Archive for July, 2008

Laws & Regulations Require Security & Privacy Training & Awareness

Wednesday, July 9th, 2008

I’m in the final weeks of creating some privacy breach training courses that will not only help personnel to prevent privacy breaches, but also help support compliance with the FACTA Red Flags rule, the at least 45 U.S. privacy breach notice laws, plus many other laws and regulations.
Over the past decade+ there have been a large number of laws, regulations and industry standards that have specifically stated the need for organizations to provide information security and privacy training and awareness to their personnel.

(more…)

Information Security and Privacy Education Lesson Fines And Court Penalty Judgments

Tuesday, July 8th, 2008

My July issue of “IT Compliance in Realtime” has been published!
This month I continue to focus on the importance of information security and privacy training and awareness to not only improve security and privacy preservation, but also to meet a very wide range of compliance requirements. The first article in this month’s Journal is, “Information Security and Privacy Education Support Compliance.” Download the PDF of the full Journal issue for the formatted, best-looking version.
Here are the first couple of sections from that article…

(more…)

15 Actions/Penalties Brought By FTC Under GLBA + FTC Act

Monday, July 7th, 2008

The FTC has long provided a great role model for other government oversight and enforcement agencies with regard to their activities in ensuring organizations follow data protection laws and also ensure organizations actually fulfill the promises they make within their published information security and privacy policies. It is too bad most of the other government agencies are not as diligent or nearly as effective in helping to ensure organizations sufficiently protect personally identifiable information (PII).
While doing some research today I compiled a list of the actions the FTC has taken, which I thought may be useful to some of you as well…

(more…)

Social Engineering Rescues Long-Time Hostages

Saturday, July 5th, 2008

Yesterday it was widely reported that 15 hostages held by Colombia’s Marxist guerrillas for as long as 6 years were freed after some very brave and daring commandos posed as being part of the guerrilla group.
The news reports described it as a stunning rescue, and it definitely was that; quite stunning!
As we watched the numerous news reports about it, I spoke with my boys about the tactics they used to get the hostages freed.
Recently I’ve been creating social engineering training content along with a social engineering awareness assessment tool, and something I found remarkable about the rescue was how it used social engineering to its full affect to rescue the hostages.
Some of the tactics in this situation included:

(more…)

Just Because Security Is Simple Doesn’t Mean People Will Do It

Thursday, July 3rd, 2008

Last Friday I was pondering whether folks were more diligent about security in their homes than businesses were based upon my admittedly very unscientific observations of wireless access points as I drove through the Des Moines, Iowa metro.
To which Davi Ottenheimer commented (thanks Davi!),

(more…)

Texas EZPawn Throws Away Its Security Promises and Customers’ Privacy and Gets A Handed A Significant Penalty

Wednesday, July 2nd, 2008

Well, here is yet another company that had a nasty habit of just throwing papers containing their customers’ personally identifiable information (PII) into publicly accessible trash cans.
On June 24 a Texas judge handed down a civil penalty of $600,000 against Texas EZPawn for tossing their customer PII, including Social Security numbers, bank account information, driver’s license numbers, date of birth, and other identifying information, into their trash cans without first irreversibly and completely shredding the papers. You can see an example of the types of records found in the trash in the court documents.

(more…)

Information Security and Privacy Convergence Is Nothing New…Both Areas MUST Collaborate

Tuesday, July 1st, 2008

The comparatively new awareness of the need for information security and privacy convergence and collaboration has actually existed for many years. I first experienced this firsthand in the first half of the 1990’s when I was responsible for information security in a multinational financial and insurance company. The company launched one of the very first online banks, and I was establishing the security requirements when I saw the need to address the privacy aspects. This was before the passage of GLBA or HIPAA, but I knew that a few bills addressing privacy had been being considered, not only in the U.S. but also worldwide, and that the OECD privacy principles were the basis for many of the privacy requirements.

(more…)