Skip to main content

Home/ Groups/ WPPS C-Suite News
sandy ingram

How long can CISO's avoid Cloud Computing? | CISO - 0 views

  • Network & Systems delivering the cloud service How does the authentication to access the network devices and operating system implemented? Does it use any two factor authentication? About the availability of the network and security infrastructure? does it implement load balancing or high availability solutions for the critical infrastructure components like firewalls, IPS, reverse proxies etc… Is the underlying cloud systems are secured? Do they have a baseline configuration implemented? How does the configuration managed? Does the cloud computing provider got a plan and/or policy to perform configuration management, patch management, anti-malware etc. Does the network undergoes periodic penetration testing? Does it undergo internal vulnerability assessment periodically? How is it ensuring that a compromised client with privileged access to the operating system is separated internally? Does it undergo periodic audits against standards like ISO27001, SAS70 etc? How is the customer data separated from one another? What are the security controls implemented to ensure this separation? What are the protection and response controls against the Denial of Service attacks?
  • Cloud Applications & Data Protection What are the security controls in the application development process? Does it include security code reviews of the code being developed or used? Is there a documented change and configuration management process? How does the application servers patched and what frequency? What are the mechanisms for managing the access control? How is the database protected from unauthorized access? How are they identifying the access reset requests are from the actual user. How do they create and delete/disable user accounts? what are the procedures for these activities. IS the data encrypted? If encrypted, how is the encryption keys are protected? What is key management process being followed? How is the data loss prevention ensured? Details of the DLP controls implemented? Is there a backup mechanism established? How is the data protected in the backups? Does the cloud service provider meets the regulatory requirements? For example, if the service is a ecommerce service then the cloud service could become part of the card holder environment and thus the PCI DSS regulation as there are potential card data being processed. Similarly, if the health information is processed, it can be HIPAA and similar other regulations. Is the cloud computing service provider meets the compliance requirements? Where is your data being hosted? Is it within your country or its jurisdiction? Is your organization comfortable with the legal system in the country where your data resides? How about cloud computing service provider who has a network of data centres across the globe and your data is scattered across these data centres? Can it limit the countries where the data is stored?
  • What are the conditions / scenarios where the data is revealed without the consent / approval of the organization? Does the application provide enough audit trials to review the incidents? Does it corporate with local legal system? Often the local law authorities require access to the processing computers, how is it support those requests?
  • ...1 more annotation...
  • Security Management What are the information security management policies and procedures implemented and documented? Are all employees required to undergo the security awareness training and acknowledge their acceptance to the policies and procedures at least annually? Is the cloud computing service provider has a dedicated information security professional? What are the network security capabilities established by the service provider? Are these personal technical qualified and certified? How is the insider threats within the cloud service provider being addressed? What is the background verification process being followed by the cloud service provider? Is there a privileged activity monitoring of systems and databases? How is the security incidents and violations are handled? Does it have a documented policy? How is the log integrity ensured? What are the mechanisms implemented to ensure that the logs cannot be altered and / or stopped. How long the logs are kept online and on the backup? What are the business continuity and disaster recovery capabilities of the cloud service provider? Many organization look at cloud as a BCM solution. Does the underlying cloud service provider is capable of delivering a BCM aware cloud service?
sandy ingram

One Place Where Windows 8 Tablets Will Beat The iPad - 0 views

    That's because they will help meet rising demand from employees to use a tablet at work, while still pleasing IT directors worried about security and management, and purchasing directors worried about cost.
sandy ingram

Facebook Timeline Violates FTC Settlement, Says One Privacy Group | WebProNews - 0 views

  • Having just reached a settlement with the Commission in which the company is required “to take several steps to make sure it lives up to its promise in the future, including giving consumers clear and prominent notice and obtaining consumers’ express consent before their information is shared beyond the privacy settings they have established,” Facebook is changing the privacy setting of its users in a way that gives the company far greater ability to disclose their personal information than in the past. With Timeline, Facebook has once again taken control over the user’s data from the user and has now made information that was essentially archived and inaccessible widely available without the consent of the user.
  • The impetus is on the user to edit their privacy settings in order to tweak their Timeline to only show stuff that they want it to show.
  • EPIC goes on to argue that since Timeline contains new categories like “Health and Wellness,” it is ripe to be used by companies mining for medical data
  • ...1 more annotation...
  • They argue that the Timeline makes it “a heck of a lot easier for computer criminals to unearth personal details that can be used to craft attacks.”
    The settlement said that Facebook must be more forthright with its members and make sure that any changes that they make concerning privacy must be clearly and prominently spelled out.
sandy ingram

