May 17, 2012

E-Discovery — A Recent Court Decision to Adopt Default Standards is Made by the District of Delaware

Photo courtesy of blog.advanceddiscovery.com

Judging from several comments we have received, it appears that many of our readers are taking a “sidelines” approach, simply watching the e-discovery dynamic develop, since for now it remains only a potential risk mitigation event for them, either as individuals or as associates of the organizations for which they work.

While there is nothing wrong with that approach, it behooves them to stay informed in order to remain current and “safe.” To that end, our staff has made e-discovery part of its “watch list” for internet content searches, so that as relevant material issues are reported, we can share that information with our readers on a timely basis.

Such is the case with a recent posting by the Morgan, Lewis & Bockius LLP group announcing that the District of Delaware has adopted a set of default standards for e-discovery.

Time will tell whether this decision by the District of Delaware will sustain an apparent recent trend on the part of the federal courts to lower the costs associated with e-discovery by offering guidelines designed to streamline the process.

Click here to read the full comments of the Morgan, Lewis & Bockius LLP group.

Click here to read the Default Standard referenced in this reported event.

If applicable, please pass this information along to those associates in your organization who are responsible for e-discovery related risk management.

Perhaps business continuity planning, crisis management or PS-Prep strategy planning team members may also have a long-term interest in these developments and would want to add this content to their resource reference libraries.

Security Myths? You Decide.

Recently, Ellen Messmer, Network World, posted an interesting article that resulted from her asking security experts, consultants, vendors and enterprise security managers to share their favorite “security myths”.

For many of our readers, who are tasked with developing risk mitigation strategies against security related threats, our staff believes that the information provided by Messmer is an interesting addition to any resource reference library on this timely and critical risk topic.

A quick summary of the 13 security myths presented and discussed by Messmer is as follows:

  1. More security is always better.
  2. The DDoS problem is bandwidth-oriented.
  3. Regular expiration (typically every 90 days) strengthens password systems.
  4. You can rely on the wisdom of the crowds.
  5. Client-side virtualization will solve the security problems of ‘bring your own device.’
  6. IT should encourage users to use completely random passwords to increase password strength and they should also require passwords to be changed at least every 30 days.
  7. Any computer virus will produce a visible symptom on the screen.
  8. We are not a target.
  9. Software today isn’t any better than it used to be in terms of security holes.
  10. Sensitive information transfer via SSL session is secure.
  11. Endpoint security software is a commodity product.
  12. Sure, we have a firewall on our network; of course we’re protected!
  13. You should not upload malware samples found as part of a targeted attack to reputable malware vendors or services.

Please let our readers know your opinions, comments and perhaps additional security myths that you may have encountered recently …

If applicable, please share this information with those information security, risk and/or crisis management and disaster preparedness team members in your organization.

Click here to view Messmer’s full article on this timely topic for all information security related professionals.

E-Discovery Breakthrough — “Predictive Coding” Endorsed by Judge’s Ruling

Photo courtesy of ediscoveryblog.sonian.com

In a recent landmark e-discovery decision, U.S. Magistrate Judge Andrew Peck of Manhattan federal court cited a study that concluded technology-assisted review is more accurate — and 50 times more economical — than “exhaustive manual review.”

In his decision to endorse the “predictive coding” process, Judge Peck recalls that judges and parties have been concerned about being the first to produce discovery by way of predictive coding, for fear that the document production process wouldn’t hold up to scrutiny. Plaintiffs have also worried that defendants would tamper with search parameters to hide potentially relevant documents.

“What the bar should take away from this opinion,” Peck concluded, “is that computer-assisted review is an available tool and should be seriously considered for use in large-data-volume cases where it may save the producing party (or both parties) significant amounts of legal fees in document review.

“This breakthrough decision gives Counsel the opportunity to no longer have to worry about being the ‘first’ or ‘guinea pig’ for judicial acceptance of computer-assisted review.”

Click here to read about Alison Frankel’s ON THE CASE report on this event.

If applicable, please pass this information along to the affected parties; hopefully this cost-reduction trend will continue to grow …

As always, we encourage our readers to share their thoughts and comments with our readership … thank you.

National Cybersecurity Center of Excellence Established by NIST and State of Maryland / Montgomery County

National Cybersecurity Center of Excellence Signing Event

A National Cybersecurity Center of Excellence has been established through a new public-private partnership between the National Institute of Standards and Technology (NIST), the State of Maryland and Montgomery County, MD.

The purpose of the center is to work to strengthen U.S. economic growth by supporting automated and trustworthy e-government and e-commerce activities.

NIST Director Patrick Gallagher states, “…the center will undertake carefully developed use cases — comprehensive requirements and test plans to address specific cyber security challenges — that will lead to practical, interoperable cyber-security approaches for real-world needs of complex IT systems.

Initially, the development and refinement of use cases would be open to all interested parties, including IT vendors and the public. Results from Center projects will be shared with the broad IT user and vendor communities.

