Entries from Realtime Community | IT Compliance tagged with 'security awareness'


Community Information Security and Privacy Awareness

Today I read a nice article describing a presentation about information security, "Cyber safety tips shared"......

My Son Caught A "Hacker"!

NOTE: Just realized today is Take Your Child To Work Day so this is timely! :) My sons, 12-years-old and 9-years-old, have been with me a lot while I work in my home office over the years, and they have...

2 More Things In History That Could Have Improved Infosec & Privacy

Late last week I blogged about a question I got while at InfoTec in Omaha last week, "2 Things In Computing History That Could Have Improved Information Security and Privacy"......

Breach Notices, Securing PHI & PHR Vendor Responsibilities Under HIPAA/HITECH Act

Last Friday the US Department of Health and Human Services (HHS) released, at the last possible moment to meet their deadline, their interim final regulations to require covered entities (CEs) under the Health Insurance Portability and Accountability Act (HIPAA) and...

HIPAA Requirements Changes & Business Associates Impacts From HITECH Act

Last week I engaged in a very interesting tweetversation with David Mortman about when the U.S. Department of Health and Human Services (HHS) needs to get their guidance documents and rules published for the various HITECH Act requirements......

2 Things In Computing History That Could Have Improved Information Security and Privacy

This past Wednesday I gave a session at Infosec09 in Omaha, Nebraska. What a great event and venue! If you get a chance to attend next year, I highly encourage you to do so....

Pointers to interesting & useful information security, privacy & compliance info

I've been using Twitter for a couple of months now. I never saw the value of using Twitter before this time, and in fact had a completely different view of what it was "all about" until I actually started using...

You aren't in Kansas anymore, Toto...you're in virtual Kansas!

Oh; and, by the way, what the heck are virtual worlds? Aren't they something that only kids use?...

Measuring The Effectiveness of Information Security & Privacy Awareness & Training

I'm a longtime advocate of creating a wide range of metrics to determine the effectiveness of the various components of information security, privacy and compliance programs....

Privacy Breach Lesson: Encrypt Mobile Digital PII!

Once more, here is an example of how carelessness and/or a mistake leads to a privacy breach......

What Corporate Business Leaders Need To Know About Data Protection

The first chapter of my new ebook, "Understanding Data Protection from Four Critical Perspectives" has been published! The first chapter is "What Corporate Business Leaders Need To Know About Data Protection" and is written to an audience of CEOs and...

Pros & Cons Of Surveillance Cameras For Compliance

We had a very interesting discussion on Twitter this morning about the practice of automatically photographing license plates to use for parking, tickets, etc......

Ongoing Awareness Communications and Regular Training Are Necessary For Effective Information Security & Privacy Programs

Scott Wright over at Streetwise Security Zone graciously invited me to do a podcast interview with him to discuss information security, privacy and compliance training and awareness issues. In the last half of February I had the pleasure of taking...

HIPAA Sanctions and Convictions Will Increase with HITECH Act & New Administration

Upon reading and researching HIPAA and the impact of the HITECH Act upon it, basically broadening its applicability as well as adding new requirements for privacy breach notifications, I recently was compelled to write an article about what I foresee...

Don't let differing authority levels damage info sec, privacy & compliance collaboration

I first realized the need for information security and legal compliance areas to closely collaborate on converging issues in the mid-1990's while establishing the information security and privacy requirements for one of the first online banks. Over the past 5+...

Carnegie Mellon's CyLab Is A Great Resource

I was very happy to be invited to Carnegie Mellon University (CMU) to speak about information security and privacy convergence last month at their CyLab research and education center. It was a great experience!...

Many Motivators For Identity Theft

I've heard far too many business leaders in lesser-regulated industries, of organizations of all sizes, say something to the effect of, "Oh, we don't have any information that hackers would find of any value."...

There Are 47 US State & Territory Breach Notice Laws: 1-Page Listing

Over the weekend I did some research to make sure I am up to date with all the current U.S. state and U.S. territories breach notice laws......

Avoid Information Overload In Your Information Security & Privacy Training!

I've been reviewing some "canned" information security and privacy training offerings in the past few months, and I'm seeing that many of them are trying to dump TOO MUCH information on those taking them; learners can only absorb so much...

Cautionary Tales for Tweeting About Work

I've been using Twitter now (http://www.twitter.com/privacyprof) for three going on four weeks. I've found it to be a very great way to be in touch with the latest news and happenings, and also to get in touch with other folks...

Think and Look Before You Send that Quick Message!

Every month, and sometimes weekly, I see a privacy breach that is a result of a messaging mistake. People need to be more careful about all the types of electronic messages they are sending and not so quick to hit...

