Skip to main content

Home/ WPPS C-Suite News/ Group items tagged international

Rss Feed Group items tagged

sandy ingram

FTC Announces Conference on International Aspects of Securing Personal Data - 0 views

  •  
    The Federal Trade Commission, in conjunction with two international organizations, will host a two-day international conference: "Securing Personal Data in the Global Economy." The conference addresses how companies can manage personal data-security issues in a global information environment where data can be stored and accessed from multiple jurisdictions.
sandy ingram

THE INSIDE THREAT: Financial firms focus on internal threats, employee errors - 0 views

  • Mark Steinhoff, head of Deloitte's financial services security and privacy practices, said an organization's biggest mistake would be to let its guard down
  • "The number of breaches that are occurring are really at the hands of insiders and organizations are understanding that there is a real threat of malicious attacks and exposure of personal information by insiders," Steinhoff said.
    • sandy ingram
       
      The failing economy may be driving the increased concern over insider threats
    • sandy ingram
       
      "We are seeing the layoffs and other forms of downsizing. Frankly with limited budget and less than satisfied employees, it really raises the parameter on that threat."
    • sandy ingram
       
      Human error is the leading cause of information systems failure, and is likely to be the main cause of security attacks in the near future, according to 86% of those surveyed
  •  
    Banks and financial firms are placing more emphasis on internal threats to cut the flow of data leakage as a result of employee mistakes or workers disgruntled with layoffs and downsizing during the economic crisis, according to a recent survey.
sandy ingram

How long can CISO's avoid Cloud Computing? | CISO - 0 views

  • Network & Systems delivering the cloud service How does the authentication to access the network devices and operating system implemented? Does it use any two factor authentication? About the availability of the network and security infrastructure? does it implement load balancing or high availability solutions for the critical infrastructure components like firewalls, IPS, reverse proxies etc… Is the underlying cloud systems are secured? Do they have a baseline configuration implemented? How does the configuration managed? Does the cloud computing provider got a plan and/or policy to perform configuration management, patch management, anti-malware etc. Does the network undergoes periodic penetration testing? Does it undergo internal vulnerability assessment periodically? How is it ensuring that a compromised client with privileged access to the operating system is separated internally? Does it undergo periodic audits against standards like ISO27001, SAS70 etc? How is the customer data separated from one another? What are the security controls implemented to ensure this separation? What are the protection and response controls against the Denial of Service attacks?
  • Cloud Applications & Data Protection What are the security controls in the application development process? Does it include security code reviews of the code being developed or used? Is there a documented change and configuration management process? How does the application servers patched and what frequency? What are the mechanisms for managing the access control? How is the database protected from unauthorized access? How are they identifying the access reset requests are from the actual user. How do they create and delete/disable user accounts? what are the procedures for these activities. IS the data encrypted? If encrypted, how is the encryption keys are protected? What is key management process being followed? How is the data loss prevention ensured? Details of the DLP controls implemented? Is there a backup mechanism established? How is the data protected in the backups? Does the cloud service provider meets the regulatory requirements? For example, if the service is a ecommerce service then the cloud service could become part of the card holder environment and thus the PCI DSS regulation as there are potential card data being processed. Similarly, if the health information is processed, it can be HIPAA and similar other regulations. Is the cloud computing service provider meets the compliance requirements? Where is your data being hosted? Is it within your country or its jurisdiction? Is your organization comfortable with the legal system in the country where your data resides? How about cloud computing service provider who has a network of data centres across the globe and your data is scattered across these data centres? Can it limit the countries where the data is stored?
  • What are the conditions / scenarios where the data is revealed without the consent / approval of the organization? Does the application provide enough audit trials to review the incidents? Does it corporate with local legal system? Often the local law authorities require access to the processing computers, how is it support those requests?
  • ...1 more annotation...
  • Security Management What are the information security management policies and procedures implemented and documented? Are all employees required to undergo the security awareness training and acknowledge their acceptance to the policies and procedures at least annually? Is the cloud computing service provider has a dedicated information security professional? What are the network security capabilities established by the service provider? Are these personal technical qualified and certified? How is the insider threats within the cloud service provider being addressed? What is the background verification process being followed by the cloud service provider? Is there a privileged activity monitoring of systems and databases? How is the security incidents and violations are handled? Does it have a documented policy? How is the log integrity ensured? What are the mechanisms implemented to ensure that the logs cannot be altered and / or stopped. How long the logs are kept online and on the backup? What are the business continuity and disaster recovery capabilities of the cloud service provider? Many organization look at cloud as a BCM solution. Does the underlying cloud service provider is capable of delivering a BCM aware cloud service?
sandy ingram

