In today’s high-tech world, maintaining the privacy and protection of customers’ and employees’ information grows more and more difficult, particularly for financial institutions. These days scammers are getting bolder and more brazen in their efforts to obtain personal information from banking customers, and they aggressively target smaller, locally owned community financial institutions. In fact, a customer recently reported a complex, malicious, and targeted attack on their institution’s customers and employees. A well-recognized phishing activity trends website reported that financial institutions saw a continuing rise in phishing activity, with 92.5% of attacks targeted at financial institutions. On average, a phishing site stays online for 3.8 days. The number of days online matters because the longer a site remains up, the more opportunity the scammer has to gather personal information. It is imperative that we
There’s an interesting section in the Wikipedia entry for Acceptable Use Policies called “Is an AUP the best approach?” here.
Here’s an excerpt:
In a well-respected essay on the topic of AUP documents, Dave Kinnaman raises the issue of whether writing and enforcing AUP documents is the right way to approach the governance of how Internet connections are to be used at school, at work or in people’s own free time.
In this essay he raises the question from the perspective that the Internet is no different from anywhere else we use third-party property. Do we write a “user’s guide” to going to school, or a user’s guide to shopping in the shopping mall? No, and the reason we do not is that we educate young adults to behave in certain ways when at the shopping mall, at school, or in the library.
Businesses should have a good AUP document that, according to visionGateway, a business implementing secure networks for businesses, should cover the business legally in any situation that the business might need to take to protect its interests. Also privacy and individual rights need to be addressed.
So the question is, do we teach our students at school and encourage our employees at work to maintain self-control, or do we explicitly outline acceptable use policies? Possibly both AUPs and self-control can be encouraged and when used together it could bring the best outcome for both organisations and individuals.
I think it’s an interesting question, but in the end your auditors are going to ask for your AUP. If you don’t have one they’ll probably tell you to get one.
I really like the easy-to-read-and-understand customer data security policy from ING Direct here.
I wish more companies wrote such simple and clear policies.
Here’s an excerpt:
We take every reasonable precaution to protect your information. When you submit information to us through our web site, your information is protected both on-line and off-line. All data transferred to/from the ING DIRECT internal network, from/to an external entity, is encrypted to industry standards (128 bit encryption). Please keep in mind that messages you send to us by Internet e-mail may not be secure. Do not send us any confidential or personal information by Internet e-mail. We maintain appropriate physical, electronic and procedural safeguards to ensure the security, integrity and privacy of your personal information within our company. Only those employees who require your personal information to perform a specific job are granted access to your personally identifiable financial information. Furthermore, all employees are kept up-to-date on our security and privacy practices. If you have any questions about the security of your information at ING DIRECT, you may contact us at 1-800-ING-DIRECT (1-800-464-3473), or at the following address: ING DIRECT, 1 South Orange Street, Wilmington, Delaware 19801.
If you’re planning on deploying Windows Vista, make sure you follow the Windows Vista Security Guide available from Microsoft Technet here.
This is a description of the hardening guide:
This guide focuses on how to help create and maintain a secure environment for desktop and laptop computers that run Windows Vista. The guide explains the different stages of how to secure two different environments, and what each security setting addresses for the desktop and laptop computers deployed in either one. The guide provides prescriptive information and security recommendations.
Here are the chapters:
Chapter 1: Implementing the Security Baseline
Chapter 2: Defend Against Malware
Chapter 3: Protect Sensitive Data
Chapter 4: Application Compatibility
Chapter 5: Specialized Security – Limited Functionality
Appendix A: Security Group Policy Settings
In particular, the Auditor General said that the security policy doesn’t include a disaster recovery plan.
Even if you work in a company you can expect that auditors are going to look for a disaster recovery policy and disaster recovery plan in your corporate security policy.
The educause.edu site has a chapter from the book Computer and Network Security in Higher Education here.
It does a good job of describing how university security policies should be written.
Here’s an excerpt:
If the goal of institutional policies is to direct individual behavior and guide institutional decisions, then the effectiveness of formal policy statements will depend on their readability and usefulness. Many colleges and universities suffer from the lack of a common and consistent approach or format for writing organizational policies. Policy development is often confused and sometimes derailed because of the misunderstanding and misuse of terms with important meanings to a professional policy administrator, legal counsel, and others.
You can download an archive copy of the chapter here.
The IT Security group at the California Department of Technology Services (DTS) has a security incident response presentation here that describes their incident response plan.