Courts Says Employer's Lawsuit Against Ex-Employee Over Retention and Use of Twitter Ac... - 0 views

  • The takeaway is to have a written agreement that governs this issue!
  • PhoneDog said it suffered $340,000 in damages. The account had 17,000 followers, "which according to industry standards, are each valued at $2.50."
sandy ingram

Managing Cloud Risks - Forbes - 0 views

  • SLAs and the “Right to Audit” Clause When you move your data to the cloud, you must consider the risk to your brand should a breach occur. You need to ensure that any Service Level Agreements (SLAs) you have in place protect it. SLAs should address any and all risks to your data while it lives in the cloud. 
    Vendor Risk Management and Cloud Security Standards Another important consideration when mapping out your cloud GRC strategy is to ensure your vendor risk management program accounts for the new risks that come with moving to the cloud.
sandy ingram

symantec state of security 2011 survey - 0 views

    classifying confidential, sensitive information, knowing where it resides, who has access to it, and how it is coming in or leaving your organization . 
sandy ingram

Organisations fail to meet security awareness and compliance training best practices - ... - 0 views

  • “If this assessment demonstrates anything, it's that IT and security departments have got to gain greater visibility over all of their security and compliance activities and take steps to better understand and manage them.”
    A survey of high-risk organisations has found that more than three quarters fail to perform quarterly security and compliance training. According to a survey by enterprise key and certificate management solutions provider Venafi and IT security research provider Echelon One, 77 per cent of respondents failed to perform quarterly security and compliance training while 64 per cent failed to encrypt all of its data in the cloud. However 90 per cent did use encryption throughout the organisation. The survey of 420 enterprises and government agencies also found that almost 100 per cent of respondents had some degree of unquantified or unmanaged risk. When asked if their organisations encrypted data stored in public clouds such as Google Apps, and Dropbox, 40 per cent said they did not know.
sandy ingram

Is Internet Explorer 9 Now the Safest Web Browser? - 0 views

    With criminals migrating to Chrome, Bott says Chrome's filters, and its entire approach to protecting users, isn't as airtight as IE9's - or even as secure as its advocates believe.
sandy ingram

What's a Company's Biggest Security Risk? You. - - 0 views

  • Consider what happened in March at EMC Corp.'s RSA security unit, the maker of computer login devices used by thousands of other companies. A hacker sent emails to two small groups of employees that looked innocent enough, including a spreadsheet titled "2011 Recruitment plan." The message was so convincing that one employee retrieved it from the "junk mail" folder and then opened the attachment. Doing so introduced a virus inside RSA's network that eventually gave the hacker access to sensitive company data and enabled later attacks against RSA's customers.
  • Employees have more opportunities than ever to compromise company information. We not only screw up by clicking on emails from hackers that download viruses, letting them bypass corporate firewalls. We also open a Pandora's Box of security problems by circumventing company tech-support rules and doing work with personal gadgets and consumer-grade online services like Web email and cloud storage services.
  • Here's a look at what employees are doing wrong and how companies are trying to fight our bad habits
  • ...3 more annotations...
  • Today, we make ourselves easy targets by posting troves of information about ourselves and our jobs online, say security experts. Blogs and professional networks such as LinkedIn are particularly useful sources for criminals, since many people share details about their roles at work, which can be used to help determine corporate hierarchies, among other things.
  • Hackers include dangerous traps in these targeted emails, such as links leading to malware or a Web page designed to dupe the employee into entering passwords. In the RSA attack, the emails included an attachment that took advantage of a previously unknown chink in Adobe Flash software to inject a virus into the company's systems.
  • As older systems that are focused on firewalls fail, corporate IT "needs a new defense doctrine," says RSA's head of identity protection, Uri Rivner. "You need to have security cover inside your organization, rather than your perimeter. You need to understand what your users are doing, and then spot any type of suspicious activity inside."
    Hacking attacks against companies are growing bigger and bolder-witness a string of high-profile breaches this year at Sony Corp., Citigroup Inc. and others. But gone are the days when hackers would simply find holes in corporate networks to steal valuable data. Large companies have grown wise to the threat of hacking, and have spent the past 30 years hardening the perimeters of their networks with upgraded technology.
sandy ingram

