Tag Archives: compliance

[ISN] Overcoming paralysis – why financial services organisations have to race to update their Windows Server strategy

http://www.bobsguide.com/guide/news/2015/Jul/6/overcoming-paralysis-why-financial-services-organisations-have-to-race-to-update-their-windows-server-strategy.html
By Dave Foreman, ECS, Practice Director
Bob’s Guide
July 6, 2015

Most of the technical support teams we work with know their Microsoft Server operating system inside out and have hardly lifted their phone to call Microsoft support in years. But this well-oiled machine is about to become IT departments’ biggest headache. With the end of Microsoft’s support for Server 2003 on July 14th 2015, migration from this rather old operating system has escalated from being a niggling worry to a high-risk agenda item. Only a handful of businesses have started their migration and even they will have to rely on Microsoft extended support. But this is not a cost-effective or risk-free option in the long term. At some point a new vulnerability in the operating system will be discovered and exploited; businesses will be exposed and the regulators will have a stronger case for non-compliance. According to the credit card industry’s PCI Security Council standards, if an unsupported operating system is Internet-facing, it will be logged as an automatic compliance failure. CIOs are caught between a rock and a hard place. Nobody wants to be caught in a position where they have to answer tough questions about plans to meet compliance and mitigate risk. […]


[ISN] A Review of Common HIPAA Technical Safeguards

http://healthitsecurity.com/news/a-review-of-common-hipaa-technical-safeguards
By Elizabeth Snell
Health IT Security
June 26, 2015

HIPAA technical safeguards are just one piece of the larger health data security plan that covered entities and their business associates must put together. However, it is a very important aspect. Over the next few weeks, HealthITSecurity.com will discuss some common examples of all three HIPAA safeguards, and how they could potentially benefit healthcare organizations. Not all types of safeguards are appropriate or necessary for every covered entity. But by having a comprehensive understanding of what is required by HIPAA and the HITECH Act, and how various safeguards can be used, organizations will be able to identify which ones are most applicable. From there, they can create and implement the right data security protections for their daily workflow and ensure they maintain HIPAA compliance. As previously mentioned, HIPAA technical safeguards are an important part of keeping sensitive health data secure. Whether a small primary care clinic is debating health data encryption options or a large HIE is considering BYOD for employees, understanding the basics of HIPAA technical safeguards is essential.

What are HIPAA technical safeguards?

The HIPAA Security Rule describes technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” However, an important note is that the Security Rule does not require specific technology solutions. Rather, healthcare organizations need to determine reasonable and appropriate security measures for their own needs and characteristics. […]


[ISN] Coast Guard Needs Better PHI Security, Says OIG Report

http://healthitsecurity.com/news/coast-guard-needs-better-phi-security-says-oig-report
By Elizabeth Snell
Health IT Security
May 21, 2015

The US Coast Guard (USCG) must do a better job in its PHI security measures, according to a recent report from the Office of the Inspector General (OIG). Specifically, USCG lacks a strong organizational approach to resolving privacy issues, the report stated, which leads to the agency having challenges when it comes to effectively protecting PHI. “We evaluated the safeguards for sensitive personally identifiable information and protected health information (privacy data) maintained by USCG,” OIG explained in its report. “Our objectives were to determine whether the USCG’s plans and activities instill a culture of privacy and whether the USCG ensures compliance with the Privacy Act of 1974, as amended, [HIPAA], and other privacy and security laws and regulations.” OIG outlined five areas that USCG needs to resolve in order to improve its PHI security: […]


[ISN] Singtel acquires Trustwave in $810M security services deal

http://www.zdnet.com/article/singtel-acquires-trustwave-in-810m-security-services-deal/
By Eileen Yu
By The Way, ZDNet News
April 8, 2015

Singtel has inked a deal to acquire a 98 percent equity interest in Trustwave for an estimated US$810 million, as the Singapore carrier looks to beef up its cloud and managed services portfolio. Headquartered in Chicago, U.S.A., Trustwave offers hosted services in threat, vulnerability, and compliance management, and has more than three million business subscribers. It has a presence in 26 countries across North America, Europe, and the Asia-Pacific region, with a global headcount of 1,200 that includes security professionals in its forensic and threat research security unit, SpiderLabs. It operates five security operation centers and nine engineering centers. Trustwave Chairman and CEO Robert J. McCullen will retain the remaining 2 percent stake in the company. According to Singtel, Trustwave will continue to operate independently as a separate business unit after the acquisition has been finalized, but will tap the telco’s assets and market presence to expand its portfolio and address market opportunities in the Asia-Pacific region. […]


