Archive for October, 2006

Non-Technical Privacy Breach Example: 700 Mail Items Stolen from USPS Truck

Friday, October 13th, 2006

This morning I heard on my local news that around 700 pieces of mail were stolen this Wednesday by a couple of teenage boys from a mail delivery truck while the carrier was walking his route.  They left behind the sledgehammer they used to break in.

The local USPS postal inspector notified the residents and is warning them of the potential for identity theft resulting from the credit cards, checks and other sensitive financial mail that was stolen.

When people think of privacy breaches they often think of high-tech crimes and hackers.  This is an example of a privacy breach committed through plain physical theft, a centuries-old method that needs no technology at all.

The USPS is advising the individuals whose mail was stolen to "call their bank and ask them to place them on a Fraud Watch List" and also cancel their credit cards if they were expecting statements or new cards.

They said nothing about the USPS providing credit alerts for them, but I wonder if that is being considered?  Since the truck was locked and a sledgehammer was used for breaking and entering it is doubtful…don’t you think?

Another Privacy Breach Caused By a Mistake: Republican Party Donor PII Exposed

Thursday, October 12th, 2006

Here is another privacy breach caused by the weakest information security and privacy link: people.

Yesterday the New York Sun reported that a Republican National Committee staff member accidentally:

"…emailed a list that contained the names, races, and Social Security numbers of dozens of top Republican donors - and that identified two of the contributors as Muslim - to this reporter.  In the course of preparing for a Washington fund-raiser on Friday headlined by President Bush, an RNC staffer, Dee Dee Lancaster, intended to e-mail a security list of confirmed guests to other event planners and the Secret Service. But Ms. Lancaster mistyped one of the addresses, and the e-mail wound up in the Gmail account of this reporter."

It is so easy to make this type of mistake!  All the more reason to require that sensitive data like this be encrypted whenever it must be sent by email.  Email mistakes are made all the time; I discussed this in a recent blog.
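As an added example, not code from the original post or from any of the organizations named here: a minimal outbound-mail check of the kind a mail gateway or a send-hook could run before a message leaves. It scans the message for Social Security Number patterns and, if any appear in clear text, refuses to release it and also lists every recipient domain outside an expected-recipient allowlist, so a mistyped address is surfaced before the message goes out. An already-encrypted body shows no SSNs to the scanner and passes. The domain names, the allowlist and both sample messages are constructed for illustration.

```python
"""Outbound e-mail check: block clear-text SSNs, flag unexpected recipients.

Added example, not code from the original post. The domains, the allowlist
and the two sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# U.S. SSN: AAA-GG-SSSS with optional '-' or ' ' separators. Rejects area
# 000, 666 and 900-999, group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b"
)

# Assumed: the only domains that should ever receive the guest list.
ALLOWED_DOMAINS = {"example-events.com", "example-secretservice.gov"}


def find_ssns(text: str) -> list[str]:
    """Return every SSN-looking token in the text."""
    return SSN_RE.findall(text)


def extract_text(msg: Message) -> str:
    """Concatenate all text/plain parts (works for single and multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def recipient_domains(msg: Message) -> set[str]:
    """Lower-cased domains of every To/Cc/Bcc address."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.rpartition("@")[2].lower()
            for _name, addr in getaddresses(headers) if "@" in addr}


def check_outbound(raw_message: str) -> tuple[bool, list[str]]:
    """Return (release, reasons).

    A message carrying clear-text SSNs is never released: policy requires
    that such data be encrypted before it is mailed. When that rule fires,
    every recipient domain outside ALLOWED_DOMAINS is also reported so the
    sender sees the typo. An encrypted body (e.g. PGP armour) exposes no
    SSNs to the scanner and is released.
    """
    msg = message_from_string(raw_message)
    reasons: list[str] = []
    ssns = find_ssns(extract_text(msg))
    if ssns:
        reasons.append(f"{len(ssns)} clear-text SSN(s) in body; encrypt before sending")
        for domain in sorted(recipient_domains(msg) - ALLOWED_DOMAINS):
            reasons.append(f"recipient domain not on the allowlist: {domain}")
    return (not reasons, reasons)


# Constructed sample: the sender meant planner@example-events.com but also
# typed a Gmail address, and the list is in clear text.
MISTYPED_CLEAR = """\
From: staffer@example-party.org
To: planner@example-events.com, reporter@gmail.com
Subject: Security list for Friday

Guest list (name, SSN):
J. Doe  123-45-6789
R. Roe  321-54-9876
"""

# Constructed sample: same list, but encrypted before sending.
ENCRYPTED_OK = """\
From: staffer@example-party.org
To: planner@example-events.com
Subject: Security list for Friday

-----BEGIN PGP MESSAGE-----
hQEMA... (ciphertext omitted in this constructed sample)
-----END PGP MESSAGE-----
"""

if __name__ == "__main__":
    for label, raw in (("mistyped, clear text", MISTYPED_CLEAR),
                       ("encrypted", ENCRYPTED_OK)):
        release, reasons = check_outbound(raw)
        print(f"{label}: {'release' if release else 'BLOCK'}", *reasons, sep="\n  ")
```

The allowlist check only runs once clear-text PII has been found, so ordinary mail to outside domains is not blocked; the point is that a message which should never leave in clear text is stopped, and the sender is shown the address that would have leaked it.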

It struck me as odd that event planners and the Secret Service would require the races and SSNs of the donors.  This should dissuade many people from donating to candidates, knowing that such sensitive information is being carelessly handled.  Even if this email mistake was not made, it is very bad security to send SSNs and other types of sensitive PII in clear text email messages.

And I’m also wondering…why would someone who donates money to a campaign need to provide his/her SSN?  I vote at every election, but I’ve never proclaimed a political party (partly to avoid constant requests for donations), so I don’t know what the typical process is for making campaign or party donations.  However, if someone asked me for a donation, and I said okay, I’d immediately withdraw that offer if they made my donation contingent upon my providing my SSN.  Of course, it may have to do with claiming it on income taxes…so now I’m definitely staying away from making donations to any political parties.  I would guess that it would be very scary to see what kind of information security and privacy practices they have within the RNC, or the Democratic National Party…or any other organized political group.

In fact, my curiosity is now piqued; I need to check their websites to see if they have posted privacy policies, or any mention of having an information security officer, privacy officer, or any type of security validation, such as a TruSecure certification or similar.  Let’s see…

The Republican National Committee

  • Posted privacy policy?  Yes.  They include a section on how they secure their information.  An okay but lacking policy.
  • Named CISO?  No mention of any found
  • Named CPO?  No mention of any found
  • Security validation?  No

The Democratic National Committee

  • Posted privacy policy?  Yes.  They include a section on how they secure their information.  Their privacy policy is actually better than the GOP’s privacy policy, but still lacking.
  • Named CISO?  No mention of any found
  • Named CPO?  No mention of any found
  • Security validation?  No

The National Libertarian Party

  • Posted privacy policy?  Yes.  A very poorly constructed policy.  Particularly this statement within it: "From time to time, we may use customer information for new, unanticipated uses not previously disclosed in our privacy notice. If our information practices change at some time in the future we will post the policy changes to our Web site to notify you of these changes and provide you with the ability to opt out of these new uses. If you are concerned about how your information is used, you should check back at our Web site periodically."
  • Named CISO?  No mention of any found
  • Named CPO?  No mention of any found
  • Security validation?  No

The Reform Party

  • Posted privacy policy?  No
  • Named CISO?  No mention of any found
  • Named CPO?  No mention of any found
  • Security validation?  No

No warm fuzzies with information security found at any of these.

Organizations of all kinds, and all sizes, not just for-profits, need to implement information security and privacy programs to safeguard the PII they collect. 

I wonder…in the case of the RNC…shouldn’t they be subject to FTC Act violation actions?  They state in their posted privacy policy, "Strict security measures are in place to protect the loss, misuse and alteration of any and all information pertaining to GOP.com."  After all, Eli Lilly was handed a consent order that will impact them significantly for 20 years from the time of their incident in 2002 that was the result of an email mistake.

Point/Counterpoint: Outsourcing to India – Secure or Not Secure?

Wednesday, October 11th, 2006

It was with great coincidental irony that I read two stories back-to-back today discussing whether or not outsourcing business processes to India was or was not secure.  One was a personal opinion article, and the other was based upon a study.  Both are good to consider, and make some serious points.

The Financial Express story claimed, "Security concerns unwarranted."  The Daily Telegraph reported, "Secrets for Sale."

So…does this point to these stories as ad hominem arguments, or do they each make some truly valid points? 

With that question in mind I was taken back in time (imagine retrospective music now playing…perhaps Carly Simon…or Five for Fighting…) to when I was but a wee, very young toddler…and the 60-Minutes segments, Point/Counterpoint, were on each Sunday with James Kirkpatrick and Shana Alexander …which of course then brought to mind Saturday Night Live’s take of it with Dan Aykroyd and Jane Curtin spoofing the roles…which was hilarious!  Yes, I should not have been staying up that late when I was but a wee, very young toddler, but usually no one realized I was up watching from the depths of the dark hall in the back of the living room… 🙂

I wonder; how would these stories work by intertwining the reports?  Hmmm…Let’s give it a try…

The part of Dan will be played by the Financial Express story that all outsourcing to India is secure; the Jane part will be played by the Daily Telegraph story about widespread fraud with outsourced organizations in India.  Let’s see how this works with actual excerpts from the reports…

Dan (Financial Express):  "…complex outsourcing businesses have moved to technical support centres located in countries such as Mexico, China, South Africa and India."

Jane (Daily Telegraph): "ANZ employs hundreds of workers in Indian call centres and NAB is also looking to shift 160 data processing jobs for India."

Dan (Financial Express):  "The Indian ITeS-BPO industry has also become the favourite hunting ground for the Western tabloid press. These publications have started conducting ‘sting’ operations to investigate and highlight the ‘rot’ in the Indian BPO companies. In an already tense situation, these press articles often paint the entire Indian ITeS-BPO industry with the same brush. The ground reality, however, is different. There have been isolated instances of breach of privacy by some individuals. Once detected, both the companies and the Indian authorities have acted swiftly and promptly to investigate and prosecute the concerned individuals."

Jane (Daily Telegraph): "CALL centre fraud is flourishing in India with confidential details of bank and mobile phone customers readily available for sale."

Dan (Financial Express): "Indian BPO companies as well as trade bodies such as NASSCOM and CII have also put their weight behind industry-wide initiatives to strengthen the screening of employees, monitor and report adherence to accepted worldwide security best practices and lobby with the Indian government to amend and update the Indian IT Act."

Jane (Daily Telegraph): "The Dispatches documentary The Data Theft Scandal claims the fraud is widespread and exists in major Indian cities including Calcutta, Delhi, Hyderabad and Bangalore."

Dan (Financial Express): "I believe that the security concerns are being blown a bit out of proportion, given the ‘high decibel’ visibility and hype surrounding the outsourcing industry, particular in India."

Jane (Daily Telegraph): "One former call centre worker told the Channel 4 program: "The potential for fraud was very, very high. "I mean, security where I worked was non-existent. It’s really that easy to take anything you want out of the buildings." A middleman admitted the information he was selling for $20 per set was obtained from an Indian call centre selling mobile phones – and boasted he could provide the records of 100,000 customers each month."

Dan Aykroyd (RH*): Jane, you ignor…oops…sorry; the SNL sketches became a bit too vivid…

Jane (Daily Telegraph): "One call centre consultant showed off the illegal data he was offering for sale from his laptop. His database of about 200,000 identities included some passport and licence details obtained from customers who bought mobile phones via an Indian call centre. Data protection lawyer Stewart Room said the program proved the fraud was systematic. "What I’ve seen here is the best evidence you could give me … of wholesale disregard for fair and lawful practices in information processing," he said.  "You couldn’t scare me more. This is as bad as it gets. This is evidence of serious criminal offences.""

Dan (Financial Express): "The government and industry in India have taken some important measures to address the issue of data security and the associated perceptions. These initiatives, if implemented in letter and spirit, would go a long way in promoting the Indian ITeS-BPO sector."

Jane (Daily Telegraph): "Another middleman offered details for as little as $12.50 per customer. He said the data was mined by agents posing as technical support staff, who carried the sensitive data away using computer memory sticks. One seller who feared he was being set up agreed call centre fraud was bad for India’s economy because foreign companies might pull out and leave thousands unemployed."

Dan (RH): Jane, you ignorant, misguided sl*t! Once again, you missed the point entirely.  Why should…

Jane (RH): Thank you, Dan!  Hoping your news is good news. Good night, and have a pleasant tomorrow.
 

Thank you for indulging my attempted levity…I just finished working another 14-hour day, so I thought it would be good to lighten up a bit…ahh…I needed that!  🙂

The outsourcing of business processes and the caretaking of sensitive data *IS* a huge risk to organizations, no matter which country or which other organization the work goes to, and ensuring the security of the data entrusted to outsourced entities is very important.  I spend much of my time researching and investigating the information security claims of my clients’ business process outsourcing vendors; such due diligence is not only prudent in today’s environment, it also demonstrates due care and is required by various laws, regulations and contractual agreements.

* RH: Rebecca Herold

Lost Hard Drive with PII + Tardy Notification = Upset Alumni

Tuesday, October 10th, 2006

Personal information about 4,400 alumni of Troy Athens High School in the Detroit area went missing in August, but the affected alumni were not notified until October 5.

Part of the delay was because the hard drive was missing and they thought it may simply have been misplaced.  They still aren’t sure whether it was stolen, is still at a computer services shop, or is simply lost under a pile of material from the renovations.

It is understandable that they would want to make sure it wasn’t simply put somewhere it should not have been, but two months seems excessive.  Some, perhaps most or even all, of the alumni are understandably angry about the delay in notification.

""I’m obviously upset about the whole thing," said Paul Nagy, 24, a 2000 graduate of Troy Athens. "Look at all the time it’s going to take to stay with this — the monitoring of credit reports. It could take someone a long time to go through all those names, so it could be years down the road before it comes into play."

One alumnus, Nick Britzky, 25, of Sterling Heights is rallying support among alumni to demand that the school district be held responsible for ensuring that the confidential information isn’t used against them.

Britzky, a 2000 graduate, has started two Web sites and plans to approach administrators on Wednesday.

"Join our fight to get them to provide us with our right to free credit monitoring," reads his plea on the Web site troyathenssucks.com, which features a photograph of the high school with the universal symbol of the red circle with a slash through it.

"I checked it out and it costs about $15 a month to get credit reports from three reporting agencies," said Britzky. "I know that could cost the district a lot of money, but it’s a good step.""

Organizations need to understand that individuals impacted by data incidents are becoming more vocal and active in demanding that credit monitoring be provided following incidents.  Considering the impact that fraud, crime, identity theft and other malfeasance could have, and has had, on growing numbers of individuals, that is understandable.

It sounds like this school did not have an incident response plan, particularly with regard to PII, in place prior to this incident, otherwise it likely would have been handled better.

Regarding the particular incident…

"She [Superintendent Barbara Fowler] said the hard drive came up missing while the school was undergoing renovations over the summer. At the same time, a company was hired to back up the hard drive.  She said during renovations, the computer was placed in a hallway while the school was being prepared for fall. A school employee later realized that the hard drive was missing. Fowler said they questioned the firm, CEO Image in Plymouth, a software development company, about the hard drive, and they said they did not have it or know its location."

Do you know the whereabouts of all your computers, computer storage media, and so on, at all times…or at least those that contain PII?  Hopefully you have policies and procedures to ensure you do.

Laptop Incident: Personal Information on 2400 Marines On “Missing” Laptop

Monday, October 9th, 2006

Last week a laptop was reported missing from the Camp Pendleton Marine Corps base.

"It’s happened again. A laptop computer loaded with personal information has turned up missing. This time, the laptop contained information on 2400 residents of the Camp Pendleton Marine Corps base. The computer was reported missing last week by a company that helps manage base housing. Both the company and the Camp are investigating the loss of the laptop. A statement from Camp Pendleton says as of Friday, investigators had found no evidence that the data on the laptop has been accessed. So far, authorities aren’t saying what kind of information was on the computer. Camp Pendleton is located north of San Diego, and is a major Marine Corps’ training facility on the West Coast."

I tried to find more information about this case than what was within this report, but without luck.

What is most noticeable about this incident report is the lack of details.

  • Was the personal data encrypted?  Probably not, or it is likely the incident would not have been reported.
  • Were the individuals whose personally identifiable information (PII) was on the laptop notified?
  • "Missing" is vague; was it actually stolen?

Also, it is becoming frustratingly common to see the statement, "investigators had found no evidence that the data on the laptop has been accessed."  Of course there is no evidence…they don’t even know where the laptop is! 

And it is highly likely that nothing bad, unscrupulous or criminal would be done with the PII right away.  "Evidence" of misuse of PII may not be discovered for many weeks or months.

FTC Act Noncompliance: Being an SMB Will Not Save You From Noncompliance Penalties

Friday, October 6th, 2006

The FTC just settled another violation of the FTC Act, this one for pretexting and selling call records.  This is a one-person business, demonstrating that the FTC does not only go after the big fish, but the business minnows are fair game as well.

When speaking with SMBs, many have indicated that they do not believe oversight agencies would ever be interested in their compliance, or non-compliance, activities, because the fines involved would not be as large and/or because they are just too small for any government oversight agency to care about.

Businesses must realize that the FTC is not using noncompliance just as a revenue generating machine targeting those multi-million dollar settlements.  They are going to investigate businesses of any size, in any industry, that they believe are practicing unfair and deceptive business practices, and are otherwise in non-compliance with the FTC Act. 

If your organization is making promises…within posted privacy policies, within mailings to your customers, within emails…that it does not keep, or is otherwise involved in illegal activities such as pretexting, your business is at risk of potentially huge fines.  This particular fine does not sound huge, but remember this is basically a one-man business, so it may still have a significant impact on him.  Usually the much bigger impact, in resources and time, comes from the consent order requirements, which can go on for years and years; many organizations have 20-year consent order requirements for independent audits, documentation filings, and so on.

In this latest case, the defendant, Integrity Security & Investigation Services, Inc. (Edmund Edmister), agreed to a consent order requiring him to:

  • Discontinue obtaining, causing others to obtain, marketing, or selling customer phone records and consumer personal information derived from phone records.
  • Stop making false or deceptive representations, such as impersonating any person or entity, directly or by implication, to any person or entity in order to obtain consumer personal information.
  • Stop requesting any person or entity to obtain consumer personal information relating to any third person, if the person making such a request knows or should know that the person or entity to whom such a request is made will obtain or attempt to obtain such information in violation of this consent decree.
  • Pay a $2,700 penalty.
  • Cooperate with the FTC whenever requested, including providing interviews, conferences, pretrial discovery, review of documents, and anything else related to this matter.
  • For the next 3 years, deliver a copy of the consent order to all of his principals, officers, directors, and managers of this business, and of any other business the Defendant controls, directly or indirectly, and obtain signed receipts and acknowledgments from each.
  • For the next 3 years deliver copies of the consent order to all of his employees, agents, and representatives, and obtain signed receipts and acknowledgments from each.
  • For the next 3 years document all of the following and provide to the FTC at any time upon their request:
    • A. Accounting records that reflect the cost of goods or services sold, revenues generated, and the disbursement of such revenues
    • B. Personnel records accurately reflecting: the name, address, and telephone number of each person employed in any capacity by such business, including as an independent contractor; that person’s job title or position; the date upon which the person commenced work; and the date and reason for the person’s termination, if applicable
    • C. Customer files containing the names, addresses, phone numbers, dollar amounts paid, quantity of goods or services purchased, and description of goods or services purchased, to the extent such information is obtained in the ordinary course of business
    • D. Complaints and refund requests (whether received directly, indirectly or through any third party) and any responses to those complaints or requests
    • E. Copies of all sales scripts, training materials, advertisements, or other marketing materials, and records that accurately reflect the time periods during which such materials were used and the persons and business entities that used such materials
    • F. To the extent consumer personal information is obtained through the use of any third party, records that accurately reflect the name, address and telephone number of such third party, including, but not limited to, copies of all contracts and correspondence (other than correspondence that contains consumer personal information) between him and the third party
    • G. Copies of each acknowledgement of receipt of the consent order.
  • For the next 3 years, notify the FTC of changes in address, employment, and other changes in the current business and any new business.
  • For the next 3 years, be closely monitored for compliance with these requirements.

Privacy Incident Example: PII Dumped At Recycling Center

Thursday, October 5th, 2006

Today it was reported in Australia that "sensitive medical records and personal health information" were dumped at a recycling center in Canberra.  This was given as an example of a privacy incident within the annual report of the ACT Community and Health Services Complaints Commissioner.

This type of incident is not uncommon.  It highlights a huge problem within organizations’ information security and privacy programs:  lack of policies, lack of procedures and lack of awareness. 

If personnel were told the risks and the proper procedures for disposing of personally identifiable information (PII), there would be far fewer careless incidents like this one.

The report itself has some interesting statistics about all aspects of healthcare, beyond information security and privacy; use the applicable portions as examples within your information security and privacy awareness and training efforts.  Although the report was specific to the healthcare industry, some of the lessons learned are applicable to all types of organizations. 

Some statistics I particularly found interesting include:

  • There was a "13 per cent spike in complaints about the health sector in 2005-06."
  • "The commissioner’s office received 580 inquiries that resulted in 276 complaints in the past financial year – up 13 per cent on 2004-05."

The public is becoming more vocal about its concerns and increasingly likely to file formal complaints with regulatory oversight agencies.

The report emphasizes the importance of awareness. 

You can never tell personnel or your consumers enough times, or in too many different ways, about information security and privacy.

Much of the report covers compliance and privacy concepts that may be new to many information security professionals, such as providing individuals with access to their PII upon request, allowing them to request corrections to their PII, and so on. 

Workshop Coming Soon: Effectively Partnering Information Security and Privacy For Business Success

Thursday, October 5th, 2006

I wrote about this last month, but since the workshop is quickly approaching, I wanted to put out a quick reminder of this message to those of you who may be interested in attending…

The number of information security and privacy incidents is not declining; quite the contrary.  As the amount of data and information continues to grow exponentially, as new flavors of information technology continue to be cooked up and quickly ladled into the business environment, as computers and data become more mobile, and as systems become ever more interconnected, more incidents will occur, more data protection laws will emerge, and more ways to compromise data and systems will continue to appear. 

Establishing effective privacy and information security strategies has moved to the top of the list for companies maintaining customer and employee information. However, there are often gaps in communication and coordination between privacy and information security activities, creating risks for incidents, duplication of effort, contradictory privacy and security initiatives, along with contractual and regulatory noncompliance.

Successful efforts require privacy and information security strategies to be complementary and integrated throughout all of the enterprise, within every business process stage and at every level within the organization.  There must be documented processes for addressing information security and privacy throughout the entire applications and systems development lifecycle.  There must be coordinated and mutually supportive information security and privacy awareness and training efforts.  Corporate policies, and website policies, must establish clear requirements for personnel to follow to safeguard information, in addition to complying with applicable laws and regulations.  There must be processes to ensure the security of information entrusted to third parties.  A corporate information security and privacy framework must be built, using the concepts from such already established and globally supported frameworks as COBIT, ITIL, ISO27001 (BS7799), and the OECD privacy principles, to address these, and other, major information security and privacy issues that will turn out to be your company’s security and privacy Achilles’ heel if you don’t.

I had the opportunity to work with Christopher Grillo to create a workshop, "Effectively Partnering InfoSec and Privacy For Business Success," that provides insight into privacy and information security practitioners’ roles and responsibilities within the organization and offers not only guidance and discussion on how to work together effectively; we have also spent literally hundreds of hours creating tools to support information security and privacy, which we provide to workshop attendees.  Businesses are now successfully using these tools to make their information security and privacy efforts more efficient and effective. 

Within our workshop, through presentation, discussion, and case-studies, attendees will obtain a better understanding of the challenges faced by both information security and privacy, and be able to create a workable framework for integrating efforts. Participants take away tools for building an effective Privacy and Information Security framework, a roadmap for creating synergy between the groups, and many tools and methodologies to start using right away to result in positive business impact. 

If you take our workshop along with the CSI conference in November, you will save $200 on the regular workshop cost.  I was happy to recently learn that CSI is allowing us to give a discount code for our workshop through my blog; if you only want to attend our workshop, you can save $100 by using the code PR133 when you register.

If you already have an integrated, highly successful information security and privacy program in place, that is great!!  I know it takes a lot of effort to have a successful program.  You likely have spent a great amount of figurative blood, sweat and tears in making your program effective and successful. 

I also know there are so many new and evolving challenges that even the most dedicated and hard-working information security and privacy professionals can benefit from new ideas, interactions with others, and effective tools and resources.  If you want to improve your information security and privacy programs, or need help establishing them, I hope you’re able to join us.  After all the hard work we put into creating this workshop, I am happy to know that the people who have attended have told Christopher and me that they found it very valuable, and that they were very pleasantly surprised by the large amount of tools and reference material we provided to the workshop attendees.

Insider Security Threats: More Examples of How People Are Your Weakest Information Security Link

Wednesday, October 4th, 2006

I’m compelled to write once more about the biggest information security, privacy and compliance vulnerability businesses face, the human factor, after reading in SearchCIO, "Insider Security Threats: Watch Out for the Quiet Ones."

This story, however, pointed out that not only do businesses face significant risks of personnel purposefully deciding to do bad things, but that more often than not it is lack of policies, enforcement and training that lead to security incidents.

Yes, you definitely need technology, as the report indicates, but you also need strong policies, executive support, enforced sanctions, and ongoing awareness and training.

Yes, and this is also worth a deja vu…

Technology alone will not protect your business data; you also need strong policies, executive support, enforced sanctions, and ongoing awareness and training.
