following the discovery of boxes full of documents listing personal information of students and parents in an unlocked storage room. The existence of the unsecured documents was discovered March 6 by a reporter working for student radio station WHRW and disclosed on March 9. For that investigative work, the student reporter could face criminal charges. Binghamton University has had other recent problems with information security. In the past year, according to an article written by Robert Glass, the WHRW news director, university employees accidentally e-mailed the Social Security numbers of 338 students to another group of 200 students, sent the personal information of exchange students -- passport scans and birth certificates -- to student groups, and disposed of information about more than 70 former graduate students in trash bins atop a pile of shredded documents. Those breaches led the university to create an information security council, with a full-time information security officer, to prevent further incidents, according to Glass. Glass did not immediately respond to a request for comment. A University spokeswoman characterized the hiring of Terry Dylewski as the university's chief information security officer as a reflection of the school's ongoing concern about information security rather than a response to past breaches. Asked about the status of the students' petition to remove Dylewski, as reported by Broome County Fox affiliate WICZ TV, she said that question should be directed to the students. The spokeswoman said the university is treating the incident as a possible crime and that a criminal investigation is ongoing. She sai

Government Information Security Podcasts As a GovInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info Probing Federal IT Security Programs: Gregory Wilshusen, GAO February 23, 2009 Government Accountability Office auditors will have a busy spring, examining a number of federal government programs aimed at securing government information systems and data. In an interview with GovInfoSecurity.com, Gregory Wilshusen discusses how the GAO is looking at how private industry and two dozen federal agencies employ metrics to measure the effectiveness of information security control activities. Other current GAO information security investigations he discusses include: Federal Desktop Core Configuration intended to standardize security features on personal computers purchased by the government. Trusted Internet Connection initiative aimed at slashing government Internet connections to fewer than 100 from more than 2,000. Einstein automated networking monitoring program run by U.S Computer Emergency Readiness Team. Gregory Wilshusen is director of information security issues at GAO, where he leads information security-related studies and audits of the federal government. He has more than 26 years of auditing, financial management and information systems experience. Before joining GAO in 1997, Wilshusen served as a senior systems analyst at the Department of Education as well as the controller for the North Carolina Department of Environment, Health and Natural Resources.

At last, my summer reading list is complete!

In what it described as an historic document, the National Institute for Standards and Technology issued a special report entitled Recommended Security Controls for Federal Information Systems and Organizations. Special Publication 800-53, Revision 3, is historic in nature. For the first time, and as part of a continuing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for national security and non-national security systems in its latest revision, No. 3, of Special Publication 800-53. "The important changes described (in the publication) are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management; that is, managing risks from information systems in dynamic environments of operation that can adversely affect organizational operations and assets, individuals, other organizations, and the nation," Ron Ross, NIST's Federal Information Security Management Act implementation project leader, said in a message incorporated into the 220-page report. According to the document, the updated security control catalogue incorporates best practices in information security from the Department of Defense, intelligence community and civilian agencies to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.

GoogleApps is an upgade to the Los Angeles computer systems security? Doesn't that explain a lot?! Google Inc. this week came swinging at critics who have cited privacy and security concerns in calling on the city of Los Angeles to rethink its plan to implement the Google Apps hosted e-mail and office applications. In an interview yesterday, Matt Glotzbach, director of product management for Google Enterprise, said the angst voiced by consumer groups and others about the Los Angeles project is overstated and based on incomplete information. In fact, he contended that transitioning the applications to Google will strengthen the security of the city's data and better maintain its privacy. "From what I know of the city's operation, this is a security upgrade," Glotzbach said. "Those who may be unfamiliar with cloud computing see this as a security risk simply because it is new and because it is something different," he said. Glotzbach said he believes that at least some of the concerns raised originated from Google's competitors. Meanwhile top managers at the Los Angeles Information Technology Agency (ITA), which oversees technology implementations in the city, yesterday said the city is still committed to implementing Google Apps. The agency insisted that provisions are in place for addressing the security and privacy issues raised by critics. A spokesman for Mayor Antonio Villaraigosa said the city council will sign off on the project only after it is assured that the privacy and security concerns have been properly addressed.

