Archive for July, 2008

Free Info Sec & Privacy Training Hosted By The FTC and COPP

Thursday, July 31st, 2008

If you’re in the Los Angeles area on August 13, here’s what looks to be a good, FREE, day of getting information security and privacy training hosted by the U.S. Federal Trade Commission (FTC) and the California Office of Privacy Protection (COPP).
If you are a company with no dedicated information security or privacy position, like most small and medium sized businesses (SMBs), then go to this event to hear WHY you need to make efforts to safeguard your customers’ and employees’ personally identifiable information (PII). Hey, if you’re in the area, it’ll only cost your time!
Here’s the full announcement…


Do You Do Data Mining?

Wednesday, July 30th, 2008

Many folks like to argue and pick apart what is meant by “data mining.” Marketers I’ve spoken with claim they are not doing data mining with their customers’ information, but just “repurposing” it.
Whatever you call it, you need to know how your organization is using personally identifiable information (PII) in ways other than the purposes for which it was collected. Many times these other purposes are achieved through data mining.
Last week the U.S. Department of Homeland Security held a workshop, “Implementing Privacy Protections in Government Data Mining” that provided some good information about data mining privacy issues that all organizations should consider. The comments the DHS received prior to the event were very interesting.


17 Info Security & Privacy Topics Call Center Staff Must Understand

Tuesday, July 29th, 2008

Okay…back to my continuing lecture on the need to provide targeted training on specific information security and privacy topics to the various responsibility groups throughout your enterprise.
Consider this: what if you took a driver’s education class and all they told you to do, by showing you on a PowerPoint slide, is how to put the key in the ignition, turn the engine over, how to press the accelerator to move forward, and how to press the brakes to stop. Then they told you to go out there and drive…have at it! Would you be well prepared to get onto the road and deal with all the other things you need to know about driving? Most likely not. If you feel you would be well prepared, please tell me you will not be driving on the central Iowa roads… 🙂


Death and Data

Monday, July 28th, 2008

I encountered something rather remarkable in just the past two months: a couple of CISOs told me that they have had high-level business leaders, each of whom had a significant amount of computing equipment and information at their homes, die suddenly as a result of different circumstances.
As I discussed this with them, I wondered, how many organizations are ready to deal with something like this?


People Need Periodic, Effective, Training And Ongoing Awareness To Truly Safeguard Information

Friday, July 25th, 2008

Imagine this: what if you were given training just one time, in a 1-hour session with no hands-on practice, for how to do first aid and give CPR and then were never given more training or reminders about how to do first aid and CPR…two years later would you be able to competently perform first aid when someone needed it? Probably not. Probably not even 1 year later, or even 6 months later.
People need to have regularly scheduled training and ongoing awareness in how to do activities competently. You cannot expect to give a 1-hour, often poorly-constructed, training course about information security or privacy and then have the people taking the training know what to do weeks or months or even years later. However, this is the situation that occurs in a very large portion of organizations.
It is no wonder that the majority of security incidents and privacy breaches occur as a result of lack of knowledge and mistakes.
Here is the third part of the third article, “Providing Call Centers with Information Security and Privacy Education,” in my July issue of IT Compliance in Realtime, that speaks to this issue…


Call Center Folks Have Huge Amounts Of Access To PII

Thursday, July 24th, 2008

Need more reasons from my post from yesterday about why call centers need targeted training and ongoing awareness?
If so, then here is the second part of the third article, “Providing Call Centers with Information Security and Privacy Education,” in my July issue of IT Compliance in Realtime…


The Area With The Most Customer Contact Usually Has The Least Information Security and Privacy Training

Wednesday, July 23rd, 2008

Think for a few moments about the area in your company that has the most, or close to the most, direct contact with your customers and consumers…


Are You Providing Targeted Training For IT Personnel?

Tuesday, July 22nd, 2008

If I’ve said it once, I’ve said it a million times, but I’ll say it again…
Providing general information security and privacy training to all personnel is good, and should be done! However, you ALSO need to provide targeted training, and ongoing awareness communications, to different groups throughout your organization based upon their job responsibilities that involve information assets and personally identifiable information (PII).


“Cyber Security in the Three Times: Past, Present, & Future”

Monday, July 21st, 2008

Here is a very interesting-looking online seminar…FREE…looks worth checking out…


First HIPAA Sanction Applied! $100,000 + Required Actions

Friday, July 18th, 2008

My jaw almost dropped early this morning when I saw the press release from the HHS yesterday, “HHS, Providence Health & Services Agree on Corrective Action Plan to Protect Health Information.”
Is it about time the HHS actually enforced HIPAA? Yes!
Without applied sanctions for noncompliance, laws and regulations are meaningless and ineffective.
I’m going to look at the Resolution Agreement closely and comment on that soon…in the meantime here is the full press release: