Group items matching

in title, tags, annotations or url

Date: Tuesday, February 10, 2009 Time: 2:00 p.m. EST/11:00 a.m. PST Follow the link below to register: http://sc.haymarketcomm.net/r/?ZXU=775318&ZXD=33050957 Organizations are still struggling to get into compliance with PCI DSS, especially as the PCI Security Standards Council continues to update and tweak the Standards. There's much to keep in mind and even more to do in order to adhere to the mandates, so what are the critical steps to get there. Experts share their know-how. Featured speakers Rich Mogull, L.L.C., Founder and Principle Analyst, Securosis Murray Rosenthal, CISA, Senior Policy Analyst - Security I&T Strategic Planning & Architecture Information & Technology Division, City of Toronto Sponsored by Symantec http://sc.haymarketcomm.net/r/?ZXU=775319&ZXD=33050957 Follow the link below to register: http://sc.haymarketcomm.net/r/?ZXU=775320&ZXD=33050957

This year was an interesting year in privacy and information security, and by looking back, we can clearly discern trends that will likely be a major part of the security management landscape in 2009. More and more states passed breach-notification laws and several enhanced or extended existing legislation. Software-as-a-Service (SaaS) and virtualization really took off, and compliance's looming presence grew with PCI DSS version 1.2 and some actual enforcement of HIPAA. Of particular note was Massachusetts' data breach law 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth. This is to date the most comprehensive law of its kind, setting a new Standard for what breach-notification laws should look like; it covers both paper and electronic records, it mandates appropriate security awareness training as well as security and risk assessments and, most importantly, requires companies to make changes to their security programs in accordance with the findings of those risk assessments. Similarly, California enhanced the well-known CA-1386 to include not just traditional financial information, but also health care and health insurance data as well. With new mandates popping up all the time, it's no wonder compliance was one of the biggest focus areas for enterprise information security teams in the past year, and this trend will clearly continue in 2009; there will be more regulation on both the state and federal levels, and stronger enforcement of existing regulations. Fines and other penalties for violations of PCI DSS and HIPAA will continue to rise, along with the inevitable rise in discoveries of malfeasance. As a result, there will be an even larger focus on compliance by upper management, which also means decreased time and budget for necessary security controls that don't clearly fall under a compliance umbrella.

US senators have drafted legislation that would give the federal government unprecedented authority over the nation's critical infrastructure, including the power to shut down or limit traffic on private networks during emergencies. The bill would also establish a broad set of cybersecurity standards that would be imposed on the government and the private sector, including companies that provide software, IT work or other services to networks that are deemed to be critical infrastructure. It would also mandate licenses for all individuals administering to strategically important networks. The bill, which is being co-sponsored by Senate Commerce Committee chairman John Rockefeller IV and Senator Olympia Snowe, was expected to be referred to a senate committee on Wednesday. Shortly after a working draft of the legislation began circulating, some industry groups lined up to criticize it for giving the government too much control over the internet and the private companies that make it possible. "This gives the president too much power and there's too little oversight, if there's any at all," said Gregory Nojeim, senior counsel at the Center for Democracy and Technology. "It gives him the power to act in the interest of national security, a vague term that has been broadly defined." Nojeim was pointing to language in the bill that permits the president to "order the limitation or shutdown of internet traffic to and from any compromised federal government or United States critical infrastructure information system or network" after first declaring a national cybersecurity emergency. A separate provision allows the executive in chief to "order the disconnection of any federal government or United States critical infrastructure information systems or networks in the interest of national security." "It applies to any critical infrastructure," Nojeim added. "Surely, the internet is one." The bill would also require NIST, or the National Institute of standards and Techn