Data Breaches - Beyond the Impact of Fines - 0 views

  • A recent article in the Tech Journal ( delves into the effects of data breaches, using survey information to demonstrate how they affect customer loyalty and confidence.
  • "The widespread impact of data breaches like Epsilon and Sony PlayStation, where millions of consumers were impacted around the world, is making customers more cautious about conducting business with certain financial institutions and retailers," said Jackie Gilbert, vice president of marketing and co-founder at SailPoint. "These companies obviously spent millions to recover from these data breaches, but the longer term and harder-to-measure costs will be the erosion of customer loyalty and decline in brand perception."
  • Case in point: 16% of Americans, 24% of Britons and 26% of Australians said they would no longer do business with a bank, credit card company or retailer if a security breach occurred that potentially exposed their personal and financial information to theft."
  • ...1 more annotation...
  • Although regulatory fines are painful, the loss of customers and business should really concern businesses.  Organizations and Infosec Professionals (CIO's, CISO's, etc.) would do well to take note of these results. 
    "The widespread impact of data breaches like Epsilon and Sony PlayStation, where millions of consumers were impacted around the world, is making customers more cautious about conducting business with certain financial institutions and retailers," said Jackie Gilbert, vice president of marketing and co-founder at SailPoint.
sandy ingram

Mobile malware, "whaling" top challenges of 2011, says IBM report - SC Magazine US - 0 views

  • To address these new challenges, the report said, enterprises need to shape their risk exposure, communication, end-user education and technology in a delicate balance.
  • One of the newest vectors of attack – the so-called “bring your own device” approach – has sprung up from the burgeoning market for smartphones and tablets and their adaption into the enterprise network, the report said. Security issues seen on the mobile platform are rising with the market – with double the number of mobile exploit releases that were seen in 2010.
  • Third-party app markets, a Wild West of often unregulated offerings, are the primary bazaar for malicious software created to attack mobile phones.
  • ...4 more annotations...
  • Infected mobile applications can also come from peer-to-peer networks hosted on websites
  • This year's breaches have highlighted the emerging risk of “whaling,” a variant of spear phishing that targets "big fish,” or high-level personnel
  • Of further concern for IT security professionals is the rise of professional teams charged with collecting intellectual property and strategic intelligence, the report found.
  • In addition, so-called hacktivist groups, such as LulzSec and Anonymous, have used well-worn attack techniques, such as SQL injection, to successfully target websites and computer networks for political ends rather than financial gain.
    An unprecedented number of successful attacks on corporate networks in the first half of the year illustrates that "basic network security is not just a technical problem, but rather a complex business challenge,"
sandy ingram

Small Business Facts and Figures - 0 views

    What is a small business? The Ofce of Advocacy denes a small business as an in- dependent business having fewer than 500 employees. (The denition of "small business" used in government programs and contracting varies by industry;
sandy ingram

Cloud Concerns "Unfounded and Ridiculous" Former U.S. Chief Information Officer Vivek K... - 0 views

    When I joined the Obama administration as the chief information officer, we quickly discovered vast inefficiencies in the $80 billion federal I.T. budget. We also saw an opportunity to increase productivity and save costs by embracing the "cloud computing"
sandy ingram

Tokenization & Compliance: Five Ways to Reduce Costs and Increase Data Security on Vimeo - 0 views

