Archive for the ‘government’ Category
Thursday, September 26th, 2013
I’ve received numerous questions from various news outlets, clients and colleagues since the published revelation that the NSA was getting the assistance of encryption vendors to decrypt messages throughout a very wide range of activities. A lot of folks are now throwing their hands in the air, claiming that encryption is now no longer effective, and planning to use something completely different. Hmm…wait! Don’t throw out the encryption baby with the unsafe practices bathwater yet. Encryption is still an effective, and necessary, information security control to use. The following are (more…)
Tags: awareness, BA, BAA, breach, business associate, CE, compliance, covered entity, data protection, encrypt, encryption, HIPAA, HITECH, IBM, Information Security, information technology, infosec, IT security, midmarket, monitoring, NIST, non-compliance, NSA, Omnibus, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, RSA, security, social network, surveillance, systems security, training
Posted in government, Information Security | No Comments »
Wednesday, June 27th, 2012
July 4 Update to Original Post: See additional recent statements from the OCR and the Alaska DHSS about this case here.
Here is a significant sanction, just applied, that all organizations, of all sizes, need to take notice of. Even if you are not in the healthcare industry, this case points out the elements of an information security and privacy program, and the supporting safeguards, that will be used as a model of standard practices by all types of regulatory oversight agencies. (more…)
Tags: Alaska, audit, awareness, breach, compliance, fine, HHS, HIPAA, IBM, Information Security, information technology, infosec, IT security, Medicaid, midmarket, non-compliance, OCR, personal information, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, risk assessment, sanction, security, sensitive personal information, SPI, systems security, training
Posted in government, healthcare, HIPAA, HITECH | No Comments »
Thursday, June 18th, 2009
I read a story about a city government agency actually asking job applicants to provide their IDs and passwords for any online social networking sites they participate in…
(more…)
Tags: awareness and training, Bozeman, Information Security, insider threat, IT compliance, IT training, personal privacy, policies and procedures, privacy training, risk management, security training
Posted in government, Information Security, Privacy and Compliance | 2 Comments »
Thursday, March 12th, 2009
A type of project I really love to do is a privacy impact assessment (PIA). For companies that collect or otherwise handle the personally identifiable information (PII) of individuals from multiple countries, a cross-border data flow analysis of that PII is typically within the scope of the PIA.
(more…)
Tags: awareness and training, Department of Commerce, EU Data Protection Directive, Information Security, IT compliance, IT training, PIA, policies and procedures, privacy impact assessment, privacy training, risk management, safe harbor, security training
Posted in government, Privacy and Compliance | No Comments »
Monday, February 16th, 2009
On February 12 the U.S. Federal Trade Commission (FTC), the most actively aggressive oversight agency in the U.S. with regard to enforcing privacy protections, released new behavioral advertising principles…
(more…)
Tags: awareness and training, behavioral advertising, compliance, FTC, Information Security, IT compliance, IT training, policies and procedures, privacy, privacy principles, privacy training, risk management, security training
Posted in government, Laws & Regulations, Privacy and Compliance | No Comments »
Friday, January 23rd, 2009
I thought it was pretty silly to read over the past few weeks that President Obama was being pressured to give up his Blackberry because of security reasons. If information security controls are properly implemented, then there is no reason that the president of the U.S., or any other person for that matter, should not use a smartphone!
I was happy to see the following article published by CNN…
(more…)
Tags: awareness and training, Barack Obama, blackberry, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, smartphone security
Posted in government, Information Security | No Comments »
Tuesday, January 20th, 2009
Happy U.S. presidential inauguration day! 🙂 Did you take off a few minutes of work to watch the inauguration? I wasn’t going to, was planning to just catch videos on the news sites or YouTube later, but then I did, and I’m glad; it was so historical and memorable!
To celebrate, how about I tell you that NIST just made a great new document available…
(more…)
Tags: awareness and training, Information Security, IT compliance, IT training, NIST, OECD privacy principles, personally identifiable information, PII, policies and procedures, privacy training, risk management, security training, SP 800-122
Posted in government, Privacy and Compliance | No Comments »
Saturday, January 17th, 2009
I was at an ISACA meeting earlier this week, and over lunch I got into an interesting conversation with a group there about whether or not streaming video feeds were going to be allowed or blocked at the firewall during the inauguration of Barack Obama as U.S. president this coming Tuesday. Some views were that it was a historic event, that most people would not be working anyway, and that to maintain goodwill with personnel the streaming videos would be allowed. Others said they would block the streaming video to maintain workable bandwidth, but they were setting up TV monitors throughout the facilities so personnel could watch if they chose to, with no network impact on others in the company who continued to work.
(more…)
Tags: awareness and training, Barack Obama, inauguration, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training
Posted in government, Information Security | No Comments »
Wednesday, January 7th, 2009
The lack of effective or consistent regulatory oversight over the past 8 years, which is blamed in large part for the current economic mess, means, at least to many soothsayers, that a new Obama administration will bring with it not only more aggressive compliance activities but also a fresh round of new laws and regulations. Many of these are anticipated to require much more audit logging, storage and retention, and more stringent access controls.
(more…)
Tags: awareness and training, Information Security, IT compliance, IT training, logging, Obama, policies and procedures, privacy training, retention, risk management, security training, storage
Posted in government, Privacy and Compliance | No Comments »
Monday, December 29th, 2008
Okay, this story raises the question: why didn’t someone at the Naval Research Laboratory notice the disappearing equipment…?
(more…)
Tags: awareness and training, computer crime, criminal, Information Security, insider threat, IT compliance, IT training, Naval Research Laboratory, policies and procedures, privacy training, risk management, security training, theft, Victor Papagno
Posted in government, Information Security, Lost & Stolen Laptops | 2 Comments »