Google Inc. this week came swinging at critics who have cited privacy and security concerns in calling on the city of Los Angeles to rethink its plan to implement the Google Apps hosted e-mail and office applications. In an interview yesterday, Matt Glotzbach, director of product management for Google Enterprise, said the angst voiced by consumer groups and others about the Los Angeles project is overstated and based on incomplete information. In fact, he contended that transitioning the applications to Google will strengthen the security of the city's data and better maintain its privacy. "From what I know of the city's operation, this is a security upgrade," Glotzbach said. "Those who may be unfamiliar with cloud computing see this as a security risk simply because it is new and because it is something different," he said. Glotzbach said he believes that at least some of the concerns raised originated from Google's competitors. Meanwhile top managers at the Los Angeles Information Technology Agency (ITA), which oversees technology implementations in the city, yesterday said the city is still committed to implementing Google Apps. The agency insisted that provisions are in place for addressing the security and privacy issues raised by critics. A spokesman for Mayor Antonio Villaraigosa said the city council will sign off on the project only after it is assured that the privacy and security concerns have been properly addressed.

A health care industry coalition on Monday released a prescriptive security framework that organizations can use to safeguard patient records as they increasingly move online. The framework, released by the Health Information Trust Alliance (HITRUST) -- which represents health care providers, pharmacies, insurers, biotech firms and medical device manufacturers -- is based on well-known standards such as COBIT, NIST and ISO 270001. But this is the first benchmark developed specifically for protecting health data. "It's tailored to protecting health information right out of the gate," Michael Wilson, vice president and chief information security officer of McKesson, the largest U.S. pharmaceutical distributor, told SCMagazineUS.com on Monday. "It's just a different sort of data. It's still structured [like other verticals], but there's a lot more of it in health care." The framework was created to improve adoption rates with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and increase patient confidence in the security of their information. It also arrives on the heels of the new $787 billion economic stimulus bill, about $20 billion of which is earmarked to encourage health care organizations to adopt electronic health records as a way to reduce the number of medical errors and save money. The stimulus bill, in itself, contains srict privacy and security regulations for patient information. The standards took about 18 months to devise and can be implemented by organizations of any size, according to HITRUST. "2009 will be a turning point for information security in the health care industry, when organizations will begin implementing the framework...and create a cascading effect that will impact and benefit the entire health care ecosystem," Daniel Nutkis, CEO of HITRUST, said in news release. Wilson said the framework also will enable companies such as McKesson to show their customers and business partners that they are taki

This year was an interesting year in privacy and information security, and by looking back, we can clearly discern trends that will likely be a major part of the security management landscape in 2009. More and more states passed breach-notification laws and several enhanced or extended existing legislation. Software-as-a-Service (SaaS) and virtualization really took off, and compliance's looming presence grew with PCI DSS version 1.2 and some actual enforcement of HIPAA. Of particular note was Massachusetts' data breach law 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth. This is to date the most comprehensive law of its kind, setting a new standard for what breach-notification laws should look like; it covers both paper and electronic records, it mandates appropriate security awareness training as well as security and risk assessments and, most importantly, requires companies to make changes to their security programs in accordance with the findings of those risk assessments. Similarly, California enhanced the well-known CA-1386 to include not just traditional financial information, but also health care and health insurance data as well. With new mandates popping up all the time, it's no wonder compliance was one of the biggest focus areas for enterprise information security teams in the past year, and this trend will clearly continue in 2009; there will be more regulation on both the state and federal levels, and stronger enforcement of existing regulations. Fines and other penalties for violations of PCI DSS and HIPAA will continue to rise, along with the inevitable rise in discoveries of malfeasance. As a result, there will be an even larger focus on compliance by upper management, which also means decreased time and budget for necessary security controls that don't clearly fall under a compliance umbrella.

Is your company keeping information secure? Are you taking steps to protect personal information? Safeguarding sensitive data in your files and on your computers is just plain good business. After all, if that information falls into the wrong hands, it can lead to fraud or identity theft. A sound data security plan is built on five key principles: * Take stock. Know what personal information you have in your files and on your computers. * Scale down. Keep only what you need for your business. * Lock it. Protect the information in your care. * Pitch it. Properly dispose of what you no longer need. * Plan ahead. Create a plan to respond to security incidents. To learn more about how you can implement these principles in your business, play our interactive tutorial. You'll see and hear about practical steps your business can take to protect personal information. After you experience the tutorial, we hope you'll take advantage of the other resources on this site to educate your employees, customers, and constituents. Order copies of our brochure, Protecting Personal Information: A Guide for Business, or publish an article on information security in your newsletter, magazine, or website. All of the information on this site is in the public domain; we hope you'll share it freely.

The Federal Trade Commission today announced that it has approved a Federal Register notice seeking public comment on a proposed rule that would require entities to notify consumers when the security of their electronic health information is breached. The American Recovery and Reinvestment Act of 2009 (the Recovery Act) includes provisions to advance the use of health information technology and, at the same time, strengthen privacy and security protections for health information. Among other things, the Recovery Act recognizes that there are new types of Web-based entities that collect or handle consumers' sensitive health information. Some of these entities offer personal health records, which consumers can use as an electronic, individually controlled repository for their medical information. Others provide online applications through which consumers can track and manage different kinds of information in their personal health records. For example, consumers can connect a device such as a pedometer to their computers and upload miles traveled, heart rate, and other data into their personal health records. These innovations have the potential to provide numerous benefits for consumers, which can only be realized if they have confidence that the security and confidentiality of their health information will be maintained. To address these issues, the Recovery Act requires the Department of Health and Human Services to conduct a study and report, in consultation with the FTC, on potential privacy, security, and breach notification requirements for vendors of personal health records and related entities. This study and report must be completed by February 2010. In the interim, the Act requires the Commission to issue a temporary rule requiring these entities to notify consumers if the security of their health information is breached. The proposed rule the Commission is announcing today is the first step in implementing this requirement. In keeping with the Recover

Like this http://cheaptravelbooker.com Like this http://cheaptravelbooker.com like this http://killdo.de.gg travel,hotel,fun,hotel new,new offer,hotel best,best hotel,hotel travel,seo,backlinks,edu,gov,ads,indexing,bookmark,killgoggle,gogglesuck,goggle bookmark,kill goggle,yahoo,bing,indexing,quality links,linkwell,traffic boster,index best

In belt-tightening times, making the case for security investment is more difficult than ever. Security Catalyst founder Michael Santarcangelo details five steps risk professionals can use to communicate value effectively. The biggest challenge security teams face in their organization is one of perception, according to Michael Santarcangelo, founder of Security Catalyst, a New York-based consultancy focused on changing the way people protect information. Santarcangelo, who was recently a keynote speaker at the CSO Perspectives conference, said professionals focused on security are practiced at looking at risks and reducing them. Unfortunately, the rest of society often doesn't see risks the same way, making communication difficult (See also: Security and Business: Communication 101). "They lack relevant context," said Santarcangelo. "So security people get wrapped up in thinking: 'The CFO wants an ROI. We better work on ROI.' But what the CFO is really saying is:' I don't understand what you do. So you have to justify it to me.' Santarcangelo outlined his strategies for making the case for security investments at the three-day event held in Clearwater, Florida. He gave an audience of security professionals the details of his five step process for getting executives and boards to understand, and even approve, spending decisions in tough economic times. Create Santarcangelo believes one of the most effective ways to communicate value is to place focus back on the person to whom you are trying to make your pitch (See also: A CEO and CSO Who Actually Communicate). "The reason why someone changes a behavior or takes an action is because there is an inherent benefit to the person," said Santarcangelo. "But when many people start to create, they forget that. They tend to fall into the trap of thinking: 'I'm really smart and I know a lot of stuff. So I'm just going to say it and hope they will understand the value of it.'" Instead, Santarcangelo recommends creating

Compared to other key corporate executives, CEOs appear to underestimate the IT security risks faced by their own organizations, according to a survey of C-level executives released today by the Ponemon Institute. The Ponemon survey (download PDF) of 213 CEOs, CIOs, COOs and other senior executives reveals what appears to be a perception gap between CEOs and other senior managers concerning information security issues. For instance, 48% of CEOs surveyed said they believe hackers rarely try to access corporate data. On the other hand, some 53% of other C-level executives believe that their company's data is under attack on a daily or even hourly basis. The survey also found that the top executives were less aware of specific security incidents at their companies than other C-level executives and are more confident that data breaches can be easily avoided. Ponemon found that CEOs tend to view data protection efforts as vital to maintaining good customer satisfaction levels and to the company's brand image. The other managers, however, were more likely to say that the most important role for data security efforts is to satisfy regulatory requirements. The survey also found that CEOs and other top managers differed in their opinion of who is responsible for protecting corporate data. While eight out of 10 respondents said they believe there is one person responsible for data protection in their organization, there was a sharp difference of opinion on just who that person was. More than half of the CEOs said that CIOs are responsible for protecting data at their companies; only 24% of other senior managers felt the same way. And 85% of respondents said someone else would be held responsible for a data breach. "On the issue of accountability, we found that while people acknowledged that data breaches were a problem, very few people felt that if [their company] suffered a breach, they would be held responsible," said Larry Ponemon, founder of the Ponemon Institute.