The Federal Trade Commission had some sharp words for Internet advertising companies Thursday, saying that they simply are not disclosing how they collect information about users well enough. And the agency threatened that the industry had better get its act together - or else. Or else what? Well, that's a bit harder. The commission has limited ability to issue binding regulations on advertising practices, and the process is cumbersome. But if the agency were to say that its attempt over the last few years to have Internet companies voluntarily bolster their privacy standards has failed, it could encourage Congress to pass online privacy legislation. Indeed, two members of the commission - Pamela Jones Harbour, an independent, and Jon Leibowitz, a Democrat - issued statements saying that while they support the commission's action, they hope for further regulation and possibly legislation on the issue. What the commission issued Thursday was the final version of its principles for online behavioral advertising - that is, ads shown to you based on something you did in the past. The agency issued its first draft of these at the end of 2007 and spent more than a year digesting comments. These principles were meant to spur various Internet groups to create self-regulatory standards for their members. And one group, the Network Advertising Initiative, did publish new rules. The top recommendation was that users should be given clear notice about what information was collected and an easy way to tell sites to stop watching them. "What we observe is that, with rare exception, is not the rule for any Web sites," said Eileen Harrington, the acting director of the commission's bureau of consumer protection, in an interview Thursday. "It is far more commonplace to put the information in the midst of lengthy and hard-to-understand privacy policies."

Industry Insiders Discuss HIT and HIPAA Issues March 30, 2009 by Astrid Fiano, Writer A significant part of President Obama's health care reform agenda is the push for implementing more health care technology. In the health care field privacy is always a major concern, and was the impetus of the Health Insurance Portability and Accountability Act of 1996--protecting the privacy of individually identifiable health information in all formats, and the confidentiality provisions of the Patient Safety Act--protecting identifiable information being used to analyze patient safety events. So those in the health care industry now wonder will the Administration's focus on health IT (HIT) present more challenges to privacy concerns? As part of a continuing focus on HIT issues, DOTmed interviewed industry expert Kirk J. Nahra, a partner in the Washington D.C. legal firm of Wiley Rein LLP, specializing in privacy and information security for the health care and insurance industries, and named an expert practitioner by the Guide to the Leading U.S. Healthcare Lawyers. DOTmed also interviewed Lise Rauzi, Vice President, Training Development, for Health Care Compliance Strategies (HCCS). HCCS provides online training compliance for employees. Nahra notes that regardless of the rising concern over privacy and the new HIT legislation, there have already been formal HIPAA security rules on electronic information in place for several years--the health care industry compliance has just been inconsistent. The problem -- to the extent there is one -- is that HIPAA rules are process-oriented, Nahra explained. The rules don't tell an entity what to do, but rather what to evaluate--a standard set of questions, but without a standard set of answers. For example, a covered entity has to have an internal audit, but the rules do not tell the entity how best to carry out that internal audit. Not surprisingly, different businesses have different ideas on how to implement their HIPAA evaluations

Consumers face a greater risk of losing control of their data when doing business with smaller retailers, as many haven't made investments to comply with the Payment Card Industry's Data Security Standard (PCI DSS), according to a new survey. The survey, which covered 560 U.S. and multinational organizations, asked respondents a variety of questions about their investments and deployment of technology to comply with PCI DSS, which was introduced in 2005. It's an industry Standard created by major credit card companies that's designed to protect customer payment data. The survey found that 55 percent of organizations only secured credit card information but not other data such as Social Security and driver's license numbers or bank account details. Also, only 28 percent of smaller companies between 501 to 1,000 employees comply with PCI DSS. That compares with more than 70 percent of large merchants with 75,000 or more employees that claimed they're compliant.

"Bankers are playing with fire by increasing risk when taxpayer tolerance with financial bailouts has worn perilously thin, the International Monetary Fund warned. Managing director Dominique Strauss-Kahn reckons bankers may be in the throes of a "Mardi Gras" party of renewed speculation ahead of a looming regulatory crackdown. Yet the return of their old habits is dangerous. If a new financial crisis occurred in a few years" time, the public would be unwilling to support another round of massive bailouts, he told the Confederation of British Industry. Democracy itself could be threatened if banks went back to taxpayers with their caps in their hands. "In an atmosphere of increasing optimism, we see signs of old habits coming back. Risk-taking is on the rise," said Strauss-Kahn. "Right now, regulatory uncertainty is throwing up some perverse incentives. For example, it might be encouraging a risk-taking culture -- a Mardi Gras effect whereby financial institutions party now in expectation of lean times to come. "Clearly, this is dangerous, not least for emerging markets. And we may run out of time -- if we wait too long to implement these reforms, it might be too late." A second wave of rescues may simply not get through national legislatures, he added: "The political reaction would be very strong, putting some democracies at risk." IMF figures show the aftershocks of the 2008 crisis are far from over, with firms recognising only half of their losses worldwide. Yet despite the fragility of the financial sector, there is mounting evidence that traders are making hay before tougher regulatory standards come into force. Investment banking profits have soared this year, as firms make the most of ultra-low interest rates, money-printing operations and huge government bond issuance programmes. Strauss-Kahn argued countries need to act quickly to remove "regulatory uncertainty" -- ensuring bankers do not make the most of the current confusion over future standards

