There have been a lot online posts and talk lately about risk management and the “proper” or “acceptable” way to do risk assessments. It seems that the overwhelming talk, though, is only about the right and wrong way to do a risk assessment whenever considering a risk management program. Certainly, using the best risk assessment method to fit your business environment is very important; one size, and one method, does not fit all! However, there are so many more activities necessary within a risk management program than just occasionally doing a risk assessment. Regulatory agencies are (more…)
Posts Tagged ‘electronic mail’
Work Area Reviews are Necessary for Effective Risk Management
Monday, December 17th, 2012Tags:audit, awareness, breach, compliance, customers, data protection, e-mail, electronic mail, email, employees, employment, facebook, fake IDs, hiring, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, messaging, midmarket, non-compliance, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, risk, risk assessment, risk management, security, sensitive personal information, social media, social networking, SPI, systems security, test data, training, twitter, walk through
Posted in Information Security | 2 Comments »
Are You Faking It?
Thursday, November 29th, 2012Are you faking it online? Or faking it at work? While faking it certainly has its benefits in both places, I want to touch upon a couple of concerns I have with using fake identities. (more…)
Tags:awareness, breach, compliance, customers, data protection, e-mail, electronic mail, email, employees, employment, facebook, fake IDs, hiring, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, messaging, midmarket, non-compliance, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, reputation, risk, security, sensitive personal information, social media, social networking, SPI, systems security, test data, training, twitter
Posted in Social Media | 2 Comments »
Implementing a Data De-Identification Framework
Wednesday, November 21st, 2012Growing numbers of organizations are trying to figure out the benefits of anonymizing, or as HIPAA (the only regulation that provides specific legal requirements for such actions) puts it “de-identifying,” personal information. Healthcare organizations see benefits for improving healthcare. Their business associates (BAs) see benefits in the ways in which they can minimize the controls around such data. Of course marketing organizations salivate at the prospects of doing advanced analysis with such data to discover new trends and marketing possibilities. The government wants to use it for investigations. Historians want to use it for, yes, marking historical events. And the list (more…)
Tags:anonymization, anonymized, audit, awareness, BAs, breach, CEs, compliance, customers, data protection, de-identificaiton framework, de-identification, de-identify, e-mail, electronic mail, email, employees, employment, Herold de-identification, HHS, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, messaging, midmarket, non-compliance, OCR, patients, PbD, personal information, personally identifiable information, personnel, PHI, PII, policies, privacy, privacy breach, Privacy by Design, privacy professor, privacyprof, Rebecca Herold, reputation, risk, security, sensitive personal information, SPI, systems security, training
Posted in HIPAA, privacy, Uncategorized | No Comments »
ISMS Certification Does Not Equal Regulatory Compliance
Wednesday, October 31st, 2012Last week I got the following question:
“By becoming ISO 27001 certified does that automatically mean we comply with HIPAA and HITECH requirements? Are there any requirements of HIPAA/HITECH that are not required to meet ISO 27001 standards?”
This is not the first time I’ve gotten this question, and others similar. As new technology businesses, cloud services and other businesses are popping up to provide services to large regulated organizations, start-ups are increasingly looking for a way to differentiate themselves from their competitors, and also prove that they have not only effective security controls in place, but that they also (more…)
Tags:27001, 27002, audit, awareness, breach, certification, compliance, customers, data protection, e-mail, electronic mail, email, employees, employment, HHS, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, ISMS, ISO27001, ISO27002, IT security, job applicants, laws, messaging, midmarket, non-compliance, OCR, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, reputation, risk, security, sensitive personal information, SPI, systems security, training
Posted in HIPAA, HITECH, Laws & Regulations | No Comments »
Repost From Social Media to Lose Customers and Friends Fast
Monday, October 22nd, 2012Last week one of my Facebook friends started a “friends only” discussion on his wall. It was a very interesting discussion, and one of his friends took the discussion, pretty much verbatim, and posted within a “public” (as in meant for the world to see) popular blog site. So the information on the Facebook page, where around 250 – 300 people could see the posts were now in a location where the bazillion (possibly a bit fewer) blog readers could see all the posts and the full names of those who made them. This is not the first time a situation like this has occurred. A lot of the information posted on people’s social media pages are really tempting to take and use as examples, or for business activities such as for marketing and promotions. However, doing so could get you into some personal and/or legal hot water. As organizations and individuals consider taking information they find on social media sites, they need to consider the reasons why doing so may not be a good idea after all.
Reason #1: It will (more…)
Tags:awareness, breach, compliance, copyright, Creepshots, customers, data protection, e-mail, electronic mail, email, employees, employment, facebook, Gawker, hiring, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, LinkedIn, messaging, Michael Brutsch, midmarket, non-compliance, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, Reddit, reputation, risk, security, sensitive personal information, social media, social network, SPI, systems security, training, twitter, Violentacrez
Posted in Social Media | 2 Comments »
Please Don’t Tell Me You’re Still Using SSNs as IDs!