    A new service-based solution set now available from major players in the payments processing industry addresses many merchant concerns. End-to-end encryption (E2EE) combined with data tokenization provides enhanced security by protecting sensitive cardholder data from the point of capture through delivery to the payment processor, and by eliminating cardholder data from the merchant's environment post-authorization. With these two technologies in place, the data handled by a merchant is far less vulnerable in the event of a breach, simply because encrypted or tokenized data is useless to a thief.
sandy ingram

Governance 101: Best practices for creating and managing team sites - SharePoint Online... - 0 views

    If you're a team site owner, it's a good idea to create a governance model to address your site's policies, processes, roles, and responsibilities.
sandy ingram

Infosecurity (USA) - White House cybersecurity proposal shifts FISMA responsibility to DHS - 0 views

  • This would in effect shift FISMA implementation responsibility away from the Office of Management and Budget (OMB) and the National Institute for Standards and Technology (NIST) to DHS, “where the knowledge of attacks informs the defense”, Paller said.
  • “DHS has already demonstrated that they are focusing on the critical controls....They are focusing on effectiveness measures, rather than make work”
  • The proposal would also expand the DHS authority over cybersecurity of private networks, particularly critical infrastructure. DHS would have the authority to develop and conduct risk assessments of private sector critical infrastructure systems and share information with the private sector about threats and best practices.
  • ...5 more annotations...
  • “This brings the same rationality to offense informing defense. Instead of telling people that they have to have a good security plan, what DHS’s role will be is to demonstrate what best practices are and make sure people are measuring against those best practices”, Paller said.
  • The White House proposal would also create a national data breach notification requirement standardizing various state laws
  • “The administration's proposal would protect individuals by requiring businesses to notify consumers if personal information is compromised, and clarifies penalties for computer crimes including mandatory minimums for critical infrastructure intrusions.
  • The proposal would improve critical infrastructure protection by bolstering public-private partnerships with improved authority for the federal government to provide voluntary assistance to companies and increase information sharing.
  • It also would protect federal government networks by formalizing management roles, improving recruitment of cybersecurity professionals, and safeguarding the nation's access to cost-effective data storage solutions.”
    The White House proposal, which is a comprehensive cybersecurity plan, includes a provision directing the Department of Homeland Security (DHS) "to exercise primary responsibility within the executive branch for information security. This includes implementation of information security policies and directives and compliance" with FISMA, except for national security systems.
sandy ingram

Study Finds Companies Struggle to Measure Effectiveness of the Compliance Function - 0 views

  • Senior compliance officers at more than 100 leading U.S. companies responded to 28 questions in four key areas critical for the compliance function: leadership, reporting relationships and structure; compliance function scope, focus and risk; metrics to gauge program effectiveness; and budget, staffing and resources. A major finding of the study: One of the biggest obstacles facing Chief Compliance Officers (CCOs) is measuring the effectiveness of their compliance functions - almost 40 percent of the companies surveyed said they make no attempt to measure the effectiveness of their compliance program.
  • “An effective compliance program is the cornerstone of cooperation credit allowed under the U.S. Sentencing Guidelines and stakeholders are demanding much higher transparency in how compliance risk is effectively managed,” said Miles Everson, PwC principal and global and U.S. risk and compliance leader.
  • “Without a clear measure of the compliance department’s effectiveness, much else is in jeopardy. Lacking this,
  • ...8 more annotations...
  • how does the board know that compliance risks are effectively addressed?  Let alone that the compliance function itself is effective? 
  • According to the study, a critical element to the compliance department’s success is the perceived stature of the CCO and his or her influence among other top leadership.
  • “It’s essential that the compliance function have visibility and direct access both to senior executives in the organization and to the board or one of its committees,” added Everson. “This access helps keep risk and compliance issues on the company’s agenda and lets key ethics and compliance issues surface in a timely fashion.”
  • The State of Compliance survey also provided another interesting glimpse into corporate compliance when it asked about reporting structures. Regulators have long preferred that a company’s top compliance officer report directly to the board, and just last year the U.S. Sentencing Guidelines were revised to state more clearly that CCOs should not be, nor report to, the general counsel.
  • PwC and Compliance Week also found that, over the next 18 months, CCOs anticipate significant challenges when it comes to risk - and that when issues arise, they expect the consequences to be severe.
  • When asked about several high-level categories of risk, such as compliance risk, security risk, reputational risk and others, 48 percent believed the likelihood of a compliance failure was high or very high. 
  • What's more, 65 percent of respondents felt the impact of a compliance risk event, should it occur, would be high or very high. 
  • Effective compliance programs need input and guidance from many different voices in the company (IT, internal audit, finance, security). It is in the company’s benefit for the compliance department to borrow resources from those teams to achieve its goals, rather than build its own expertise in each department.
    "The results of The State of Compliance: 2011, an inaugural study conducted by PwC US and Compliance Week, will be released today at the Compliance Week 2011 6th Annual Conference for corporate financial, legal, risk, audit and compliance officers in Washington, D.C. The report - the first of its kind - identifies a wide range of compliance issues confronting organizations today and will stay current as new companies participate, accurately reflecting the changing compliance landscape."
sandy ingram

