Posts Tagged ‘information security policies’

Addressing Mobile Risks in 2015

Wednesday, December 24th, 2014

Last week fellow IBM Midsize blogger Jason Hannula wrote about Gartner’s prediction that by 2018 more than 50% of all folks will use their mobile computing devices in the workplace before, or instead of, using a desktop or laptop. That’s just three short years away. We already have an abundance of mobile devices being used in a wide range of industries. (more…)

The 3 Necessary Elements for Effective Information Security Management

Thursday, December 11th, 2014

Seeing all these really bad information security incidents and privacy breaches, often daily, are so disappointing.  Let’s consider these four in particular.

  1. The Sony hack that seems to continue to get worse as more details are reported.
  2. An ER nurse using the credit cards of patients.
  3. Breaches of Midwest Women’s Healthcare patient records due to poor disposal practices at the Research Hospital.
  4. TD Bank’s outsourced vendor losing two backup tapes containing data about 260,000 of their customers.

And the list could continue for pages.

These incidents, and most others, probably could have been prevented if an effective information security and privacy management program existed that was built around three primary core elements: (more…)

FDIC Releases Updated IT Officer’s Risk Management Program Questionnaire

Monday, December 10th, 2007

Last week the U.S. Federal Deposit Insurance Corporation (FDIC) released an updated version of their IT officer’s risk management program questionnaire for banks and financial organizations to use to prepare for regulator audits.
Information security, privacy and IT pros in all types of organizations can benefit by looking through the questionnaire, even if they are not in a regulated industry. Auditors of all types often take such questionnaires and modify them for their use, so if internal or external auditors are looking at your IT risk management program, chances are they will be looking for similar types of information.

(more…)

FTC Settlement For Marketing Via Pop-up Ads: Lessons For All Marketers Regarding Consent & Consumer Complaints

Sunday, December 9th, 2007

I like to keep my eye on the FTC site; they are very active in catching businesses violating the U.S. FTC Act by practicing unfair and deceptive business practices, particularly via the Internet. They really demonstrate the need for privacy and information security professionals to stay on top of what their business units and marketing areas are doing with regard to contacting consumers, forcing ads upon them, and gathering information from them.

(more…)

And The Award For Best Email Security Awareness Film of 2007 Goes To…

Friday, December 7th, 2007

I’ve been seeing a ton of articles and blog postings for the “Best Security <Whatever> of 2007,” “Worst Security Exploits of 2007,” “Security Projections for 2008” and so on in the past few weeks.
Well, I’ve got my own “Best of” award to give for 2007!
None of the best of or worst of postings or articles that I have seen have covered information security and privacy awareness, even though most information security incidents and privacy breaches occur as a result of humans…human error, lack of knowledge or malicious intent.

(more…)

And The Award For Best Email Security Awareness Film of 2007 Goes To…

Friday, December 7th, 2007

I’ve been seeing a ton of articles and blog postings for the “Best Security <Whatever> of 2007,” “Worst Security Exploits of 2007,” “Security Projections for 2008” and so on in the past few weeks.
Well, I’ve got my own “Best of” award to give for 2007!
None of the best of or worst of postings or articles that I have seen have covered information security and privacy awareness, even though most information security incidents and privacy breaches occur as a result of humans…human error, lack of knowledge or malicious intent.

(more…)

Be Aware: Court Ruling Allows Circumstantial Evidence In Court Case Against Company That Experienced Privacy Breach

Thursday, December 6th, 2007

So many times…actually almost every time…a privacy breach occurs the company that experienced the breach makes a public statement similar to, “We have no evidence that the personal information has been used fraudulently” or “We do not believe the information stolen will be used for identity theft.”
Why do companies so often make this statement? Because their lawyers know that it will be hard, if fraud and crime occurs using the compromised personally identifiable information (PII), to directly tie the breach to such fraud crimes.

(more…)

Be Aware: Court Ruling Allows Circumstantial Evidence In Court Case Against Company That Experienced Privacy Breach

Thursday, December 6th, 2007

So many times…actually almost every time…a privacy breach occurs the company that experienced the breach makes a public statement similar to, “We have no evidence that the personal information has been used fraudulently” or “We do not believe the information stolen will be used for identity theft.”
Why do companies so often make this statement? Because their lawyers know that it will be hard, if fraud and crime occurs using the compromised personally identifiable information (PII), to directly tie the breach to such fraud crimes.

(more…)

California Privacy Breach Law Changes Go Into Effect January 1, 2008: Redefines & Broadens “Personal Information” Definition

Wednesday, December 5th, 2007

California’s privacy breach notification law SB1386 started the ball rolling with regard to what is now at least 40 U.S. states, including the District of Columbia, that have breach notice laws. Most of the subsequent state laws largely based theirs upon SB1386, including how the law defines “personal information.”
Effective January 1, 2008, the definition of “personal information” changes when AB1298 goes into effect in California.

(more…)

Insider Threat, the Value of Computer Logs & the Need for Consistent Policy Enforcement

Monday, December 3rd, 2007

In recent years many organizations have implemented the use of computer logs on their networks to be in compliance with multiple laws. However, here’s a perfect example of the value of computer logs beyond just to be in compliance; using them for one of the things they were meant to do…catch inappropriate activity and provide evidence that a specific person is doing something inappropriate or outright wrong.
A current news story documents how computer logs will likely cost a cop his pension and could point to evidence for his missing wife.

(more…)