It is not only important, but absolutely necessary, to let personnel know what your information security and privacy policies are, along with your organization’s sanctions, and then consistently enforce your policies. If personnel know that policies are not enforced, and that there is no negative consequence for not properly safeguarding information and systems, it becomes easy for personnel to not follow policies when it is inconvenient or time-consuming to do so. It is also easier for personnel to do bad things as vendettas when they get upset.
Posts Tagged ‘privacy policy’
Insider Threat Example: Former Cox Employee Sent To Jail (And More) For Hacking System
Sunday, January 20th, 2008FTC Hands Down Another FTC Act Noncompliance Penalty For Bad Online Application Security
Friday, January 18th, 2008Yesterday the U.S. Federal Trade Commission (FTC) handed down yet another penalty against an online retailer, Life is good, Inc., for not properly safeguarding their online ecommerce applications.
The FTC charged they were in violation of the FTC Act because they promised in their online privacy statement that they would safeguard their customer data, but yet a hacker “was able to use SQL injection attacks on Life is good’s Web site to access the credit card numbers, expiration dates, and security codes of thousands of consumers.”
Clearly Justify Your Information Security and Privacy Policies
Wednesday, January 16th, 2008I’m helping one of my clients with updating their information security and privacy policies, aligning them with ISO 27002, and creating new policies to fill gaps as necessary based upon the organization’s risks. I was speaking with the CISO this week and he made a statement that I’ve heard many times over the years that really is a blockade to advancing information security within most organizations.
“I wish when the CEO rejects a policy he would tell me why. I know he’s short on time, but it would help me do my job so much better if he’d just explain why.”
CMS Hires A Fox To Guard The HIPAA Henhouse
Tuesday, January 15th, 2008I just read a very interesting article, “CMS’ HIPAA watchdog presents potential conflict” that made me go Hmmm!!
The genesis of the article is that the Centers for Medicare and Medicaid Services (CMS), the agency that is responsible for the Health Insurance Portability and Accountability Act (HIPAA) oversight and compliance enforcement, has contracted PricewaterhouseCoopers (PwC) to perform HIPAA Security Rule compliance audits during 2008.
Man Pleads Guilty To Loading Keylogger Software On Public Computers Worldwide To Collect PII and Commit Fraud
Monday, January 14th, 2008Here’s another good example of an actual cybercrime that was allowed to occur because poor of safeguards on computers provided for public use.
On January 9, 2008, Mario Simbaqueba Bonilla plead guilty to installing keylogger software on hotel business center and Internet cafe computers located in hotels throughout the world that allowed him to access the bank and other financial accounts of over 600 individuals.
FTC Fines Mortgage Co. For Tossing PII Into Dumpster: FACTA/FCRA, GLBA, & FTC Act Violations
Wednesday, December 26th, 2007On December 17 the U.S. Federal Trade Commission (FTC) fined and penalized American United Mortgage Company for throwing the personally identifiable information (PII) and financial information of its customers and consumers into an open, publicly-accessible dumpster.
Under the terms of the penalty, American United Mortgage Company must:
Be Prepared For Privacy Breaches!
Friday, December 21st, 2007This morning I did a podcast interview with bankinfosecurity and they already have it posted!
During the interview I answered and expanded upon five questions and issues:
The 12 Threats of Chistmas
Friday, December 21st, 2007It is time for some humorous entertainment to complement the holiday season, and PGP Corporation has provided it!
Kevin Beaver pointed me to a great YouTube clip, “The 12 Threats of Christmas.”
New Wireless = New Vulnerabilities = More Incidents?
Thursday, December 20th, 2007Most folks are looking at what’s coming in 2008. Heck, let’s go a bit further and look at some potentially big changes slated for 2009!
I just read an interesting Business Week story, “Just Ahead: A Wider Wireless World.”
In February, 2009 analog television broadcasting will be terminated.
