Government Information Security Podcasts
Heartland Breach -- What it Means to Banking Institutions: James Van Dyke, Javelin Strategy & Research
January 29, 2009
The Heartland Payment Systems data breach - it's the first major security incident of 2009. But how big is it really? What are the key takeaways for banking institutions left explaining this breach to their customers?
In an exclusive interview, James Van Dyke, Founder and President of Javelin Strategy & Research, discusses the implications of the Heartland case, offering insight on:
Conclusions we can draw from the Heartland breach;
How banking institutions should communicate with their customers;
Vulnerabilities we should watch to avoid the next big breach.
Van Dyke is founder and president of Javelin Strategy & Research. Javelin is the leading provider of independent, quantitative and qualitative research for payments, multi-channel financial services, security and fraud initiatives. Javelin's clients include the largest financial institutions, card issuers and technology vendors in the industry.
The key points of the plan closely mirror recommendations offered late last year by a bipartisan commission of computer security experts, which urged then-President-elect Obama to set up a high-level post to tackle cyber security, consider new regulations to combat cyber crime and shore up the security of the nation's most sensitive computer networks.
The strategy, as outlined in a broader policy document on homeland security priorities posted on the Whitehouse.gov Web site Wednesday, states the following goals:
* Strengthen Federal Leadership on Cyber Security: Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.
* Initiate a Safe Computing R&D Effort and Harden our Nation's Cyber Infrastructure: Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure.
* Protect the IT Infrastructure That Keeps America's Economy Safe: Work with the private sector to establish tough new standards for cyber security and physical resilience.
* Prevent Corporate Cyber-Espionage: Work with industry to develop the systems necessary to protect our nation's trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate.
* Develop a Cyber Crime strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime.
The article Dump Your Social Media Strategy; it's not Customer Service - Forbes made me wonder if companies are still missing the point of social as badly as R. Tarkoff, CEO of Lithium, would have us believe. Anyone with a thousand or more employees will likely have over 170, mostly unmanaged, s
Today's post discusses the relationship between strategy, leadership, and vision, 3 processes normally associated with senior organizational members. The majority of employees in mid to large sized corporations spend their time in tactical pursuit of short-term goals set by managers. Rather than
The U.S. government's director for cybersecurity resigned on Friday, criticizing the excessive role of the National Security Agency in countering threats to the country's computer systems.
"He has tendered his resignation," Amy Kudwa, a Department of Homeland Security spokeswoman told Reuters.
Former Silicon Valley entrepreneur Rod Beckstrom said in a resignation letter published by the Wall Street Journal that it was a "bad strategy" to have the National Security Agency, which is part of the Department of Defense, play a major role in cybersecurity.
Beckstrom headed the National Cybersecurity Center, which was created last March to coordinate all government cybersecurity efforts and answers to the Department of Homeland Security.
Homeland Security said in a statement that it has a strong relationship with the NSA and continues to work closely with all of its partners to protect the country's cyber networks.
Beckstrom wrote to Homeland Security Secretary Janet Napolitano on Thursday in his resignation letter that the NSA currently dominates most national cyber efforts.
"While acknowledging the critical importance of NSA to our intelligence efforts, I believe this is a bad strategy on multiple grounds," he wrote in the letter posted by the Wall Street Journal on its website.
National Security Agency officials could not immediately be reached for comment.
Beckstrom said in his letter that the cybersecurity group did not receive adequate support to accomplish its role during the previous administration of President George W. Bush, which only provided the center with five weeks of funding in the last year.
His resignation will be effective March 13, the letter said.
The newspaper said the Obama administration was conducting a 60-day review of the cybersecurity program started by Bush last year to protect government networks.
The more things change, the more they stay the same.
Such is the case for information security management, which has been voted - for the seventh consecutive year - the most important issue affecting IT strategy, investment and implementation over the coming 12 to 18 months, according to the American Institute of CPAs' 20th Annual Top Technology Initiatives Survey.
