GAO Continues to Express Ongoing Cyber Security Concerns
July 5, 2010
Many postings about the information security implications of cloud computing decisions have indicated that the jury is still out on how secure the cloud really is. Now more than ever, it is important to take the time to review, evaluate, and test the organization-specific components of a cloud decision-making process before you make a final decision.
Compliance and regulatory requirements along with having information security controls in place before you make a final decision are just a few of the elements to consider in that decision process.
It is with this in mind that we point you to a recent article written by Grant Gross and posted on the Computerworld website. In this article, you may see concerns about cloud computing and cybersecurity, summarized from a recent U.S. Government Accountability Office (GAO) report, that match the risk management issues over cloud computing expressed in your own organization.
It is also likely that your organization and our own U.S. government are both being driven by similar anticipated cost reductions coming from a move to a cloud computing environment.
Our staff believes that those similarities in both benefits and risks may have some relevance to all organizational cloud computing decisions and should be passed on to the information security and risk management team members in your organization.
Click here to read the full article, and let us know your thoughts and comments.
Is your organization at the same point of review regarding a cloud computing decision?
After reading this article, have you learned more of what to do or what not to do in order to make a best case decision for moving your organization to the cloud?
Best Practices Offered for Private Cloud Computing
July 3, 2010
In a recent article written by Features Writer Laura Smith, and posted on the SearchCIO website, some developing best practices for the utilization of private cloud computing are presented and offered to our readers.
That list of best practices starts with three actions – (1) assess, (2) deploy and (3) analyze — and ends with two further recommendations — (4) create reusable code and (5) do not forget to charge back the metered services reported by private cloud computing providers.
Click here to read Laura Smith’s entire article.
Many of our past postings on this website have focused on cloud and cybersecurity issues and, as a result, have prompted readers' input regarding ongoing concerns about information security and privacy. Our staff hopes that the information provided by Laura Smith’s article will offer more perspective on, and input to, the decision-making process regarding this current and controversial topic.
If applicable, please pass this information along to those business continuity and risk managers and management team members in your organization.
Cyber Security Legislation Introduced by Lieberman, Collins and Carper
June 11, 2010
Cybersecurity is an information security topic often discussed in postings on this website.
Many of the information security systems and security policies of organizations that follow this website face (or will face in the future) ever more challenging risk management decisions to be made over cyber security concerns. Our staff views this legislative support activity as a strong component in the ability of our government to better support U.S. companies who are facing a growing number of cybersecurity related issues.
To our point — Senate Homeland Security and Governmental Affairs Chairman Joe Lieberman, Ranking Member Susan Collins and Committee Member Thomas Carper recently introduced legislation to strengthen, modernize and safeguard our nation’s cybersecurity networks today.
View the video summary of this important development as posted on the Senate Committee on Homeland Security and Governmental Affairs website as well as read additional related articles on this topic — CLICK HERE.
Click here to read the complete letter written by Lieberman, Collins and Carper, posted on the Politico website and submitted in support of their legislative presentation.
If your organization is affected by cybersecurity risk management issues, then please pass this information along to the appropriate information security management members assigned the responsibility of information technology security.
Do you think this kind of legislation activity is good for U.S. companies?
Revisited Security Trend Report by SANS Institute
April 27, 2010
The most visited pages on our website often have to do with any publication or posting regarding a trend in any of the industry sectors reported under our continuity or compliance management methodologies. Our posting today references such an issue regarding the topic of organizational and personal information security.
Many of our readers, who are part of business continuity or risk management teams, read, utilize and save such referenced articles and/or postings to keep their resource libraries current – especially regarding today’s topic of information security in a cyberspace environment. In fact, even though the original report was issued nearly four (4) years ago, many will be surprised to see the same cybersecurity threats still affecting their organizations today. With so many similar general information security trends and threats still present, it may cause us to rethink how much progress has really been made in fighting these cybersecurity threats.
Very often this website refers to the SANS Institute for referenced postings, research reports, and predicted security trends to provide reading and research resources for those risk management teams.