17 Steps to Cloud Migration -- Federal Computer Week - 0 views

  • “The trick is to determine which services, information, and processes are good candidates to reside in the Clouds, as well as which Cloud services should be abstracted within the existing or emerging SOA,” Linthicum said.
  • Do Your Homework Linthicum says to start with your Architecture and make sure you understand your organization’s business drivers, information already under management, existing services under management and your core business processes.
  • In that way you can begin to look where Cloud Computing is a fit according to Linthicum. You can look to migrate to the Cloud when:*The processes, applications, and data are largely independent.*The points of integration are well defined.*A lower level of security will work just fine. *The core internal enterprise architecture is healthy.*The Web is the desired platform.*Cost is an issue.*The applications are new.
  • ...6 more annotations...
  • not all computing resources should exist in the Clouds and that Cloud is not always cost effective. It shows you need to do your homework before making any move. So, Cloud may not be a fit when the opposite conditions exist:*The processes, applications, and data are largely coupled.*The points of integration are not well defined.*A high level of security is required. *The core internal enterprise architecture needs work.*The application requires a native interface.*The cost is an issue.*The application is legacy.
  • external Cloud services should function like any other enterprise application or infrastructure resource and Cloud resources should appear native.
  • It goes without saying that as with any purchase, you should evaluate Cloud providers using similar validation patterns as you do with new and existing Data Center resources. You know there is going to be hype, but Cloud is not rocket science. If you feel you need to, hire a consultant as a trusted advisor.
  • CSC’s Yogesh Khanna told Summit attendees to embrace the business models that Clouds offer. Security barriers are all addressable not only through technology but also through policies. 
  • Be wary of the fact that there are a lot of Clouds out there. Some of the Public Clouds (e.g. Google’s or SalesForce.com) are proprietary in nature. Because this landscape is changing so fast, it is very important to maintain a level of flexibility and don’t fall prey to “vendor lock-in”.
  • “Look for some level of transparency that allows you to be certain exactly where your data is and who is seeing it,” said Khanna. “Have the flexibility to see where your data is at any given point and be able to monitor the health of the Cloud that’s delivering those services to you.”
  •  
    What the government IT manager needs when getting ready to embark on their migration to the Cloud is a good template; one that defines a proven roadmap to follow.What Cloud Computing Summit attendees learned (and now you) is that help is on the way. Cloud and SOA expert Dave Linthicum has developed a step-by-step plan to help you scale the heights. He goes through them meticulously in his new book Cloud Computing and SOA Convergence In Your Enterprise: A Step-by-Step Guide. At the Summit, Linthicum outlined the plan. Afterwards he told 1105 Custom Media you can consider Cloud Computing the extension of SOA out to Cloud-delivered resources, such as storage-as-a-service, data-as-a-service, and platform-as-a-service.
sandy ingram

Organizational Accountability is Key to Protecting Users' Privacy - Microsoft Privacy &... - 0 views

  • The conference has commenced this morning in Jerusalem, a city of both ancient traditions and thoroughly modern influences, and I was reminded of how that same dynamic is true of privacy in the Internet age.  Yesterday marked the 30th anniversary of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.  These privacy guidelines have served as the basis for numerous privacy laws in place across the globe.  Yet, even these privacy principles need to keep pace with the changing information environment.  In my remarks today at a panel discussion titled “Notice and Consent:  Illusion or Reality?”, I suggested that individual participation through mediums such as notice and consent remains important to safeguarding users’ privacy, but by itself does not afford enough protection.  This is particularly true given the explosion of information collection and use that is the fuel of today’s Internet economy. The same is true of the various legal frameworks that govern data collection, usage, and sharing.  Both are important, but neither is sufficient on its own.
  • Alongside individual participation and regulatory oversight, another vital aspect of privacy protection is often overlooked: the role and responsibility of the organization in maintaining and protecting personal data.
  • Microsoft’s view, as outlined in a new white paper released today at the conference, is that organizations’ privacy policies and data management practices most directly influence whether users’ personal information is kept safe or exposed to risk. Therefore, we believe that organizations—including Microsoft—must hold themselves accountable for acting to protect users’ interests and taking appropriate measures to safeguard privacy and personal data, even in the absence of specific regulatory mandates.
  •  
    "This week, more than 400 policymakers, privacy advocates and industry representatives will be converging in Israel for the 32nd International Conference of Data Protection and Privacy Commissioners. "
sandy ingram

