Group items tagged

Complying with the Red Flags Rule: A Do-It-Yourself Prevention Program for Businesses and Organizations at Low Risk for Identity Theft

"Didn't See That Coming? Why Many Employers are Vulnerable to Employee Fraud"

FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the "Red Flags" Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule. Today's announcement and the release of an Enforcement Policy Statement do not affect other federal agencies' enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance. "Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule - and to fix this problem quickly. We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift," FTC Chairman Jon Leibowitz said. "As an agency we're charged with enforcing the law, and endless extensions delay enforcement." The Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring "creditors" and "financial institutions" to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have "covered accounts" to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities - known as "red flags" - that could indicate identity theft. The Rule became effective on January 1, 2008, with full compliance for all covered entities originally required by November 1, 2008. The Commission has issued several Enforcement Policies delaying enforcement of the Rule. Most recently, the Commission announced in October 2009 that at the request of certain Members of Congress, it was delaying enforcement of the Rule until June 1, 2010, to allow Congress time to finalize leg

Information security professionals face mounting threats, hoping some mix of technology, education, and hard work will keep their companies and organizations safe. But lately, the specter of failure is looming larger. "Pay no attention to the exploit behind the curtain" is the message from product vendors as they roll out the next iteration of their all-powerful, dynamically updating, self-defending, threat-intelligent, risk-mitigating, compliance-ensuring, nth-generation security technologies. Just pony up the money and the manpower and you'll be safe from what goes bump in the night.

I found that the agencies generally saw between 25 and 50 percent savings in moving to the cloud. For the federal government as a whole, this translates into billions in cost savings, depending on the scope of the transition. Many factors go into such assessments, such as the nature of the migration, a reliance on public versus private clouds, the need for privacy and security, the number of file servers before and after migration, the extent of labor savings, and file server storage utilization rates. Based on this analysis, I recommend five steps be undertaken in order to improve efficiency and operations in the public sector: the government needs to redirect greater resources to cloud computing in order to reap efficiencies represented by that approach, the General Services Administration should compile data on cloud computing applications, information storage, and cost savings in order to determine possible economies of scale generated by cloud computing, officials should clarify procurement rules to facilitate purchasing through measured or subscription cloud services and cloud solutions appropriate for low, medium, and high-risk applications, countries need to harmonize their laws on cloud computing to avoid a "Tower of Babel" and reduce current inconsistencies in regard to privacy, data storage, security processes, and personnel training, and lawmakers need to examine rules relating to privacy and security to make sure agencies have safeguards appropriate to their mission.

United States defense-related technologies and information are under attack: each day, every hour, and from multiple sources. The attack is pervasive, relentless, and unfortunately, at times successful. As a result, the United States' technical lead, competitive edge, and strategic military advantage are at risk; and our national security interests could be compromised. Defeating this attack requires knowledge of the threat and diligence on the part of all personnel charged with protecting classified information, to deter or neutralize its effect. The Defense Security Service (DSS) works with defense industry to protect critical technologies and information. Defense contractors with access to classified material are required to identify and report suspicious contacts and potential collection attempts as mandated in the National Industrial Security Program Operating Manual (NISPOM). DSS publishes this annual report based on an analysis of suspicious contact reports (SCRs) that DSS considers indicative of efforts to target defense-related information.

An unprecedented number of successful attacks on corporate networks in the first half of the year illustrates that "basic network security is not just a technical problem, but rather a complex business challenge,"

More enforcement coming SOX 404(b) will matter FCPA compliance Focus on risk management

Over the last few years, both consumers and corporate clients have rushed to move their data to .the cloud,.1 adopting web-based applications and storage solutions provided by companies that include Google, Microsoft and Yahoo. Over 69% of Americans use webmail services, store data online, or otherwise use software programs such as word processing applications whose functionality is in the cloud. This trend is only going to continue. The shift to cloud computing exposes end-users to privacy invasion and fraud by hackers. Cloud computing also leaves users vulnerable to significant invasions of privacy by the government, resulting in the evisceration of traditional Fourth Amendment protections of a person's private files and documents. These very real risks associated with the cloud computing model are not communicated to consumers, who are thus unable to make an informed decision when evaluating cloud based services.

The three-month extension, coupled with this new guidance, should enable businesses to gain a better understanding of the Rule and any obligations that they may have under it. These steps are consistent with the House Appropriations Committee's recent request that the Commission defer enforcement in conjunction with additional efforts to minimize the burdens of the Rule on health care providers and small businesses with a low risk of identity theft problems. Today's announcement that the Commission will delay enforcement of the Rule until November 1, 2009, does not affect other federal agencies' enforcement of the original November 1, 2008, compliance deadline for institutions subject to their oversight.

"In risk-averse or highly litigious companies, the legal department should own the information governance program, but they should hire an information management person at a high level,"

Existing cloud users are satisfied. Security is not considered to be an issue

"Most C-level executives are inundated with far more material then they could ever read, so this post will be short and to the point. If you're a CEO, CIO, or other C-level executive, here are three things that you need to know to avoid over-spending on cyber security:"

"Back in the 1990s fellow science and technology journalist Charles Mann and I wrote a book uncovering the true story of how a lone, young, cognitively impaired hacker with relatively few computer skills managed to perpetrate what was then the most extensive and scariest series of computer break-ins ever - government weapons labs, dam control systems and ATM networks were among the hundreds of networks compromised. At the end of the book, we predicted that no matter how much effort was poured into making the Internet safer, hackers would always be able to have a field day, partly for technical reasons but also because companies and individuals would never get it together to take simple precautions critical to safe computing."

"Employee theft and fraud is on the increase - and an Australian start-up company believes it has pioneered a means of early detection. According to a recent survey conducted by KPMG, the total funds lifted from organisations came to $345 million - a significant increase from the $301 million of 2008, totalling 174,914 cases. "Employee fraud is a growing concern for organisations in all business sectors both in monetary and reputational terms," says Alon Spitzer, who has founded Integrity Elements, a company specialising in the new field of ' integrity testing and valuation'."

"This week, more than 400 policymakers, privacy advocates and industry representatives will be converging in Israel for the 32nd International Conference of Data Protection and Privacy Commissioners. "

"This is one of the most significant threats companies face,"

People to Google: Doug Leland, Microsoft John Brennan, the President's top adviser for counterterrorism and homeland security. Kevin Rowney, Symantec, founder of the firm's Data Loss Prevention Unit

small businesses do not get the same protections afforded consumers who are the victim of online fraud.