Let Your Personnel Know Their Messaging Boundaries

Here is the third part of the first article within the June issue of my "IT Compliance in Realtime" journal, "What to Tell Personnel: Messaging Security and Privacy"......

Sending Clear Text Customer Information Is Not Okay Just Because the Customer Says It's "Okay"

As a follow-up to my blog post from last Friday, here is the second part of the first article within the June issue of my "IT Compliance in Realtime" journal, "What to Tell Personnel: Messaging Security and Privacy"......

Something To Tell Your Personnel: Messaging Includes More Than Email

My June issue of "IT Compliance in Realtime" journal is hot off the press! I've heard from some of you that when I post the articles from my journal that the posts are too long. So, what I will do...

HIPAA Humor: Dumb Robber

Here's a story that gave me a bit of a chuckle, "Note leads police to robbery arrest"......

Locational Privacy...And Nonconsenting Research Subjects

Here's an interesting, relatively new, privacy (with regard to publicity any way) issue that was reported today: locational privacy......

Insider Threat Example: Coworkers Accessing Other Coworkers' Email Messages

Back in the mid-1990's, a middle manager knew that the print queue messages for all the emails in the large organization were viewable in clear text; all you had to know was which printer queue to open. He would lurk...

How To Create Information Security & Privacy Case Studies

Over the years I've done a lot of information security, privacy and compliance training and awareness activities; content creation, delivery, tools, and a large variety of other related activities. I've found doing case studies to be one of the most...

Internal Threat Example: Lending Tree Privacy Breach And Civil Suit

Last month (May 2008...yes, it is June already!) Lending Tree got slapped with a civil suit alleging their personnel allowed mortgage lenders access to customers' personally identifiable information (PII) and other confidential information. The suit charges that Lending Tree did...

Let Your Personnel And Family Know About This Phishing Scheme That Spoofs Amazon

When was the last time you warned your family members, friends and/or personnel about the new phishing schemes that are being launched? There are many phishing scams going on right now, and they are widely reported and talked about. I...

Business Leader Primer for Effective Information Disposal

I've been talking a lot lately about the need for business leaders to more effectively address the secure disposal of information, particularly personally identifiable information (PII). Why? Because it seems like more and more attention is being given to security...

BONY Loss Of Backup Tape With Unencrypted PII Is Disappointing...But Not Surprising

Late last week I communicated with Linda McGlasson about a story she was putting together for bankinfosecurity that was published today, "Bank of New York Mellon Investigated for Lost Data Tape: 4.5 Million Customers Potentially Exposed." It's a good and...

Insider Threat Example: Bank Worker Sentenced To 36 Months In Prison; + Prison Terms For Others In Cahoots

I've been doing some research for insider threat training content I'm creating, and I ran across a recent judgment against a bank employee for identity theft. This provides some good lessons to organizations for the insider threat, and would make...

More On The HHS HIPAA Compliance Activities

Today I communicated with Sue Marquette Poremba at SC Magazine for an article she published this afternoon, "Proliferating HIPAA complaints and medical record breaches." She had seen my blog posting from yesterday, "HIPAA Complaints And Associated Resolutions Since 2003," and...

HIPAA Complaints And Associated Resolutions Since 2003

The U.S. Health Insurance Portability and Accountability Act (HIPAA) has required compliance from covered entities (CEs) since 2003. The Department of Health and Human Services (HHS) is the Federal agency with regulatory oversight for compliance; with the Office of Civil...

45 U.S. Breach Notice Laws...And Still Counting

Yesterday I posted a link to my quick reference list of breach notice laws. I created that document at the beginning of this month, and Doug Markiewicz told me today in a comment to that post that there are two...

43 U.S. Breach Notice Laws...And Counting

There are currently 43 breach response laws in the U.S.; this includes the District of Columbia and Puerto Rico....

Do Your Terms Of Use Try To Gut Your Privacy Policy Promises?

I see a growing trend in organizations trying to gut the promises made in their website privacy policies through sneaky wording they place in their rarely read "Terms of Use" statements. Over the past few months I have heard from...

SEC Regulation S-P Proposals To Improve The Security Of Customer Information Within Brokerage Shops

Do you work for a brokerage house, have a subsidiary that is a brokerage house, or do any type of work with a brokerage house? If so, then you should be aware of the Securities and Exchange Commission (SEC) proposed...

CAN-SPAM: Record Judgment Along With Updated Rules

I was at the Secure360 conference (a fabulous event, btw) this week, and I'm just getting to an important current topic: CAN-SPAM. On Monday (5/12) the FTC announced an update to the Controlling the Assault of Non-Solicited Pornography and Marketing...

