Archive for April, 2007

Addressing Privacy: There Will Never Be a Technology-Only Solution Because of the Human Factors Involved

Sunday, April 29th, 2007

Last week I had the pleasure of being interviewed by Jay Cline for a Computerworld article he was doing about small companies, such as mine, that provide privacy services to organizations.


Privacy: Surveillance and Poor Security Practices

Saturday, April 28th, 2007

Today I read with interest an article in the U.K.’s Guardian Unlimited, “Surveillance ‘intrudes on our lives‘.”
I am doing some research into various surveillance methods, such as with CCTV, key loggers, and other methods of surreptitiously recording the activities of individuals, typically without their consent, and often without their knowledge.


Keyloggers + Social Engineering = Identity Theft: Fraudsters Exploit Human Frailties with Seductive Messages

Friday, April 27th, 2007

Fraudsters and cybercriminals continue to find creative ways to exploit technology and human weakness to facilitate their crimes. Another new exploit they are using is hijacking popular Google search terms, typically targeting bank sites, and then inserting HTML into the legitimate response pages to get end-users to provide personally identifiable information (PII), typically website user IDs and passwords, often in conjunction with keyloggers they download to the victims’ computers.


HIPAA: More Changes and Initiatives by HHS

Thursday, April 26th, 2007

I’ve been reading so much about HIPAA lately; no enforcement actions yet, but a lot of changes, proposals and initiatives.
Two more I read about recently:


Information Security and Privacy Professionals Must Partner on Over 15 Different Enterprise Issues

Wednesday, April 25th, 2007

Recently I read a print article written by a prominant privacy officer at a well-known company who has been writing a lot of articles about privacy over the past couple of years. She is successful and usually has some good advice, but what worried me about the latest article I read, and some of her other articles, is that she specifies that certain issues are handled by IT and/or the information security officer, so privacy officers do not need to worry about them or even know much, if anything at all, about them. The topics she’s mentioned have been encryption, outsourcing IT functions, and information security policies, just to name a few.


SOX Compliance: Fraudsters Posing as Officials Selling “Compliance Solutions;” *NO* vendor Product Can Make an Organization 100% Compliant With ANY Regulation

Tuesday, April 24th, 2007

Something that has irritated me for a very long time are vendors who see a chance to make a quick buck off of worried organizations, afraid they are not going to be in compliance with new laws, and create junk products to sell to them using fear, uncertainty and doubt (FUD). FUD products.
I saw a lot of HIPAA FUD back when that regulation went into effect, and saw way too many people spending way too much money for so-called HIPAA security and privacy certifications offered by vendors who did not even have anyone on staff with any type of healthcare provider, payer or clearinghouse practitioner experience. Not to mention HIPAA compliance solutions.


HIPAA: Advisory Workgroup Proposes PHI Security and Privacy Requirements Should Apply to All Organizations

Monday, April 23rd, 2007

The Department of Health and Human Services (HHS) has a Confidentiality, Privacy, and Security Workgroup, also known as the American Health Information Community, that is made up of practitioners, IT folks, lawyers and other leaders outside of the government who want a say in how protected health information (PHI) is safeguarded, shared, and otherwise handled.


Information Security: Laws Require Secure Disposal of Information in All Forms; Using BS 8470:2006 for Compliance

Friday, April 20th, 2007

Many information security incidents have occurred through non-technical means by simply and thoughtlessly throwing away printed documents into publicly-accessible trash bins, or even putting computers and sensitive documents out on the streets. I have blogged about this several times, such as here, here, and here.


Anonymous Posting on the Internet: Privacy vs. Defamation vs. Information Security

Thursday, April 19th, 2007

Over the past few months I’ve discussed with several different organizations the issue of their personnel posting on Internet sites, to blogs, within Internet communities, and various other locations. The issues are many, but few organizations have really thought about them all; the implications of employees posting from the corporate network, using their corporate email address within online postings, the time used while at work to post, the possibility of libelous statements being made that the corporation may have to ultimately end up paying for, and many assorted other issues.


SMBs, Identity Theft & Insider Threat: Bad SMB Security Impacts Organizations of All Sizes

Wednesday, April 18th, 2007

There are many articles written about the insider threat, several have been done, and often the focus is on large organizations where those employees with malicious intent are often either in positions of trust way down in the org chart, or the perpetrator is the person at the helm of the organization.