80% of Australian companies suffered data breach. What protections are in your consult... - 0 views

  • A whopping 34% of respondents report an average breach cost them $5000,
  •  
    What protections are written in your international consultant agreements?
  •  
    A new survey reveals almost 80% of local companies have experienced data breaches in the past five years, with 40% recording between six and 20 breaches
sandy ingram

Steven Cloherty: Microsoft Online Services Risk Management | Charles | Channel 9 - 0 views

  • The Microsoft Business Productivity Online Suite (BPOS) has recently earned the Statement on Auditing Standard (SAS) No. 70 Type II, Federal Information Processing Standard (FIPS) 140-2 compliance, and the International Organization for Standardization’s (ISO) 27001 standard – among others.  In addition, Microsoft has launched a new dedicated government cloud as part of the Business Productivity Online Suite to meet the most rigorous government requirements for security and privacy, including complying with the International Traffic in Arms Regulations (ITAR). Learn how these and other certifications help ensure our customers security, privacy, and business continuity. 
sandy ingram

Survey Finds Gap in Attitudes Between the Cloud "Haves" and "Have-Nots" - ReadWriteCloud - 0 views

  • This post is part of our ReadWriteCloud channel, which is dedicated to covering virtualization and cloud computing. The channel is sponsored by Intel and VMware.
  • London-based communications SaaS provider Mimecast has announced the results of its second annual Cloud Adoption Survey. The survey, conducted by independent research firm Loudhouse, assessed the attitudes of IT decision-makers in the U.S. and UK about cloud computing
  • The majority of organizations now use some cloud-based services. The report found 51% are now using at least one cloud-based application. Adoption rates for U.S. businesses are slightly ahead of the UK with 56% of respondents using at least one cloud-based application, compared to 50% in the UK
  • ...7 more annotations...
  • Two thirds of businesses are considering adopting cloud computing. 66% of businesses say they are considering adopting cloud-based services in the future, with once again, U.S. businesses leaning more towards adoption than their UK peers (70% of U.S. businesses, and 50% of UK ones).
  • Email, security, and storage are the most popular cloud services. 62% of the organizations that use cloud computing are using a cloud-based email application. Email services are most popular with mid-size businesses (250-1000 employees) with 70% of organizations this size using the cloud for email. Smaller businesses (under 250 employees) are most likely to use the cloud for security services, and larger enterprises (over 1000 employees) most likely to opt for cloud storage services.
  • Existing cloud users are satisfied. Security is not considered to be an issue by existing cloud users: 57% say that moving data to the cloud has resulted in better security, with 58% saying it has given them better control of their data. 73% say it has reduced the cost of their IT infrastructure and 74% believe the cloud has alleviated the internal resource pressures.
  • Security fears are still a barrier. 62% of respondents believe that storing data on servers outside of the business is a significant security risk. Interestingly, this number was higher for users of cloud applications than it was for non-users (only 59% of non-users thought it was risky, while 67% of users did.)
  • Some think the benefits of the cloud may be overstated.54% of respondents said the potential benefits of the cloud are overstated by the IT industry, and 58% indicated they believed that replacing legacy IT solutions will almost always cost more than the benefits of new IT.
  • "The research shows that there is a clear divide within the IT industry on the issue of cloud computing," says Mimecast CEO and co-founder Peter Bauer. "While those organisations that have embraced cloud services are clearly reaping the rewards, there are still a number who are put off by the 'cloud myths' around data security and the cost of replacing legacy IT
  • It is now up to cloud vendors to educate businesses and end users to ensure that these concerns do not overshadow the huge potential cost, security and performance benefits that cloud computing can bring."
  •  
    Existing cloud users are satisfied. Security is not considered to be an issue
sandy ingram