Employing a new strategy this year, the institute's 10-member tech task force distributed surveys to approximately 50,000 of the institute's members and then advertised the survey in an electronic newsletter.
"We changed the voting audience," said David Cieslak, CPA, CITP and co-chair of the task force, noting that they sought responses from all institute members, without feedback from outside technology groups, as in past years. "It's a big year - our 20th - we wanted to make sure it was reflective of our membership."
This year's survey received more than 700 responses; respondents ranked 33 technology initiatives by the impact they perceived each would have over the next 12 to 18 months.
The most pressing initiative, according to respondents - information security management - is an integrated, systematic approach that coordinates people, policies, standards, processes and controls used to safeguard critical systems and information from internal and external security threats.
"Integrity, confidentiality and the relationship that CPAs have with their clients is something that has always been important to accountants," said Mary MacBain, CPA, CITP and a task force co-chair. "Security is going to continue to be important."
Jim Bourke, a member of the task force and partner-in-charge of technology at CPA and business advisory firm Withum Smith+Brown in Red Bank, N.J., said that it's no surprise to see information security management make the top slot yet again: "Look at the top three - what's the theme? Security and the concern about the privacy issues involving data. For the past few years, many CPAs ha
In this expert videocast, you will learn about Web 2.0 software, the threats they pose, and whether the benefits outweigh the risks. Key areas covered include the threats posed by services like Facebook, MySpace, and LinkedIn, as well as wikis and blogs. Our expert also dives into particular attack vectors and scenarios that are becoming popular, defensive policy, and technology best practices and Web 2.0 trends to monitor going forward.
Speaker
David Sherry
CISSP, CISM - CISO, Brown University
As chief information security officer of Brown University, David Sherry is charged with the development and maintenance of Brown's information technology security strategy, IT policies and best practices, security training and awareness programs, as well as ongoing risk assessment and compliance tasks. Sherry has 20 years of experience in information technology. He most recently worked at Citizens Bank where he was vice president for enterprise identity and access management, providing leadership for compliance and security governance. He had also served as Citizens' vice president for enterprise information security, overseeing the company's security operations and controls. He has taught classes at colleges in both Massachusetts and Rhode Island, as well as spoken on identity management strategy and implementation at industry conferences. He holds undergraduate and graduate degrees in business management.
As the National Security Council works on its comprehensive review of federal cybersecurity programs for President Obama, it is going to great lengths to consider privacy and civil liberty issues, some Congress members said Thursday.
The House Cybersecurity Caucus on Thursday met with Melissa Hathaway, the acting senior director for cyberspace for the National Security and Homeland Security Councils, who is conducting for the administration a 60-day cybersecurity review.
Rep. James Langevin (D-R.I.), co-chair of the House Cybersecurity Caucus, said Hathaway has been meeting with privacy and civil liberties groups to receive their input on how to reform cybersecurity.
Those issues are "a forethought rather than an afterthought," he said. "Because these are such powerful tools (to grant federal authorities to regulate cyberspace), we're going to have to have the buy-in of the public and have their support."
While the Senate is working on its own plan for White House-run cybersecurity efforts, Langevin said Hathaway's assessment may ultimately suggest a strategy with a stronger emphasis on inter-agency efforts.
Langevin said it is still unclear whether Hathaway will recommend that a new office for cybersecurity should be created within the Executive Office of the President--a move some senators are pushing for. Certainly, though, policy will have to come from the White House.
"This is going to have to be an ongoing strategy of collaboration and cooperation directed out of the White House," Langevin said. "But there won't be one king, so to speak, at the end of the day. The chief information officers at the departments and agencies are still going to have a role to play."
