Archive for May, 2007

Many New U.S. State and Federal Privacy Bills Introduced, and Some New State Data Protection Laws Signed

Monday, May 21st, 2007

Boy oh boy, do we ever need a comprehensive federal data protection law in the U.S.! Each week more and more state level laws are introduced, many of them passed, all dealing with different aspects of data protection, and all impacting and complicating an information security and privacy professional’s responsibilities.
This past week was a busy one with a flurry of new and updated bills related to protecting privacy introduced, and a few new state laws.

(more…)

The Need to Build Security In: Poor Implementation of Indianapolis Public Schools Website Allows Viewing of PII For 7000+ Students and Teachers

Friday, May 18th, 2007

Today Monsters and Critics reported, “Indianapolis Public Schools exposes thousands to risk of identity theft.”
Apparently the Indianapolis Public Schools (IPS) website “that allows teachers to post reviews, student-writing samples, grades, and other confidential material to the IPS network” was implemented and configured without much attention to security.

(more…)

Does Using “Certified” Software Products Improve Compliance?

Thursday, May 17th, 2007

It seems the term “certified” is being used more and more…for professionals, hardware, software, you name it.
You see software vendors touting that their products have been certified and that they will help companies meet “compliance,” but I have found very little research into what this really means, or if it means anything at all.

(more…)

Know What You’re Buying…for Computer Service Contracts as Well as Security and Privacy Products

Wednesday, May 16th, 2007

This morning I was watching Good Morning America (GMA) with my sons before they left for school. Noah said, “Hey, they’re talking about my computer!”

(more…)

Information Security and Privacy Professionals Must Partner on Over 15…no wait…Over 20 Different Enterprise Issues

Wednesday, May 16th, 2007

Not too long ago I blogged about the need for information security and privacy professionals to work together to address safeguarding sensitive and personally identifiable information (PII). Within it I talked about how a workshop Chris Grillo and I created and give, “Handling Complex and Difficult Privacy and Information Security Issues,” discusses over 15 common issues that these professionals need to partner on.

(more…)

Great New Site for Data Loss Statistics

Tuesday, May 15th, 2007

There is a great new site, etiolated.org, that takes the privacy breach data accumulated by attrition.org and parses it into some very interesting statistics, trends charts, provides areas for commentary, and lots of other interesting and useful information.

(more…)

High School Cyber-Defense Competition: Mentoring Information Security Leaders of the Future

Tuesday, May 15th, 2007

There is great opportunity to ensure future computer systems and applications are more securely engineered than they are now by teaching our children from a young age the importance of information security and privacy, and showing them what needs to be done. I often have fantastic conversations with my sons about information security and privacy issues; they always bring wonderful perspectives I never thought about.

(more…)

Social Engineering & the Need for Awareness & Training: Fraudsters Are Calling Businesses Pretending to Be SEC Staff Members

Monday, May 14th, 2007

Another example of a social engineering scam, and another example of why awareness and training are so important for safeguarding information…
On May 10th the U.S. Securities and Exchange Commission (SEC) issued a press release warning that imposters were calling companies, claiming to be SEC examiners, and demanding “immediate access to confidential records.”

(more…)

Information Security & Privacy Awareness: Engage Personnel In Thinking About the Issues To Improve Security and Privacy

Saturday, May 12th, 2007

It really bothers me when so-called information security and privacy “experts” make statements that awareness activities have no impact. They base their opinions on measurements that could very well be, and likely are, unrelated to each other. Last year a study was presented in Europe claiming awareness activities has no impact on security.
Hogwash!

(more…)

Insider Threat Example: Engineer Leaks U.S. Military Secrets

Friday, May 11th, 2007

There has been a lot of talk and blogging recently about whether or not there is a need for an information security industry/profession. Um sure, and there is no need for the physical security industry/profession either, is there?
As long as humans touch information in any way, electronically or physically, information security will be needed to provide them with policies, procedures, standards, guidance, training, ongoing awareness, and responding to and fixing the security messes and privacy breaches they cause.

(more…)