"Temporary workers brought in to help during the busy holiday shopping season can sometimes pose a data security risk for companies. Retailers that hire temporary help need to keep a watchful eye on them to reduce the risk of data compromises, said Bob Russo, general manager of the PCI Security Standards Council. The council oversees the implementation of mandatory security Standards for protecting credit and debit card data across the payment industry. With many retailers hiring temporary workers to handle extra business, vigilance is key, Russo said. "Management needs to hover at this time of the year, especially with temps," he said. Temporary workers who handle credit card data or are involved in any form of payment processing need to follow appropriate security procedures. Proper access controls also need to be in place to prevent temporary workers from gaining access to other systems, he said."

The Supreme Court upheld a U.S. government crackdown on profanity on television, a policy that subjects broadcasters to fines for airing a single expletive blurted out on a live show. In its first ruling on broadcast indecency standards in more than 30 years, the high court handed a victory on Tuesday to the Federal Communications Commission, which adopted the crackdown against the one-time use of profanity on live television when children are likely to be watching. The case stemmed from an FCC decision in 2006 that found News Corp's Fox television network violated decency rules when singer Cher blurted out an expletive during the 2002 Billboard Music Awards broadcast and actress Nicole Richie used two expletives during the 2003 awards. No fines were imposed, but Fox challenged the decision. A U.S. appeals court in New York struck down the new policy as "arbitrary and capricious" and sent the case back to the FCC for a more reasoned explanation of its policy.

Visa Inc.'s top risk management executive today dismissed what she described as "recent rumblings" about the possible demise of the PCI data security rules as "premature" and "dangerous" to long-term efforts to ensure that credit and debit card data is secure. Speaking at Visa's Global Security Summit in Washington, Ellen Richey, the credit card company's chief enterprise risk officer, insisted that despite recent data breaches at two payment processors, the Payment Card Industry Data Security Standard (PCI DSS) "remains an effective security tool when implemented properly." Richey added that breaches such as the ones at Heartland Payment Systems Inc. and RBS WorldPay Inc. were shaping public opinion and obscuring what otherwise has been "substantial progress" on the security front over the past year. "I'm sure that everyone in this room has read the headlines questioning how an event of this magnitude could still happen today," Richey said, referring to the Heartland breach. "The fact is, it never should have" - and indeed wouldn't have if Heartland had been vigilant about maintaining its PCI compliance, according to Richey. "As we've said before," she continued, "no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach." Pointing to Visa's decision last week to remove both of the breached payment processors from its list of PCI-compliant service providers, Richey said that Heartland would face fines and probationary terms that were proportionate to the still-undisclosed magnitude of the breach. "While this situation is unfortunate, it does not make me question the tools we have at our disposal," she said of the PCI rules.

Senate Judiciary Chairman Patrick Leahy (D-Vt.) has reintroduced a data breach bill that would set tougher rules for government agencies and private sector firms regarding consumers' personal information. This will be the third time around the block for the Personal Data Privacy and Security Act, which has cleared the Judiciary Committee, but never come to a vote on the Senate floor. The bill would preempt the more than 40 state laws laying out requirements for notifying consumers in the event of a data breach, a long-deferred legislative goal that has the general support of the IT industry. But Leahy's bill is about more than just data breaches. Among other things, it would set baseline security information standards for government agencies, something that the Obama administration has begun to work on with the early steps of an overhaul of the government's cybersecurity apparatus. "This is a comprehensive bill that not only deals with the need to provide Americans with notice when they have been victims of a data breach, but that also deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place," Leahy said in a statement. "Passing this comprehensive data privacy legislation is one of my highest legislative priorities as Chairman of the Judiciary Committee."

