As many of you know, Massachusetts has lately been a leader in state-based information security legislation. Its latest regulation, 201 CMR 17.00, has a compliance deadline that has already been extended twice under business pressure, but I do believe that legislators will not provide any more cushion. With the March 1, 2010 date looming, security professionals must scramble to apply the law to their environments or face a really tough response if a breach occurs and they are found negligent. Check the new law here.
I know this is off-topic, but I figured some of you might be interested in my investment ideas for 2010.
Note: I own or intend to own each of these stocks/ETFs, and this is in no way financial advice; invest at your own risk.
Owned Currently:
- AGD
- AOD
- DNP
- GIM
- SNH
- GOV
- O
- XLF
- PLD
- CRM
Considering:
- VVR
- ERF
- PWE
- NLY
- AWP
- IID
- EVT
It appears that the Commodity Futures Trading Commission (CFTC) is disclosing the email addresses of users who post comments on the regulations it is proposing, right on its website. See: http://www.cftc.gov/lawandregulation/federalregister/federalregistercomments/2010/10-001.html
You would think these days that companies and regulators would have greater respect for the privacy (at least of a user's email address) of users who comment on regulations. Regulators should be held to the same privacy requirements that companies are. If any company were to post a user's email address from a customer comment form without allowing the user to prevent its disclosure, they would be roasted for it. I don't object to disclosing someone's home address, but I feel that disclosing users' email addresses is a bit over the line, especially when the user has no choice in its disclosure. I can't wait for spammers or scammers to target the people behind these comments with malware. This is scary in my opinion.
Send your CFTC privacy concerns to secretary@cftc.gov or informationquality@cftc.gov.
Please accept with no obligation, implied or implicit, my best wishes for an environmentally conscious, socially responsible, low-stress, non-addictive, gender-neutral celebration of the winter solstice holiday, practiced within the most enjoyable traditions of the religious persuasion of your choice, or secular practices of your choice, with respect for the religious/secular persuasion and/or traditions of others, or their choice not to practice religious or secular traditions at all. I also wish you a fiscally successful, personally fulfilling and medically uncomplicated recognition of the onset of the generally accepted calendar year 2010, but not without due respect for the calendars of choice of other cultures whose contributions to society have helped make America great. Not to imply that America is necessarily greater than any other country nor the only America in the Western Hemisphere. Also, this wish is made without regard to the race, creed, color, age, physical ability, religious faith or sexual preference of the wishee.
I'm not sure how many of you have heard, but Nevada's SB227 mandates that all "personal information" be encrypted. When this bill was introduced it originally contained a clear definition of "personal information"; that definition was later removed by Amendment 716, which stated that the bill would instead rely on the definition in NRS 603A.040, which defines personal information as the following:
1. Social security number.
2. Driver’s license number or identification card number.
3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.
The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.
THE PROBLEM:
The passed SB227 does not itself define what is meant by "personal information", which means that it seems they wish to have lawyers define it in case law. Who knows where this will go in the future.
http://www.leg.state.nv.us/75th2009/reports/history.cfm?ID=629
I've not blogged in quite some time, mostly because I have been very busy these days. However, I felt I should talk a bit about compliance and how it seems to have changed security from eliminating threats to eliminating compliance gaps.
In the last few years many regulations have emerged that now control our security initiatives and goals: PCI, SOX, HIPAA, SB 1386, the Massachusetts privacy law, and more on the way. Now, I'm not one to say that regulation does not help in some respects, but it often has undesirable side effects that cause many security professionals much discomfort.
What I feel has changed in the security landscape is that rather than targeting the latest threats, we find ourselves performing burdensome business processes that do little or nothing to improve the overall security of our companies. One notable pain point is an area of PCI that I think drives many of us nuts: the log review provision.
In PCI DSS 1.2 the requirement for daily log review (Requirement 10.6) is well intentioned in and of itself, and something I cannot argue with, because most of us don't do enough of it. What I find difficult is that we find ourselves reviewing things such as successful logins or failed logins to comply with the stated control, and I feel there is very little value in doing so. Many companies mandate that system owners review these logs on a daily basis; is that investment really giving us a return? For instance, most companies use domain policies that lock an account out after 5 failed attempts and require complex passwords. That is a compensating control, so monitoring and reviewing every failed login is burdensome and unnecessary. That being said, there is still residual value in alerts or reports of extremely high numbers of login failures, so it does make sense to monitor for those.
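The alerting described above, as an added example that is not code from the original post: rather than having system owners eyeball every failure, parse the authentication log, bucket failures per source in a sliding window, and raise an alert only when the volume is extreme. It goes one step beyond the paragraph with a second rule for password spraying (one attempt per account across many accounts), which a per-account lockout after 5 attempts never triggers on, so that pattern is exactly the residual case automated review should cover. The sshd syslog lines, the host name, the IP addresses and the thresholds are all constructed for the example.

```python
"""Threshold alerting over authentication failures (added example).

Assumes Linux sshd syslog lines (constructed below) and a domain-style
lockout policy of 5 failed attempts per account; thresholds are illustrative.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# sshd "Failed password" lines; "invalid user" is logged for unknown accounts
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def _line(minute, second, user, src):
    """Build one constructed syslog line (sample data, not a real log)."""
    return (f"Jan 14 09:{minute:02d}:{second:02d} web1 sshd[2000]: "
            f"Failed password for {user} from {src} port 51022 ssh2")


SAMPLE_LOG = "\n".join(
    # benign: one user mistypes a password three times; lockout absorbs this
    [_line(0, s, "alice", "10.0.0.5") for s in (1, 7, 15)]
    + ["Jan 14 09:00:30 web1 sshd[2001]: Accepted password for alice from 10.0.0.5 port 51023 ssh2"]
    # high-volume brute force against one account from one source
    + [_line(5 + i // 6, (i % 6) * 10, "root", "198.51.100.7") for i in range(25)]
    # password spray: one attempt per account, so no account ever reaches lockout
    + [_line(20 + i, 3, u, "203.0.113.9") for i, u in enumerate(
        ["bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan",
         "invalid user admin"])]
)


def parse_failures(text, year=2010):
    """Return sorted (timestamp, account, source) tuples for failed-login lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"]))
    return sorted(events)


def detect(events, window=timedelta(minutes=10), volume_threshold=20,
           spray_accounts=5, lockout=5):
    """Sliding-window alerts per source IP, one alert per kind per source.

    brute_force:    >= volume_threshold failures from one source inside the window.
    password_spray: >= spray_accounts distinct accounts from one source, each
                    below the lockout count, so the lockout policy never fires.
    """
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    alerts = []
    for src, evs in by_src.items():
        fired = set()
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            per_account = Counter(user for _, user in span)
            findings = {
                "brute_force": len(span) >= volume_threshold,
                "password_spray": (len(per_account) >= spray_accounts
                                   and max(per_account.values()) < lockout),
            }
            for kind, hit in findings.items():
                if hit and kind not in fired:
                    fired.add(kind)
                    alerts.append({"kind": kind, "src": src,
                                   "from": span[0][0], "to": span[-1][0],
                                   "failures": len(span),
                                   "accounts": len(per_account),
                                   "max_per_account": max(per_account.values())})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_failures(SAMPLE_LOG)):
        print(f"{a['kind']:15} {a['src']:15} {a['from']:%H:%M:%S}-{a['to']:%H:%M:%S} "
              f"failures={a['failures']} accounts={a['accounts']}")
```

Run it and only the two attacking sources surface; alice's three typos, which the lockout policy already bounds, produce nothing. Tune the window and thresholds to your own baseline, and note that the spray rule keys on distinct accounts per source, which is what a per-account lockout cannot see.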
Another issue I see happening across the industry is executives making financial decisions based on whether or not they meet these minimum regulations. Often my friends have told me that their companies cut back their security budgets once they receive their PCI ROC, their HIPAA compliance report, etc. This leaves security professionals facing the daunting task of justifying budgets to mitigate threats to a management that has already met the minimum bar. Quite a quandary for many of us. I am very hopeful that PCI will continue to evolve so that it addresses threats more directly, by requiring harder-line approaches such as mandatory inline IPSs in a blocking state, or mandatory application firewalls. Gone are the days when you could expose an application to the dirty internet without all your defenses in an active state.
Original WSJ article: http://online.wsj.com/article/SB125537784669480983.html
My response:
Hi Julia,
You know, I am a security professional, and it saddens me when others write stories like this. It's almost like saying that murder isn't really a problem because it only happens to a few people. Bruce is an idiot if he's going to sit there and say that he's got no protection against identity theft. I myself have been doing information security work for years and I have dealt with cases of identity theft that have directly affected me and one of my own past businesses.
I just founded a new social network, BloopBleep.com, and the main reason I'll probably be looking to outsource payment processing is that I don't want any of the responsibility (or expense) that goes along with the fraud detection and prevention technologies needed to secure transactions. Payment fraud is very common with credit cards and costs businesses enormous amounts of money; it's not "just the cost of doing business" as you have surmised. Seriously, please don't do us security folks any favors by downplaying real problems like these; we have a tough enough time getting the budgets to deal with the problems we face as it is, and we don't need people sitting around making data theft and security a joke in public.
Hmmm, not sure if anyone else is experiencing this, but it appears that Google went down.