Cyber crime hurts individuals, businesses and government agencies. We want to bring together the best minds and provide them with the best tools to create and test solutions that will make online transactions of all kinds safer,” said Gallagher. “We’re pleased to have the support of our Maryland partners, and look forward to working with additional partners from industry, academia, nonprofit and government sectors.”

Additional articles about this event are listed below and can be added to your in-house cyber security resource library:

“NIST establishes National Cybersecurity Center of Excellence with State of Maryland and Montgomery County” by Jacob Goodwin

“NIST Cybersecurity Center Tackles Public and Private Threats” by Elizabeth Montalbano

“NIST and state of Maryland establish cyber security lab” by Aliya Sternstein

If applicable, please pass this information along to those individuals in your organization responsible for risk management, cyber security risk strategies, and information technology management, who must mitigate continually evolving cyber security risks.

Risk Awareness Concerns and Organizational Risk Management System Potential Integration(s)

Photo courtesy of meship.com

By: Lisa DuBrock, CPA, CBCP, MBCI

Recently, in an article written by Subrata Guha entitled “New ISO IEC 20000-1: Alignment with ISO 27001”, Guha makes the point that, “… since ISO 20000-1 and ISO 27001 are so closely linked, there is a strong argument that these two standards should be implemented as a single management system – and, that the new release of ISO 20000-1 makes this process easier than ever before.”

I contend that the melding of those two standards is certainly an excellent idea — especially since some well-defined areas such as incident management, change management, and security management link up so well. And, I believe that many companies have done just that, whether they implement the standards together or individually and then knit the individual management systems and overlapping control structures together.

What I’d like to propose today is — depending on your own corporate and organizational culture — to consider a coupling of two other standards that have a natural affinity to work together. Those standards are ISO/IEC 27001:2005 Information Security Management System and ASIS SPC.1 Organizational Resilience: Security, Preparedness and Continuity Management System.

Both the ISO 27001 and the ASIS SPC.1 standards build their foundation on the concept that management identifies, adopts, implements, monitors, updates and, most importantly, manages the related management system(s) based on that particular organization’s appetite for risk, i.e. its Risk Appetite.

As with any organization’s business management system (BMS), the process of implementing that BMS to a standard (i.e. ISO 27001 or ASIS SPC.1) begins with and is based on the scope that the organization sets for its BMS.

In this instance, both ISO 27001 and ASIS SPC.1 adhere to the management system requirements of: Management Commitment (including resourcing, training and awareness, and approval of the system), Internal Audit, Management Review and Continual Improvement.

Both of these standards also require a statement of applicability (SOA). However, they differ in how the SOA is defined. In SPC.1 the SOA documents the strategic weighting of security management, preparedness, emergency management, disaster management, crisis management and business continuity management. In ISO 27001 the SOA is a documented statement describing the control objectives and controls that are relevant and applicable to the organization’s ISMS.

What really differs between these standards, however, is the context of the risk process. For ISO 27001, the context is based on the information assets identified within the scope of the management system. Within SPC.1, the Organizational Resilience Management System is based on legal and other requirements, information about significant hazards and threats, and protection of critical assets of all kinds (physical, intangible, environmental and human), not just information assets.

An organization that integrates the implementation of both ISO 27001 and ASIS SPC.1 simultaneously would almost certainly achieve a stronger and clearer understanding of its risks and of what is needed to mitigate them (i.e. to be more secure).

Whether or not you agree with this opinion, please share your comments and inputs regarding this potential integrated approach.

Privacy and Security Controls in Your Corporate Board Room — Perhaps a Review is Necessary

Photo courtesy of blog.dattobackup.com

In a recent article written by Nicole Perlroth, a potential risk mitigation event was revealed that should be cause for all organizations to re-verify that the cameras used in their corporate board rooms are properly and verifiably protected from hackers.

Ten years ago, videoconferencing systems were complicated and erratic, and ran on expensive, closed high-speed phone lines. Over the last decade, however, videoconferencing — like everything else — migrated to the Internet.

Now, many businesses use Internet protocol videoconferencing — a souped-up version of Skype — to connect with colleagues and customers. Most of these new systems were designed with visual and audio clarity — not security — in mind.

Click here to read this full article and become aware of how easily professional security experts were able to hack into the board room conference cameras of unsuspecting companies of all sizes.

If applicable, please pass this info along to those risk management and IT / information security team members in your own organization.

Google Plans to Alter Privacy Policy and Terms of Service

Photo courtesy of blog.mclane.com

The actions and decisions of Google can potentially affect many information security teams in organizations across the globe. With that thought in mind, a recent announcement by Google to alter its privacy policy and terms of service to reflect the fact that it is now going to combine data from its various services into a single user profile may well be an event that requires close study, review and evaluation regarding an organization’s own existing privacy policy, particularly where services such as Google are involved.

It goes without saying that this privacy change by Google needs to also be closely reviewed where individual use of Google is employed as well.

