Archive for the ‘Information Security’ Category

Who Would Want to Be a CISO or CPO for a Social Networking Site?

Friday, October 5th, 2007

This morning I spoke with a reporter from billingworld.com about social networking sites, innovation, partnering established businesses with new sites like these, and the risks involved. After the call I continued to think about this and jotted down a few notes…


Why Would You Trust Microsoft To Store Your Sensitive Health Information?

Thursday, October 4th, 2007

Today Microsoft launched their new web portal, HealthVault, to store, for free, “medical histories, immunization and other records from doctors’ offices and hospital visits, including data from devices like heart monitors. It is also tied to a health information search engine the software maker launched last month.”


Know How To Motivate Your Personnel To Protect Information

Wednesday, October 3rd, 2007

Not everyone has the same motivation to secure the information they handle or access while they are working. This is something very important for information security and privacy practitioners to understand, but unfortunately too many do not think about motivation factors when creating and managing their information security, privacy and compliance programs.


Lack of testing, lack of built-in security, and inadequate protection for stored data lead list of PCI noncompliance items

Tuesday, October 2nd, 2007

I figured that since the PCI DSS compliance deadline for Level 1 merchants was this past Sunday that there would probably be a ton of published news reports about it on Monday. There were…and today as well! One that caught my eye was in eWeek on Monday, “Comparison Shows Very Little Shift in PCI Failures.”


ABN Amro PII Breached Through P2P: Lessons Learned

Monday, October 1st, 2007

Much is written about the risks P2P presents to organizations, but many organizations continue to implement P2P technologies, or more accurately allow their personnel to implement them on computers used for business, because they are willing to risk that the threat theories will not materialize within their own organizations.


The Need to Partner Privacy and IT Efforts *FINALLY* Makes The News!

Sunday, September 30th, 2007

I have long been promoting the concept…more accurately, the NEED…of having IT/Information Security and Privacy (often in the legal area) work closely together, not only so that each area is as effective and efficient as possible in its efforts, but also to ensure no conflicting messages are being sent and no gaps exist in addressing these issues. It is additionally good for, and improves, business to have these areas work closely together; there are at least 20 overlapping topics these areas work on. Unfortunately, too often the Privacy and IT/Information Security areas do not even come close to working together.


4 Drivers For PCI DSS Compliance

Friday, September 28th, 2007

September 30 (why’d they pick a Sunday?) marks the compliance date for Level 1 organizations to be in compliance with PCI DSS.
Last week I had a nice conversation with Joe Lindstrom from Symantec about the deadline that will fall over this weekend.


DHS Exploding Generator Shows Dire Need For Better Computer Security

Thursday, September 27th, 2007

Scanning the news this morning, this CNN headline caught my eye: “Mouse click could plunge city into darkness, experts say.”
The first sentence is compelling:


18 Common Security and Privacy Work Area Vulnerabilities

Wednesday, September 26th, 2007

In 1990 when I was an internal auditor I was tasked with determining the overall information security posture of my company. One of the things that I decided would be a good thing to do was to go to the offices Saturday and Sunday evening when there would be the fewest personnel around. I wanted to look at their work areas to see what type of information security risks I could find that were a result of the work habits of the personnel.


Canadian Privacy Commissioners Release TJX Investigation Report

Tuesday, September 25th, 2007

Yesterday the Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner of Alberta released their “Report of an Investigation into the Security, Collection and Retention of Personal Information” concerning the TJX breach. The investigation was performed to determine if, and if so to what extent, the incident was a violation of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and/or the Personal Information Protection Act (PIPA).
