2008
Top 10 Employee Security Gaps to Plug Right Now
Current: If it seems that companies
aren’t learning anything from the front-page security mistakes of
competitors, take heart: Consultants and security experts are.
Based on their experience and observations, here are 10 security
gaps the experts have observed over and over, along with advice
for addressing them.
Moving Targets: The Risk of Mobile Devices
Current: "[Businesses face] an
increasing amount of data with greater and greater value, most of
which is created electronically [and] never makes it to paper,
dwells in a variety of places, and increasingly is on smaller and
smaller computing devices, like laptops and PDAs, making
management that much more challenging and failures that much more
likely," he says.
Kahn is founder and principal of
Kahn Consulting, a consulting firm specializing in legal,
compliance, and policy issues of business information and IT.
All of the factors Kahn cites are
combining to create a potential nightmare for any company using
mobile devices without solid controls in place—and that,
unfortunately, describes all but a very few companies.
Access Control: 10 Best Practices
Current: Properly implemented,
access controls only give employees access to the applications
and databases they need to do their jobs. At many regulated
organizations, such controls are too often manual, outdated, and
largely ineffective. Here’s how to overhaul your access control
program.
Encryption Isn’t Enough: Five Vital Protection Steps
Current: While still considered the
most crucial aspect of data protection, encryption alone will no
longer keep your data safe from hackers and thieves. If
businesses don’t develop a multi-faceted arsenal of security
weapons, they are easy targets for data theft.
Encryption is a powerful weapon in
the CIO’s data protection arsenal. But the multi-faceted threats
that abound today show that it is not, by itself, enough to
reliably protect your data.
JANUARY 2008: From the perspective of employees, electronic
monitoring by employers involves important privacy concerns. Electronic
monitoring allows an employer to observe what employees do on the job and
review employee communications, including e-mail and Internet activity,
often capturing and reviewing communications that employees consider
private.
2007
Information Security Standards: The 10 Keys to Protecting Your Network
DECEMBER 2007: Information is now
the crucial asset for many companies. Thus, competitive,
operational and compliance factors demand that extraordinary steps
be taken to protect data from being compromised, either accidentally
or maliciously. The following are 10 key components to ensuring
the security of network data.
Confronting the emerging threat: auditors can help their organization craft a multifaceted approach to preventing information security breaches
OCTOBER 2007: "Data breach" has
become the catch-all phrase used to describe the endless drumbeat
of information security incidents in recent years. Although this
term may be interpreted in many ways and used in a variety of
contexts, it causes a universal reaction: fear. While it is
difficult to measure the damage that data breaches cause,
organizations exposed to a publicized database intrusion, laptop
theft, or similar incident experience diminished customer
confidence and the accompanying consequences. Individuals
victimized by identity theft due to a data breach spend years
attempting to resolve the harm done to their credit histories and
are often unable to fully reclaim their privacy. The
proliferation of data collection by organizations in all
industries and sectors, coupled with the increasingly
sophisticated tactics used by those seeking to steal sensitive
information, has forced organizations to confront this emerging
threat directly.
IT professionals pessimistic about privacy and data security
AUGUST 2007: Organizations are not doing enough to monitor
databases for suspicious activities and to prevent data loss,
according to two recent studies by the Ponemon Institute, a
privacy and data protection research and education firm based in
Traverse City, Mich. Database Security 2007: Threats and
Priorities Within IT Database Infrastructure concludes that IT
professionals face incredible challenges in securing sensitive
data. Additionally, the survey--completed by 649 respondents in
corporate IT departments worldwide--reports that there is a
significant organizational disconnect between knowledge of the
threat and urgency in addressing the threat. The study was
commissioned by information security firm Application Security
Inc.
Keeping Secrets
JULY 2007: How to protect
your computer from snoops and spies
You may be
able to keep a secret, but how confident are you that your computer
is up to the task?
As a
CPA, you’re entrusted with loads of confidential information, and
your professional reputation depends on your discretion. But your
computer may be vulnerable to someone accidentally or maliciously
prying into or tampering with that confidential data.
This
article examines the dangers and ways to make your information more
secure. Notice I say more secure because security is a
relative condition: The higher the security, the harder it is for a
meddler or a crook to access it; but it also becomes more difficult
for you to access. So, as a practical matter, you probably need a
level of security that keeps out the innocent meddler and all but
the most determined and sophisticated intruder—yet still gives you
access with relative ease.
What Every IT Auditor Should Know About Auditing Information Security
2007: Much has been written about
information security and how to manage or audit it. The approach to
auditing any specific information technology (IT) is similar in the
nontechnical aspects: IT auditors complete a risk assessment based
on some "model" of that IT. For information security management and
audits, a commonly used model is confidentiality, availability and
integrity (CAI). These characteristics of information are
considered those most commonly protected.
Herein, this model will be referred to as the information security
(infosec) triangle.
2006
Security Roundtable
September 2006: What do the experts
think of The Global State of Information Security 2006 survey
results? Washington Bureau Chief Allan Holmes asked them.

Five Steps to IT Risk Management Best Practices
JULY 2006: As individuals,
corporations, and our economy grow increasingly dependent on the
Internet and IT systems, the risks in these systems become far
more visible and significant. Breaches or failures of information
systems cause serious business crises, including reputation
damage caused by identity theft, business losses stemming from
system failures and regulatory restrictions arising from
compliance issues.
The rate of recovery from these
events is a contributing factor in the severity of the business
crises. A recent study by Oxford Executive Research found that
companies that recovered quickly from major operational disasters
increased their share price by 5% on average versus the market.
Companies that struggled to regain their operations took a 20%
drop in relative value. From this research, it appears that
investors factor a company's resilience to adversity into its
stock price.
It is clear to see why corporate
executives in boardrooms around the world want answers to the IT
risk question.
Computer Fraud And Abuse Act: Another Arrow In The Quiver Of An Employer Faced With A Disloyal Employee - Part II
JUNE 2006: In International Airport
Centers, L.L.C. v. Citrin, decided in March, the Seventh Circuit
Court of Appeals examined the difference between "without
authorization" and "exceeding authorized access" under the Computer
Fraud and Abuse Act ("CFAA") and held that, while it is "paper
thin" it is "not quite invisible."
Computer Fraud And Abuse Act: Another Arrow In The Quiver Of An Employer Faced With A Disloyal Employee - Part I
MAY 2006: The days when a disloyal
departing employee would sneak into the office at night and, by the
light of a flashlight, pack up a briefcase full of documents
containing his employer's trade secrets and other confidential
information in order to start up a competing business or to give
them to his new employer have, for the most part, passed. Today,
that same employee may download the same information off the very
laptop his employer provided to him to do his job or he may email
it from the office during lunch or via remote access from the
comfort of his home, while watching American Idol.
While the tools available to the
disgruntled employee have multiplied as a result of the computer
revolution, the oft-used arrows in the quiver of the employer -
such as filing for immediate injunctive relief based on theories of
breach of restrictive covenants, breach of duty of loyalty,
misappropriation, conversion, unfair competition, tortious
interference - may be supplemented with a claim under the less
familiar and infrequently used Computer Fraud and Abuse Act ("CFAA").
2005
Opportunities for computer crime: considering systems risk from a criminological perspective
DECEMBER 2005: Systems risk refers to the
likelihood that an Information System (IS) is inadequately
protected against certain types of damage or loss. While risks are
posed by acts of God, hackers and viruses, consideration should
also be given to the 'insider' threat of dishonest employees,
intent on undertaking some form of computer crime. Against this
backdrop, a number of researchers have addressed the extent to
which security managers are cognizant of the very nature of systems
risk. In particular, they note how security practitioners'
knowledge of local threats, which form part of such risk, is often
fragmented. This shortcoming contributes to situations where risk
reducing efforts are often less than effective.
Creating and Enforcing an Effective Information Security Policy
NOVEMBER 2005: Two years ago, several
Internet worms impacted business in a way that had never been seen
before. Slammer, SoBig, Blaster and other fast-spreading worms
leveled networks at private and public organizations and disrupted
services on a global scale. Yet these threats pale in comparison to
the potential dangers of future Internet attacks.
In the future, Warhol threats are
likely to emerge with the ability to spread across the Internet,
infecting vulnerable systems in 15 minutes or less.
For the prevention of dangerous
security threats and also for compliance to a variety of industry
and federally mandated standards, corporations need to implement a
proactive information security strategy. The first step to execute
this strategy should be to create a solid, enforceable security
policy.
Best Practices for Establishing an Effective Workplace Policy for Acceptable Computer Usage
NOVEMBER 2005: Providing virtually
unconstrained access to technology tools in the workplace puts
many human resource (HR) departments in a quandary. On one hand,
their dramatic benefits necessitate that employees have broad
access to computing resources. On the other, employees' use of
internal computer resources—including e-mail, the Internet and
software applications—can open an organization to a host of
risks, including security breaches, lost productivity, wasted
computer resources, e-viral infections, business interruption,
and civil and criminal lawsuits.
While controlling the usage of
information technology and communication resources is only one
aspect of e-business security, it is clearly one of the most
important.
Data Secured? Taking on Cyber-Thievery
OCTOBER 2005: When hackers broke into
the network of CardSystems Solutions, a credit card payment
processor, last June, it was not just another example of failed
data security. By gaining access to more than 40 million
MasterCard, Visa, American Express and Discover credit card
accounts, these criminals were responsible for what may be the
largest data security breach to date. And for CardSystems, the
fallout has been severe. In the wake of the incident, California
consumers and retailers filed a class-action lawsuit against the
processor, as well as MasterCard and Visa, for violating state law
by failing to properly secure their network and by failing to
quickly notify consumers of the breach after it occurred. Two of
CardSystems' largest clients, Visa and American Express, then
dropped the processor entirely. So as a result of their failure to
adequately protect customer data, CardSystems has said that it now
faces "imminent extinction."
Unfortunately, these occurrences have
become all too common.
2004
Computer Monitoring and Surveillance
JULY 2004: Information security and
employee privacy are important issues facing all organizations.
E-mail monitoring software will grow significantly in the next five
years, from $139 million in sales (2001) to $662 million (2006),
according to International Data Corp. (IDC). Federal legislation
mandates that companies actively safeguard personal information.
Standards established by the Federal Trade Commission (FTC) focus
on maintaining the security and confidentiality of personal records
and information, protecting against internal and external threats
to the security or integrity of such records, and protecting
against unauthorized access or use of personal records.
Whereas past information security
efforts centered on protecting systems from external threats (e.g.,
computer hackers), the risk of internal threats to personal
information has spawned both new legislation and new market
opportunities.
The Weak Link in IT Security
JULY 2004: Increasingly powerful IT
applications have become the mainstay of modern business
technology. The risk of viruses, unauthorized data access and
electronic vandalism, however, all make strong IT security a must. But no
matter how many passwords are implemented or how many firewalls are
built, the culprit most likely to crash a company's system is the
one least expected: the company's own employees.
The Five Pillars of Information Security
JULY 2004: Establishing an
information security program is much like building a large
structure; for both, you need a solid foundation without which the
entire effort will crumble. When establishing a system for
information security, that foundation needs to rest on five crucial
risk management practices, or pillars: protection, detection,
reaction, documentation and prevention.