Archive for the ‘Information Security’ Category
Wednesday, September 10th, 2008
For day 3 of Global Security Week I want to talk a little bit about the importance of securely disposing of your papers and storage media that contains personal information…
Tags: awareness and training, cybercrime, data disposal, disposal rule, dumpster diving, FACTA, Global Security Week, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training
Posted in Information Security | No Comments »
Monday, September 8th, 2008
Here’s an interesting article about cybercrime to kick off Day 1 of Global Security Week…
Tags: awareness and training, cybercrime, Global Security Week, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training
Posted in Information Security, Training & awareness | No Comments »
Monday, September 1st, 2008
Now, here’s a great example of an organization actually following through on their procedures to review access logs, and then to apply sanctions and take necessary other actions in response to non-compliance with not only organizational policies, but also with applicable laws…
Tags: awareness and training, Information Security, insider threat, IRS, IT compliance, IT training, John Snyder, Kentucky, logs review, policies and procedures, privacy training, risk management, security training
Posted in Information Security, Non-compliance Sanctions Examples, Privacy and Compliance | No Comments »
Saturday, August 30th, 2008
I’ve been doing a lot of work with data retention and disposal policies and procedures lately, remembering the silly things I have read about with regard to organizations getting rid of their computers, such as selling their computers on eBay when they no longer need them…without removing the information! This is certainly not a phenomenon that is confined to the U.S.
Lo and behold, another situation has happened where an organization sold their old computer on eBay…for a bargain at £77 ($141), and it contained a huge amount of personally identifiable information (PII), including credit card applications, on what is reported to be over 1 million customers. Here are a few excerpts from the report in Forbes…
Tags: awareness and training, data disposal, Information Security, insider threat, IT compliance, IT training, laptop incident, outsourcing risks, PII, policies and procedures, privacy incident, privacy training, risk management, security training, vendor risks
Posted in Information Security, Lost & Stolen Laptops, Privacy and Compliance, Privacy Incidents | No Comments »
Thursday, August 28th, 2008
Here are some more data retention tips and considerations as a follow-up to my Tuesday blog post…
Tags: awareness and training, data retention, disposal, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training
Posted in Information Security, Laws & Regulations | No Comments »
Tuesday, August 26th, 2008
There have been several interesting news reports recently about data retention proposals, plans, practices and laws in the U.K.
Currently there are proposals to require emails to be retained for a full year, but critics contend that sloppy data retention practices will result in actual retention periods that are much longer, if the emails ever get deleted at all.
This is an important point; when it comes to data retention, the requirements are rarely, if ever, followed by some organizations…
Tags: awareness and training, data retention, disposal, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training
Posted in Information Security, Laws & Regulations, Privacy and Compliance | No Comments »
Friday, August 22nd, 2008
A few months ago I blogged about a co-anchor at a television station who was accused of getting into his co-anchor’s email and passing information from the messages along to news outlets.
I was interested to see a CNN report today, “Fired anchor pleads guilty to e-mail snooping” that followed up on this story. Larry Mendte reportedly admitted to accessing Alycia Lane’s emails, in her 3 home and work accounts, over 500 times over a 2-year period!
Okay, why was he able to so easily get into her email accounts…3 OF THEM!…over a period of 2 years?! Wasn’t there any security applied to these email systems?
Some possibilities…
Tags: Alycia Lane, awareness and training, email security, Information Security, IT compliance, IT training, Larry Mendte, policies and procedures, privacy training, risk management, security training
Posted in Information Security, Privacy Incidents | 2 Comments »
Tuesday, August 19th, 2008
Yesterday CNN ran an interesting story, “U.S. at risk of cyberattacks, experts say.”
For those of you in the information security biz this is not new news, I know. We’ve known and discussed the massive and insidious types of damage that could be done through cyber attacks for several years. However, there is still not enough being done.
Tags: awareness and training, CNN, cyberattack, cybercrime, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training
Posted in Information Security | 2 Comments »
Friday, August 15th, 2008
Is your accountant or tax preparer sending your personally identifiable information (PII) offshore? Possibly.
Here is the second part of the first article, “(Mis)Using Social Security Numbers in Business,” within my August issue of IT Compliance in Realtime Journal, which discusses the use of SSNs (get the nicest version of the full journal here)…
Tags: awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, social security number, SSN
Posted in Information Security, Privacy and Compliance | 1 Comment »
Wednesday, August 13th, 2008
Recently I got a call from a representative of one of the free IT magazines I subscribe to. The rep wanted to renew my subscription, and needed to ask me a few “qualifying” questions first. Fine.
When she asked, “What is your Social Security number?” I responded, “You don’t need to know.”
She replied, “Yes, I do. We must verify that you are, indeed, who you say you are, so we need your Social Security number to do that. It is our standard procedure.”
“Well,” I told her, “Don’t you think it is poor business practice to make an unannounced call to your subscribers and ask them for a Social Security number? After all, you made the contact with me, not the other way around. I answered my phone, didn’t I? And besides, how do I know *YOU* are who you say you are? Can you please give me your Social Security number so I can verify that you are, indeed, who you say you are?”
Tags: awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, social security number, SSN
Posted in Information Security, Privacy and Compliance | 1 Comment »