In today’s high-tech world, maintaining the privacy and protection of customers’ and employees’ information grows more and more difficult, particularly for many financial institutions. These days scammers are getting bolder and more brazen in their efforts to get personal information from banking customers as they aggressively target the smaller, locally owned community financial institutions. In fact, a recent customer reported that a complex, malicious, and targeted attack took place against their institution’s customers and employees. A well-recognized phishing activity trends website reported that financial institutions saw a continuing rise in phishing activity, with 92.5% of attacks targeting financial institutions. On average, a phishing site stays online for 3.8 days. The number of days online matters because the longer a site remains up, the more opportunity the scammer has to gather personal information. It is imperative that we
There’s an interesting section in the Wikipedia entry for Acceptable Use Policies called “Is an AUP the best approach?” here.
Here’s an excerpt:
In a well-respected essay on the topic of AUP documents, Dave Kinnaman raises the issue as to whether writing and enforcing AUP documents is the right way to approach the governance of how Internet connections are to be used at school, at work or in people’s own free time.
In this essay he raises the question with the perspective that the Internet is no different from anywhere we use 3rd party property. Do we write a “users guide” to go to a school, or do we write a user’s guide to shopping in the shopping mall? No, and why we do not is because we are educating young adults to behave in certain ways when at the shopping mall, or at school, or in the library.
Businesses should have a good AUP document that, according to visionGateway, a business implementing secure networks for businesses, should cover the business legally in any situation that the business might need to take to protect its interests. Also privacy and individual rights need to be addressed.
So the question is, do we teach our students at school and encourage our employees at work to maintain self-control, or do we explicitly outline acceptable use policies? Possibly both AUPs and self-control can be encouraged and when used together it could bring the best outcome for both organisations and individuals.
I think it’s an interesting question, but in the end your auditors are going to ask for your AUP. If you don’t have one they’ll probably tell you to get one.
I really like the easy-to-read-and-understand customer data security policy from ING Direct here.
I wish more companies wrote such simple and clear policies.
Here’s an excerpt:
We take every reasonable precaution to protect your information. When you submit information to us through our web site, your information is protected both on-line and off-line. All data transferred to/from the ING DIRECT internal network, from/to an external entity, is encrypted to industry standards (128 bit encryption). Please keep in mind that messages you send to us by Internet e-mail may not be secure. Do not send us any confidential or personal information by Internet e-mail. We maintain appropriate physical, electronic and procedural safeguards to ensure the security, integrity and privacy of your personal information within our company. Only those employees who require your personal information to perform a specific job are granted access to your personally identifiable financial information. Furthermore, all employees are kept up-to-date on our security and privacy practices. If you have any questions about the security of your information at ING DIRECT, you may contact us at 1-800-ING-DIRECT (1-800-464-3473), or at the following address: ING DIRECT, 1 South Orange Street, Wilmington, Delaware 19801.
If you’re planning on deploying Windows Vista, make sure you follow the Windows Vista Security Guide available from Microsoft Technet here.
This is a description of the hardening guide:
This guide focuses on how to help create and maintain a secure environment for desktop and laptop computers that run Windows Vista. The guide explains the different stages of how to secure two different environments, and what each security setting addresses for the desktop and laptop computers deployed in either one. The guide provides prescriptive information and security recommendations.
Here are the chapters:
Chapter 1: Implementing the Security Baseline
Chapter 2: Defend Against Malware
Chapter 3: Protect Sensitive Data
Chapter 4: Application Compatibility
Chapter 5: Specialized Security – Limited Functionality
Appendix A: Security Group Policy Settings
In particular, the Auditor General said that the security policy doesn’t include a disaster recovery plan.
Even if you work in a company you can expect that auditors are going to look for a disaster recovery policy and disaster recovery plan in your corporate security policy.
The educause.edu site has a chapter from the book Computer and Network Security in Higher Education here.
It does a good job of describing how university security policies should be written.
Here’s an excerpt:
If the goal of institutional policies is to direct individual behavior and guide institutional decisions, then the effectiveness of formal policy statements will depend on their readability and usefulness. Many colleges and universities suffer from the lack of a common and consistent approach or format for writing organizational policies. Policy development is often confused and sometimes derailed because of the misunderstanding and misuse of terms with important meanings to a professional policy administrator, legal counsel, and others.
You can download an archive copy of the chapter here.
The IT Security group at the California Department of Technology Services (DTS) has a security incident response presentation here that describes their incident response plan.
