Archive for the ‘government’ Category

Use Encryption despite Your NSA Snooping Fears

Thursday, September 26th, 2013

I’ve received numerous questions from various news outlets, clients and colleagues since the published revelation that the NSA was getting the assistance of encryption vendors to decrypt messages throughout a very wide range of activities. A lot of folks are now throwing their hands in the air, claiming that encryption is now no longer effective, and planning to use something completely different. Hmm…wait! Don’t throw out the encryption baby with the unsafe practices bathwater yet. Encryption is still an effective, and necessary, information security control to use. The following are (more…)

Lack of Basic Security Practices Results in $1.7 Million Sanction

Wednesday, June 27th, 2012

July 4 Update to Original Post: See additional recent statements from the OCR and the Alaska DHSS about this case here.

Here is a significant sanction, just applied, that all organizations, of all sizes, need to take notice of. Even if you are not in the healthcare industry, this case points out the elements of an information security and privacy program, and the supporting safeguards, which will be used as a model of standard practices by all types of regulatory oversight agencies.

Don’t Manage Employee Online Activities By Requiring Their IDs & Passwords!

Thursday, June 18th, 2009

I read a story about a city government agency actually asking job applicants to provide their IDs and passwords for any online social networking type of site they participate in…

1746 Organizations In The U.S.’s EU Safe Harbor Program

Thursday, March 12th, 2009

A type of project I really love to do is a privacy impact assessment (PIA). For companies who collect or otherwise handle the personally identifiable information (PII) of individuals from multiple countries, typically doing a cross border data flow analysis of the PII is within the scope of the PIA.

New Online Behavioral Advertising Principles: Self Regulation Does Not Mean Less Scrutiny By The FTC!

Monday, February 16th, 2009

On February 12 the U.S. Federal Trade Commission (FTC), the most actively aggressive oversight agency in the U.S. with regard to enforcing privacy protections, released new behavioral advertising principles

Business Info Fact Of The Day: Smartphones CAN Be Used Securely!

Friday, January 23rd, 2009

I thought it was pretty silly to read over the past few weeks that President Obama was being pressured to give up his Blackberry because of security reasons. If information security controls are properly implemented, then there is no reason that the president of the U.S., or any other person for that matter, should not use a smartphone!
I was happy to see the following article published by CNN…

New Guidelines for Safeguarding Personal Data

Tuesday, January 20th, 2009

Happy U.S. presidential inauguration day! 🙂 Did you take off a few minutes of work to watch the inauguration? I wasn’t going to, was planning to just catch videos on the news sites or YouTube later, but then I did, and I’m glad; it was so historical and memorable!
To celebrate, how about I tell you that NIST just made a great new document available…

Random thoughts: Network or security changes on inauguration day (1/20)?

Saturday, January 17th, 2009

I was at an ISACA meeting earlier this week, and over lunch I got into an interesting conversation with a group there about whether or not streaming video feeds were going to be allowed or blocked at the firewall during the inauguration of Barack Obama as U.S. president this coming Tuesday. Some views were that it was an historic event, that most people would not be working anyway, and that to maintain goodwill with personnel the streaming videos would be allowed. Others said they would block the streaming video to maintain workable bandwidth, but they were setting up TV monitors throughout the facilities to allow personnel to view if they so chose, with no network impact to others in the company who continued to work.

With New Year & New U.S. Administration, New Compliance Actions Projected

Wednesday, January 7th, 2009

The lack of effective or consistent regulatory oversight over the past 8 years, much of which is blamed in large part for the current economic mess, means, at least to many soothsayers, that a new Obama administration will bring with it not only more aggressive compliance activities, but also a fresh round of new laws and regulations, many of which are anticipated to require much more audit logging, storage and retention, and more stringent access controls.

Insider Threat Example: 19,000 Pieces Of Computer Equipment Stolen; Why Didn’t Someone Notice?

Monday, December 29th, 2008

Okay, this story begs the question, why didn’t someone at the Naval Research Laboratory notice disappearing equipment…?