Compared to other key corporate executives, CEOs appear to underestimate the IT security risks faced by their own organizations, according to a survey of C-level executives released today by the Ponemon Institute. The Ponemon survey (download PDF) of 213 CEOs, CIOs, COOs and other senior executives reveals what appears to be a perception gap between CEOs and other senior managers concerning information security issues. For instance, 48% of CEOs surveyed said they believe hackers rarely try to access corporate data. On the other hand, some 53% of other C-level executives believe that their company's data is under attack on a daily or even hourly basis. The survey also found that the top executives were less aware of specific security incidents at their companies than other C-level executives and are more confident that data breaches can be easily avoided. Ponemon found that CEOs tend to view data protection efforts as vital to maintaining good customer satisfaction levels and to the company's brand image. The other managers, however, were more likely to say that the most important role for data security efforts is to satisfy regulatory requirements. The survey also found that CEOs and other top managers differed in their opinion of who is responsible for protecting corporate data. While eight out of 10 respondents said they believe there is one person responsible for data protection in their organization, there was a sharp difference of opinion on just who that person was. More than half of the CEOs said that CIOs are responsible for protecting data at their companies; only 24% of other senior managers felt the same way. And 85% of respondents said someone else would be held responsible for a data breach. "On the issue of accountability, we found that while people acknowledged that data breaches were a problem, very few people felt that if [their company] suffered a breach, they would be held responsible," said Larry Ponemon, founder of the Ponemon Institute.

There are many websites that sell or provide for free, personal information about individuals. This information is gathered from many sources including white pages listings (directory assistance), publicly-available sources and public records. * Data vendors that offer an opt out policy * Data vendors that do not offer an opt out policy Directory Listings: To prevent the cross-referencing of your address with your phone number, you can choose to not have your information available in the phone book or through directory assistance. If your number is "unlisted," your name, address and phone number will not be printed in the phone book, but the information is available through both directory assistance and reverse directory assistance. If your number is "unpublished," your information will not be printed in the phone book and is not available through directory assistance or reverse directory assistance. Or you can list your name and phone number, but not your address. Telephone companies usually charge a monthly fee to be unlisted or unpublished. Public Records: Please note that public records are often that--public. Web sites that provided personal information gathered from various sources are not required to offer a way to have that information removed or suppressed, though many will as a courtesy. The table below notes many of the more common online providers of public and non-public information that do offer an opt out mechanism. The opt out notes below usually only apply to non-public information. Not all web sites that sell personal information allow individuals to have their information removed or suppressed. Check the privacy policy of the site to see if they offer an opt-out mechanism. If one is provided, ask the online data broker for clarification on whether opting out also applies to public records information they may maintain. Some online data vendors will request information from you (such as your Social Security number or date of birth) to proce

Data Privacy Trends: Randy Sabett, Information Security Attorney March 26, 2009 Activity at the State Level Points Toward a Federal Data Breach Notification Law Data privacy legislation -- the trend started in California and is being discussed heatedly in Massachusetts today. Data breach notification and privacy laws have now been enacted in 40 separate states, and government observers think we're close to seeing federal legislation proposed. In an exclusive interview, Randy Sabett, a noted privacy/information security attorney, discusses: Trends in state data privacy legislation; What these laws mean to businesses; The Obama Administration's approach to data privacy; Trends to keep an eye on throughout 2009. Randy V. Sabett, CISSP, is a partner in the Washington, D.C. office of Sonnenschein Nath & Rosenthal LLP, where he is a member of the Internet, Communications & Data Protection Practice. He counsels clients on information security, privacy, IT licensing, and patents, dealing with such issues as Public Key Infrastructure (PKI), digital and electronic signatures, federated identity, HIPAA, Gramm-Leach-Bliley, Sarbanes-Oxley, state and federal information security and privacy laws, identity theft and security breaches. He served as a Commissioner for the Commission on Cyber Security for the 44th Presidency.

"Knowledge is the currency of the future," says Sidney Pearl, Global Director of Enterprise Security Solution management for the Unisys Global Financial Services business. And according to the latest Unisys Security Index, Americans are getting much smarter - and more demanding - about the basic information security they expect from government and businesses. In an exclusive interview, Pearl discusses: Results of the latest Unisys Security Index; The security topics that mean the most to U.S. consumers; What these findings mean for government agencies and banking institutions. Pearl's Enterprise Security Solutions Management Group has worldwide responsibility for defining and managing the company's Fraud, Risk Management and Enterprise Security services offerings for the financial industry. Unisys provides Security Business Operations services and solutions to financial services clients in over 40 countries.

