Group items tagged

Forrester has a recommendation for CISOs struggling with how to secure corporate data: Stop trying so hard. Despite years of investments in technology and processes, protecting enterprise-wide data remains a maddeningly elusive goal for chief information security officers (CISOs). Software-as-a-service (SaaS), Web 2.0 technologies, and consumerized hardware increase the number of escape routes for sensitive information. Regulations, statutes, and contractual expectations drown CISOs in audit requests and ratchet up the pressure to do something about the problem. Hordes of vendors confuse CISOs with innumerable sales pitches. Instead of beating your head against the wall, devolve responsibility to the business, keeping controls closest to the people who use the data. IT security should be primarily responsible only for deploying data protection technologies that require minimal or no customization.

In this video, Andre Gold, vice president and CISO of MoneyGram International, will discuss the basics of disaster recovery and business continuity planning, and define several general terms associated with disaster recovery and business continuity planning to help organizations develop a more accurate understanding. The text transcript of Gold's comments is included below. Andre Gold: Over the past four to five years, I've spent a lot of time in disaster recovery and business continuity planning as part of my role as the chief risk officer as well as the CISO for a couple major organizations. During that time, in working with those firms, I've had a greater appreciation of disaster recovery and business continuity planning, and I've learned that although BCP and DR are very important to firms, when its actually time to execute upon those respected strategies, many firms fail, and they fail fundamentally because they lose sight of the core elements of disaster recovery and business continuity planning. And with that, it's those core elements that we will be discussing today.

"It was fascinating to read your thoughts about our recent conversation in CSO (see The Many Challenges of Finding Work as a CISO/CSO"). And when I say "fascinating," I mean in the sense of watching Nascar: a lot of predictable left turns and some really embarrassing, squirm-inducing shots of the fans. I do like you, I think you're a nice guy, and so I wanted to give you some feedback about the interview process and what you're going to need to change to be successful. I don't think you're going to enjoy reading this. But maybe some of those hours that you're spending maintaining that "vast database" of yours could be better spent understanding why we hired someone who understands they're an engineer."

One of the most enlightening articles I have seen on the value of security to corporate America.

A disconnect exists between federal government CIOs, CISOs and IT hiring managers and the human resources professionals charged with finding qualified candidates with cybersecurity skills, according to a just-published report. The report, Cyber In-Security: Strengthening the Federal Cybersecurity Workforce from the Partnership for Public Service, concludes that IT managers are less satisfied than their HR counterparts with the quality of cybersecurity recruits and the time it takes to hire IT security personnel. "The human capital management process is broken; operations and HR people should be joined at the hip and collaborate across the government," the report quotes Norman Lorentz, former chief technology officer at the White House Office of Management and Budget. Indeed, one third of chief information officers, chief information security officers and IT hiring managers surveyed for the report expressed unhappiness with candidate quality vs. 10 percent for HR managers. Sixty-one percent of HR managers vs. 40 percent of IT managers expressed satisfaction with candidate quality (see chart).

Banks and financial firms are placing more emphasis on internal threats to cut the flow of data leakage as a result of employee mistakes or workers disgruntled with layoffs and downsizing during the economic crisis, according to a recent survey. The report, "Protecting What Matters: The Sixth Annual Global Security Survey," is based on a Deloitte survey of 250 CISOs in the financial-services industry. It found that 36% of respondents believe the internal threat represents the greatest risk to organizations, compared to 13% who said external threats are the biggest concern. Mark Steinhoff, head of Deloitte's financial services security and privacy practices, said an organization's biggest mistake would be to let its guard down. While the number of security breaches may have declined over the last year, cybercriminals are not rationing back their efforts. "The number of breaches that are occurring are really at the hands of insiders and organizations are understanding that there is a real threat of malicious attacks and exposure of personal information by insiders," Steinhoff said. The failing economy may be driving the increased concern over insider threats, Steinoff said. "The climate we're in today causes concerns about disgruntled employees," he said. "We are seeing the layoffs and other forms of downsizing. Frankly with limited budget and less than satisfied employees, it really raises the parameter on that threat." Human error is the leading cause of information systems failure, and is likely to be the main cause of security attacks in the near future, according to 86% of those surveyed. To protect against employee mistakes that lead to a breach, financial firms should focus on risk rather than compliance to protect themselves, Steinhoff said. "[Organizations] need to look at what they want to protect and look at various types of threats internally and evaluate who has access to the data and who has access to which system, and approach it from that persp

