The proper definition and assignment of information security roles and responsibilities has always been a key principle of information security governance. In fact, every major information security and data privacy regulation requires that the organization document roles and responsibilities. Real-World Challenges Despite being such a core governance requirement, in practice many organizations are still behind [...]
Author Archives: David Lineman
Assessing the risk of third-party vendors has been a growing problem for compliance management. Because of the growing number of data breaches related to third-parties, regulators have been focusing on the inherent risks of outsourcing. Within the financial services industry, this has long been accomplished via a SAS70 (now SSAE16) type audit. Within the U.S. [...]
The European Union recently released a set of draft recommendations for a major update to the current privacy framework that underpins Directive 95/46/EC. The changes would introduce a single set of rules on data protection, valid across the EU. The proposed changed give individuals more control over their personal information and would have a significant […]
New information security policy updates address key elements of operational security HOUSTON, Texas – Janurary 31, 2012 - Information Shield (www.informationshield.com) today announced the latest update of the PolicyShield Information Security Policy Subscription service. The latest release includes includes over thirty new pre-written security policy statements, three addition pre-written sample documents and eleven addition policy-related [...]
New PolicyShield Update Addresses Third Party Management New information security policy updates address key elements of operational security HOUSTON, Texas – Janurary 31, 2012 - Information Shield (www.informationshield.com) today announced the latest update of the PolicyShield Information Security Policy Subscription service. The latest release includes includes over thirty new pre-written security policy statements, three addition [...]
The Privacy Rights Clearinghouse recently released their review of what they call the most significant data breaches of 2011. Even if you have read about each of these incidents before, they are worth reading again in summary form. What is perhaps most striking is how the most basic security policies and procedures are often the […]
In September 2011 a security researcher purchased some used network equipment for about $30 USD from Ebay. Once the equipment was delivered, the researcher found that it used to belong to the UK National Air Traffic Services (NATS) and that loads of sensitive data was still stored on the device, including network IP addresses and […]
One of the most intriguing cyber-security stories ever is the recent hack and public smearing of information security from HB Gary by hacker group Anonymous. The incident relates to the WikiLeaks scandal, and the ongoing fear that major corporations might be the next victims of embarrassing document leaks. Tech writers Michael Riley and Brad Stone […]
We hear reports of new data breaches almost daily. While most of them are fairly complex stories, they most always begin at some point with a human "insider" making a mistake. In fact, 2011 could be considered the “Year of the Insider.” From the RSA hack and Sony Playstation breach, to the Epsilon e-mail breach [...]
In July 2011, The Australian Defence Signals Directorate (DSD) published an updated list of their Top 35 Mitigation Strategies. This list was based on the analysis of real-world events within the government agencies, and is designed to identify the top set of controls that would have the most impact on reducing actual incidents. The list […]