Entries from Realtime Community | IT Compliance tagged with 'insider threat'


Don't Manage Employee Online Activities By Requiring Their IDs & Passwords!

I read a story about a city government agency actually asking job applicants to provide their IDs and passwords for any online social networking type of site they participate in......

Healthcare Worker Gets 1 Year In Prison For Posting HIV Victim's Medical Records On Internet

Today a report discussed how a healthcare worker obtained medical information about a patient with HIV that was then posted on the Internet......

Insider Threat: Horrible Tragedy Highlights Need For Policies & Training

I got the June 1 issue of Newsweek today, and something that's bothered me ever since I first heard about it was on page 4......

HIPAA Company-Applied Sanction: Hospital Employee Fired For Snooping Through 431 Patient Files

I thought it would be a good follow-up to my post from Saturday to point out a recent instance for how HIPAA covered entities (CEs) are applying their own organizational sanctions against personnel who violate their information security and privacy...

Another HIPAA Felony Conviction; 8 To Date

Yesterday a lawyer asked me if there had been any more HIPAA sanctions or convictions from the list I posted a few months ago in August. I hadn't seen any, but I thought I'd do a bit of checking since...

Business Info Fact Of The Day: Insiders Are Huge Information Security Threat

According to a new Cisco study:...

Insider Threat Example: 19,000 Pieces Of Computer Equipment Stolen; Why Didn't Someone Notice?

Okay, this story begs the question, why didn't someone at the Naval Research Laboratory notice disappearing equipment...?...

Insider Threat & More Examples Related To Putting Info on the Internet

Here are some more examples of the dumb things that folks (often times folks within your organization) put on the Internet that had some bad repercussions...remember, once you put something on the Internet, even for a short period of time,...

Insider Threats Even More Significant During Down Economy

I've written a lot about the insider threat, and the many different motivations for insiders to do malicious things (in addition to the other two types of insider threats of mistakes and lack of awareness). Here are a couple of...

Email "Hack" Tells University Students & Staff That U.S. President Vote Is "Tomorrow"

Here's another email incident example to add to your files......

The Insider Threat For Identity Theft: Watchout For Dead-Beat Parents

Here's a story that points to how vulnerable people are to identity theft and other types of crimes and frauds from slimy family...and ex-family...members......

Insider Threat Example: Obama's Campaign Folks Make Email Mistake

No matter how much technology you throw at trying to prevent security incidents, the weakest link in the organization, your personnel (who could be your strongest link with effective training and ongoing awareness) can defeat that security technology. On purpose,...

The Power of Logs: IRS Examiner Sentenced & Fined For Accessing PII Without Authorization

Now, here's a great example of an organization actually following through on their procedures to review access logs, and then to apply sanctions and take necessary other actions in response to non-compliance with not only organizational policies, but also with...

Laptop Containing PII of 1 Million+ People Sold On eBay for $141

I've been doing a lot of work with data retention and disposal policies and procedures lately, remembering the silly things I have read about with regard to organizations getting rid of their computers, such as selling their computers on eBay...

Insider Threat Examples & 7th HIPAA Criminal Conviction

Yesterday I read about the 7th criminal conviction and sentencing that has been given under HIPAA, "Woman gets 14 months in ID theft case."...

Insider Threat Example: San Fran IT Employee Exploits Poor Security Practices

Okay, why would a large city like San Francisco make such a silly, preventable mistake like allowing one employee to be able to establish a super user type of account and then lock everyone else out of the government network?...

Insider Threat Example: Coworkers Accessing Other Coworkers' Email Messages

Back in the mid-1990's, a middle manager knew that the print queue messages for all the emails in the large organization were viewable in clear text; all you had to know was which printer queue to open. He would lurk...

Insider Threat Example: Bank Worker Sentenced To 36 Months In Prison; + Prison Terms For Others In Cahoots

I've been doing some research for insider threat training content I'm creating, and I ran across a recent judgment against a bank employee for identity theft. This provides some good lessons to organizations for the insider threat, and would make...

Addressing the Insider Threat

My May issue of "IT Compliance in Realtime" is now available! The first article I have within this issue is, "Addressing the Insider Threat." Here is the unformatted text of the article; download the PDF to get the much nicer,...

Risks & Compliance: Giving Personnel Access to Their Own, And Coworkers', Records is Generally a Bad Idea

I get several questions from folks about various information security, privacy and compliance issues. I answer all I can. Most of them are great, thought-provoking questions that help to spawn a nice discussion! I recently got a very good and...

Using PCI DSS-Compliant Log Management to Identify Insider Access Abuse

Today I just finished writing the last of a three paper series, "The Essentials Series: PCI Compliance," in which I discuss and demonstrate three ways in which meeting the PCI DSS requirements for logging also benefits businesses by putting into...

Insider Threat: Ex-Employee Takes Files To New Employer

Here's a good article for your files, and to point out to your legal counsel to point out the very real insider threat to information security and privacy... A Massachusetts trial court recently ruled that the unauthorized transfer of electronic...

U.S. DoD Workers Give Military Secrets To China

Here are two more insider threat incident examples to put into your files and use within your information security and privacy training curriculum and awareness communications:...

Insider Threat: Worker Deletes 7 Years of Files; Lesson? Make Backups!!

Here is another example of what a worker, entrusted with access to business files, can do...and also provides a lesson about business continuity... I just watched a CNN clip, "Cyber Sabotage" that provides a very good example of how costly...

Insider Threat Example: Programmer Sentenced To 30 Months In Jail And $81,200 Fine

Here's a case I blogged about almost exactly a year ago, but it is worth revisiting since the sentencing for the crime was just handed down and it was significant. If you haven't already, put this in your file of...