One of the more interesting panel discussions at the IDC Cloud Computing Forum on Feb 18th in San Francisco was about managing the complexities of security, privacy and compliance in the Cloud. The simple answer according to panelists Carolyn Lawson, CIO of California Public Utilities Commission, and Michael Mucha, CISO of Stanford Hospital and Clinics is "it ain't easy!" "Both of us, in government and in health, are on the front-lines," Lawson proclaimed. "Article 1 of the California Constitution guarantees an individual's right to privacy and if I violate that I've violated a public trust. That's a level of responsibility that most computer security people don't have to face. If I violate that trust I can end up in jail or hauled before the legislature," she said. "Of course, these days with the turmoil in the legislature, she joked, "the former may be preferable to the later." Stanford's Mucha said that his security infrastructure was built on a two-tiered approach using identity management and enterprise access control. Mucha said that the movement to computerize heath records nationwide was moving along in fits and starts, as shown by proposed systems likeMicrosoft (NSDQ: MSFT)'s Health Vault and Google (NSDQ: GOOG)'s Personal Health Record. "The key problem is who is going to pay for the computerized of health records. It's not as much of a problem at Stanford as it is at a lot of smaller hospitals, but it's still a huge problem." Mucha said that from his perspective security service providers in the cloud and elsewhere are dealing with a shrinking security parameter or fence, which is progressing from filing cabinets, to devices, to files, and finally to the individual, who under the latest Health Insurance Portability and Accountability Act (HIPAA) privacy rules has certain rights, including rights to access and amend their health information and to obtain a record of when and why their Protected Health Information (PHI) record has bee

In this expert videocast, you will learn about Web 2.0 software, the threats they pose, and whether the benefits outweigh the risks. Key areas covered include the threats posed by services like Facebook, MySpace, and LinkedIn, as well as wikis and blogs. Our expert also dives into particular attack vectors and scenarios that are becoming popular, defensive policy, and technology best practices and Web 2.0 trends to monitor going forward. Speaker David Sherry CISSP, CISM - CISO, Brown University As chief information security officer of Brown University, David Sherry is charged with the development and maintenance of Brown's information technology security strategy, IT policies and best practices, security training and awareness programs, as well as ongoing risk assessment and compliance tasks. Sherry has 20 years of experience in information technology. He most recently worked at Citizens Bank where he was vice president for enterprise identity and access management, providing leadership for compliance and security governance. He had also served as Citizens' vice president for enterprise information security, overseeing the company's security operations and controls. He has taught classes at colleges in both Massachusetts and Rhode Island, as well as spoken on identity management strategy and implementation at industry conferences. He holds undergraduate and graduate degrees in business management.

When the CISO asks to speak to you with that look on his face, you know the news isn't good. We were contacted by one of our third-party vendors, whom we had hired to do analysis on our website traffic. It appears that we have been passing sensitive information to them over the Internet. This sensitive information included data, such as customer names, addresses and credit card information. Because we are a public company, there are many regulatory guidelines that we have to follow like Sarbanes-Oxley (SOX) and the Payment Card Industry's (PCI) data security standard. Fortunately for us, our vendor has retained a copy of everything that we have sent to them. Unfortunately for us, it was six months of information totaling over a terabyte. Since our website is international, the legal department needed to obtain outside council to assist us in this matter. It will be a few days until I receive the data from the vendor.

The discovery of documents with students' personally identifying information stored in an unlocked room has launched protests against the university's chief information security officer. Students at Binghamton University in New York are circulating a petition to remove the university's chief information security officer following the discovery of boxes full of documents listing personal information of students and parents in an unlocked storage room. The existence of the unsecured documents was discovered March 6 by a reporter working for student radio station WHRW and disclosed on March 9. For that investigative work, the student reporter could face criminal charges. Binghamton University has had other recent problems with information security. In the past year, according to an article written by Robert Glass, the WHRW news director, university employees accidentally e-mailed the Social Security numbers of 338 students to another group of 200 students, sent the personal information of exchange students -- passport scans and birth certificates -- to student groups, and disposed of information about more than 70 former graduate students in trash bins atop a pile of shredded documents. Those breaches led the university to create an information security council, with a full-time information security officer, to prevent further incidents, according to Glass. Glass did not immediately respond to a request for comment. A University spokeswoman characterized the hiring of Terry Dylewski as the university's chief information security officer as a reflection of the school's ongoing concern about information security rather than a response to past breaches. Asked about the status of the students' petition to remove Dylewski, as reported by Broome County Fox affiliate WICZ TV, she said that question should be directed to the students. The spokeswoman said the university is treating the incident as a possible crime and that a criminal investigation is ongoing. She sai