United States, Litigation, Mediation & Arbitration, Didn't See That Coming? Why Many Em... - 0 views

  • Daniels Midland employee who embezzled millions, to the bookkeeper in Maine who took thousands from the church's coffers. The current rough economy and easy access to sophisticated technology are potent ingredients for creating the perfect storm for organizational fraud.
  • Enabling technologies like sophisticated color printers, remote access to linked computers, and data-capturing viruses have played a significant role in how employees can commit and conceal fraud. Even without accessible technology, the lack of segregation of duties and "less paper" (making for fewer paper trails) in the working environment make it easier for employees to commit fraud.
  • While technology and the economy may facilitate fraud, it is an employee's motivation and opportunity that are the most important elements in understanding fraud risk. Motivation (also known as incentives or pressures), opportunity, and rationalization of the fraudulent behavior are the three critical elements necessary for fraud to occur
  • ...9 more annotations...
  • UNDERSTANDING THE ELEMENTS OF FRAUD
  • Incentives/pressures
  • Opportunity
  • Rationalization
  • Opportunity
  • Using the Fraud Triangle Theory gives us a means to understanding and deterring fraud by identifying and mitigating the elements necessary to enable fraud. Removing weak internal control systems and replacing them with stronger systems, observing employee behavior, and modeling behavior from the top down, can reduce a company's fraud risk tremendously.
  • Opportunity
  • Rationalization is the final component of the 3
  • Opportunity is the one area that an employer can best control
  •  
    "Didn't See That Coming? Why Many Employers are Vulnerable to Employee Fraud"
sandy ingram

CERT's Podcast Series - 0 views

  •  
    CERT'S PODCASTS: SECURITY FOR BUSINESS LEADERS: SHOW NOTES Tackling Tough Challenges: Insights from CERT's Director Rich Pethia Key Message: Rich Pethia reflects on CERT's 20-year history and discusses how he is positioning the program to tackle future IT and security challenges. Executive Summary CERT's vision is a securely connected world. CERT's mission is to enable informed trust and confidence in the use of information technology. To achieve this vision and mission, CERT has broadened its perspective to include the full system/software engineering and operations life cycle and is reaching out to thought leaders in the global IT and security community. In this podcast, Rich Pethia, director of the CERT Program at Carnegie Mellon University's Software Engineering Institute, discusses the past, current, and future state of Internet security and CERT's role in tackling future challenges as CERT celebrates its 20th anniversary. PART 1: LOOKING BACK, LOOKING FORWARD: THE GOOD, THE BAD, AND THE UGLY CERT's Vantage Point CERT's vision is a securely connected world, supported by CERT's mission of enabling informed trust and confidence in the use of information technology. As the director of CERT, Pethia has unique access to government, commercial, and industry leaders. The Good News Internet use continues to grow, not just in size (number of people, volume of traffic) but also in utility, for example: * the increasing amount of real government and business operations * the introduction of new applications * the growing use of new mobile appliances User awareness of the need to address security is increasing along with increasing attention from service providers (firewalls, virus protection, anti-spyware, data backup). Developers are paying more attention to building security into their products. Vendors have more mature processes for providing cost-effective, timely updates for software vulnerabilities. Users are more willing
sandy ingram

Picking an anti-fraud team » Adotas - 0 views

  • Individuals in areas such as sales and marketing will absorb fraud identification, reporting, and prevention responsibilities.
  • This will prove to be ineffective for the following reasons:
  • 1. The sales and marketing staffs are not trained to identify fraud and they cannot keep up with the ever-changing tactics
  • ...7 more annotations...
  • 2. Associates are conflicted when faced with a fraud incident. They are not motivated to report fraud and their compensation structure dissuades them from reporting incidents.
  • 3. Business goals are not aligned appropriately, which naturally moved fraud last on the priority list for the associates assigned the additional responsibilities.
  • 4. While the internal attempt is made, no time is spent on partner due diligence and monitoring.
  • Organizations will benefit in the long term by hiring dedicated staff.
  • This tactic is one component of my company’s Best Practice approach to doing business.
  • When recruiting for your team, expect to receive a small number of resumes compared to the average you may receive for other positions
  • Do not worry about where to post the job description, just get it posted.
sandy ingram

