Improve Information Security And Privacy By Engaging Your Personnel And Their Children…Our Future Information Security and Privacy Leaders

January 23rd, 2008

Personnel will understand information security and privacy issues better if they can relate the issues to their own lives. Seeing how the issues affect their family members and friends raises awareness further. Seeing the issues from their children’s perspective, and noticing how their own family members may be unknowingly putting information at risk, helps them appreciate why the issues matter and guard against the associated threats more effectively.

Social Engineering Schemes Increase: Great Case Study From An Actual Event

January 22nd, 2008

Last month I finished the second issue of my Protecting Information publication and the topic couldn’t be more timely: social engineering.
Just today I have already read five articles about social engineering in my daily news items! One in particular, “CUNA Mutual Warns on Costly HELOC Scam,” not only provides a great example of a current social engineering scam, but would also make a great case study for social engineering training and for your awareness communications and activities. Here’s a quick overview…

CMS Announces Plans To Actively Audit Hospitals For HIPAA Compliance

January 21st, 2008

The U.S. Centers for Medicare and Medicaid Services (CMS) announced last week that they plan to audit 10 – 20 hospitals for HIPAA compliance in the next 9 months according to a Government Health IT article.

Insider Threat Example: Former Cox Employee Sent To Jail (And More) For Hacking System

January 20th, 2008

It is not only important but absolutely necessary to let personnel know what your information security and privacy policies are, along with your organization’s sanctions, and then to enforce those policies consistently. If personnel know that policies are not enforced, and that there is no negative consequence for failing to safeguard information and systems properly, it becomes easy for them to ignore policies whenever following them is inconvenient or time-consuming. It also makes it easier for disgruntled personnel to act on a vendetta.

FTC Hands Down Another FTC Act Noncompliance Penalty For Bad Online Application Security

January 18th, 2008

Yesterday the U.S. Federal Trade Commission (FTC) handed down yet another penalty against an online retailer, Life is good, Inc., for not properly safeguarding its online ecommerce applications.
The FTC charged that the company was in violation of the FTC Act because it promised in its online privacy statement that it would safeguard customer data, yet a hacker “was able to use SQL injection attacks on Life is good’s Web site to access the credit card numbers, expiration dates, and security codes of thousands of consumers.”
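The attack class named in the FTC complaint is worth seeing concretely. The following is an added illustration, not code from Life is good’s site or from the FTC filing: a constructed in-memory SQLite order table with fake card values, an order-lookup function that pastes user input into the SQL text (the pattern SQL injection exploits), and the parameterized form that closes the hole. The customer names, order numbers, card values and the `' OR '1'='1` payload are all assumptions made up for the example.

```python
import sqlite3

# Constructed sample data for the demonstration only (not real card data).
# Note that storing the security code at all is itself a problem; the example
# keeps it only to mirror what the FTC said the attacker was able to read.
SAMPLE_ORDERS = [
    ("1001", "alice", "4111111111111111", "12/09", "123"),
    ("1002", "bob",   "5500000000000004", "03/10", "456"),
    ("1003", "carol", "340000000000009",  "07/11", "789"),
]


def build_db():
    """Create an in-memory orders table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id TEXT, customer TEXT, "
        "card_number TEXT, expiry TEXT, security_code TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_order_vulnerable(conn, customer, order_id):
    """Vulnerable: user input is spliced into the SQL string.

    A customer is supposed to see only their own order, but the WHERE clause
    is built from raw input, so an attacker controls the query's logic.
    """
    sql = (
        "SELECT customer, card_number, expiry, security_code FROM orders "
        f"WHERE customer = '{customer}' AND order_id = '{order_id}'"
    )
    return conn.execute(sql).fetchall()


def lookup_order_safe(conn, customer, order_id):
    """Hardened: the same query with bound parameters.

    The driver sends the values separately from the SQL text, so a quote
    in the input is just data and can never change the WHERE clause.
    """
    sql = (
        "SELECT customer, card_number, expiry, security_code FROM orders "
        "WHERE customer = ? AND order_id = ?"
    )
    return conn.execute(sql, (customer, order_id)).fetchall()


# Hypothetical attacker input: closes the order_id string and appends a
# tautology, turning the WHERE clause into
#   customer = 'alice' AND order_id = '' OR '1'='1'
# which, because AND binds tighter than OR, matches every row.
INJECTION_PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    conn = build_db()
    print("legit, vulnerable:", lookup_order_vulnerable(conn, "alice", "1001"))
    print("legit, safe:      ", lookup_order_safe(conn, "alice", "1001"))
    # The vulnerable lookup hands back every customer's card data.
    print("attack, vulnerable:", lookup_order_vulnerable(conn, "alice", INJECTION_PAYLOAD))
    # The parameterized lookup returns nothing: no order_id equals the payload.
    print("attack, safe:      ", lookup_order_safe(conn, "alice", INJECTION_PAYLOAD))
```

Run it as a script to see the vulnerable lookup return all three constructed card records for the injected input while the parameterized lookup returns an empty list. Parameterized queries are the fix the page’s example calls for; limiting what the web application’s database account can read, and not retaining security codes after authorization, would each have reduced what a successful injection could expose.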

A Roadmap For Successful ITIL Implementation

January 17th, 2008

The final chapter of my ebook, “The Shortcut Guide to Improving IT Service Support through ITIL” was just released!

Clearly Justify Your Information Security and Privacy Policies

January 16th, 2008

I’m helping one of my clients with updating their information security and privacy policies, aligning them with ISO 27002, and creating new policies to fill gaps as necessary based upon the organization’s risks. I was speaking with the CISO this week and he made a statement that I’ve heard many times over the years that really is a blockade to advancing information security within most organizations.
“I wish when the CEO rejects a policy he would tell me why. I know he’s short on time, but it would help me do my job so much better if he’d just explain why.”

CMS Hires A Fox To Guard The HIPAA Henhouse

January 15th, 2008

I just read a very interesting article, “CMS’ HIPAA watchdog presents potential conflict” that made me go Hmmm!!
The gist of the article is that the Centers for Medicare and Medicaid Services (CMS), the agency responsible for Health Insurance Portability and Accountability Act (HIPAA) oversight and compliance enforcement, has contracted PricewaterhouseCoopers (PwC) to perform HIPAA Security Rule compliance audits during 2008.

Man Pleads Guilty To Loading Keylogger Software On Public Computers Worldwide To Collect PII and Commit Fraud

January 14th, 2008

Here’s another good example of an actual cybercrime that was allowed to occur because of poor safeguards on computers provided for public use.
On January 9, 2008, Mario Simbaqueba Bonilla pleaded guilty to installing keylogger software on hotel business center and Internet cafe computers throughout the world, which allowed him to access the bank and other financial accounts of over 600 individuals.

Insider Threat Example: Programmer Sentenced To 30 Months In Jail And $81,200 Fine

January 13th, 2008

Here’s a case I blogged about almost exactly a year ago, but it is worth revisiting since the sentencing for the crime was just handed down and it was significant. If you haven’t already, put this in your file of actual examples to incorporate into your information security and privacy awareness and training activities and content.
On January 8 a federal court in Newark, New Jersey, sentenced Yung-Hsun “Andy” Lin, a former systems administrator for Medco Health Solutions Inc., to 30 months in prison for transmitting computer code intended to wipe out data stored on Medco’s network, which consisted of more than 70 servers.