President-elect Barack Obama has promised to computerize all of America's medical records within five years. He made the pledge last week in a speech at George Mason University. "This will cut waste, eliminate red tape and reduce the need to repeat expensive medical tests," he said. "But it just won't save billions of dollars and thousands of jobs, it will save lives by reducing the deadly but preventable medical errors that pervade our health care system." But the road to digitized medical records will be a tough and expensive one, CNN Money reported. Today, only about 8% of the country's 5,000 hospitals and 17% of its 800,000 physicians use electronic medical records. There is also the issue of patient privacy. Numerous hospitals have faced security issues since moving to electronic medical records. The Industry Standard reported on a security breach at a Los Angeles hospital last month. And then there is the cost. Studies done by Harvard, RAND and the Commonwealth Fund peg the cost of the digitization plan between at least $75 billion to $100 billion, according to the CNN article. However, the health care industry spends $2 trillion dollars a year, so the $100 billion may be well worth the long-term savings.

PCI - better than nothing, but still vastly inadequate. - Karl The Heartland Payment Systems and Network Solutions data breaches have thrust the Payment Card Industry Data Security Standard (PCI DSS) into the spotlight, raising the question: Does PCI compliance help in the fight against fraud? David Taylor, founder of PCI Knowledge Base, recently administered new research on PCI compliance, and in an exclusive interview he discusses: Goods news - and not-so-good-news - about PCI compliance; Unique PCI challenges for merchants and banking institutions alike; What needs to be done to raise awareness of PCI compliance. Taylor founded the PCI Knowledge Base and before that the PCI Alliance. He worked with many leading edge companies as an analyst for Gartner for 14 years. The PCI Knowledge Base is a research community that shares information and knowledge to help merchants, banks and other organizations achieve PCI compliance.

The Heartland Payment Systems and Network Solutions data breaches have thrust the Payment Card Industry Data Security Standard (PCI DSS) into the spotlight, raising the question: Does PCI compliance help in the fight against fraud? David Taylor, founder of PCI Knowledge Base, recently administered new research on PCI compliance, and in an exclusive interview he discusses: Goods news - and not-so-good-news - about PCI compliance; Unique PCI challenges for merchants and banking institutions alike; What needs to be done to raise awareness of PCI compliance. Taylor founded the PCI Knowledge Base and before that the PCI Alliance. He worked with many leading edge companies as an analyst for Gartner for 14 years. The PCI Knowledge Base is a research community that shares information and knowledge to help merchants, banks and other organizations achieve PCI compliance.

"We all know that Internet and communications technology is changing rapidly, creating huge opportunities for business innovation and individual self-expression. Most people are probably not aware, however, that privacy law is not evolving nearly as quickly. It is time to update legal protections to reflect the impact the digital revolution is having on modern life. Cloud computing -- a bit of tech-jargon meaning the use of remote servers to store and process data -- is a great example. The movement of personal and proprietary data off desktop computers and into "the cloud", which is made up of server farms and broadband connections, is a major disruptive trend in computing. Unless our laws change to account for cloud computing and other equally momentous technology developments, the Constitution's protection against unreasonable search and seizure will become a relic of the past. The federal law setting standards for government access to personal communications -- the Electronic Communications Privacy Act (ECPA) -- was written more than two decades ago, before the Internet took off. "

"The U.S. Supreme Court Monday will hear arguments for and against the constitutionality of the oversight board established to monitor public company financial activity as part of the Sarbanes-Oxley regulation. The Sarbanes-Oxley Act was created and enacted into law partly in response to corporate accounting scandals such as Enron and WorldCom. The regulatory standard set out to reduce such fraudulent financial activities and provide an oversight mechanism for public companies. Part of the law includes the establishment of the Public Company Accounting Oversight Board (PCAOB), which consists of five members appointed by the Securities and Exchange Commission (SEC). The arguments to be heard this week relate directly to the PCAOB. While set up to regulate financial accounting at companies, those opposed to the board's powers argue that because its members are not appointed by the president, the board's control is unconstitutional based on the country's tenets of three branches of government. The challengers to the law say that the PCAOB lacks the presidential control required for executive branch agencies because the five members are appointed by the SEC, which doesn't fall under presidential powers. As a private agency in essence, the PCAOB is able to act as a government authority, which the Free Enterprise Fund believes to be unconstitutional. "