The Future of Enterprise 2.0 Technologies - ReadWriteWeb - 0 views

  • Forrester predicts that social networking tools and internal wikis "will have the greatest impact on workplace collaboration"
sandy ingram

Why IT Is Moving to the Cloud - 0 views

  • While concerns about security, identity, SLAs, and other topics are still on the minds of many IT pros, those concerns are gradually being addressed by cloud providers
  • While cloud computing may not be a complete solution for every enterprise—nobody is talking about ditching internal data centers yet, and probably never will—a number of pressing factors are driving the growth of cloud computing. I’ll cover some of the biggest drivers towards cloud computing adoption here.
  • Improved IT Agility As recently as a few years ago, it took far too long for many IT departments to respond to increasing demand for computing capacity.
  • ...3 more annotations...
  • Cost Savings and ROI Cloud computing isn’t a panacea, but there are clear-cut cases where moving part of your IT infrastructure to the cloud makes solid operational and financial sense.
  • Private Cloud vs. Public Cloud
  • Cloud-Savvy IT Staff
  •  
    "70 percent of IT decision makers are using or plan to use cloud computing in their own enterprises within 24 months."
sandy ingram

Study Finds Companies Struggle to Measure Effectiveness of the Compliance Function - 0 views

  • Senior compliance officers at more than 100 leading U.S. companies responded to 28 questions in four key areas critical for the compliance function: leadership, reporting relationships and structure; compliance function scope, focus and risk; metrics to gauge program effectiveness; and budget, staffing and resources. A major finding of the study: One of the biggest obstacles facing Chief Compliance Officers (CCOs) is measuring the effectiveness of their compliance functions - almost 40 percent of the companies surveyed said they make no attempt to measure the effectiveness of their compliance program.
  • “An effective compliance program is the cornerstone of cooperation credit allowed under the U.S. Sentencing Guidelines and stakeholders are demanding much higher transparency in how compliance risk is effectively managed,” said Miles Everson, PwC principal and global and U.S. risk and compliance leader.
  • “Without a clear measure of the compliance department’s effectiveness, much else is in jeopardy. Lacking this,
  • ...8 more annotations...
  • how does the board know that compliance risks are effectively addressed?  Let alone that the compliance function itself is effective? 
  • According to the study, a critical element to the compliance department’s success is the perceived stature of the CCO and his or her influence among other top leadership.
  • “It’s essential that the compliance function have visibility and direct access both to senior executives in the organization and to the board or one of its committees,” added Everson. “This access helps keep risk and compliance issues on the company’s agenda and lets key ethics and compliance issues surface in a timely fashion.”
  • The State of Compliance survey also provided another interesting glimpse into corporate compliance when it asked about reporting structures. Regulators have long preferred that a company’s top compliance officer report directly to the board, and just last year the U.S. Sentencing Guidelines were revised to state more clearly that CCOs should not be, nor report to, the general counsel.
  • PwC and Compliance Week also found that, over the next 18 months, CCOs anticipate significant challenges when it comes to risk - and that when issues arise, they expect the consequences to be severe.
  • When asked about several high-level categories of risk, such as compliance risk, security risk, reputational risk and others, 48 percent believed the likelihood of a compliance failure was high or very high. 
  • What's more, 65 percent of respondents felt the impact of a compliance risk event, should it occur, would be high or very high. 
  • Effective compliance programs need input and guidance from many different voices in the company (IT, internal audit, finance, security). It is in the company’s benefit for the compliance department to borrow resources from those teams to achieve its goals, rather than build its own expertise in each department.
  •  
    "The results of The State of Compliance: 2011, an inaugural study conducted by PwC US and Compliance Week, will be released today at the Compliance Week 2011 6th Annual Conference for corporate financial, legal, risk, audit and compliance officers in Washington, D.C. The report - the first of its kind - identifies a wide range of compliance issues confronting organizations today and will stay current as new companies participate, accurately reflecting the changing compliance landscape."
1 - 14 of 14
Showing 20 items per page