Since its inception, IT has focused on reducing costs through process automation and the implementation of applications. However, that is no longer enough to sustain competitive advantage in a rapidly changing world. Today, important business decisions depend on having up-to-date, trustworthy information. At the same time, you need to assess the internal and external risks involved in such decisions. This is not easy, which is why organizations need to build an Information Strategy to guide them
Supercharging the HVA Engineering and Maintenance Risk Assessment in the Healthcare Setting
Webinar Registration
Hospitals have been under close scrutiny for years to ensure they evaluate and mitigate risks and exposures that could impact their ability to deliver healthcare services under all conditions. A staple of this activity is the "Hazard Vulnerability Assessment". A traditional HVA looks at specific threats within four categories (natural, technological, human and hazardous materials). While the HVA is useful for auditors looking to confirm minimum compliance, it does not properly arm the organization to assess how risk, mitigation strategies and limited capital can effectively be deployed for maximum benefit. Come hear from leaders of Deaconess Health Systems Engineering and Maintenance team on how they partnered with Virtual Corporation to execute an effective risk assessment methodology and toolkit across the DHS enterprise. Participants will see examples of innovative risk mapping and reporting methods that yield high information density in a simple, understandable format.
Presenters: Mark Merrill, Facility Engineer, Deaconess Health System
Tom Barnett, Manager, Engineering and Maintenance, Deaconess Health System
Scott Ream, President, Virtual Corporation
Complimentary Webinar: Managing Data Breach Litigation
You are cordially invited to attend a complimentary Webinar hosted by Debix
Titled: Managing Data Breach Litigation.
Tanya Forsheit, Partner at Proskauer Rose, will discuss recent developments in data breach litigation and other privacy class actions. Tanya also will discuss lessons to be learned from recent decisions and what these court opinions mean for companies facing privacy litigation.
Alan Brill, Senior Managing Director at Kroll Ontrack, will provide lessons learned from the field on litigation strategies. The presentation will include practical tips on avoiding litigation, getting litigation dismissed or, in the unfortunate scenario of a lawsuit, winning.
Julie Fergerson, VP of Emerging Technologies at Debix, has been working with breached organizations for over 10 years and will moderate the call.
67% of French Organisations Hit By One or More Data Breach Incidents Within Last Twelve Months
Research from Ponemon Institute Reveals that only 9 Percent of Respondents have an Overall Encryption Plan or Strategy Applied Consistently across the Enterprise
PARIS and MENLO PARK, Calif., Sept. 9 /PRNewswire/ -- PGP Corporation, a global leader in enterprise data protection, has announced the results of its inaugural annual study by The Ponemon Institute, identifying the steps French organisations are taking in order to safeguard their confidential data.
The 2009 Annual Study: France Enterprise Encryption Trends study, which polled 414 IT security professionals at enterprises and public sector organisations, found that 67 percent of French organisations have been hit by at least one data breach incident within the last year, with 18 percent having been hit by more than five incidents. A massive 92 percent of the data breaches were never disclosed as there was no legal or regulatory requirement to do so. Despite the large number of data breach incidents, 71 percent responded that data protection was a 'very important' or 'important' part of their risk management strategy, with protecting sensitive or confidential information in motion (transfer) or at rest (storage) their top priority.
Paul Greenberg explains it this way in CRM at the Speed of Light, Fourth Edition: Social CRM 2.0 Strategies, Tools, and Techniques for Engaging Your Customers: "It is a revolution in how we communicate, not how we do business....We are now living in the era of the social customer."
"Forrester often gets inquiries such as, 'What requirements should we keep in mind while developing our disaster recovery plans and documents?' and, 'Which strategies work best for managing our disaster recovery program once it's in place?'"
""So many people in America think this does not affect them. They've been convinced that these programs are only targeted at suspected terrorists. … I think that's wrong. … Our programs are not perfect, and it is inevitable that totally innocent Americans are going to be affected by these programs," former CIA Assistant General Counsel Suzanne Spaulding tells FRONTLINE correspondent Hedrick Smith in Spying on the Home Front.