As if banks didn't have enough on their plates with compliance and regulation on the federal front, come May 1, they will have to be mindful of strict new rules coming from the Commonwealth of Massachusetts around data security. The Massachusetts Data Security Regulations are perhaps like no other in terms of their depth and scope. During a teleconference, attorneys from the privacy and data security practice of the law firm Goodwin Procter (Boston) described this very detailed, all-encompassing set of rules designed to keep consumers' personal data safe. They go beyond the rules of other states and the federal government that simply require companies to notify their customers of theft of their personal information. "Personal information," for the purposes of the regulation, is described as someone's first and last name or first initial and last name, in combination with Social Security Number, driver's license number or financial account number. At its core, the regulation states that companies, including banks, that handle the personal data of a Massachusetts resident must show they have in place a comprehensive, written information security program with heightened security procedures around how this information is handled. The rules also extend to entities' service providers and the degree to which they too much show they comply with the Massachusetts rules of handling data on residents. Companies have until May 1 to amend their vendor contracts to reflect this and until Jan. 1, 2010 to certify their vendors comply. Furthermore, companies must comply with these rules even if they do not have a single office in the Bay State or if they are in an already heavily regulated industry, like financial services. As long as customers in businesses' databases reside in Massachusetts, those companies are affected by the rules. According to partner Deborah Birnbach, this is some of the most intrusive legislation as it relates to the operation of businesses. "It requires

You systems administrator knows more about you than you think.

More than one-third of information technology professionals abuse administrative passwords to access confidential data such as colleagues' salary details or board-meeting minutes, according to a survey. Data security company Cyber-Ark surveyed more than 400 senior IT professionals in the United States and Britain, and found that 35 percent admitted to snooping, while 74 percent said they could access information that was not relevant to their role. In a similar survey 12 months ago, 33 percent of IT professionals admitted to snooping. "Employee snooping on sensitive information continues unabated," Udi Mokady, CEO of Cyber-Ark, said in a statement. Cyber-Ark said the most common areas respondents indicated they access are HR records, followed by customer databases, M&A plans, layoff lists and lastly, marketing information. "While seemingly innocuous, (unmanaged privileged) accounts provide workers with the 'keys to the kingdom,' allowing them to access critically sensitive information," Mokady said. When IT professionals were asked what kind of data they would take with them if fired, the survey found a jump compared with a year ago in the number of respondents who said they would take proprietary data and information that is critical to maintaining competitive advantage and corporate security. The survey found a six-fold increase in staff who would take financial reports or merger and acquisition plans, and a four-fold increase in those who would take CEO passwords and research and development plans.

The more things change, the more they stay the same. Such is the case for information security management, which has been voted - for the seventh consecutive year - the most important issue affecting IT strategy, investment and implementation over the coming 12 to 18 months, according to the American Institute of CPAs' 20th Annual Top Technology Initiatives Survey. Employing a new strategy this year, the institute's 10-member tech task force distributed surveys to approximately 50,000 of the institute's members and then advertised the survey in an electronic newsletter. "We changed the voting audience," said David Cieslak, CPA, CITP and co-chair of the task force, noting that they sought responses from all institute members, without feedback from outside technology groups, as in past years. "It's a big year - our 20th - we wanted to make sure it was reflective of our membership." This year's survey received more than 700 responses, which ranked 33 technology initiatives that they perceived as having the most impact over the next 12-to-18 months. The most pressing initiative, according to respondents - information security management - is an integrated, systematic approach that co-ordinates people, policies, standards, processes and controls used to safeguard critical systems and information from internal and external security threats. "Integrity, confidentiality and the relationship that CPAs have with their clients is something that has always been important to accountants," said Mary MacBain, CPA, CITP and a task force co-chair. "Security is going to continue to be important." Jim Bourke, a member of the task force and partner-in-charge of technology at CPA and business advisory firm Withum Smith+Brown in Red Bank, N.J., said that it's no surprise to see information security management make the top slot yet again: "Look at the top three - what's the theme? Security and the concern about the privacy issues involving data. For the past few years, many CPAs ha

Reform legislation is expected to be introduced this spring to update the Federal Information Security and Management Act, known as FISMA. A major complaint about FISMA is that complying with its rules does not necessarily guarantee departmental and agency information systems are secure. In this exclusive interview, Sen. Tom Carper, chairman of the Senate Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, discusses: Key provisions in the bill to improve ways to measure and determine the security of federal government information systems; Efforts to create a government-wide Chief Information Security Officer Council; His views on the most pressing cybersecurity challenges facing the nation: identity theft and the viability of financial institutions and threats by foreign nations to federal information systems.