In a recent article, Thomas Claburn points out that critics have been quick to question Google’s decision.

The article also references Sen. Richard Blumenthal (D-Conn.), who said in a reaction blog posting that he is troubled by the lack of an opt-out mechanism, and David Jacobs, consumer protection fellow at the Electronic Privacy Information Center (EPIC), who expressed concern that Google’s changes decrease the ability of users to control how their personal information is being used.

Click here to read Claburn’s full article, and be sure to use the links in that article to dig more deeply into the reference documents and related postings on these potential privacy risks.

Additional stories about this controversial decision by Google are also listed below:

“Google Says Privacy Change Won’t Affect Government Users” by Jaikumar Vijayan

“Google Stirs Up Privacy Hornet’s Nest” by Sharon Gaudin

“Google Privacy Policy: Who Will be Affected and How You Can Choose What Information Gets Shared” by Cecilia Kang

“Google Seeks to Clarify New Privacy Policy” by Doug Gross

“Lawmakers Press Google on Privacy Policy Changes” (Reuters)

If applicable, please pass this information along to those information security and risk management team members in your organization, those members of privacy rights protection groups in your community and to members of your family who use Google on a daily basis.

Business Continuity Planners May Face “Frictionless Sharing” Risks from New Facebook Apps

Photo courtesy facebook.com

While information security and privacy rights protection teams within organizations continue to monitor the potential privacy risks that Facebook may present to their employees, a new announcement was made today indicating that Facebook is adding more than 60 new applications to its auto-share technology.

Click here to read the Facebook company blog post covering this news, as released by Facebook’s director of platform Carl Sjogreen.

As you will read, Facebook users can now immediately begin adding these new apps to their timelines.

As Sjogreen states, “…the apps are all set up to use the ‘frictionless sharing’ function on the social network, meaning that users only have to give an app permission to share information once. After that, the app updates automatically to a user’s profile, letting their friends know instantly what they may be eating, studying or listening to at any given moment.”

While it may be too early to accurately assess any additional risks these apps may present to existing business continuity plans, it may be a good idea to inform information security specialists, risk managers and HR privacy managers of this event.

PS-Prep strategy planning teams in the private sector, local community disaster preparedness groups, and even risk mitigation discussions among family and friends may warrant close monitoring of this recent announcement.

E-Discovery No Stranger on Campus

Photo courtesy of sonian.com

Several readers working in the educational field, and in particular in university campus information security departments, have asked that more discussion and information be presented on e-discovery as it relates to a university campus environment. In response, our staff would like to present a listing of recent postings and articles addressing this growing dynamic within the “discovery” process itself.

Dian Schaffhauser, a writer who covers technology and business related topics for a number of publications, has recently written and posted an article entitled “An e-Discovery Primer”, and this information may be a great reference resource to offer anyone who wants to learn the basics of e-Discovery.

To this point, it is also important to realize that the “discovery” process is neither something new nor limited to the digital era. As Seth Gilbertson, associate counsel for the State University of New York, states, “…discovery is the process of saving and producing records and other evidence pertaining to an activity that may be the subject of litigation.”

If applicable, or even if you are new to the discussions and risk mitigation potential embedded in the e-discovery process, click here to read Schaffhauser’s full article.

The E-Discovery Guideline and Toolkit posted on the EDUCAUSE website presents e-discovery issues for universities to consider.

“E-Discovery Trends: Potential ESI Sources Abound in Penn State Case” by Doug Austin

“E-Discovering Reference” article by Spolanka

“School districts wrestling with ABCs of electronic discovery, compliance” by Beth Pariseau, Senior News Writer

“Hey @wfryer looking for the 411 on eDiscovery: http://bit.ly/9hcxe9 (your wiki) Bottom line: do schools have to archive STUDENT email?”

“The E-Discovery Question” – Don’t panic over the new regulations, but make sure your school’s policy is clear.

If applicable, please add your inputs, comments and experiences regarding e-discovery challenges you may have faced in your university campus environment.

Information Security Lesson from Recent Zappos Breach Incident

Photo courtesy of searchtimes.com

In the event that anyone on your organization’s information security team becomes complacent about the need to be ever diligent in maintaining and updating information security in your organization, the privacy breach incident recently announced at Zappos.com should be an adequate reminder that risk mitigation in this area is a 24/7, ongoing responsibility.

Zappos CEO Tony Hsieh recently had to notify customers by email that the Zappos web marketplace system housing customer personal information had been compromised, and asked them to create a new password for their accounts immediately.

“We’ve spent over 12 years building our reputation, brand, and trust with our customers,” Hsieh said in his email. “It’s painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the database that stores our customers’ information was not affected or accessed.”

Click here to view a copy of that email along with Hsieh’s email message to Zappos’ employees.

Although you never want to face such a situation in your own organization, Zappos’ reaction to this incident may certainly contain valuable lessons to pass along to your own in-house information security, crisis and risk management, and disaster preparedness teams.