Archive for August, 2007

U.S. Dept. of Homeland Security Makes 14 Privacy Impact Assessments Available

Wednesday, August 15th, 2007

I am a huge proponent of privacy impact assessments (PIAs); basically risk assessments for privacy. PIAs can reveal gaps in privacy practices, along with the information security practices used to protect privacy. They are important and effective exercises for all organizations that handle personally identifiable information (PII).

(more…)

Are the U.S. Numbers Planning For ISMS (ISO 27001) Certification Really At 80%?

Monday, August 13th, 2007

Over the weekend I was reading the latest issue of SC Magazine, and some of the statements within the article “U.S. lags in ISO 27001 compliance” made me go, “Huh?”

(more…)

Bad Advice from the Uninformed and Inexperienced Hurt Information Security & Privacy Efforts

Sunday, August 12th, 2007

The results of the poll for this past week show that 91% believe information security and privacy training and awareness is important, but 9% believe it is not necessary to effectively safeguard data.
Well, I’ve had some very interesting conversations in the past few years, usually while at conferences and when chatting with vendors, who were emphatic about how awareness and training is “a waste of time and money.” As the results of my very unscientific poll show, while this opinion may be a very small percentage, it still could significantly impact information security program efforts based upon the folks who are putting down the awareness and training…the influence they have on non-infosec corporate decision makers could be very damaging to overall efforts…

(more…)

Trick or Treat for Poll Clicks, Please! :)

Friday, August 10th, 2007

Do you think my current blog poll (right side of screen, scroll down a bit) is lame? I had a couple of my friends and information assurance friends tell me that my question this week is a no-brainer; that no one will take a poll that is obvious.
Well, if you read my blog occasionally you know that I am a strong believer that information security and privacy awareness and training is absolutely necessary for security and privacy efforts to be effective. But, I have also seen published statements from some otherwise very smart folks stating that awareness and training efforts are a waste of time, a waste of money, or that only technology alone can result in effective security since most folks will “never learn anyway.”

(more…)

Avoid Being Sued And Losing Customers: Don’t Go Changing Your Privacy Policy Willy-Nilly!

Friday, August 10th, 2007

Many organizations dangerously change their posted privacy policies often, and often without giving notice to their customers. It is important to always keep in mind that your posted privacy policy is a legally binding contract with your customers. You cannot agree to do one thing with your customers’ personally identifiable information (PII) when they start doing business with you and then change that agreement without notifying and allowing your customers to agree to that change.

(more…)

You Will Be Judged By The Company You Keep: 4 Good Reasons (And More) To Ensure Your Business Partners Have Good Information Security Programs

Thursday, August 9th, 2007

Over the past few years I have done well over a hundred business partner security program reviews for organizations who wanted to ensure that the organizations to whom they were entrusting their sensitive data, or other business processing, had appropriate security and privacy policies, practices, training and were generally trustworthy.

(more…)

Boiling Down PCI DSS Compliance; It’s Really Just Common Sense Information Security

Wednesday, August 8th, 2007

I subscribe to many (sometimes I think too many) assorted email newsletters that cover a wide range of compliance issues. One came through today from the IT Compliance Institute with the subject line, “PCI fails, Fidelity breach, death by upgrade, more‚Ķ”
PCI fails? Sounded interesting so I went to their story about it.
(Title corrected on 8/9; thanks Grit!)

(more…)

77% Polled Believe Privacy Is Possible

Tuesday, August 7th, 2007

77% of those participating in my completely unscientific blogsite poll from last week indicated privacy is still possible.

(more…)

Wii Need To Be Creative With Information Security and Privacy Awareness

Monday, August 6th, 2007

No, I didn’t misspell in the title… 🙂
My youngest son recently celebrated his birthday. Both my sons are the greatest kids I could ever have dreamed of. They both always do their chores and homework with very little prodding, are healthy, smart, considerate, loveable…well, I could go on and on. I am very thankful for them.

(more…)

Privacy in the 21st Century is Captured Well in This Year’s GSW Logo Competition Winner

Sunday, August 5th, 2007

Global Security Week (GSW) is September 3 – 7 this year, and the topic is Privacy in the 21st Century.
All the GSW logo entries were nice, but I think the winner of the GSW logo competition, Emily Hoelscher, captures the essence of privacy quite well. I really like how Emily incorporated both physical and data issues into her design.

(more…)