Addressing the Insider Threat

My May issue of "IT Compliance in Realtime" is now available! The first article I have within this issue is, "Addressing the Insider Threat." Here is the unformatted text of the article; download the PDF to get the much nicer,...

At the Secure 360 Conference

Tomorrow and Wednesday I'm doing some sessions at the Secure 360 conference in St. Paul, Minnesota. I'm really looking forward to also seeing the other sessions while here (yes, I've arrived and getting some work done in my room)!...

Happy Mother's Day!

Happy Mother's Day! It was a gorgeous day here in central Iowa! I did business work all morning, but then took off at 3:00pm, went out with my family to a restaurant we all love, and then did some gardening;...

A Couple Of Little Known HIPAA Facts

Last week I was contacted by Corey Goodman, a reporter for HCPro, about a story he is doing that sounds like it will be quite interesting! He is collecting examples and anecdotes about "little known HIPAA facts" and asked me...

Another Example Of How Internet Information Impacts Employment Decisions

I've blogged several times about how employers are increasingly using information found on the Internet to make hiring, and firing, decisions, such as here and here. I've also written about it several times, such as here. Here's another example to...

Revisiting Two Viewpoints Of Outsourcing Vendor Security

While at CSI SX last week, we covered the need to ensure business partners, to whom we outsource information processing and handling, have good security and privacy programs in place within the class I provide with Chris Grillo, "Executive Summit:...

Click Wrap Contracts: Creating Them And Agreeing To Them

There was an interesting article in this week's issue of Privacy and Security Law, "Clickwrap Notifying Software Recipients Of Pop-Up Installation Is Valid, Enforceable" (a subscription site)....

What Business Leaders Need To Know About Employee Privacy

Here it is May, and I'm just now getting all of my April IT Compliance in Realtime Journal articles blogged about! Being in Las Vegas for a week at CSI SX / Interop really put a monkey wrench in my...

Using DNA Of Family Members To Catch Criminals

I just read an interesting article, "Using kin's DNA to track suspects."...

Corporate Communications Officers Tying The Hands Of Information Security and Privacy Pros

I've been here at the CSI SX conference for the past few days, and I've had the great opportunity and pleasure of speaking with a large number of folks while here. I was finally able to meet Ron Woerner in...

P2P Security Study Released

The results of an interesting study, "The Ignored Crisis in Data Security: P2P File Sharing," performed by the Ponemon Institute and sponsored by Tiversa, were recently released on April 21. Here are a few interesting tidbits from the report......

Do We REALLY Need Doctors To Do Consultations Via Email?

A few months ago I had some lively back-and-forth blog postings with a doctor who used email and instant messaging (IM) a lot in his practice; here, here and here. Today my good friend Alec forwarded me another interesting news...

Smart Business Leaders Support Effective Log Management Practices and Necessary Resources

The second article in this month's IT Compliance in Realtime Journal is, "Smart Business Leaders Support Log Management." I wrote this with an audience of information security and privacy personnel, along with IT managers, in mind. Download the formatted PDF...

My Information Security and Privacy Convergence Webcast Now Available

Yesterday the ISSA posted on their website a free webcast I did, "Information Security and Privacy Convergence." Here is the synopsis......

Improve Program Change Controls To Reduce Incidents

Recently in my Norwich MSIA class we were discussing the importance of program change controls, and I wanted to continue the discussion here because as important as it is, it typically does not get the attention it deserves in most...

Revisiting Online Medical Information Storage Houses Points To Consistent Need For *1* Federal Privacy Law

Last fall I blogged about Microsoft's HealthVault, "Why Would You Trust Microsoft To Store Your Sensitive Health Information?" It didn't take long before Google got in on the game. Today an interesting story ran in the New York Times, "Warning...

Addressing Application Vulnerabilities With PCI DSS Log Management Compliance

The third and final paper in my PCI DSS log management compliance series is now available! I encourage you to download the much nicer-looking formatted PDF version. :) However, the following is the unformatted version of "Addressing Application Vulnerabilities with...

Great New Risk Management Document From The U.S. GAO

There is a new document from the U.S. Government Accountability Office (GAO), "STRENGTHENING THE USE OF RISK MANAGEMENT PRINCIPLES IN HOMELAND SECURITY." It includes discussions of current risk management practices from non-government industries that are really quite interesting, not to...

Privacy and Security Lost And Found

Today I've been participating in a very interesting discussion on the Security Catalyst Community about a very interesting project that Scott Wright is doing with Honey Sticks at his site. Part of the discussion led to the possibility that one...

