April 6th, 2008
I always invite feedback and comments about my articles and books. I like to know what people have found useful as well as hear how I can improve upon my writing and see if there is any more information I could have added or expanded upon.
So, I was interested to see that Dr. Anton Chuvakin read one of my recent PCI DSS logging compliance papers and posted to his blog about it.
However, he made a significant misquote and provided misinformation, which provide good topics for discussion…
Tags: Anton Chuvakin, awareness and training, certify, compliant, HIPAA, Information Security, IT compliance, log management, PCI DSS, policies and procedures, QSA, risk management, security awareness, security training
Posted in Privacy and Compliance | 2 Comments »
April 3rd, 2008
A few weeks ago I was at a meeting for a professional organization I belong to, giving a talk about privacy breach response, and the audience was great; around 40 in attendance, all visibly listening and interested and participating. I love to look and see everyone’s faces as I am talking; seeing if they are confused, in agreement, or otherwise are reacting to the ideas and recommendations I am talking about.
I was around 20 minutes into my talk when someone’s cell phone started ringing…playing a John Phillip Sousa march. LOUDLY. I kept talking, and everyone was still listening…trying to listen…but the darn phone kept playing! People then started looking around…and finally I stopped and said, “Does someone need to get that?” One of the folks then reached down and answered it; and then left the room. Quite an unnecessary interruption.
Tags: ABC World News, awareness and training, communication, Dogster, email, Information Security, instant messaging, IT compliance, meetings, policies and procedures, risk management, security awareness, security training, text messages, topless meetings, twitter
Posted in Training & awareness | 2 Comments »
April 2nd, 2008
I get several questions from folks about various information security, privacy and compliance issues. I answer all I can. Most of them are great, thought-provoking questions that help to spawn a nice discussion!
I recently got a very good and interesting question from a healthcare provider that all organizations really need to put some thought into. With this in mind, the following is the de-identified message I received, along with my slightly edited reply…
Tags: awareness and training, HIPAA, Information Security, insider threat, IT compliance, patient privacy, policies and procedures, risk management, security awareness, security training
Posted in Privacy and Compliance | No Comments »
April 1st, 2008
Today I just finished writing the last of a three paper series, “The Essentials Series: PCI Compliance,” in which I discuss and demonstrate three ways in which meeting the PCI DSS requirements for logging also benefits businesses by putting into place log management practices that:
Tags: awareness and training, Information Security, insider threat, IT compliance, log management, PCI DSS, policies and procedures, risk management, security awareness, security training
Posted in Information Security, Privacy and Compliance | No Comments »
March 30th, 2008
Business Continuity Awareness Week (BCAW) is March 31st – April 4; at least it is in the UK and throughout Europe.
Business Continuity Awareness Week in Australia is the week from Monday, April 28th – Friday, May 2nd.
Tags: awareness and training, BCAW, business continuity, Business Continuity Awareness Week, Information Security, IT compliance, policies and procedures, risk management, security awareness, security training
Posted in Information Security | 1 Comment »
March 28th, 2008
Dan Swanson sent me this news story (thanks Dan!), which gave me a chuckle…
“Employee Fined $13,000 for Drunken Hacking”
A rather interesting part of his judgment:
Tags: awareness and training, drunken hacking, Information Security, IT compliance, James M. DiBlasio, policies and procedures, risk management, security awareness, security training
Posted in Information Security, Miscellaneous | No Comments »
March 27th, 2008
Okay, after the recent passport files snooping debacle I found today’s news story, “Outsourcing passports ‘profound liability’” very ironic and concerning.
Not only for the reported huge waste of taxpayers’ dollars, but also for the security risks…
Tags: awareness and training, GPO, Information Security, IT compliance, passport-gate, passports, policies and procedures, privacy breach, risk management, security awareness, security training
Posted in government, Information Security | 2 Comments »
March 26th, 2008
The folks from Cutter just notified me that an excerpt from a recent article I wrote, “Learning from a Privacy Ombudsman: A Case Study to Establish a Healthcare Services Ombudsman,” will soon be featured in the “Quote of the Day” section of the Cutter Web site.
Here’s the excerpt…
Tags: awareness and training, healthcare, Information Security, IT compliance, policies and procedures, privacy breach, privacy ombudsman, risk management, security awareness, security training
Posted in Miscellaneous, Privacy and Compliance | No Comments »
March 25th, 2008
Yet another in a long procession of laptop thefts, “Stolen laptop contains personal info of 2,500 patients”.
Here are the first few paragraphs…
Tags: awareness and training, encryption, GAO, Information Security, IT compliance, laptop loss, laptop theft, NHLBI, patient privacy, policies and procedures, privacy breach, risk management, security awareness, security training
Posted in Lost & Stolen Laptops, Privacy Incidents | 1 Comment »
March 23rd, 2008
The breach of the presidential candidates’ passport files was widely reported over the past few days, such as here and here, not to mention the many postings referencing it as “passport-gate” throughout the blogosphere and the political implications. However, based upon what I’ve been reading it looks more like the result of a poor, inadequate and vulnerable information security program.
There are many information security and privacy issues involved with this incident. It would make a great case study to use at a joint meeting with your information security, privacy and compliance folks. Some of the questions to include in your discussion could include…
Tags: Analysis Corp, applications security, awareness and training, Barack Obama, Hillary Clinton, Information Security, IT compliance, John McCain, passport-gate, policies and procedures, privacy breach, risk management, security awareness, security training, Stanley Inc
Posted in Information Security, Privacy and Compliance, Privacy Incidents | No Comments »