Last Friday I was pondering whether folks were more diligent about security in their homes than businesses were based upon my admittedly very unscientific observations of wireless access points as I drove through the Des Moines, Iowa metro.
To which Davi Ottenheimer commented (thanks Davi!),
Posts Tagged ‘IT compliance’
Just Because Security Is Simple Doesn’t Mean People Will Do It
Thursday, July 3rd, 2008
Texas EZPawn Throws Away Its Security Promises and Customers’ Privacy and Gets Handed A Significant Penalty
Wednesday, July 2nd, 2008
Well, here is yet another company that had a nasty habit of just throwing papers containing their customers’ personally identifiable information (PII) into publicly accessible trash cans.
On June 24 a Texas judge handed down a civil penalty of $600,000 against Texas EZPawn for tossing their customer PII, including Social Security numbers, bank account information, driver’s license numbers, date of birth, and other identifying information, into their trash cans without first irreversibly and completely shredding the papers. You can see an example of the types of records found in the trash in the court documents.
Information Security and Privacy Convergence Is Nothing New…Both Areas MUST Collaborate
Tuesday, July 1st, 2008
The comparatively new awareness of the need for information security and privacy convergence and collaboration has actually existed for many years. I first experienced this firsthand in the first half of the 1990s when I was responsible for information security in a multinational financial and insurance company. The company launched one of the very first online banks, and I was establishing the security requirements when I saw the need to address the privacy aspects. This was before the passage of GLBA or HIPAA, but I knew that a few bills addressing privacy had been being considered, not only in the U.S. but also worldwide, and that the OECD privacy principles were the basis for many of the privacy requirements.
Where And How Do You Dispose Of Your Cell Phones and Paper Documents?
Monday, June 30th, 2008
Something I’m planning to do this summer with my sons is to do some dumpster diving, with the advice of my police and security services company owner friends, to see just how much personal information is left out for just anyone walking by to pick up and use, or misuse. We’ll also see about any cell phones that were just dropped in the dumpster or trash can…
How do you dispose of your cell phones? At work, and at home? And what do you do with the papers that contain personally identifiable information (PII) and other sensitive information when you throw them away? Are you more diligent at work? Or at home?
With this in mind, here’s another section from the third article in my June issue of “IT Compliance in Realtime”…
Where And How Do You Dispose Of Your Computers, CDs, USB Drives, Etc.?
Sunday, June 29th, 2008
In the past few years I’ve performed over 100 information security and privacy program reviews for the vendors and business partners of my clients, and I have often found these contracted organizations have lax to non-existent to outrageously irresponsible computer and electronic storage device disposal practices. One of the “information security” policies for one of the vendors actually directed their personnel to try to sell their old computers and storage devices on eBay or other online sites in order to recoup some of the costs…this was in their “Information Disposal Security Policy”! It had absolutely no mention of removing the data before trying to sell the devices; the main intent was to recoup as much of the investment as possible.
With this in mind, here’s another section from the third article in my June issue of “IT Compliance in Realtime”…
More Wifi Security At Home Than At Work?
Friday, June 27th, 2008
Last week I posted about how, while driving my sons into town for Noah to attend band camp, they found 100+ wifi hotspots, and only 12 of them were secured according to their MacBook lock icons.
This was in a primarily business area, with lots of small to medium sized businesses along the road, strip mall type of shops, and a large shopping mall.
This week while driving my sons into a different part of town for Heath to attend
Disposal of Computers
Thursday, June 26th, 2008
Time to post some of the info from the 3rd of the articles from my June issue of “IT Compliance in Realtime Journal” before the month is over!
The 3rd article is “What to Tell Personnel: Disposal Security and Privacy.”
Here is a section from the article…
Tools <> Technology
Wednesday, June 25th, 2008
I participate in the LinkedIn community, and I occasionally put out short “status” messages when I’m working on products, projects or going to provide training. My current “status update” statement is, “Rebecca is creating tools to support information security, privacy and compliance management and leadership.” (I’m really excited about these tools…I know they work!)
I received a message regarding this status update from one of my LinkedIn contacts. Here’s an excerpt…
Tell Personnel How to Protect Mobile Computing Devices and Storage Media
Tuesday, June 24th, 2008
You can’t expect your personnel to know how to safeguard information and computing devices if you do not tell them *HOW* to safeguard them!
Humans are not born with an inherent instinct to automatically safeguard information assets. In fact, some folks seem to be born with a pre-disposition to fling caution to the wind when it comes to protecting information. Why else would someone drink three tall beers while working alone in a busy airport bar/restaurant and then leave their laptop completely unsecured on the table top to go somewhere else down the hallway out of sight for 30 minutes? (Saw this on a recent trip.) Yes, I know the alcohol had some impact on their decision-making, but think about all the folks in your organization who have a tendency to do risky activities even without the influence of alcohol.
The fourth section from the second article in the June issue of my “IT Compliance in Realtime Journal” discusses why all organizations must provide training and ongoing awareness communications to their personnel for how to protect mobile computing devices.
You cannot expect your personnel to know how to safeguard information and mobile computers if you do not provide them with training and ongoing awareness for how to do it! Deja vu…did I already say this? You bet; and I’ll probably say it a few million times more in my lifetime because it is so important, yet so seldom considered!
Here’s an unformatted version; you can download a much nicer PDF version of it with the entire June Journal…