California Privacy Breach Law Changes Go Into Effect January 1, 2008: Redefines & Broadens "Personal Information" Definition

California's privacy breach notification law SB1386 started the ball rolling with regard to what is now at least 40 U.S. states, including the District of Columbia, that have breach notice laws. Most of the subsequent state laws largely based theirs...

Insider Threat, the Value of Computer Logs & the Need for Consistent Policy Enforcement

In recent years many organizations have implemented the use of computer logs on their networks to be in compliance with multiple laws. However, here's a perfect example of the value of computer logs beyond just to be in compliance; using...

Insider Threat Lessons: Posting Threats And Personnel PII On The Internet Establishes Federal Jurisdiction

Here's another insider threat example to know and to discuss with your legal counsel and HR folks. It highlights the need for information security and privacy policies, shows how information security and privacy must work with multiple areas on an...

Microsoft's Charney Agrees That Information Security and Privacy Pros Must Work Together

Yesterday (Wednesday) was the final day of the IAPP Privacy Academy, and it was a great conference for me! I have been preaching about information security and privacy collaboration within a 2-day training seminar over the past 2 years, so...

Average Cost of ID Theft Per Victim is $31,356

Finally, a report that looks much more accurate with regard to how much identity theft costs the VICTIMS of a privacy breach. Most reported victim costs that I have seen in the past seemed much too low considering all the...

Data Will Always Be Less Safe In The Future...I Don't Want To Get Gussied Up To Talk On The Phone

I have a blog problem...there are way too many things I want to blog about and not enough hours in the day to do it! Throughout each day I note news items from the TV, or website news articles, or...

New FTC Report Provides Organizations Good Guidance For Protecting PII

Today the U.S. Federal Trade Commission (FTC) released a report, "Combating Identity Theft: Implementing a Coordinated Plan."...

Insider Threat: Contractor Sabotages Space Shuttle Endeavour

It feels like I've been writing a lot about the insider threat lately, but then again, it seems I read about a new incident caused by insiders almost daily. So much time, effort and money is spent on keeping the...

Insider Threat and Cowboys: The Wall Street Journal Tells Your Personnel How To Get Around Your Security

Oh, boy, reading this Wall Street Journal story, "Ten Things Your IT Department Won't Tell You" brought back some memories of personnel who went to great lengths to get around security requirements!...

Insider Threat Example: Payroll Employee Threatens To Illegally Use Other Employees' PII If Not Given a Good Review

Here's another example of the insider threat similar to situations that I've heard of happening many times throughout the years through conversations with folks at conferences and other professional meetings....

Medical Identity Theft and Bill Requiring Criminal Background Checks In LTC Facilities

I have had relatives very close to me who, because of degenerative diseases and medical problems, have had to go to long term care (LTC) facilities. I always worried about the care they were receiving when I was not around....

Another Study Supports The Need for Awareness and Executive Support

I'm always interested to read survey results related to information assurance. Of course the readers need to take the interpretations and summaries with a grain of salt; very few surveys are statistically representative of all organizations....

It's Hard to Keep Secrets When You Entrust Them To Others

When you entrust sensitive information to a contracted company or individual, you are also accepting risk. If you do not perform due diligence to ensure your contractor has effective safeguards in place, and understands that your information is sensitive, and...

The Eyes of IT are Upon You! Curiosity Often Trumps Do The Right Thing According to New Study

At a company I did work for there was a middle manager in the IT area who liked to be the person "in the know." At meetings he always would talk about ideas or plans that otherwise he should not...

Insider Threat Example: Leaked Clinton Memo Provides At Least 5 Good Security Lessons

Mid-last week it was widely reported, probably more so in the national news than here in Iowa, that one of Hillary Clinton's top campaign folks had written a memo to her urging her to skip Iowa and focus on other...

Insider Threat Example: Ex-Coca-Cola Employees Sentenced to Prison For Trying To Sell Trade Secrets To Pepsi

An article broke yesterday that closely mirrors one of the discussion topics within the Human Factors seminar that I teach for the Norwich University MSIA program....

Insider Threat Example: Engineer Leaks U.S. Military Secrets

There has been a lot of talk and blogging recently about whether or not there is a need for an information security industry/profession. Um sure, and there is no need for the physical security industry/profession either, is there? As long...

SMBs, Identity Theft & Insider Threat: Bad SMB Security Impacts Organizations of All Sizes

There are many articles written about the insider threat, several have been done, and often the focus is on large organizations where those employees with malicious intent are often either in positions of trust way down in the org chart,...

Insider Threat Example: Former Wal-Mart Employee Spied Because His Managers Told Him To

I have seen organizations where management and staff members were so fixated on protecting the company, to the disregard of observing laws and complying with policies, that they ended up doing completely inappropriate actions that involved infringing on privacy and...

Insider Threat Example: Wal-Mart Fires "System Technician" for Snooping On Text Messages and Taping Phone Calls

Today CNN reported Wal-Mart fired a systems technician who was "intercepting text messages of people who were not Wal-Mart employees and for recording telephone conversations with a New York Times reporter without authorization."...

Insider Threat Example: Medco Employee Indicted for Planting Computer Logic Bomb

On December 19, 2006, a computer systems administrator, Andy Lin, for Medco Health Solutions, Inc. was indicted by a federal grand jury in the U.S. District Court for the District of New Jersey for attempting to disable his employer's corporate...

U.S. Naval War College Network and Website Still Down From Hack Over Two Weeks Ago

Tuesday Silicon Valley reported the U.S. Naval War College's network and website had been down for over two weeks as a result of a hacker. The hacker apparently didn't take the site and network down, but the Navy Cyber Defense...
