Group items tagged

Growing scrutiny of cloud computing security in the first half of this year is not surprising in light of the numerous data breaches, privacy issues and headline grabbing cloud outages that have occurred recently

The 26-page survey report returned a stunning conclusion – though one not surprising to those familiar with legal contracting for cloud computing; namely that a majority of cloud providers do not believe data security is their responsibility - but the customer’s. 

Behavioral Advertising Online behavioral advertising – the practice of tracking someone’s online activities to deliver targeted advertising – can raise potential privacy issues.  Do you disclose your practices to your customers and honor your promises? Children’s Online Privacy The Children’s Online Privacy Protection Act (COPPA) gives parents control over what information websites can collect from their kids. If you run a website designed for kids or have a website geared to a general audience but collect information from someone you know is under 13, you must comply with COPPA’s two main requirements. Credit Reports Does your business use credit reports to evaluate customers’ credit worthiness? Do you consult credit reports when considering evaluating applications for jobs, leases, and insurance? Here is information about your responsibilities when using, reporting, and disposing of information in those credit reports. Data Security Many companies keep sensitive personal information about customers or employees in their files. Having a sound security plan in place can help you meet your legal requirements to protect that sensitive information. Gramm-Leach-Bliley Act The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. Health Privacy If you offer or maintain personal health records online, you could be covered by the FTC’s Health Breach Notification Rule. Are you familiar with your legal obligations in case of a security mishap? Red Flags Rule The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs  – or red flags – of identity theft in their day-to-day operations.

What contractual information security provisions should you consider, as a customer or as a vendor or business partner, when the contract contemplates the exchange of protected information? What do security standards and audits entail for a vendor, and what do they offer for a customer?

With heightened liability and compliance risks associated with handling protected categories of data, it is becoming more common to see contractual requirements holding vendors accountable for information security or requiring them to conform to a specified information security standard

Small business owners' cybersecurity policies and actions are not adequate enough to ensure the safety of their employees, intellectual property and customer data, according to the 2009 National Small Business Cybersecurity Study. The study, co-sponsored by the National Cyber Security Alliance (NCSA) and Symantec [Nasdaq: SYMC], as part of this year's National Cyber Security Awareness Month, surveyed nearly 1,500 small business owners across the United States about their cybersecurity awareness policies and practices.

The survey shows discrepancies between needs and actions regarding security policies and employee education on security best practices.

The study found that while more than 9 in 10 small businesses said they believe they are safe from malware and viruses based on the security practices they have in place, only 53 percent of firms check their computers on a weekly basis to ensure that anti-virus, anti-spyware, firewalls and operating systems are up-to-date and 11 percent never check them.

AVG's research shows that: * 83% agree that having the right level of IT security protection is critical to their business * 77% say that a security threat could have a significant negative impact on their business * 55% feel they can make IT security decisions without 3rd party influence * However, only 48% have a clear IT security policy in place for their staff, leaving most at the mercy of what employees decide to download or access online * As a result, perhaps not surprisingly, 1 in 4 have experienced a security breach * Most worryingly, 1 in 7 have no security software or systems in place at all AVG also asked small businesses whether they expect to see growth in the next five years - 61% of UK and 74% of US small businesses say that they do.

Employee awareness of their companies' security policies is high—if you ask the employees. In a survey of 2,000 office workers, software security company Clearswift found almost three quarters, 74 percent, felt 'confident' that they understand their employers' Internet security policies. That is, policy designed to safeguard data and IT security, as well as maintain productivity.

But the confidence is misplaced, Clearswift suggests in their summary of the findings, because a third of those surveyed have not received any training on IT security since joining their firm. And more than two thirds of those who have not had recent training joined their organization more than five years ago—a 'technological lifetime,' notes Clearswift.

"When security is kept in the shadows and not discussed openly, and only referred to when things go wrong, it is all too easy for office 'folk-law' to become perceived as official policy very quickly. If employees are not aware of when they have broken policies—in some cases because the policy is not even enforced—it can lead to a false sense of security or a belief that what they are doing is actually in line with the corporate policy."

