Archive for April, 2007

Free Information Security Training Workshops from FISSEA

Tuesday, April 17th, 2007

The information security and privacy incidents tally continues to grow every day, new threats and vulnerabilities continue to appear every day, and information security and privacy professionals have a hard time keeping up with them all, not to mention keeping their own personnel aware of the many issues they face in their everyday business work. And then there is the challenge of getting the resources and time necessary to create an effective program! I know many folks often seem overwhelmed.


Admitted HIPAA Noncompliance at UPMC: Penalties Must Be Applied to Make Laws Effective

Monday, April 16th, 2007

On April 13 the Pittsburgh Tribune-Review reported that the University of Pittsburgh Medical Center (UPMC) admitted to using the records of 80 patients, including names and Social Security numbers, for a presentation they made at a 2002 symposium, in violation of the Health Insurance Portability and Accountability Act (HIPAA).


Obscure Email Security Issues: Whitehouse Provides Lessons in Email Management Practices and Using Non-Business Email Accounts to Conduct Business

Sunday, April 15th, 2007

So much is in the news lately related to information assurance it is hard to pick which one to share my thoughts about. However, the misuse of email, managing email, and the maintenance of email systems, which I know I’ve already talked about recently, just keeps bubbling to the top of concerns.
Throughout last week and over the weekend, while watching the news programs, listening to the political pundits, and reading various news magazines, there has been much talk about how perhaps millions of Whitehouse emails seem to have vanished, along with discussion about the use of non-Whitehouse systems for Whitehouse business emails.


Data Storage Must Be Secured to Protect Privacy

Saturday, April 14th, 2007

Oftentimes privacy breaches occur because access controls are not configured appropriately for databases, or because adequate processes were never established to protect data within the network perimeter. Too many organizations still focus almost all of their efforts on securing the typically fuzzy and porous perimeter, to the exclusion of other highly vulnerable areas. Many incidents can be prevented by putting more attention and time into securing the data storage areas.


Obscure Email Security Issue: 5 Lessons About Re-using Email Addresses

Thursday, April 12th, 2007

Does your organization ever re-use email addresses whenever someone leaves the company? Do you know that some of your customers’ and personnel’s email service providers re-use email addresses when their subscribers leave? Probably more than you realize.


Security Software Must be Secure: 25 Questions To Ask Security Vendors

Wednesday, April 11th, 2007

A little over 10 or so years ago, when I was responsible for information security and privacy at a large financial organization, I was doing research into PKI products and solutions. The sales exec for one of the products I was considering insisted on coming onsite with his “lead scientists and engineers” to tell me and some other folks in the IT and information security area about how wonderful their PKI product was. I did some research and prepared a couple of pages of questions to ask them about the specifics of their product. The sales exec, who has since gone on to other work and is also now a friend of mine, later told me that he felt like shrinking and hiding under the table as I asked questions about the specifics, functionality and support of their product that the developers themselves could not answer, and, even worse, many that they had not even thought about.


Security: NIST Releases Report on Biometrics Advances

Tuesday, April 10th, 2007

Improved algorithms in facial recognition software have increased the success of such technology by up to ten times since 2002, the National Institute of Standards and Technology (NIST) said in a report, “Face Recognition Vendor Test (FRVT) 2006 and the Iris Challenge Evaluation (ICE) 2006 Large-Scale Results,” issued March 29.


HIPAA Security Rule and Privacy Rule Enforcement Reportedly Going To Be Pursued In 2007

Monday, April 9th, 2007

Something that has bothered me, and many others, for a very long time is how there have been absolutely no enforcement actions for the Health Insurance Portability and Accountability Act (HIPAA) privacy rule or security rule since they went into effect. Passing a law and then not doing anything to enforce it, even after the enforcement agencies have received tens of thousands of complaints reporting noncompliance, makes the law weak and prone to disregard by covered entities (CEs) who see others getting away with noncompliance with just a, “Whoops! Sorry, we’ll try to fix that.”


Security and Legal Implications: NLRB Hears Oral Argument Regarding Employee’s Use of Employer’s Email System

Sunday, April 8th, 2007

There are increasing reports of email misuse, malicious use, mistaken use, and just plain bad implementations of email systems that allow the many threats out in the wild and woolly Internet, and the desperado insiders, to exploit vulnerabilities. It is most common for information assurance pros to be fairly diligent in trying to keep malware out of the enterprise network through scanning and filtering emails, and it is good to see that it is also becoming a growing trend to try and prevent sensitive data from leaving the enterprise by using scanning and encryption. However, there are many other mishaps and business damage that can occur through the use, or misuse, of email and email monitoring that can have legal implications.


The Path Less Traveled…I’ve Been “Tagged” to Blog About How I Got Into This Business and To This Point in my Career

Friday, April 6th, 2007

I had been planning to post about a legal argument made regarding employers’ email systems and employee rights, but I’ll save that until the weekend…this sounds more fun right now anyway!