Policy VALUE versus Policy COST

I've been doing a lot of student grading for the Norwich MSIA program, along with a lot of communications with folks new to information security and privacy over the past several years. Policy cost versus policy value has been a...

Effectively Working with IT Auditors

The April edition of my "IT Compliance in Realtime" e-journal is now available! There are three papers within this month's issue. The first is, "Effectively Working with IT Auditors." Communicating well with your IT auditors will help ensure that your...

Striving For PCI DSS Log Management Compliance Also Helps To Identify Attacks From The Outside

The second paper in my series on PCI DSS log management compliance, "Using PCI DSS Compliant Log Management To Identify Attacks From The Outside" is now available. And, as I've been blogging about over the past few days, log management...

One Word Makes A World Of Difference...To Auditors and To Practitioners

I want to continue the discussion I started yesterday. Is there a difference between "log management" and a "log management system"?...

Misquotes and Misinformation on PCI DSS Log Management

I always invite feedback and comments about my articles and books. I like to know what people have found useful as well as hear how I can improve upon my writing and see if there is any more information I...

Going Topless...I Like It!

A few weeks ago I was at a meeting for a professional organization I belong to, giving a talk about privacy breach response, and the audience was great; around 40 in attendance, all visibly listening and interested and participating. I...

Risks & Compliance: Giving Personnel Access to Their Own, And Coworkers', Records is Generally a Bad Idea

I get several questions from folks about various information security, privacy and compliance issues. I answer all I can. Most of them are great, thought-provoking questions that help to spawn a nice discussion! I recently got a very good and...

Using PCI DSS-Compliant Log Management to Identify Insider Access Abuse

Today I just finished writing the last of a three paper series, "The Essentials Series: PCI Compliance," in which I discuss and demonstrate three ways in which meeting the PCI DSS requirements for logging also benefits businesses by putting into...

This Is Business Continuity Awareness Week!

Business Continuity Awareness Week (BCAW) is March 31st - April 4; at least it is in the UK and throughout Europe. Business Continuity Awareness Week in Australia is the week from Monday, April 28th - Friday, May 2nd....

Employee Fined $13,096 for Drunken Hacking

Dan Swanson sent me this news story (thanks Dan!), which gave me a chuckle... "Employee Fined $13,000 for Drunken Hacking" A rather interesting part of his judgment:...

Who Had The Brilliant Idea To Outsource U.S. Passports?

Okay, after the recent passport files snooping debacle I found today's news story, "Outsourcing passports 'profound liability'" very ironic and concerning. Not only for the reported huge waste of taxpayers' dollars, but also for the security risks......

The Benefits of a Privacy Ombudsman

The folks from Cutter just notified me that an excerpt from a recent article I wrote, "Learning from a Privacy Ombudsman: A Case Study to Establish a Healthcare Services Ombudsman," will soon be featured in the "Quote of the Day"...

Yet Another Stolen Laptop With Clear Text Patient PII

Yet another in a long procession of laptop thefts, "Stolen laptop contains personal info of 2,500 patients". Here are the first few paragraphs......

Passport Breach: Poor Security Practices Lead To Privacy Breaches

The breach of the presidential candidates' passport files was widely reported over the past few days, such as here and here, not to mention the many postings referencing it as "passport-gate" throughout the blogosphere and the political implications. However, based...

The Emperors' New Clothes Lack Privacy

Over the past few weeks I've talked to several privacy officers and information security officers about how things are going with their initiatives, funding, and so on. Many from the financial industry, but otherwise a wide range of businesses from...

Useful Data Protection (Privacy) Law Sites

This morning I took a little time to update my long listing of world-wide data protection (privacy) laws. Here are some of them you may find helpful:...

HIPAA *HAS* Impacted Healthcare Providers...Despite Lack Of Enforcement

I have written many times about how the U.S. Department of Health and Human Services (HHS) has severely weakened the planned privacy and security goals of the Health Insurance Portability and Accountability Act (HIPAA) to require healthcare covered entities (CEs)...

Spitzer Downfall Spotlights Surveillance In Mainstream

In case you haven't heard, now ex-New York governor Eliot Spitzer recently was found to be the frequent customer of a "high end call girl service" for the past couple of years. How was he caught? Through an electronic path he...

Information Security and Privacy Areas MUST Collaborate For Their Initiatives To Be Effective

For the past several years I have written often, and given much training, to demonstrate and emphasize the need for information security and privacy areas to collaborate in their efforts. There are just too many topic overlaps between the two...