[ISN] 6 Biggest Blunders in Government’s Annual Cyber Report Card

http://www.nextgov.com/cybersecurity/2015/03/6-biggest-blunders-governments-annual-cyber-report-card/106512/
By Aliya Sternstein
Nextgov.com
March 2, 2015

The White House has released its yearly assessment of agency compliance with the governmentwide cyber law known as the Federal Information Security Management Act. And given the spate of breaches and hacks that hit both government and the private sector, the results may not be all that surprising. Sensitive agency data is often not encrypted. Many departments do not use two-step verification for accessing government networks, despite post-Sept. 11 requirements that employees carry login smart cards. And cyber training is deficient in one of the most unlikely areas…

2014’s Biggest Federal Computer Security Blunders

1. Federal agencies reported 15 percent more information security incidents in fiscal 2014 compared to fiscal 2013, rising from 60,753 to nearly 70,000 events. These incidents included phishing attempts, malware infections and denial-of-service attacks, as well as leaks of paper records and sensitive emails sent without encryption. […]


[ISN] 3 things CSOs can learn from CPOs

http://www.csoonline.com/article/2877972/security-leadership/3-things-csos-can-learn-from-cpos.html
By Maria Korolov
CSO
Jan 29, 2015

The role of the CSO and CIO has been changing dramatically as technology becomes more and more vital to business strategies. Sometimes, it can be hard to keep up. Amol Joshi, SVP of business development at Redwood City, Calif.-based Ivalua Inc., suggests that CSOs and CIOs can pick up a few tricks from Chief Procurement Officers.

1. Create and use contract templates

Many CIOs and CSOs are faced with the responsibility of creating or reviewing contracts with outsourcers, contractors, part-time help, software vendors, data centers, cloud services providers and other vendors and suppliers. CPOs have been doing this for a long time, and one trick that they use is to create a library of clauses that they can put into a contract when needed. These clauses have to be kept up to date, Joshi said. For example, cloud SLAs evolve all the time, as do compliance requirements. […]


[ISN] Cyber Security Audit: Washington Agencies Not In Full Compliance

http://boisestatepublicradio.org/post/cyber-security-audit-washington-agencies-not-full-compliance
By Austin Jenkins
NPR Radio
December 15, 2015

The state of Washington has good cyber security standards, but state agencies don’t always adhere to those standards. That’s the finding of a performance audit released Monday. Cyber security has emerged as a leading threat to the U.S. government and corporate America. Sony Pictures is the latest high-profile victim, but state and local governments are also potential targets. […]


[ISN] The 10 Biggest Bank Card Hacks

http://www.wired.com/2014/12/top-ten-card-breaches/
By Kim Zetter
Threat Level, Wired.com
12.02.14

The holiday buying season is upon us once again. Another event that has arrived along with the buying season is the season of big box retailer data breaches. A year ago, the Target breach made national headlines, followed shortly thereafter by a breach at Home Depot. Both breaches got a lot of attention, primarily because the number of bank cards affected was so high—more than 70 million debit and credit card numbers exposed in the case of Target and 56 million exposed at Home Depot. Luckily, very little fraudulent activity occurred on the stolen card numbers, primarily because the breaches were caught fairly soon, making them relatively minor incidents in the scheme of things, compared with other breaches that have occurred over the years that resulted in losses of millions of dollars.

The Target breach was notable for one other reason, however: when it came to security, the company did many things right, such as encrypting its card data and installing a multi-million-dollar state-of-the-art monitoring system not long before the breach occurred. But although the system worked exactly as designed, detecting and alerting workers when it appeared that sensitive data was being exfiltrated from its network, workers failed to act on these alerts to prevent data from being stolen. Below, we look back on a decade of notable breaches, many of which happened despite the establishment of Payment Card Industry security standards that are supposed to protect cardholder data and lessen the chance that it will be stolen or be useful to criminals even when it’s nabbed.

The PCI security standard (.pdf), which went into effect in 2005, is a list of requirements — such as installing a firewall and anti-virus software, changing vendor default passwords, encrypting data in transit (but only if it crosses a public network) — that companies processing credit or debit card payments are required by card companies to have in place. Companies are required to obtain regular third-party security audits from an approved assessor to certify ongoing compliance. But nearly every company that was victim to a card breach was certified as compliant to the PCI security standard at the time of the breach, only to be found noncompliant in a post-breach assessment. […]