Tuesday, October 2nd, 2012Okay, I just finished the 3rd conversation in just the past two weeks alone with an organization that is using Social Security Numbers (SSNs) as their primary form of customer and/or employee identification. I’ve written about this topic numerous times over the past 15 years. Seriously; all businesses out there doing this, please make a plan to stop doing this! Why? Here are three good reasons. (more…)
Tags:awareness, breach, compliance, customers, e-mail, electronic mail, email, employees, employment, hiring, HR, human resources, IBM, ID theft, identifiers, identity theft, IDs, Information Security, information technology, infosec, IT security, job applicants, messaging, midmarket, non-compliance, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, security, sensitive personal information, social security number, SPI, SSN, systems security, training
Posted in Information Security, Laws & Regulations | 1 Comment »
A Cyber Bullying Victim Shares His Experience
Monday, October 1st, 2012Today is October 1st, which is also Blue Shirt Day™ World Day of Bullying Prevention©!
Cyber bullying is a topic I cover in my Q3 2012 issue of Protecting Information Journal, and my youth reporter for this quarter’s issue, Lexx, wrote about his personal experience with cyber bullying. Typically only my subscribers get to read these great articles, but in honor of Blue Shirt Day™ I want everyone to have a chance to read his article that provides important insights into how so many of our children are dealing with this growing problem. Here it is in its entirety; please provide feedback, not only to me, but also for my talented youth reporter! (more…)
Tags:awareness, Blue Shirt Day, breach, bullying, CiviliNation, compliance, cyber bully, cyberbully, Daniel Solove, e-mail, electronic mail, email, Information Security, information technology, infosec, IT security, Mary Kay Hoal, messaging, non-compliance, online posting, personal information, personally identifiable information, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protecting information, protecting information journal, Rebecca Herold, reputation, security, sensitive personal information, social media, SPI, Sue Scheff, systems security, training, tweet, twitter, YourSphere
Posted in Cyber Bullying | No Comments »
Privacy Scares from the Ghosts of Job Applicants Past
Monday, September 17th, 2012There is a topic that has been coming up, over and over and over again over the past 12 years, that I’ve never seen addressed in other publications. What does your organization do with all the personal information you collect from job applicants? Consider a real situation I encountered around ten years ago. (more…)
Tags:awareness, breach, compliance, e-mail, electronic mail, email, employment, hiring, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, lawsuits, messaging, midmarket, non-compliance, online posting, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, security, sensitive personal information, social media, SPI, sue, systems security, training, tweet, twitter
Posted in Privacy and Compliance, Uncategorized | Comments Closed
6 Questions to Ask before Posting to Social Networks
Friday, August 31st, 2012Every day I see yet another (often another dozen) situation where employees misused, abused or otherwise accused social media sites to the chagrin of their employers. Businesses need to make a coordinated effort, using a combination of policies, training and technology to mitigate the risks (to personnel as well as the business) of workers using social media sites. Today let’s consider what organizations should be telling their workers about social media information security and privacy. (more…)
Tags:awareness, breach, bullying, compliance, cyberbullying, e-mail, electronic mail, email, facebook, IBM, Information Security, information technology, infosec, IT security, lawsuits, Linked In, messaging, midmarket, non-compliance, online posting, personal information, personally identifiable information, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, security, sensitive personal information, social media, SPI, systems security, training, tweet, twitter
Posted in Social Media, Training & awareness | 5 Comments »
Are Emails of Public Company Execs Private or Public?
Thursday, August 16th, 2012At the end of July, Twitter suspended the account of Guy Adams, a reporter for the UK’s Independent, after he posted the corporate email address of Jim Bell, Producer of NBC Olympics, and said less than flattering things about his expectations for how NBC would do in their Olympics coverage. Adams reportedly claimed that he felt the email account was open to public use since it showed up in Google search results. However, privacy concerns were widely expressed over his decision to share the executive’s contact details, and thus his account was suspended. Apparently NBC complained, Twitter listened, and Guy’s account was shut down. After a bit of hullabaloo, Twitter then changed heart and re-activated his Twitter account. I received several great questions related to this, collectively boiling down to the following five: (more…)
Tags:awareness, breach, compliance, CSO Online, e-mail, electronic mail, email, Guy Adams, IBM, Information Security, information technology, infosec, IT security, Jim Bell, lawsuits, messaging, midmarket, NBC, non-compliance, Olympics, online posting, personal information, personally identifiable information, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, security, sensitive personal information, social media, SPI, sue, systems security, training, tweet, twitter
Posted in Social Media, Training & awareness | No Comments »