I’ve received numerous questions from various news outlets, clients and colleagues since the published revelation that the NSA was getting the assistance of encryption vendors to decrypt messages throughout a very wide range of activities. A lot of folks are now throwing their hands in the air, claiming that encryption is no longer effective, and planning to use something completely different. Hmm…wait! Don’t throw out the encryption baby with the unsafe-practices bathwater yet. Encryption is still an effective, and necessary, information security control to use. The following are (more…)
Archive for the ‘government’ Category
July 4 Update to Original Post: See additional recent statements from the OCR and the Alaska DHSS about this case here.
Here is a significant sanction, just applied, that all organizations, of all sizes, need to take notice of. Even if you are not in the healthcare industry, this case points out the elements of an information security and privacy program, and the supporting safeguards, which will be used as a model of standard practices by all types of regulatory oversight agencies. (more…)
I read a story about a city government agency actually asking job applicants to provide their IDs and passwords for any online social networking type of site they participate in…
A type of project I really love to do is a privacy impact assessment (PIA). For companies who collect or otherwise handle the personally identifiable information (PII) of individuals from multiple countries, typically doing a cross border data flow analysis of the PII is within the scope of the PIA.
I thought it was pretty silly to read over the past few weeks that President Obama was being pressured to give up his BlackBerry because of security reasons. If information security controls are properly implemented, then there is no reason that the president of the U.S., or any other person for that matter, should not use a smartphone!
I was happy to see the following article published by CNN…
Happy U.S. presidential inauguration day! 🙂 Did you take off a few minutes of work to watch the inauguration? I wasn’t going to, was planning to just catch videos on the news sites or YouTube later, but then I did, and I’m glad; it was so historical and memorable!
To celebrate, how about I tell you that NIST just made a great new document available…
I was at an ISACA meeting earlier this week, and over lunch I got into an interesting conversation with a group there about whether or not streaming video feeds were going to be allowed or blocked at the firewall during the inauguration of Barack Obama as U.S. president this coming Tuesday. Some views were that it was an historic event, that most people would not be working anyway, and that to maintain goodwill with personnel the streaming videos would be allowed. Others said they would block the streaming video to maintain workable bandwidth, but they were setting up TV monitors throughout the facilities to allow personnel to view it if they so chose, allowing no network impact on others in the company who continued to work.
The lack of effective or consistent regulatory oversight over the past 8 years, much of which is blamed in large part for the current economic mess, means, at least to many soothsayers, that a new Obama administration will bring with it not only more aggressive compliance activities, but also a fresh round of new laws and regulations, many of which are anticipated to require much more audit logging, storage and retention, and more stringent access controls.
Okay, this story begs the question, why didn’t someone at the Naval Research Laboratory notice disappearing equipment…?