"A German computer scientist has published details of the secret code used to protect the conversations of more than 4bn mobile phone users. Karsten Nohl, working with other experts, has spent the past five months cracking the algorithm used to encrypt calls using GSM technology. GSM is the most popular standard for mobile networks around the world. The work could allow anyone - including criminals - to eavesdrop on private phone conversations. Mr Nohl told the Chaos Communication Congress in Berlin that the work showed that GSM security was "inadequate". "

With increasing dependency on information systems and advances in cloud computing, the smart grid and mobile computing, maintaining the confidentiality and integrity of citizens' personally identifiable information is a growing challenge. A new draft document from the National Institute of Standards and Technology (NIST) addresses that challenge by adding privacy controls to the catalog of security controls used to protect federal information and information systems.

"The credentials of thousands of Microsoft Windows Live ID accounts were posted online late last week, company officials said Monday. The company confirmed Monday in a blog post that several thousand Windows Live customers had their usernames and passwords exposed on a third-party site over the weekend. "Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers," the post said. "As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts." Windows Live IDs let users gain entry into Hotmail, Messenger, Xbox LIVE, according to Microsoft. The usernames and passwords that were leaked may also be used for other Microsoft services, including the company's web-based Office program and the Skydrive online storage service. News of the breach spread early Monday, but it was unclear how the credentials were originally obtained."

The US government has now adopted a policy of fostering the adoption of electronic medical records (EMR). The policy is intended to increase the efficiency of the US healthcare system, thereby lowering costs and reducing the incidence of preventable errors. At the same time, through its The Health Insurance Portability and Accountability Act (HIPAA) privacy rules, the government has set minimum standards for the security of those records. These two goals-privacy and security of these records, along with their free interchange among medical providers-can easily wind up at odds with each other. A recent study that looked at the role of state privacy laws in EMR adoption suggests that the problem is very real, as state privacy laws seem to inhibit the use of EMR by hospitals located there. The authors, based at MIT and the University of Virginia, line up a variety of data that validate their suggestion that privacy and the use of EMR may require a careful balance. So, for example, they cite some highly publicized lapses when it comes to the maintenance of patient privacy: someone once offered the records of 200,000 patients for sale on Craigslist, while hospitals have seen their own employees attempt to get at the electronic files of famous patients. Perhaps more significantly, the authors suggest that the public, as represented by their legislators, has concerns about the privacy of EMR. They found that states that have passed their own privacy laws to supplement the HIPAA rules tend to have a higher percentage of their populace signed up for the Do Not Call Registry, indicating a corresponding individual-level interest in maintaining privacy. So, they looked at whether these laws had any impact on the adoption of EMR by hospitals located in each state.

making best indexing in goggle and bing. RADJASEOTEA is a master of backlinks. You want indexing in goggle and bing. LOOK THIS www.fiverr.com/radjaseotea/making-best-super-backlink-143445

The California State Senate approved today SB 20, legislation by State Senator Joe Simitian (D-Palo Alto), which aims to strengthen existing privacy protection laws for California consumers. The new law builds on legislation authored by Simitian in 2002 that requires a business or government agency that incurs a data breach to provide notice to the individual(s) whose information was compromised. More than 40 states have adopted similar legislation since that time, largely based on the California measure. "No one likes to get the news that information about them has been stolen," said Simitian, "but when it happens, people are entitled to get a notice they can understand, and that helps them decide what to do next." "The premise is simple," added Simitian. "What you don´t know can hurt you. Ignorance is not bliss. And you can´t protect yourself if you don´t know you´re at risk." Simitian said his latest proposal (SB 20), "is designed to make a good law even better." California´s current security breach notification law (AB 700, Simitian -2002) requires notice to consumers when their information has been compromised, but does not require data holders to provide any standard set of information about the nature of the breach. SB 20 will enhance consumer knowledge about security breaches by requiring that the notification contain specified information, including the type of personal information breached and the date of the breach.