City and County of San Francisco Adopts Microsoft Cloud Solution: This solution will he... - 0 views

  • “The City and County of San Francisco has always been forward-thinking in leveraging technology to improve the services it provides,” said Gail Thomas Flynn, vice president of U.S. State and Local Government at Microsoft Corp. “We are excited at the opportunity to equip and support the employees of San Francisco with the tools they need to better serve the people of San Francisco.”
  • Several competing solutions were examined based on criteria that included price, security, functionality, flexibility, SLA-backed service, proven record for support, and integration with existing infrastructure and tools.
  • “By moving to the Microsoft platform, we not only get immediate improvements to our system, but we gain a disaster-resilient system that provides the most modern information tools, with solid support provisions that can scale with the needs of our constituents,” San Francisco Chief Information Officer Jon Walton said.
    "SAN FRANCISCO - May 18, 2011 - The City and County of San Francisco today announced that it will upgrade and consolidate its multiple citywide email systems used by more than 23,000 employees as part of its ongoing efforts to improve the quality and efficiency of its services and reduce IT management costs. "A key part of serving a community as diverse and vibrant as ours starts with making the right investments in information technology," San Francisco Mayor Edwin M. Lee said. "It is our responsibility to make decisions that are fiscally responsible, forward-looking, and improve the services that city and county employees provide to our constituents.""
sandy ingram

Ponemon Study: 73% Believe Cloud Providers Do Not Protect User's Confidential Informati... - 0 views

  • Growing scrutiny of cloud computing security in the first half of this year is not surprising in light of the numerous data breaches, privacy issues and headline grabbing cloud outages that have occurred recently
  • The 26-page survey report returned a stunning conclusion – though one not surprising to those familiar with legal contracting for cloud computing; namely that a majority of cloud providers do not believe data security is their responsibility - but the customer’s. 
  • In addition, the survey revealed that a “majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage.
  • ...7 more annotations...
  • Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.”
  • The study further reports that the majority of cloud providers surveyed “admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.”
  • One bit of somewhat good news the survey revealed is that “about one-third of the cloud providers in our study are considering such solutions [providing additional security] as a new source of revenue sometime in the next two years.”
  • Another of the report’s conclusion is that “the focus on cost and speed and not on security or data protection [in cloud offerings] creates a security hole.” This potential “security hole” is a prime reason we advise clients, in certain circumstances, to be prepared to walk away from cloud providers under consideration if adequate and legally defensible security measures cannot be adequately negotiated and contractually provided for.
  • The report also states that “cloud providers are least confident about the following security requirements: Identify and authenticate users before granting access Secure vendor relationships before sharing information assets Prevent or curtail external attacks Encrypt sensitive or confidential information assets whenever feasible Determine the root cause of cyber attacks
  • These are serious security concerns any way you slice it
  • The fundamental takeaway from the Ponemon study is that cloud security is very much a work in progress, and that any cloud initiative or plan for corporate cloud usage needs serious due diligence by representatives from business, IT and legal working in conjunction
    Growing scrutiny of cloud computing security in the first half of this year is not surprising in light of the numerous data breaches, privacy issues and headline grabbing cloud outages that have occurred recently.
1 - 20 of 152 Next › Last »
Showing 20 items per page