What Business Leaders Need to Know About Privacy Breach Notifications

The third article in my March e-journal issue of "IT Compliance in Realtime" is "What Business Leaders Need to Know About Privacy Breach Notifications." Here it is, unformatted:...

The "Reasonable Belief" of a Privacy Breach

The second article in my March e-journal issue of "IT Compliance in Realtime" is "The "Reasonable Belief" of a Privacy Breach." Here it is, unformatted:...

Iowa Privacy Breach Bill Has Much Of Its Teeth Pulled

Iowa introduced a new bill, SSB 3200, on February 20 to establish a state privacy breach notification law. As originally worded it would have also required merchants to follow credit and debit card industry data security rules and make them...

Twelve Messaging Risks to Address Now

The first article within the March issue of my new e-journal, "IT Compliance in Realtime" is "Twelve Messaging Risks to Address Now." Here are a few excerpts......

Warnings Of New Phishing Threat Hitting Mainstream

Recently I blogged about getting a phishing scam message that threatened my life. I was pleasantly surprised this morning to see the Iowa Attorney General's office and law enforcement warning the public about this scam here. The general public should...

My New E-Journal For March Now Available!

Remember when I mentioned in January that I would be devoting more time in 2008 to writing papers to post to this site instead of spending as much time writing long blog postings? Well, the papers I wrote in February...

Another Messaging Risk To Keep In Mind

Many of the business folks I've talked to in the past year or two are increasingly using text messaging more while doing their business. And they are using their business cell phones more for sending personal text messages. A few...

Did You Know This Was National Consumer Protection Week?

Here's another event related to compliance, information security and privacy to put on your calendar... This is National Consumer Protection Week (NCPW) in the U.S....

FREE Resource Overflowing With Great Info Sec & Privacy Articles Just Published

Long time dear friends and colleagues of mine, Tom and Justin Peltier, just published their "2007 Year in Review." It is a great, FREE, resource to add to your information security, privacy and compliance files. Here are the folks who...

3rd HIPAA Criminal Indictment; Another Insider Job

On February 15, Leslie A. Howell, from Oklahoma City, OK, was indicted for violating the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as part of an identity theft scheme....

Will Bad News Come in 3's For Health Net?

In the past several days Health Net made the news...in ways they would rather not have... First this on 2/22:...

Promoting Science and Technology

I participate in the LinkedIn community, and I was intrigued this morning to find a question posted by Bill Gates (yes Microsoft Bill)! "How can we do more to encourage young people to pursue careers in science and technology?"...

Are You Taking The Panda Security Challenge?

I was very intrigued to get an email yesterday from a security software vendor announcing a contest daring information security practitioners to find a malware-free network and they'll give you $10,000. Here's the text of the message:...

New HIPAA Security Information on the CMS website

I just got a notice from the U.S. Department of Health and Human Services (HHS)... New HIPAA Security Information on the CMS website...

Great Information Security and Awareness Event Coming In April

There's a great information security and privacy awareness event coming up, Internet Safety Night on April 23, 2008, 6:30-8:30 p.m....

Have You Reviewed the FTC's Proposed Privacy Principles Yet?

If you are responsible for information security or privacy at your organization, and your organization does marketing, here is something you need to know about and discuss with your marketing folks. I blogged about this in December....

Example privacy breach response plan

Too few organizations are prepared to respond to a privacy breach when it happens. Too many naively believe a privacy breach will not happen to them. It is helpful to look at existing privacy breach notice plans when creating your...

Educational Security Incidents Year in Review 2007

Since I'm talking about "The Anatomy of a Privacy Breach" at Berkeley today, I thought it would be timely to point out a great resource that details the very many privacy breaches that occur within colleges and universities....

The Anatomy of a Privacy Breach

Today I'm flying from the very frigid sub-zero temps of Iowa out to the University of California at Berkeley. I was invited to give a lecture, and considering the ongoing increase in privacy breaches, I chose to talk about "The...

Insider Threat: Ex-Employee Takes Files To New Employer

Here's a good article for your files, and to point out to your legal counsel to point out the very real insider threat to information security and privacy... A Massachusetts trial court recently ruled that the unauthorized transfer of electronic...

Have You Looked In Your Trash Bins Lately?

It shouldn't still amaze me, but it does, how often so many organizations just dump huge amounts of printed paper containing tons of personally identifiable information (PII) right into their dumpster sitting behind their building, in the alley, or some...

Identity Theft #1 Consumer Fraud Complaint To FTC in 2007

This week the FTC released the list of the top 20 consumer fraud complaints they received in 2007. Not surprisingly, identity theft topped their list, accounting for 32% of all the complaints....
