May 17, 2012

New Survey Results Claim Security Expertise Not Enough for Successful ESRM

In April, the CSO Roundtable of ASIS International released the results of a comprehensive survey of its members and of the wider ASIS membership. The survey was meant to gauge how well the security industry understands, and how far it has adopted, an “Enterprise Security Risk Management” (ESRM) methodology.

The survey, conducted in the fall of 2009, asked for information regarding at least the following areas:

  1. What risks were the most challenging?
  2. Where did organizational support for ESRM initiatives come from?
  3. Which business elements of an organization were included in ESRM?
  4. What was security’s role in the ESRM process?
  5. Who has ultimate responsibility for risk in the organization?

More than 80 Chief Security Officers, and more than 200 other ASIS members from around the world, responded to the survey.

One of the major findings from the survey was best expressed by Timothy L. Williams, CPP, Director of Global Security for Caterpillar and a member of the CSO Roundtable Advisory Board, when he stated, “We learned that traditional security issues are rarely the ones that keep security professionals awake at night; instead, risks such as database theft, network failure and economic problems are top concerns. We discovered that most CSOs and, indeed, nearly half of non-CSOs, are already deeply involved with evaluating and mitigating non-security risks in their organizations.”

Another survey result is that CSOs reported the greatest non-security risk they face is the downturn of the economy, followed by business issues such as competition and regulatory pressures. More than half of the CSOs surveyed said they and their security departments were involved in researching, prioritizing, mitigating or evaluating these non-security risks.

Survey results also indicated that the vast majority of security professionals believe that excellent business management, leadership and communication skills—not security expertise—are the traits that will lead to success in ESRM.

If any of the questions or results listed above reflect similar behaviors in your organization, or even the basis on which security standards are established there, please pass this information along to the internal information security and risk management team members, or outside security consultants, who are responsible for establishing and maintaining the level of enterprise security risk management most appropriate to your organization.

Click here to read the full report.

Are Data Breaches Increasing or Decreasing in Number?

Most information security professionals argue over this question, but usually agree that even if our government were to establish a single data breach list with mandatory public reporting, a true measurement of data breach activity may always be a point of serious debate.

Given this level of ambiguity facing information security managers, and rather than focusing on a question without a clear answer, we recommend that they read and review the recently released 2009 Identity Theft Resource Center® (ITRC) Breach Report.

The ITRC report used percentages to analyze the 498 breaches recorded that year, looking for any changes or new trends, and includes at least the following main highlights:

  • Paper breaches account for nearly 26% of known breaches (an increase of 46% over 2008)
  • The business sector climbed from 21% to 41% between 2006 and 2009, the worst sector performance by far
  • Malicious attacks have surpassed human error for the first time in three years
  • Out of 498 breaches, only six reported that they had either encryption or other strong security features protecting the exposed data

We hope you find this information valuable in helping your information security managers plan and implement an effective corporate security and compliance program for their organization.

Click here to read more about this report.

Interoperability Rivals Security as CIO Cloud Concern

While CIOs often mention security as a major concern when reviewing and evaluating cloud computing services, our research has indicated that CIOs are finding cloud interoperability issues to be a growing concern as well.

In a recent article written by Laura Smith, posted on the SearchCIO.com website and entitled “Cloud Interoperability Standards Aim for Vendor Independence”, you will find information that may help your organization determine which cloud computing service offering would work best for it.

Moving your company’s team of risk assessment managers beyond a predominantly cybersecurity-focused concern over the adoption of cloud computing applications will require not only access to current developments in cloud technology, but also access to related resource materials, blogs, and website links that address the interoperability and portability aspects of cloud computing.

If keeping in touch with the progress of standards developed for the cloud is important to your business continuity and information security managers, then you may want to visit a cloud standards wiki website created by a standards development organization, and pass that link along to those managers.

Click here to access a great one-stop resource location and be sure to avail yourself of searching through all of the links and references offered by Laura Smith.

And, as always, please share your comments on the value of the information we are suggesting for you and your organization, as well as any additional input you may have to help keep our readers in touch with this important topic.

New Electric Outage Information Portal Now Available

A new electric outage information portal is now available under the name Outage Central with a mission to provide access to real-time maps, comprehensive outage data information links, and severe weather alerts to utility emergency resource personnel.

The company that created and powers this website is Macrosoft, a company based in Parsippany, NJ.

We recommend this information as valuable to disaster recovery and business continuity planning teams in your organization.

For more information, please go to outagecentral.com

Registrar Offers Free Personal Information Compliance Webinar

National Quality Assurance, USA, Inc. (NQA), a leading provider of quality and environmental management registration services for industries including aerospace, defense, telecommunications, automotive and information technology, is offering a free webinar on the topic of Personal Information (PI) compliance.

Many of our readers may be facing challenges in their organization’s ability to comply with new regulatory requirements regarding the privacy of personal information, not only for employees but also for vendors, customers and other parties related to the organization.

We would encourage listening to this valuable resource offering and passing this posting along to risk management and information security management team members in your organization for their further discussion and evaluation.

Click here to learn more about the registrar, NQA, and gain access to watch this free pre-recorded webinar.