9/11 has indelibly altered America in ways that people are now starting to earnestly question: not only perpetual orange alerts, barricades and body frisks at the airport, but greater government scrutiny of people's records and electronic surveillance of their communications. The watershed, officials tell FRONTLINE, was the government's shift after 9/11 to a strategy of pre-emption at home -- not just prosecuting terrorists for breaking the law, but trying to find and stop them before they strike.
President Bush described his anti-terrorist measures as narrow and targeted, but a FRONTLINE investigation has found that the National Security Agency (NSA) has engaged in wiretapping and sifting Internet communications of millions of Americans; the FBI conducted a data sweep on 250,000 Las Vegas vacationers, and along with more than 50 other agencies, they are mining commercial-sector data banks to an unprecedented degree."
An explosion in threats against the nation's cybernetworks has led the Pentagon to develop a cyberwar strategy and prompted states to open cybersecurity offices.
"A new report from Javelin Strategy and Research suggests that many credit and debit card holders fail to understand the importance of a notice saying that a credit card or debit card has been breached and do not protect themselves from fraud.
The company's research found that people notified of a breach of their secure data were four times as likely as the public at large to actually experience financial or other fraud within a year of the notification.
Further, those who experienced a breach in their secure data and then an incident of fraud very rarely link the fraud to the breach.
"Among consumers who received a data breach notification in the past 12 months, 19% suffered fraud, yet only 2% attributed their fraud to a data breach," the firm reported. "It seems as if consumers are not connecting the dots on data breach notifications to fraud events. They are aware, in the abstract, some personal records of theirs have been compromised, but when they become a victim of fraud they do not make the connection to the breach notification.""
"Sun Microsystems, Inc. and Deloitte today announced a collaborative initiative to help companies develop efficient, cost-effective and sustainable technology and business processes to address their unique regulatory compliance and technology governance challenges.
As part of this initiative, Sun and Deloitte today announced their plans for the Center for Technology Governance and Compliance (CTGC), which combines Deloitte's consulting and advisory services with Sun's IT management solutions and services, including its Information Lifecycle Management (ILM) and Identity Management technology portfolios. Access to the professionals and services within the CTGC is available through Sun Solution Centers. To learn more, please visit http://www.sun.com/compliance or http://www.deloitte.com/.
As a worldwide leader in network computing systems, Sun provides scalable solutions designed to protect and manage business-critical information through its lifecycle. The combination of Deloitte and Sun brings together complementary competencies to deliver a business-driven, technology-enabled framework for creating and implementing technology governance and compliance strategies and programs."
"Consumers who have received a data breach notification letter are four times more likely than others to be the victim of identity theft, according to a survey released this week by Javelin Strategy and Research.
Approximately 11 percent of U.S. consumers have received a data breach notification letter in the past 12 months with a third of the breaches involving Social Security numbers and 15 percent involving ATM PINs, according to Javelin's third annual survey of nearly 5,000 U.S. consumers, released Tuesday.
Of those who have received a data breach notification letter in the past year, 19.5 percent said they were the victims of fraud associated with identity theft, compared to 4.3 percent who have not received a notification but were victimized.
"It wasn't just a statistical anomaly," Robert Vamosi, a Javelin risk fraud and security analyst and the author of the study, told SCMagazineUS.com on Wednesday. "In 2007 and 2006, we saw a similar pattern, so this isn't a blip. This is something that has been going on for a while.""
eBook: Compliance 2.0: Comprehensive, Scalable and Sustainable Systems
http://go.techtarget.com/r/6705298/226727/1
Enterprises are moving towards a top-down approach to compliance that starts with risk assessment and prioritization, experts agree.
In this expert e-book, gain insight from senior IT and security officers who are taking a holistic approach to compliance for long-term sustainability and cost reduction. Learn which quantitative tools you can use to prioritize your efforts, maximize your investments and get key business executives to support your next project.
Learn how to:
** Bring your data into governance
** Understand and manage your risk exposure
** Get the right people on board to support your strategy and policies
Start building your true compliance infrastructure:
http://go.techtarget.com/r/6705299/226727/2