As a general background, we wish to remind everyone that the SANS (SysAdmin, Audit, Network, Security) Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 165,000 security professionals around the world. A range of individuals from auditors and network administrators, to chief information security officers are sharing the lessons they learn and are jointly finding solutions to the challenges they face. At the heart of SANS are the many security practitioners in varied global organizations from corporations to universities working together to help the entire information security community.
With all those thoughts above in mind, and perhaps, offering a lesson of how to potentially learn from the past, we suggest revisiting and reviewing the SANS’ posting of the ten most important security trends and passing that information along to those information security and risk management specialists in your organization.
Click here to read the complete Ten Most Important Security Trends Report by the SANS Institute.
Cyberspace and Cybersecurity — The New Battlegrounds
April 22, 2010
There have been many postings on this website to address the subject of both cyberspace and cybersecurity and the potential threat it poses to organizations and individuals.
Unfortunately, our staff of writers continues to encounter a lack of serious attention paid to this cyber threat at the small and mid-sized enterprise (SME) level. It appears that until a major disruption or incident actually happens to such an organization, this form of threat does not become a real priority for upper management to evaluate as a potential risk and then properly mitigate. We believe that large global enterprises and governments understand this concern, but more awareness and preventive action are required of SME companies — and more effort should be made to incorporate this risk analysis into the work of those in-house individuals responsible for internal business continuity planning, preparedness and risk management activities.
At times, organizations do have to look at other resources to help them better define their risk assessment strategies in this cyberspace area. It is with this in mind, that we point our readers to a recent article written by Senator Susan Collins and posted as a press release on the Senate Committee on Homeland Security and Governmental Affairs website.
In this article Senator Collins points out very clearly that cyberspace and cybersecurity related dangers pose serious threats to all of us. Hackers could attack critical civilian infrastructures, such as electrical grids, transportation systems, and communications, affecting whole communities. The Senator also states that our military assets are at risk, too. In fact, military officials now describe cyberspace as the fifth domain of war — following land, sea, air, and space. They note that cyberspace is unique because it is the only battlefield to be invented by humans.
The article also asserts that in February, Dennis Blair, the Director of National Intelligence, gave this chilling account before the Senate Select Committee on Intelligence: “The national security of the United States, our economic prosperity and the daily functioning of our government are dependent on a dynamic public and private information infrastructure, which includes telecommunications, computer networks and systems and the information residing within. This critical infrastructure is severely threatened.” Cyberspace, he said, “is exponentially expanding our ability to create and share knowledge, but it is also enabling those who would steal, corrupt, harm or destroy the public and private assets vital to our national interests.”
How vulnerable does our government think we are? Consider these statistics from the Senate’s Sergeant-at-Arms Office, which found that Congress and other government agencies are under a cyber attack an average of 1.8 billion times a month, compared with an average of 8 million times a month in 2008.
The Senate Security Operations Center alone receives 13.9 million of those attempts per day.
“We operate in an escalating attack environment in which threats to our information infrastructure are increasing in both frequency and sophistication,” said Senate Sergeant-at-Arms Terrance Gainer in testimony before a Senate Appropriations subcommittee in March. “Our raw numbers bear this out, so we must remain on guard.”
Data gathered from ongoing survey efforts now seems to be raising a more urgent alarm for SMEs to recognize this cyberspace and cybersecurity risk as a real threat to them too – not only to the organization itself but, more importantly, to the suppliers, employees, customers and communities that are the foundation of its very existence.
Click here to read about additional findings revealed by Senator Collins.
New Survey Results Claim Security Expertise Not Enough for Successful ESRM
April 14, 2010
In April, the CSO Roundtable of ASIS International released the results of a comprehensive survey of its members and of the ASIS membership. The survey was meant to demonstrate some level of understanding that the security industry has concerning the adoption of an “Enterprise Security Risk Management” (ESRM) methodology.
The survey, conducted in the fall of 2009, asked for information regarding at least the following areas:
- What risks were the most challenging?
- Where did organizational support for ESRM initiatives come from?
- Which business elements of an organization were included in ESRM?
- What was security’s role in the ESRM process?
- Who has ultimate responsibility for risk in the organization?