This presentation includes a couple of scenarios where they demonstrate how to implement the Security Incident Lifecycle:
Over the weekend, a group of hackers began claiming to have broken into T-Mobile USA servers, but this wireless phone company says it has no evidence that this group actually has the customer data it claims to. [Link]
T-Mobile confirmed today that confidential internal information obtained by hackers was stolen from T-Mobile's servers, but said that it doesn't appear that customer data has been breached. [Link]
The Information Commissioners Office (ICO) has found insurer Amicus Legal in breach of the Data Protection Act after the firm reported an unencrypted laptop was stolen containing personal information relating to 100,000 customers. [Link]
T-Mobile issued the following statement regarding reports of a breach in its data systems. "To reaffirm, the protection of our customers' information and the security of our systems is paramount at T-Mobile. Regarding the recent claim on a Web ... [Link]
But denies its significance. T-Mobile confirmed that internal information posted on the Internet by hackers was stolen from its systems, but said it does not appear customer data is in jeopardy. [Link]
T-Mobile confirmed on Tuesday that internal information posted on the Internet by hackers was stolen from its systems, but said it does not appear customer data is in jeopardy. [Link]
IDG News Service - T-Mobile confirmed today that internal information posted on the Internet by hackers was stolen from its systems, but said it does not appear customer data is in jeopardy. [Link]
Mobile network investigating forum claims T-Mobile is investigating claims that internal data has been stolen from the mobile network's servers. [Link]
A group of hackers claims to have completely cracked T-Mobile's network in the US, and stolen proprietary operating data, customer databases and financial records. [Link]
A group of hackers is claiming to have completely cracked T-Mobile's network in the United States and stolen proprietary operating data, customer databases and financial records. [Link]
Iain Thomson in San Francisco, vnunet.com , Tuesday 9 June 2009 at 02:34:00 Group claims to have completely cracked T-Mobile A group of hackers claims to have completely cracked T-Mobile's network in the US, and stolen proprietary operating data, customer databases and financial records.... [Link]
A security expert at Cyber Infrastructure Protection '09 revealed that most data breaches occur in places on the network that are not monitored or secure. Knowing your network well enables you to block many of these attacks. [Link]
p2pnet news view Mobiles | Security: There’ve been unconfirmed reports of massive T-Mobile breaches, says p2pnet World Headlines compiler Marc, citing Channelinsider, the first being: Early reports indicate that hackers have penetrated the T-Mobile U.S. network and stolen proprietary operating data, customer databases and financial records. According to a post on insecure.org, [...] [Link]
Trend Micro on Monday announced LeakProof 5.0, designed to reduce the complexity and cost often associated with the discovery, monitoring and blocking of sensitive enterprise data. New features are built around the Active Update service and language-independent fingerprinting technology the company calls "DataDNA." Leakproof 5.0 will be available June 22. [Link]
EMC, RSA, VMware and Intel have announced a new collaboration to introduce a framework encompassing security and compliance for cloud computing in the enterprise space. by Kevin Kwang ZDNet Asia [Link]
The Large Hadron Collider, the world's largest particle accelerator, is to restart on Monday following a technical break and glitches in the machine. by Tom Espiner ZDNet UK [Link]
Google has launched a tool to help people locate friends and loved ones who might have been affected by the 8.8 magnitude earthquake in Chile on Saturday. by Steven Musil CNET News [Link]
Skype has announced it is pulling Skype for Windows Mobile phones and Skype Lite for Java handsets, including Android. by Jessica Dolcourt CNET News [Link]
Mozilla has officially decided that the next major version of Firefox will require at least Mac OS X 10.5 when running on Apple computers. by Stephen Shankland CNET News [Link]
The Internet is moving away from being a data transportation and messaging platform, into a space filled with integrated rich-media content, according to Cisco Systems. by Kevin Kwang, ZDNet Asia [Link]
An Italian court handed out guilty verdicts on Wednesday for three of four Google executives charged in a case concerning a YouTube video posted of a teenager with Down Syndrome. by Stephen Shankland CNET News [Link]
The speed of technology advancements and rapid pace of today’s business environment often force companies to rely on an application long after it has ceased to provide maximum value, says Keane's Walid Farha. by Walid Farha, Keane, Special to ZDNet [Link]
Neither regulations nor security threats are going away but the right approach to compliance and risk management can be less expensive than the way most organizations tackle these situations today, says Novell's Jay Roxe. by Jay Roxe, Novell, Special to ZDNet [Link]
Today, with a lagging economy, those charged with finding savings within their organizations wonder if opportunities to reduce costs still exist; and if so, where they can be found, says Al Subbloie CEO of Tangoe, Inc. by Al Subbloie, Tangoe, Inc., Special to ZDNet [Link]
Bloom Energy claims its invention, a little power plant-in-a-box you can literally put in your backyard, is a power source that's inexpensive and clean, with no emissions. by CBS Interactive Staff [Link]
Mozilla has released fixes for five security holes in older versions of Firefox, while a security company has warned of a zero-day flaw in the latest version of the popular browser. by Matthew Broersma [Link]
More than 74,000 PCs at nearly 2,500 organizations around the world were compromised over the past year-and-a-half, in a botnet infestation designed to steal login credentials to bank sites, social networks and email systems. by Elinor Mills CNET News [Link]
The US International Trade Commission said it will launch an investigation into whether Apple's iPhone and Research In Motion's BlackBerry infringe on a Kodak patent. by Daniel Terdiman CNET News [Link]
Google has made a $2 million donation to the Wikimedia Foundation, the group behind the widely used Wikipedia reference site. by Stephen Shankland CNET News [Link]
Dale Begg-Smith, the former world-champion mogul skier, is almost as well known for reports about his involvement with adware, browser pop-ups, and other detritus of the seamier side of the Internet. by Declan McCullagh CNET News [Link]
Although Apple does not currently accept rival browsers onto the iPhone platform, Opera claims its browser runs 6 times faster than Apple's Safari over 3G networks. by David Meyer ZDNet UK [Link]