Posts Tagged ‘policies and procedures’
Thursday, August 21st, 2008
Not much surprises me any more with regard to some of the silly things that organizations do with printed PII that put the involved individuals at risk.
However, I was surprised when I watched an ABC News report this morning…
(more…)
Tags:awareness and training, disposal, disposal rule, FACTA, Information Security, IT compliance, IT training, personally identifiable information, PII, policies and procedures, privacy training, risk management, security training
Posted in Laws & Regulations, Privacy and Compliance, Privacy Incidents | 1 Comment »
Wednesday, August 20th, 2008
It amazes me how many news articles are frequently reported that are related to the misuse or breach of social security numbers (SSN). Today just a few the stories that popped up included:
(more…)
Tags:awareness and training, FTC, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, social security number, SSN
Posted in Laws & Regulations | 1 Comment »
Tuesday, August 19th, 2008
Yesterday CNN ran an interesting story, “U.S. at risk of cyberattacks, experts say.”
For those of you in the information security biz this is not new news, I know. We’ve known and discussed the massive and insidious types of damage that could be done through cyber attacks for several years. However, there is still not enough being done.
(more…)
Tags:awareness and training, CNN, cyberattack, cybercrime, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training
Posted in Information Security | 2 Comments »
Sunday, August 17th, 2008
When I got my Sunday Des Moines Register out of the orange box across the road this morning, the front page headline leaped out at me, “Medical privacy law fails to stop snooping.”
In one of the incidents described, a woman was incredibly embarrassed and humiliated after all the intimate details about an operation she had on her uterus, including her full name, that were in her doctor’s files were apparently published in marketing material…
(more…)
Tags:awareness and training, Des Moines Register, HHS, HIPAA, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training
Posted in Laws & Regulations, Privacy and Compliance, Privacy Incidents | 2 Comments »
Friday, August 15th, 2008
Is your accountant or tax preparer sending your personally identifiable information (PII) offshore? Possibly.
Here is the second part of the first article, “(Mis)Using Social Security Numbers in Business,” within my August issue of IT Compliance in Realtime Journal, which discusses the use of SSNs (get the nicest version of the full journal here)…
(more…)
Tags:awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, social security number, SSN
Posted in Information Security, Privacy and Compliance | 1 Comment »
Thursday, August 14th, 2008
Recently I wrote about the privacy implications of Google Street View after communicating with John Grogan (from Popular Science and Computer World) about this topic; see here and here.
Today I saw an ABC news video…
(more…)
Tags:awareness and training, Computerworld, Google street view, Google walking directions, Information Security, IT compliance, IT training, John Brandon, policies and procedures, Popular Science, privacy training, risk management, security training, surveillance
Posted in Privacy and Compliance | 3 Comments »
Wednesday, August 13th, 2008
Recently I got a call from a representative of one of the free IT magazines I subscribe to. The rep wanted to renew my subscription, and needed to ask me a few “qualifying” questions first. Fine.
When she asked, “What is your Social Security number?” I responded, “You don’t need to know.”
She replied, “Yes, I do. We must verify that you are, indeed, who you say you are, so we need your Social Security number to do that. It is our standard procedure.”
“Well,” I told her, “Don’t you think it is poor business practice to make an unnannounced call to your subscribers and ask them for a Social Security number? After all, you made the contact with me, not the other way around. I answered my phone, didn’t I? And besides, how do I know *YOU* are who you say you are? Can you please give me your Social Security number so I can verify that you are, indeed, who you say you are?”
(more…)
Tags:awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, social security number, SSN
Posted in Information Security, Privacy and Compliance | 1 Comment »
Tuesday, August 12th, 2008
For those of you that weren’t aware, this past weekend the long-running Defcon convention (historically started with only “hard core” hackers in attendance, but now huge numbers of information security pros and law enforcement attend) was held in Las Vegas.
Some MIT students, Zack Anderson, R.J. Ryan and Alessandro Chiesa, were scheduled to talk about “Anatomy of a Subway Hack,” detailing a school project they did, and received an “A” on, that showed how the Massachusetts Bay Transportation Authority (MBTA) cards could be hacked to basically change a $1.25 MBTA fare card to a $100 fare card.
Well, the MBTA got wind of this…actually the MIT students contacted them in July to tell them about this security flaw, as well as let them know they were giving a presentation about it…and filed an injunction last Friday to keep the MIT students from giving their presentation on Sunday.
But guess what? Yep…I bet you can see this coming…
(more…)
Tags:awareness and training, Defcon, Information Security, IT compliance, IT training, MBTA, MIT, policies and procedures, privacy training, risk management, security training
Posted in government, Information Security | 3 Comments »
Monday, August 11th, 2008
It used to be very common for various state and local government agencies, such as the Department of Motor Vehicles, to sell their records, containing vasts amounts of personally identifiable information (PII), as a revenue stream. That changed when Rebecca Schaeffer’s stalker killed her in 1989 after paying $250 to get her address, and other PII on file, from the California Department of Motor Vehicles.
After this horrible, tragic demonstration of how very bad things can happen when people have full reign to get access to PII, states started enacting drivers protection acts to keep the PII the agencies had on file from being accessed in such egregiously irresponsible ways. Finally, a U.S. federal law, the Drivers Privacy Protection Act (DPPA) was enacted to help protect the PII in drivers’ records.
So, I found the following inappropriate release from a state agency to be very interesting…
(more…)
Tags:awareness and training, DPPA, Information Security, IT compliance, IT training, Missouri Department of Revenue, policies and procedures, privacy training, publicdata.com, risk management, security training, Shadowsoft, social engineering
Posted in government, Information Security, Laws & Regulations, Privacy and Compliance | No Comments »
Friday, August 8th, 2008
Tags:awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training, social engineering
Posted in Information Security, Training & awareness | No Comments »