Supply Chain Management Requires Strong Business Continuity Component

Few can argue against the statement that business continuity is a crucial component of supply chain management. This website strongly supports this statement and is constantly looking for current information and resources to make the implementation of strong business continuity methodology an ongoing continuous improvement process within organizations.

To support that BC methodology, business continuity planning and implementation team members must apply BC management concepts to each of their supply chain management responsibilities, and include a review of the status of BC in all ongoing risk assessment activities, for both internal organizational compliance management questionnaires and compliance audits of vendors in their supply chains.

With that objective in mind, we recommend viewing the Supply Chain Risk website organized by Jan Husdal as time well spent for growing your resource library with relevant information to assist the risk mitigation process surrounding both local and global supply chain management threats to your organization.

Click here to view and access the resources posted on the Supply Chain Risk website.

Data Theft vs. Data Leakage

Many of us are more than familiar with information security breaches affecting organizations as a result of data theft. However, some of us may not be aware of the term data leakage and how it differs from data theft. In fact, some of us may be working at companies today that are potential victims of data leakage, have no policies or procedures to address this risk, and thus may be unable to mitigate this information security threat to their organization. To those companies, we offer a link to information and to a potential solution to the data leakage risk.

Addressing the position that data theft and data leakage are not the same, Tom Olzak, a contributing writer on the CSO Security and Risk website, has recently written an article that clarifies the difference and focuses on the fact that data leakage arising from approved or accepted business practices can be a significant security vulnerability for many companies today.

Mr. Olzak defines data leakage as “… the incremental movements of information from areas of high trust to myriad office locations with little or no protection”, and offers a list of questions that an organization can use as a guide to start an internal assessment of its vulnerability to data leakage risks.

Click here to read more about this important information security topic.

If you find this information helpful please pass it along to your internal information systems security managers as well as your risk management and business continuity planning team members.

Business Continuity Professionals Need to Sharpen Business Skills

The topic of improving the business skills of business continuity professionals, along with where today’s organizations may be most vulnerable in the future, was addressed by Tom Field, editorial director of the Information Security Media Group, in a recent interview with Roberta Witty, a research VP at Gartner who is part of Gartner’s Compliance, Risk and Leadership group and whose primary area of focus is business continuity management and disaster recovery. This interview was posted on the GovInfoSecurity website.

In this interview, Roberta Witty does a good job of listing the many challenges facing business continuity managers today and clearly identifying those areas where organizations may be most vulnerable in the future. To mitigate those future risks, she suggests that today’s BC professionals need an improvement action plan.

Much of the information Ms. Witty shares is relevant to the similar challenges and typical agenda items discussed regularly by many business continuity management consultants and internal BC members of organizational risk management teams.

The GovInfoSecurity website is a favorite recommendation of this website, and this recent interview is just one example of the many valuable resources that should be required reading or listening for all BC/DR professionals.

Click here to download an MP3 file of Ms. Witty’s interview or to play a streaming audio version of it.

PS-Prep Update – Possible Next Step: Auditor Training?

Lisa DuBrock, Contributing Editor

Now that the comment period on the three DHS proposed standards has closed, focus likely turns to the ANSI National Accreditation Board (ANAB) and the development of an accreditation rule. As a subset of that accreditation rule, qualifications are also most likely to be developed regarding the requirements for an individual to become a PS-Prep auditor.

Early indications are that ANAB, on behalf of the PS-Prep Program, will require auditors to have knowledge of at least one, two or all of the three proposed standards as well as ISO (International Standards Organization) auditing techniques.

As a support for these potential developments, it is somewhat expected that ANAB will release a Request for Proposal calling for the development of a series of detailed auditor training programs aligned with this accreditation ruling. The focus of these training programs would be to allow certified body/registrars (CBRs) to educate their audit staff as to the best way to evaluate compliance with the DHS proposed standards, a key requirement for PS-Prep accreditation.

It is also a possibility that CBRs can apply to be selectively accredited in one, two or all three of the DHS proposed standards. Following that approach, auditors similarly could specialize their training in one, two or all three standards; however, I believe it is most likely that knowledge of ISO auditing techniques will be a prerequisite in all cases.

With this critical step seemingly underway, it appears that the PS-Prep program is gaining momentum and future announcements addressing other aspects of the program should be expected to follow soon.

New Identity Theft Affects 3.3 Million Borrowers

In a recent article written by Mary Pilon and published by the Wall Street Journal, it was reported that names, addresses, Social Security numbers and other personal data on borrowers were stolen from the St. Paul, Minn., headquarters of Educational Credit Management Corp. (ECMC), a nonprofit guarantor of federal student loans, during the weekend of March 20-21, 2010.

It was also reported that company and federal officials said they believed the theft of identity data on 3.3 million people with student loans was the largest-ever breach of such information and could affect as many as 5% of all federal student-loan borrowers.

Of some significance is the fact that this was not an IT-related breakdown of information security policy or procedure. As cited in the article, ECMC spokesman Paul Kelash remarked that, “…It was a simple, old-fashioned theft. It was not a hacker incident.”

This article is a hard reminder to internal physical security and risk management team members not to overlook the need for constant monitoring and ongoing improvement of both corporate physical and IT-related security policies and procedures.

Click here to read the entire article.