This presentation includes a couple of scenarios where they demonstrate how to implement the Security Incident Lifecycle:
SANTA BARBARA, Calif.--Holiday travelers beware: Laptop theft is on the increase and thousands of Americans may be vulnerable to loss – not only of their laptops, but also of the critical information they contain. [Link]
First off, what is TSA? The Transportation Security Administration, aka guys that rifle through your Nintendo DS games and give you a hard time about your toothpaste at the airport, is a division of Homeland Security created after 9/11 and "is responsible for security of the nation's transportation systems." [Link]
CREDANT Technologies, the market leader in data protection solutions, and Safend, a leading provider of enterprise endpoint Data Leakage Prevention solutions, today announced a partnership that will provide CREDANT customers with an unprecedented level of protection for their sensitive data. [Link]
The government is investing heavily in the generation and distribution of electricity - Gatt. Infrastructure, Transport and Communications Minister Austin Gatt yesterday accused the opposition of daily trafficking in data leaked and stolen from government departments. [Link]
The setting could pass for a high-tech trading floor: Men in dark suits sitting at tiered banks of desks, studying a steady stream of video and data on floor-to-ceiling monitors. The initiative will rely largely on 3,000 closed-circuit security cameras carpeting the roughly 1.7 square miles south of Canal Street. So far, about 150 cameras are in place, with another ... [Link]
The setting could pass for a high-tech trading floor: men in dark suits, sitting at tiered banks of desks, studying a steady stream of video and data on floor-to-ceiling monitors. But the front doors to the 28th-floor office near Wall Street are unmarked, and the men aren't fixated on stock market fluctuations. The stakes in their line of business, they ... [Link]
Boxes containing loan applications, Social Security numbers and bank account information for residents of a Gilbert neighborhood were discovered in a ransacked model home abandoned by a bankrupt developer. [Link]
Stability and security releases for the browser will end next month, despite ongoing problems with Firefox 3. The Mozilla Foundation is planning to end support for the Firefox 2 browser in mid-December, despite the persistence of significant flaws in the most recent version of the popular browser. ... [Link]
Online networks suffered their heaviest brute force attacks to date this year, with more sites than ever coming under sustained assault. IP networks were... [Link]
The Department of Homeland Security has disputed Bruce Schneier's claim that the US-Visit program has had no impact on reducing criminal and terrorist threats. Security expert and BT chief security-technology officer Bruce Schneier has attacked the US-Visit border-biometrics program, saying it has had "zero benefit" in terms of security.... [Link]
RSA says cloud-computing crimeware means networks of zombie machines can be hired to steal online-banking details for as little as $299 a month. Cloud-computing crimeware means networks of zombie machines can be hired to steal online-banking details for as little as $299 (£185) per month.... [Link]
Atos Origin explains how risk-management tech helped to prioritize the real risks hidden within. The security team behind the Beijing 2008 Olympic Games has revealed how it found the real risks hidden within the millions of alerts received every day. Faced with 12 million alerts per... [Link]
Companies that play a key role in Britain's national infrastructure are facing sustained cyber-espionage attacks, says a UK cyber-defense chief. Sustained cyber-espionage attacks are being waged on companies that play a key role in Britain's national infrastructure, a UK cyber-defense chief has warned.... [Link]
A Microsoft security expert warns that scammers will try to exploit the global financial crisis with e-mails that promise money but deliver fraud. LONDON--Internet fraudsters will try to exploit the global financial crisis by sending fraudulent emails purporting to offer cash-strapped consumers new mortgages, loans or money from failed... [Link]
Application downtime, whether you're measuring intermittent availability or fully downed systems, is too costly to ignore. The best way to avoid trouble is to view the infrastructure through the eyes of your transactions says OpTier's Motti Tal. Application downtime, whether you're measuring intermittent... [Link]
The company's tech will judge whether an app is unsafe by looking at where it can be found across the database of Symantec users and categorizing those machines as safe or otherwise. Symantec will soon introduce a "reputation-based" software-rating technology that it claims can accurately differentiate malware... [Link]
European lawmakers called airport full-body scanners that show people's private parts a virtual strip search and voted for a detailed study of the technology. STRASBOURG, France--Airport full-body scanners that show people's private parts are a virtual strip search, European Union lawmakers said Thursday, calling for detailed study of the... [Link]
Jim Whitehurst has claimed the proprietary software-development model is coming to an end, as open source better meets customer needs. Big software releases like Windows Vista mark the end of "planned software" for the industry, according to Red Hat chief executive Jim Whitehurst. Speaking at a... [Link]
Magshoe has introduced a step-on scanner that spares airline travelers the nuisance of having to remove their shoes so they can be X-rayed for hidden weapons. LOD, Israel--Israel has introduced a step-on scanner that spares airline travelers the nuisance of having to remove their shoes so they can be... [Link]
The PowerVault DL2000 will simplify and accelerate data backup by offering disk storage and backup in one unit, Dell says. Dell has introduced the Dell PowerVault DL2000, a disk-to-disk system that places backup and recovery alongside the main data storage within one unit, with the aim of... [Link]
Most members of a silicon.com CIO jury say they're not even testing Google's Chrome--choosing to stay with Microsoft's Internet Explorer. In silicon.com's latest exclusive CIO Jury poll, the respondents revealed they were still steering clear of the application, with 10 out of 12 saying their IT teams are not... [Link]
Amazon.com has fixed a glitch in its video streaming service by adopting Adobe Systems encryption on all television shows and movies found on its site, software maker Adobe said. SEATTLE--Amazon.com has fixed a glitch in its video streaming service by adopting Adobe Systems encryption on all television shows and... [Link]
A security hole in Adobe Systems' software is giving users free access to record and copy from Amazon.com's video streaming service. NEW YORK--A security hole in Adobe Systems' software, used to distribute movies and TV shows over the Internet, is giving users free access to record and copy from... [Link]
The credit crunch has dominated the front pages in 2008, and claimed a number of high-profile scalps, such as that of the 158-year-old Lehman Brothers bank. As job losses mount, and with HP announcing it will lay off tens of thousands of workers following its purchase of EDS, here's... [Link]
A memo from the US Department of Homeland Security has recommended that corporate and government leaders do not travel with mobile equipment carrying sensitive information. A document emphasizing mobile-data security threats has appeared online after being leaked from the US Department of Homeland Security. The... [Link]
The answer to many of our security problems could be found in chips that are used to store credentials and user certificates says Wave Systems CEO Steven Sprague. Commentary--While static passwords are still the most widely employed type of user authentication credential today, they are fast losing... [Link]
To quell privacy fears, Google says IP addresses and other data stored through use of Google Suggest will be rendered anonymous within a day. Google says it will anonymize user data received through search requests entered in the company's search engine... [Link]