Network & Systems delivering the cloud service How does the authentication to access the network devices and operating system implemented? Does it use any two factor authentication? About the availability of the network and security infrastructure? does it implement load balancing or high availability solutions for the critical infrastructure components like firewalls, IPS, reverse proxies etc… Is the underlying cloud systems are secured? Do they have a baseline configuration implemented? How does the configuration managed? Does the cloud computing provider got a plan and/or policy to perform configuration management, patch management, anti-malware etc. Does the network undergoes periodic penetration testing? Does it undergo internal vulnerability assessment periodically? How is it ensuring that a compromised client with privileged access to the operating system is separated internally? Does it undergo periodic audits against standards like ISO27001, SAS70 etc? How is the customer data separated from one another? What are the security controls implemented to ensure this separation? What are the protection and response controls against the Denial of Service attacks?

Cloud Applications & Data Protection What are the security controls in the application development process? Does it include security code reviews of the code being developed or used? Is there a documented change and configuration management process? How does the application servers patched and what frequency? What are the mechanisms for managing the access control? How is the database protected from unauthorized access? How are they identifying the access reset requests are from the actual user. How do they create and delete/disable user accounts? what are the procedures for these activities. IS the data encrypted? If encrypted, how is the encryption keys are protected? What is key management process being followed? How is the data loss prevention ensured? Details of the DLP controls implemented? Is there a backup mechanism established? How is the data protected in the backups? Does the cloud service provider meets the regulatory requirements? For example, if the service is a ecommerce service then the cloud service could become part of the card holder environment and thus the PCI DSS regulation as there are potential card data being processed. Similarly, if the health information is processed, it can be HIPAA and similar other regulations. Is the cloud computing service provider meets the compliance requirements? Where is your data being hosted? Is it within your country or its jurisdiction? Is your organization comfortable with the legal system in the country where your data resides? How about cloud computing service provider who has a network of data centres across the globe and your data is scattered across these data centres? Can it limit the countries where the data is stored?

What are the conditions / scenarios where the data is revealed without the consent / approval of the organization? Does the application provide enough audit trials to review the incidents? Does it corporate with local legal system? Often the local law authorities require access to the processing computers, how is it support those requests?

Staying Wired When possible and convenient, use a wired network. Wired networks, whose signals are contained within wires, are much safer than wireless networks, whose signals are broadcast into the air. One can be safe from a number of malicious attacks by connecting a computer to the router (a device that connects networks, in this case, your local network to the Internet) via an ethernet cable, instead of connecting via wireless. Appropriate network settings, of course, must be entered into the computers.

Taking the Office Wireless

Securing Each Network Node

“If this assessment demonstrates anything, it's that IT and security departments have got to gain greater visibility over all of their security and compliance activities and take steps to better understand and manage them.”

Businesses that hold personally identifiable information on Massachusetts residents have one month to comply with what security experts are calling the toughest data security requirements in the nation. The Massachusetts Data Breach Law, passed in 2007, goes into effect March 1 and requires personal information in networked systems to be protected with strong encryption, firewalls, antivirus and access controls.

The law was written in response to the theft of information on more than 45 million credit card accounts from TJX Companies in 2007

The law is designed to ensure “the security and confidentiality of customer information,” based on current industry standards, focusing on threats that can or should be anticipated. The regulations take into account the size of a business, the amount of resources available to it, the amount of personal data held and the sensitivity of the data. It covers paper and electronic records and requires physical and IT security.

United States defense-related technologies and information are under attack: each day, every hour, and from multiple sources. The attack is pervasive, relentless, and unfortunately, at times successful

Defense contractors with access to classified material are required to identify and report suspicious contacts and potential collection attempts as mandated in the National Industrial Security Program Operating Manual (NISPOM)

DSS encourages all Facility Security Officers to use the information in this report to supplement security awareness and education programs at their facilities.

This would in effect shift FISMA implementation responsibility away from the Office of Management and Budget (OMB) and the National Institute for Standards and Technology (NIST) to DHS, “where the knowledge of attacks informs the defense”, Paller said.

“DHS has already demonstrated that they are focusing on the critical controls....They are focusing on effectiveness measures, rather than make work”

The proposal would also expand the DHS authority over cybersecurity of private networks, particularly critical infrastructure. DHS would have the authority to develop and conduct risk assessments of private sector critical infrastructure systems and share information with the private sector about threats and best practices.

Thing is, the pitch is less believable these days, and the atmosphere is becoming downright hostile. We face more and larger breaches, increased costs, more advanced adversaries, and a growing number of public control failures.