Group items tagged

Behavioral Advertising Online behavioral advertising – the practice of tracking someone’s online activities to deliver targeted advertising – can raise potential privacy issues.  Do you disclose your practices to your customers and honor your promises? Children’s Online Privacy The Children’s Online Privacy Protection Act (COPPA) gives parents control over what information websites can collect from their kids. If you run a website designed for kids or have a website geared to a general audience but collect information from someone you know is under 13, you must comply with COPPA’s two main requirements. Credit Reports Does your business use credit reports to evaluate customers’ credit worthiness? Do you consult credit reports when considering evaluating applications for jobs, leases, and insurance? Here is information about your responsibilities when using, reporting, and disposing of information in those credit reports. Data Security Many companies keep sensitive personal information about customers or employees in their files. Having a sound security plan in place can help you meet your legal requirements to protect that sensitive information. Gramm-Leach-Bliley Act The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. Health Privacy If you offer or maintain personal health records online, you could be covered by the FTC’s Health Breach Notification Rule. Are you familiar with your legal obligations in case of a security mishap? Red Flags Rule The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs  – or red flags – of identity theft in their day-to-day operations.

What contractual information security provisions should you consider, as a customer or as a vendor or business partner, when the contract contemplates the exchange of protected information? What do security standards and audits entail for a vendor, and what do they offer for a customer?

With heightened liability and compliance risks associated with handling protected categories of data, it is becoming more common to see contractual requirements holding vendors accountable for information security or requiring them to conform to a specified information security standard

Growing scrutiny of cloud computing security in the first half of this year is not surprising in light of the numerous data breaches, privacy issues and headline grabbing cloud outages that have occurred recently

The 26-page survey report returned a stunning conclusion – though one not surprising to those familiar with legal contracting for cloud computing; namely that a majority of cloud providers do not believe data security is their responsibility - but the customer’s. 

Small business owners' cybersecurity policies and actions are not adequate enough to ensure the safety of their employees, intellectual property and customer data, according to the 2009 National Small Business Cybersecurity Study. The study, co-sponsored by the National Cyber Security Alliance (NCSA) and Symantec [Nasdaq: SYMC], as part of this year's National Cyber Security Awareness Month, surveyed nearly 1,500 small business owners across the United States about their cybersecurity awareness policies and practices.

The survey shows discrepancies between needs and actions regarding security policies and employee education on security best practices.

The study found that while more than 9 in 10 small businesses said they believe they are safe from malware and viruses based on the security practices they have in place, only 53 percent of firms check their computers on a weekly basis to ensure that anti-virus, anti-spyware, firewalls and operating systems are up-to-date and 11 percent never check them.

Businesses that hold personally identifiable information on Massachusetts residents have one month to comply with what security experts are calling the toughest data security requirements in the nation. The Massachusetts Data Breach Law, passed in 2007, goes into effect March 1 and requires personal information in networked systems to be protected with strong encryption, firewalls, antivirus and access controls.

The law was written in response to the theft of information on more than 45 million credit card accounts from TJX Companies in 2007

The law is designed to ensure “the security and confidentiality of customer information,” based on current industry standards, focusing on threats that can or should be anticipated. The regulations take into account the size of a business, the amount of resources available to it, the amount of personal data held and the sensitivity of the data. It covers paper and electronic records and requires physical and IT security.

United States defense-related technologies and information are under attack: each day, every hour, and from multiple sources. The attack is pervasive, relentless, and unfortunately, at times successful

Defense contractors with access to classified material are required to identify and report suspicious contacts and potential collection attempts as mandated in the National Industrial Security Program Operating Manual (NISPOM)

DSS encourages all Facility Security Officers to use the information in this report to supplement security awareness and education programs at their facilities.

This would in effect shift FISMA implementation responsibility away from the Office of Management and Budget (OMB) and the National Institute for Standards and Technology (NIST) to DHS, “where the knowledge of attacks informs the defense”, Paller said.

“DHS has already demonstrated that they are focusing on the critical controls....They are focusing on effectiveness measures, rather than make work”

The proposal would also expand the DHS authority over cybersecurity of private networks, particularly critical infrastructure. DHS would have the authority to develop and conduct risk assessments of private sector critical infrastructure systems and share information with the private sector about threats and best practices.

Network & Systems delivering the cloud service How does the authentication to access the network devices and operating system implemented? Does it use any two factor authentication? About the availability of the network and security infrastructure? does it implement load balancing or high availability solutions for the critical infrastructure components like firewalls, IPS, reverse proxies etc… Is the underlying cloud systems are secured? Do they have a baseline configuration implemented? How does the configuration managed? Does the cloud computing provider got a plan and/or policy to perform configuration management, patch management, anti-malware etc. Does the network undergoes periodic penetration testing? Does it undergo internal vulnerability assessment periodically? How is it ensuring that a compromised client with privileged access to the operating system is separated internally? Does it undergo periodic audits against standards like ISO27001, SAS70 etc? How is the customer data separated from one another? What are the security controls implemented to ensure this separation? What are the protection and response controls against the Denial of Service attacks?