More than 80 Chief Security Officers, and more than 200 other ASIS members from around the world, responded to the survey.
One of the major findings from the survey was best expressed by Timothy L. Williams, CPP, Director of Global Security for Caterpillar and a member of the CSO Roundtable Advisory Board, when he stated, “We learned that traditional security issues are rarely the ones that keep security professionals awake at night; instead, risks such as database theft, network failure and economic problems are top concerns. We discovered that most CSOs and, indeed, nearly half of non-CSOs, are already deeply involved with evaluating and mitigating non-security risks in their organizations.”
Another survey result claims that CSOs reported the greatest non-security risk they face is the downturn of the economy, followed by business issues such as competition and regulatory pressures. More than half of the CSOs surveyed said they and their security departments were involved in researching, prioritizing, mitigating or evaluating these non-security risks.
Additionally, survey results also indicated that the vast majority of security professionals believe that excellent business management, leadership and communication skills—not security expertise—are the traits that will lead to success in ESRM.
If any of the questions or results listed above reflect similar behaviors in your organization, or even the basis on which security standards are established in your organization, then please pass this information along to the internal information security and risk management team members (or perhaps outside security consultants) who are responsible for establishing and maintaining the level of enterprise security risk management most appropriate to your organization.
Click here to read the full report.
Interoperability Rivals Security as CIO Cloud Concern
April 12, 2010
While CIOs often mention security as a major concern when reviewing and evaluating cloud computing services, our research has indicated that CIOs are finding cloud interoperability issues to be a growing matter of concern as well.
In a recent article written by Laura Smith, posted on the SearchCIO.com website and entitled “Cloud Interoperability Standards Aim for Vendor Independence”, you will find valuable information that may be needed to help your organization determine which cloud computing service offering would work best for that organization.
Moving your company’s team of risk assessment managers beyond a predominant cybersecurity concern over the adoption of cloud computing applications will require not only awareness of current developments in cloud technology but also access to related resource materials, blogs, and website links that address the interoperability and portability aspects of cloud computing.
If keeping in touch with the progress made regarding standards developed for the cloud is important to your business continuity and information security managers, then you may want to visit a cloud standards wiki website, which was created by a standards development organization, and pass this informational link to those managers.
Click here to access a great one-stop resource location and be sure to avail yourself of searching through all of the links and references offered by Laura Smith.
And, as always, please share your comments on the value of the information we are suggesting for you and your organization, as well as any additional input you may have to help keep our readers in touch with this important topic.
Social Networking Threat to Business Security
March 31, 2010
Social networking has long been suspected as being a potential information security threat for business. And, in a recent Security Threat 2010 report from Sophos, it was announced that after an analysis of all the submitted survey data in this report, businesses believe that social networking poses one of the biggest threats to information security for their organizations.
The Sophos report lists the order of the top three threats from social networking to be from Facebook (the highest), followed by MySpace and Twitter. Only 4 percent of the survey results named LinkedIn as a security threat.
An article on this topic was recently written by Carrie-Ann Skinner and published on the PC World website. This article expands on the findings of the Sophos report and has some interesting links to help your business continuity and risk management team members stay current on this important security system and enterprise security risk topic. Click here to read Carrie-Ann Skinner’s article.
Another resource to add to your team’s information security risk library might be two interesting blog entries by Graham Cluley, also published on the Sophos website, entitled: (1) “Do You Support Facebook’s Proposed Privacy Policy Changes?” and (2) “Facebook Privacy Settings: What You Need to Know”.
With Facebook reported as the highest social networking potential risk to many organizations, the information provided by Graham Cluley should be required reading for those security analyst members of any company’s risk management teams responsible for writing and enforcing internal information security policies and procedures.
Click here to read blog entry #1 and click here to read blog entry #2.
All of the referenced websites above also include many connecting links that offer additional resource materials — please let us know if this referenced information has helped your organization deal with its own real-world social networking risks. Thank you.
Getting Our Storage Fix!
March 23, 2010
Many business continuity and risk management planners have covered the topic of information storage – e.g. what data do we save, how and where do we save it, and how quickly and completely can we retrieve it when needed? – as they try to include this critical IT function in their business continuity and disaster recovery plans.
