A little over 10 or so years ago, when I was responsible for information security and privacy at a large financial organization, I was doing research into PKI products and solutions. The sales exec for one of the products I was considering insisted on coming onsite with his “lead scientists and engineers” to tell me and some other folks in the IT and information security area about how wonderful their PKI product was. I did some research and prepared a couple of pages of questions to ask them about the specifics of their product. The sales exec, who has since gone on to other work and is also now a friend of mine, later told me that he felt like shrinking and hiding under the table as I asked questions about the specifics, functionality and support of their product that the developers themselves could not answer, and, even worse, many that they had not even thought about.
Archive for the ‘Information Security’ Category
Security Software Must be Secure: 25 Questions To Ask Security Vendors
Wednesday, April 11th, 2007Security: NIST Releases Report on Biometrics Advances
Tuesday, April 10th, 2007Improved algorithms used in facial recognition software programs have improved the success of such technology by up to ten times since 2002, the National Institute of Standards and Technology (NIST) said in a report,”Face Recognition Vendor Test (FRVT) 2006 and the Iris Challenge Evaluation (ICE) 2006 Large-Scale Results” issued March 29.
HIPAA Security Rule and Privacy Rule Enforcement Reportedly Going To Be Pursued In 2007
Monday, April 9th, 2007Something that has bothered me, and many others, for a very long time is how there have been absolutely no enforcement actions for the Health Insurance Portability and Accountability Act (HIPAA) privacy rule or security rule since they went into effect. Passing a law and then not doing anything to enforce it, even after the enforcement agencies have received tens of thousands of complaints reporting noncompliance, makes the law weak and prone to disregard by covered entities (CEs) who see others getting away with noncompliance with just a, “Whoops! Sorry, we’ll try to fix that.”
Security and Legal Implications: NLRB Hears Oral Argument Regarding Employee’s Use of Employer’s Email System
Sunday, April 8th, 2007There are increasing reports of email misuse, malicious use, mistaken use, and just plain bad implementations of email systems that allow the many threats out in the wild and woolly Internet, and the desperado insiders, to exploit vulnerabilities. It is most common for information assurance pros to be fairly diligent in trying to keep malware out of the enterprise network through scanning and filtering emails, and it is good to see that it is also becoming a growing trend to try and prevent sensitive data from leaving the enterprise by using scanning and encryption. However, there are many other mishaps and business damage that can occur through the use, or misuse, of email and email monitoring that can have legal implications.
The Path Less Traveled…I’ve Been “Tagged” to Blog About How I Got Into This Business and To This Point in my Career
Friday, April 6th, 2007I had been planning to post about a legal argument made regarding employer’s email systems and employee rights, but I’ll save that until the weekend…this sounds more fun right now any way!
Insider Threat Example: Former Wal-Mart Employee Spied Because His Managers Told Him To
Wednesday, April 4th, 2007I have seen organizations where management and staff members were so fixated on protecting the company, to the disregard of observing laws and complying with policies, that they ended up doing completely inappropriate actions that involved infringing on privacy and breaking laws.
How Long Has It Been Since You’ve Done An Awareness Activity? Privacy and Security Week Starts April 8
Monday, April 2nd, 2007Awareness activities are an important and necessary component of an effective, layered, information assurance program. Too little time is spent on communicating information security and privacy requirements, threats, vulnerabilities, and other related issues within most organizations. Providing regular traning and ongoing awareness activities to all personnel, along with customized training to targeted groups with unique information security responsibilities, such as call centers, sales and marketing folks, and applications and systems developers, as is also very important.
What Businesses Need to Know About Reputation-Based Messaging Technology
Sunday, April 1st, 2007I first started hearing about reputation-based technologies used in conjunction with filtering messages a couple of years ago. What a great idea! It does make sense to analyze the characteristics of a message to help determine whether or not it is legitimate, spam, contains malware, or is likely to be some other type of message you do not want getting onto your corporate network, doesn’t it? Trying to determine the “reputation” of the message seems to be a good additional check. Banks and credit card companies have been doing similar types of activities for decades, looking at the reputation of their loan and card applicants, when generating credit scores. It seems as though this type of analysis, while not fool-proof, could also have the potential to greatly assist with keeping unwanted messages from clogging the enterprise networks and mailservers.
What Were They Thinking!? U.S. Marshals Put The PII of Thousands of People on a D.C. Street For Anyone To Take
Saturday, March 31st, 2007I read a lot of articles about incidents; it is hard to keep up with them all! However, one I ran across on the WUSA 9News Now site in Washington D.C. grabbed my attention.