Cloud Applications & Data Protection What are the security controls in the application development process? Does it include security code reviews of the code being developed or used? Is there a documented change and configuration management process? How does the application servers patched and what frequency? What are the mechanisms for managing the access control? How is the database protected from unauthorized access? How are they identifying the access reset requests are from the actual user. How do they create and delete/disable user accounts? what are the procedures for these activities. IS the data encrypted? If encrypted, how is the encryption keys are protected? What is key management process being followed? How is the data loss prevention ensured? Details of the DLP controls implemented? Is there a backup mechanism established? How is the data protected in the backups? Does the cloud service provider meets the regulatory requirements? For example, if the service is a ecommerce service then the cloud service could become part of the card holder environment and thus the PCI DSS regulation as there are potential card data being processed. Similarly, if the health information is processed, it can be HIPAA and similar other regulations. Is the cloud computing service provider meets the compliance requirements? Where is your data being hosted? Is it within your country or its jurisdiction? Is your organization comfortable with the legal system in the country where your data resides? How about cloud computing service provider who has a network of data centres across the globe and your data is scattered across these data centres? Can it limit the countries where the data is stored?

What are the conditions / scenarios where the data is revealed without the consent / approval of the organization? Does the application provide enough audit trials to review the incidents? Does it corporate with local legal system? Often the local law authorities require access to the processing computers, how is it support those requests?

Employee awareness of their companies' security policies is high—if you ask the employees. In a survey of 2,000 office workers, software security company Clearswift found almost three quarters, 74 percent, felt 'confident' that they understand their employers' Internet security policies. That is, policy designed to safeguard data and IT security, as well as maintain productivity.

But the confidence is misplaced, Clearswift suggests in their summary of the findings, because a third of those surveyed have not received any training on IT security since joining their firm. And more than two thirds of those who have not had recent training joined their organization more than five years ago—a 'technological lifetime,' notes Clearswift.

"When security is kept in the shadows and not discussed openly, and only referred to when things go wrong, it is all too easy for office 'folk-law' to become perceived as official policy very quickly. If employees are not aware of when they have broken policies—in some cases because the policy is not even enforced—it can lead to a false sense of security or a belief that what they are doing is actually in line with the corporate policy."

Thing is, the pitch is less believable these days, and the atmosphere is becoming downright hostile. We face more and larger breaches, increased costs, more advanced adversaries, and a growing number of public control failures.

PGP Corporation, an enterprise data protection company, and the Poneman Institute, a privacy and information management research firm, as part of their fifth annual U.S. Cost of a Data Breach Study, tracked a wide array of cost elements

data breaches caused by malicious attacks and botnets were on the high end of severity and cost responses. These types of breaches doubled from 2008 to 2009.

“United States defense-related technologies and information are under attack: each day, every hour, and from multiple sources. The attack is pervasive, relentless, and unfortunately, at times successful,” writes Kathleen Watson, director of DSS. “As a result, the United States’ technical lead, competitive edge, and strategic military advantage are at risk; and our national security interests could be compromised.”

Attempts to gather intelligence information were traced to over half of the countries in the world. After East Asia and the Pacific, the Near East and Europe and Eurasia were of greatest counterintelligence concern. Despite their overall decline, “European and Eurasian cyber actors remain some of the most active targeters of United States technology.”

“Facilitated by ever increasing world wide connectivity, the ease of inundating industry with overt email requests and webpage submissions made direct requests a premier vehicle for solicitation and/or collection,” the report states. “While not all direct requests for information or services represent organized collection attempts, exploitation of this medium provides collectors an efficient, low-cost, high-gain opportunity to acquire classified or restricted information.”

"Our research shows that the healthcare industry is struggling to protect sensitive medical information, putting patients at risk of medical identity fraud and costing hospitals and other healthcare services companies millions in annual breach-related costs," said Dr. Larry Ponemon, chairman and founder, Ponemon Institute.  "At this point one would hope to see that healthcare organizations have improved information security practices and come into compliance with HITECH, now that it's been more than one year since it was enacted.  Instead we found enormous vulnerabilities.  The protection of patient data should be at the forefront of their efforts."

ey findings of the research: Data breaches are costing the healthcare system billions.  The total economic burden created by data breaches on the healthcare industry is nearly $6 billion annually.  The impact of a data breach over a two-year period is approximately $2 million per organization and the lifetime value of a lost patient is $107,580.  The average organization had 2.4 data breach incidents over the past two years.  Major factors causing data breaches are unintentional employee action, lost or stolen computing devices and third-party error.Healthcare organizations are not protecting patient data.  Organizations have little or no confidence in their ability to appropriately secure patient records (58 percent).  Healthcare organizations have inadequate resources (71 percent) and insufficient policies and procedures in place (69 percent) to prevent and quickly detect patient data loss.Protecting patient data is not a priority.  Seventy percent of hospitals stated that protecting patient data is not a top priority.  Patient billing (35 percent) and medical records (26 percent) are the most susceptible to data loss or theft.  A majority of organizations have less than two staff dedicated to data protection management (67 percent).HITECH has exposed the healthcare industry's lax data protection practices rather than improved the safety of patient records.  The majority (71 percent) of respondents do not believe the HITECH Act regulations have significantly changed the management practices of patient records.  The findings indicate that there is a significant number of data breaches that go undetected, and therefore unreported.

"We talk with healthcare compliance people dealing with data breach risks every day and they just can't get their arms around the problem of data exposure," said Rick Kam, president and co-founder of ID Experts.  "Unfortunately, in healthcare organizations, patient revenue trumps risk management."