One of our contributing writers, Don Byrne, has written his take on the subject of data storage and we invite you to read and comment on his article as follows:
Getting Our Storage “Fix”!
By, Donald Byrne CBCP, CDCP, CBRO-M, Lead Auditor
While the cost of data storage continues to drop at an amazing rate, the world’s appetite for this commodity is growing at a phenomenal 60% per year, according to a recent study by the research group IDC entitled “Storage is a Narcotic”.
“The more you get the more you want,” says Greg Kenley, a leading data management expert. Kenley points out that the amount of information being generated is truly staggering. Each week, the New York Times contains as much information as a typical 18th century adult would have been exposed to over the course of an entire lifetime.
Today, more information is generated in one year than was discovered in the previous five thousand and the pace of knowledge creation in some disciplines grows at near exponential rates. For example, scientific discoveries, engineering breakthroughs, medical advances, and other technological insights more than double every year.
Much of this knowledge explosion can be traced to the near ubiquitous nature of the Internet and its place in the fabric of our lives. Consider that in 1984 there were approximately 1,000 devices connected to an early version of the World Wide Web. By 1992 that number had grown one thousand-fold to 1,000,000 and by 2008 it increased to 1,000,000,000 devices. With widespread access comes increased usage. Consider, Google estimates that there are now 31 billion online searches conducted every month. In 2006, that number was 2.7 billion – an eleven-fold increase in three years!
So what is happening to all this information?
Much of it is ephemeral such as the three billion text messages sent every day. Few people have a need or interest in keeping a record of these highly abbreviated exchanges. But enough of the information is deemed worthy of filing that the storage market continues to grow seemingly without bounds. In 2010 over four exabytes (or 4,000,000,000 gigabytes) of unique information will be generated and much of it will be retained.
Incredibly, unique material may represent only one-third of the total information stored online; implying that two-thirds of computer disks are filled with redundant material, rarely accessed and often outdated. It seems that most humans are data hoarders and have much in common with the unfortunates whose compulsion to retain material eventually can crowd them out of their homes.
Perhaps it is in our nature to be storage junkies who clutter our online lives with redundant data and obsolete files. Just as narcotic addicts need enablers to help them support their habit, technology continues to deliver lower cost/high capacity devices that allow us to continue our “bad habit” without fear of exposure. Need another five hundred gigabytes? No problem, simply drop into any shopping mall and for less than $100, you can get your storage fix.
Will these technical advances eventually cause us to change our attitudes toward what constitutes good and bad storage behavior? Is it time to rethink our view of storage ethics and not view data hoarding as bad behavior but rather something akin to antique collecting?
Maybe we should reverse the question and ask “What is wrong with keeping one or more copies of everything we ever wrote, read, saw, photographed, or thought?” If it is now technically feasible never to have to delete any bit of information that you create, send or receive, why not do it?
Of course such a decision does lead to a different and currently more difficult question. If you kept everything you ever created, how would you find anything? Let me suggest we leave that question to be answered by whatever company eventually succeeds search engine giant Google.
For now, I would be content to find all my tax information.
Cloud Computing Terminology List Now Available
March 18, 2010
In a recent article written by Jody Gilbert and posted on the TechRepublic website, you will find a valuable listing of some common Cloud-related terms and their meanings.
We assume that the technology of Cloud computing has either already been a topic of discussion or else soon will be for our business continuity and risk management team members. For each of our readers’ organizations, this topic of cloud computing and cybersecurity will most likely mean something unique to each company, and, to that point, we believe that the list organized by Jody Gilbert represents a fairly good starting point and rundown of Cloud computing terms that everyone is most likely to come across.
For some business continuity planning professionals, such a terminology list may already be part of the compliance technology component written into their compliance plan(s) or compliance report(s).
Please take advantage of this list and share with us if you think the list is lacking any terminology that should be added, or if you believe there is a better way to get this kind of information out to those individuals in your organization who may already be in need of it.
CLICK HERE to read the full article on this topic.