Great New Site for Data Loss Statistics

May 15th, 2007

There is a great new site, etiolated.org, that takes the privacy breach data accumulated by attrition.org and parses it into some very interesting statistics, trends charts, provides areas for commentary, and lots of other interesting and useful information.

Read the rest of this entry »

High School Cyber-Defense Competition: Mentoring Information Security Leaders of the Future

May 15th, 2007

There is great opportunity to ensure future computer systems and applications are more securely engineered than they are now by teaching our children from a young age the importance of information security and privacy, and showing them what needs to be done. I often have fantastic conversations with my sons about information security and privacy issues; they always bring wonderful perspectives I never thought about.

Read the rest of this entry »

Social Engineering & the Need for Awareness & Training: Fraudsters Are Calling Businesses Pretending to Be SEC Staff Members

May 14th, 2007

Another example of a social engineering scam, and another example of why awareness and training are so important for safeguarding information…
On May 10th the U.S. Securities and Exchange Commission (SEC) issued a press release warning that imposters were calling companies, claiming to be SEC examiners, and demanding “immediate access to confidential records.”

Read the rest of this entry »

Information Security & Privacy Awareness: Engage Personnel In Thinking About the Issues To Improve Security and Privacy

May 12th, 2007

It really bothers me when so-called information security and privacy “experts” make statements that awareness activities have no impact. They base their opinions on measurements that could very well be, and likely are, unrelated to each other. Last year a study was presented in Europe claiming awareness activities has no impact on security.
Hogwash!

Read the rest of this entry »

Insider Threat Example: Engineer Leaks U.S. Military Secrets

May 11th, 2007

There has been a lot of talk and blogging recently about whether or not there is a need for an information security industry/profession. Um sure, and there is no need for the physical security industry/profession either, is there?
As long as humans touch information in any way, electronically or physically, information security will be needed to provide them with policies, procedures, standards, guidance, training, ongoing awareness, and responding to and fixing the security messes and privacy breaches they cause.

Read the rest of this entry »

The Importance of Policies…Breathalyzer = Drug Test = Physical Search = 4th Amendment Violation?: Iowa High School Students Given Breathalyzer Tests at the Prom

May 10th, 2007

I’m always interested in reading about information security and privacy issues reported here in the heartland.
A story in my local daily paper, the Des Moines Register, caught my eye and filled my thoughts today and points out, among other things, the importance of having policies and communicating them.

Read the rest of this entry »

Two U.S. Federal Data Protection Bills Approved: One May Actually Make It Through

May 9th, 2007

It looks like we make actually get a federal data protection law, that includes breach notice requirements, this year. Such a law is long overdue; not only to protect personally identifiable information (PII), but also to help businesses to resolve their growing headaches involved with trying to comply with at least 36 state breach notice laws as well as dozens of other state level data protection and credit freeze laws, and multiple industry-specific data protection laws.

Read the rest of this entry »

Deadline is Today for Submitting Comments to the DHS About Draft REAL ID Rules

May 8th, 2007

The Department of Homeland Security (DHS) published draft rules regarding REAL ID. Comments are due by 5:00 PM Eastern Time *TODAY*.

Read the rest of this entry »

France Fines Tyco Healthcare: U.S. Companies, You MUST Know and Follow International Data Protection Laws

May 7th, 2007

In April the French Data Protection Authority (CNIL) reported they had issued a $40,972 fine against a subsidiary of U.S.-based Tyco Healthcare in March for inadequate storage safeguards and cross-border transfer of employee personally identifiable information (PII).

Read the rest of this entry »

Data Security: OECD Publishes New Privacy Guidelines for Accessing Data From Publicly Funded Research Projects

May 6th, 2007

On May 3 the Organization for Economic and Cooperation and Development (OECD) released a new 24-page guideline,”Principles and Guidelines for Access to Research Data from Public Funding” for organizations in governments throughout the world regarding access to data from publicly funded research projects.

Read the rest of this entry »