IT Compliance Advisor

January 13, 2012  7:44 PM

EPIC letter questions Google’s online consumer privacy

Ben Cole

Last March, Google Inc. settled Federal Trade Commission (FTC) charges that it used “deceptive tactics and violated its own privacy promises” to consumers when it launched Google Buzz in 2010. Now, some critics claim Google still hasn’t learned from its online consumer privacy mistakes.

In a letter to the FTC, the Electronic Privacy Information Center (EPIC) is pushing for an investigation because of more Google Search changes. EPIC said the inclusion in Google Search results of personal data, such as photos and contact details gathered from Google Plus, raises “concerns related to both competition and the implementation of the commission’s consent order.”

Under the settlement reached with the FTC in March, Google was required to implement a comprehensive privacy program and submit to regular, independent privacy audits for the next 20 years.

“Google allows users to opt out of receiving search results that include personal data, but users cannot opt out of having their information found by their Google+ contacts by Google Search,” EPIC Executive Director Marc Rotenberg wrote in the letter to the FTC. “In contrast, Google allows content owners to remove pages from Google’s public search results.”

The EPIC letter also contends Google’s changes create potential antitrust violations because the company prioritizes its own content when returning search results.

In Google’s official blog earlier this week, Google fellow Amit Singhal wrote a lengthy post outlining and explaining the benefits of Google Search Plus Your World. Singhal touted what he called the new feature’s “unprecedented” security, transparency and control. The company has also posted accolades from analysts and consumers touting Google’s Search Plus Your World.

The FTC has yet to comment publicly on EPIC’s letter and its call for another investigation into Google’s online consumer privacy practices. But it’s worth noting that the last couple of times EPIC made similar complaints against high-profile Internet companies, the result was a privacy-related FTC settlement: first with Google over Buzz, then with Facebook.

January 6, 2012  7:49 PM

Big online business ‘open’ to Stop Online Piracy Act alternative

Ben Cole

Internet giants — including eBay, Google, Facebook and Twitter — reportedly are considering a simultaneous “blackout” of their sites in protest of the Stop Online Piracy Act. Now they are throwing their weight behind an alternative bill.

The Stop Online Piracy Act has been slammed publicly by Internet companies since it was released a few months ago. Under the act, the U.S. Department of Justice and copyright holders could seek court orders against websites accused of copyright infringement. Those orders could bar advertising networks and payment facilitators from doing business with the allegedly infringing websites, bar search engines from linking to them, and require Internet service providers to block access to them.

The (very vocal) opponents of the Stop Online Piracy Act say compliance amounts to Internet censorship and would increase compliance costs for organizations dramatically.

A compromise could be on the horizon, however: The Online Protection and Enforcement of Digital Trade (OPEN) Act has been introduced by Rep. Darrell Issa (R-Calif.) and Sen. Ron Wyden (D-Ore.) as an alternative to the Stop Online Piracy Act and its Senate counterpart PROTECT IP.

The OPEN Act would allow intellectual property holders to petition the International Trade Commission to investigate whether a foreign website’s only real purpose is to infringe on U.S. copyrights and trademarks. Proponents say OPEN takes a narrower and more targeted approach to combating online infringement than other proposed legislation does.

The OPEN Act ensures that only legitimate cases are pursued, and provides clear standards for companies to follow in enforcing intellectual property rules, supporters add. AOL, eBay, Facebook, Google, LinkedIn, Mozilla, Twitter, Yahoo and Zynga have written a joint letter announcing their support. The Internet companies say OPEN correctly targets “rogue sites” rather than law-abiding Internet companies.

And of course, OPEN has the support of — rather than vitriol from — such Internet giants as Google and Facebook. That’s likely to be a major factor as the infringement laws move through the ranks in the next several months. But OPEN has powerful critics as well: The entertainment industry, for one, says OPEN would not effectively prevent piracy, which was one of the major drivers of SOPA. Stay tuned.

December 8, 2011  8:26 PM

Push for Dodd-Frank Act regulations continues — at least for now

Ben Cole

With Chris Dodd already in Hollywood, Rep. Barney Frank’s retirement announcement last month led some to speculate that the push for Dodd-Frank Act regulations would retire with him. The controversial financial regulation act has faced criticism and calls for its repeal since it was proposed. With Frank’s retirement, its backers are losing their most outspoken supporter.

A Politico headline stated that Dodd-Frank (officially called the Dodd-Frank Wall Street Reform and Consumer Protection Act) now has “a murky future” due to Frank’s announcement. The article went on to say that despite Frank’s retirement having little impact on the act in the short term, “Republicans are salivating” at the chance to repeal it.

Two Senate Banking Committee hearings showed pushing through Dodd-Frank Act regulations is still a goal in some circles. On Dec. 6, the committee held an oversight hearing on the implementation of Dodd-Frank, with representatives from the Treasury, Federal Reserve and the SEC testifying. The hearing was designed to examine progress in implementing the act, and to explore how it could ultimately improve the stability of the U.S. financial system.

Senate Banking Committee Chairman Tim Johnson noted that some of the most complex Dodd-Frank Act regulations remain under consideration, and that he would like a timely resolution of these rules.

“I recognize that these rulemakings are difficult, but this is the time when tough decisions have to be made by our regulators,” Johnson said during opening statements at Tuesday’s hearing. “While our economy is starting to show signs of recovery from the financial crisis, the ongoing turmoil in Europe is a stark reminder that we must continue to monitor threats to financial stability.”

The financial regulation theme continued the following day, when the committee hosted another hearing titled “Enhanced Supervision: A New Regime for Regulating Large, Complex Financial Institutions.” Just the sound of it evoked the overarching goals established by Dodd-Frank Act regulations. Also this week, Johnson released a scathing statement lambasting Senate Republicans after they voted to block Richard Cordray’s nomination to be the first director of the Consumer Financial Protection Bureau.

Frank is not likely to spend his last year in office quietly preparing for private life. He will no doubt spend a good portion of it loudly pushing for his namesake bill’s implementation. But implementing the sweeping Dodd-Frank Act regulations has already faced several delays, mostly due to the act’s complexity. What if the financial crisis continues and Dodd-Frank detractors convince more people its rules would hinder job creation? What if President Obama is not re-elected and cannot veto a repeal of the act? If these delays continue, will it be held up long enough for its detractors to water it down in order to pacify the financial institutions the rules are designed to rein in?

With the attention paid to it this week, it at least shows that the Dodd-Frank Act is not going to fall by the wayside. But for it to have any teeth, Democrats and supporters will have to get moving … or find another (loud) voice to replace Barney Frank’s push for financial reform. Tim Johnson, are you listening?

December 6, 2011  7:27 PM

The top 10 compliance risk management questions you should be asking

Kevin Beaver

When it comes to IT governance, it’s one thing to have staff completing compliance risk management processes; it’s quite another to be confident that everything is indeed in line and secure. Understanding your level of compliance and how it relates to business risk is more than simply asking IT staff: “How are things?” or “Are we secure?”

The best way to ensure that you’re getting good information surrounding compliance risk management is to trust but verify. Asking the right questions and getting involved with the security management process are sure ways to bring light to some issues that have been shrugged off or even undetected — sometimes for years. Here are some pointed questions you can ask of those responsible for day-to-day network and system administration to ensure that you’re not creating a monster by making high-risk assumptions:

1. What high-priority items were found during our most recent Web application penetration test? What’s the plan for fixing these issues?

2. What patches were missing during our last vulnerability scan?

3. Why are patches continually showing up as missing on our Windows servers and database systems?

4. How are we managing event logs and correlating potential security incidents? How long are these logs being kept?

5. Our passwords seem pretty secure for our main network logons, but what about for our Web applications, firewalls and all the random database servers scattered around the network?

6. Given our current configurations, what’s the business risk of someone losing a laptop or having their smartphone or iPad stolen?

7. What security incidents have been prevented over the past “X” number of months?

8. How do we know our traditional desktop antivirus software is actually keeping our endpoints secure?

9. What are we doing to proactively prevent data from leaking out of the network unnoticed?

10. Have you seen any protocol anomalies on the network recently when compared with your known baseline? Are any odd systems like workstations, smartphones and rarely used servers showing up as top talkers on the network?

This is hardly an exhaustive list, but these are some of the major security oversights and risks I see on a consistent basis. If everything appears to be hunky-dory in IT, odds are you need to probe further. Complacency, poor time management and the desire for job security often get in the way of what’s really going on.

One of your main goals for compliance risk management should be to ensure you’re getting the right information at the right time so you, your peers and your executives can make the right decisions. Anything short of this will merely set your compliance program up for failure in the long term.
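Question 10 only has an answer if someone actually compares current traffic against a recorded baseline. The script below is an added example written for this page (not the author’s code) of what that comparison looks like: it takes two batches of constructed flow summaries (one baseline, one for today), lists the top talkers, flags hosts that newly appear in the top-N or whose volume jumped, cross-checks them against an assumed asset inventory so that a workstation dominating bandwidth stands out, and lists protocol/port pairs never seen in the baseline. The `src,dst,proto,dport,bytes` record format, the inventory, the addresses and the thresholds are all assumptions; a real deployment would feed it flow-collector exports and its own CMDB.

```python
"""Baseline-vs-today network review (added example; all data below is constructed)."""
from collections import defaultdict

# Constructed flow summaries: "src,dst,proto,dport,bytes". Assumed export format.
BASELINE_FLOWS = """\
10.0.1.10,203.0.113.5,tcp,443,52000
10.0.1.11,203.0.113.5,tcp,443,48000
10.0.2.20,10.0.9.9,tcp,1433,900000
10.0.2.21,10.0.9.9,tcp,1433,850000
10.0.3.30,10.0.2.20,tcp,445,120000
"""

TODAY_FLOWS = """\
10.0.1.10,203.0.113.5,tcp,443,61000
10.0.1.11,203.0.113.5,tcp,443,45000
10.0.2.20,10.0.9.9,tcp,1433,910000
10.0.2.21,10.0.9.9,tcp,1433,870000
10.0.3.30,10.0.2.20,tcp,445,110000
10.0.1.12,198.51.100.77,tcp,443,4200000
10.0.1.12,198.51.100.77,udp,53,300000
"""

# Assumed asset inventory (role per address); unlisted hosts count as "unknown".
INVENTORY = {
    "10.0.1.10": "workstation",
    "10.0.1.11": "workstation",
    "10.0.1.12": "workstation",
    "10.0.2.20": "app-server",
    "10.0.2.21": "app-server",
    "10.0.3.30": "file-server",
}

# Roles that should not dominate bandwidth; servers are expected to.
NOISY_ROLES = {"workstation", "smartphone", "unknown"}


def parse_flows(text):
    """Parse 'src,dst,proto,dport,bytes' lines into dicts; skip blank/comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, nbytes = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": proto.lower(),
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def bytes_by_host(flows):
    """Total bytes sent per source host."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return dict(totals)


def top_talkers(flows, n=3):
    """The n busiest source hosts as (host, bytes), largest first, ties by address."""
    return sorted(bytes_by_host(flows).items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def new_top_talkers(baseline, today, n=3):
    """Hosts in today's top-n that were not in the baseline's top-n."""
    before = {h for h, _ in top_talkers(baseline, n)}
    return [h for h, _ in top_talkers(today, n) if h not in before]


def volume_spikes(baseline, today, factor=5.0, floor=100_000):
    """Hosts whose volume exceeds factor x baseline, or that appeared from nothing above floor."""
    base = bytes_by_host(baseline)
    spikes = []
    for host, total in sorted(bytes_by_host(today).items()):
        prior = base.get(host, 0)
        if (prior == 0 and total >= floor) or (prior and total > factor * prior):
            spikes.append(host)
    return spikes


def protocol_anomalies(baseline, today):
    """Today's flows whose (proto, dport) pair never appeared in the baseline."""
    known = {(f["proto"], f["dport"]) for f in baseline}
    return [(f["src"], f["dst"], f["proto"], f["dport"])
            for f in today if (f["proto"], f["dport"]) not in known]


def review(baseline_text, today_text, n=3):
    """Run all checks and single out suspects that an inventory says should be quiet."""
    baseline, today = parse_flows(baseline_text), parse_flows(today_text)
    suspects = set(new_top_talkers(baseline, today, n)) | set(volume_spikes(baseline, today))
    odd = sorted(h for h in suspects if INVENTORY.get(h, "unknown") in NOISY_ROLES)
    return {
        "top_talkers": top_talkers(today, n),
        "new_top_talkers": new_top_talkers(baseline, today, n),
        "volume_spikes": volume_spikes(baseline, today),
        "odd_top_talkers": odd,
        "protocol_anomalies": protocol_anomalies(baseline, today),
    }


if __name__ == "__main__":
    for key, value in review(BASELINE_FLOWS, TODAY_FLOWS).items():
        print(f"{key}: {value}")
```

On the constructed data, the workstation 10.0.1.12 shows up as a brand-new top talker pushing 4.5 MB to an outside address, and its UDP/53 traffic to that same host is a protocol pair the baseline never contained; both are exactly the kind of finding question 10 is meant to surface, and neither is visible from a plain top-talker list alone. The thresholds (`factor`, `floor`, the top-N size) are the knobs a team would tune against its own baseline.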

November 29, 2011  3:04 PM

Private sector inherent to U.K. cybersecurity strategy

Ben Cole

National governments all over the world have become increasingly hands-on with cybersecurity strategy and online privacy, but businesses have sometimes been critical of new rules that they say will hurt their bottom line.

Look at the controversy surrounding the U.S. House of Representatives’ Stop Online Piracy Act. The act would allow the Attorney General to seek injunctions against foreign websites that steal and sell American innovations and products, and would increase criminal penalties for individuals who traffic in counterfeit medicine and military goods. While these traits may sound like music to online businesses’ ears, a letter protesting the act (signed by representatives from names you may have heard of like AOL, eBay, Facebook, Google and Twitter) expresses concern that it poses a “serious risk to our industry’s continued track record of innovation and job creation, as well as to our nation’s cybersecurity.”

But in announcing new details that are part of its new £650m cybersecurity strategy, the U.K. government is trying to strike a balance between protecting consumers, online information and good business sense. Just look at the government’s tagline when heralding the initiative, which it calls “a new era of unprecedented cooperation between the government and the private sector on cybersecurity.”

The cybersecurity strategy is unique in that it sets up a joint public/private-sector cybersecurity “hub” designed to allow the U.K. government and the private sector to exchange actionable information on cyberthreats and manage cyberattack response. A pilot program surrounding this initiative will begin in December with five business sectors: defense, telecommunications, finance, pharmaceuticals and energy.

The strategy is also encouraging industry-led cybersecurity standards for private-sector companies. Instead of just selling this as new mandatory regulations, the U.K. cabinet says the standards would give businesses a competitive edge by promoting themselves as certifiably cybersecure. The U.K. will also develop a program to certify cybersecurity specialists by March, with the ultimate goal to increase the skill levels of information assurance and cybersecurity professionals.

Minister for Cyber Security Francis Maude said a closer partnership between the public and private sectors is crucial to the success of the cybersecurity strategy, and this is what some of the U.S. efforts are missing. When working to strike this proper balance between the interests of cybersecurity and business, it’s obviously important to take into consideration the best interests of both parties. The U.S. and other countries could learn from the U.K.’s cybersecurity initiative. Working closely with the private sector will likely create a more congenial environment by demonstrating that the government is trying to help, rather than impose heavy-handed restrictions to secure online information.

November 21, 2011  5:14 PM

Address information risk management now — before the going gets tough

Kevin Beaver

Information risk management impacts each and every one of us both professionally and personally. Yet we still can’t seem to properly grasp managing information risk and put it into action. The problem is the bad guys — external hackers, organized cybercrime rings, malicious employees and the like — know what’s really going on.

They know that compliance is a joke in many enterprises. They know that security audits often gloss over the real issues. They know they have free rein and that the odds are in their favor. The reality is that many people don’t know which side of the risk equation they’re on. They assume they have the clarity, context and visibility they need for managing information risk. But in reality, they’re way behind the eight ball — and don’t realize it until it’s too late.

As IT professionals, we all have a choice of how information risk management is handled in our business. It really boils down to when we address the critical issues. We can do it before an incident occurs, which is not done often enough. We can do it during an incident, which is unrealistic because odds are we aren’t even going to know when it’s taking place. We can do it after an incident, which is still the most common effort I see. Finally, we can just ignore the problem and hope we don’t get bitten.

Savvy IT professionals who see the big picture and think long term choose the first option. They put the proper information risk management systems and processes in place to handle the issues immediately, before the going gets tough.

The essence of effective information risk management involves perspective and good old-fashioned common sense. It’s easy to get caught up in the minutiae and overlook the fact that information risk can be tied directly to business risk. The formula for making information risk management work is to highlight that this control satisfies this requirement or risk, and meets this business need. You have to use this in every IT and security-related decision you make — periodically and consistently over time.

The inability to stop doing things that are no longer working is the primary failure of information security. In IT security, you cannot change that which you tolerate. In most cases, there is no “right” or “wrong” way of managing information risk.

Every business and every situation is different. The key is to do whatever it takes to get the job done in your own environment based on your own circumstances. Taking a proactive information risk management approach is the only viable way to keep things in check over the long haul.

November 17, 2011  9:31 PM

Coordinated Facebook spam attack raises eyebrows, alienates users

Ben Cole

It was the shot heard round the social media world: This week, a Facebook spam attack resulted in pornographic and violent images showing up on users’ news feeds. Facebook has always prided itself on avoiding such attacks, and this was a big one. There are predictions that the site will lose some of its more prudish users because of the attack, which could hurt the social media juggernaut’s business model.

During the “coordinated spam attack,” users were tricked into pasting and executing malicious JavaScript in their browser URL bar, causing them to share the content, according to a Facebook statement. This is a so-called self-XSS: the victim’s own logged-in browser session does the posting, so no Facebook credential has to be stolen. Facebook is now in the process of identifying those responsible for the spam attack, has built security measures to shut down the malicious pages, and is working to educate users on how to protect themselves from similar spam attacks.

But who should really be held responsible for the Facebook spam attack? Do people using Facebook really not realize that they should avoid copying and pasting a suspicious-looking link from an unknown source into their browsers? I know a gift certificate to a themed chain restaurant is enticing, but come on. Facebook says it’s providing users with “educational checkpoints” to protect themselves. Is one of these points “Don’t be stupid”?

I think Helen A.S. Popkin said it best in the Technolog blog: “Viral scams persist on Facebook because Facebook users continue to click malicious links.” A study this week by the National Cyber Security Alliance and McAfee found that of 2,337 U.S. adults surveyed, 24% are not confident at all in their ability to use privacy and security account settings in their social networks. Another 15% of respondents have never checked their social networking privacy and security account settings and only 18% said the last time they checked their settings was in the last year.

These findings are just an example of the disconnect between the threats to everyday Internet users and what these users consider “safe and secure” Internet use. As more incidents like the Facebook spam attack occur, companies will no doubt try to comply with consumer protection rules and establish their own policies to protect customers. But perhaps users need to do a little more to protect themselves as well.

November 14, 2011  8:38 PM

Regulators renew focus on Facebook, consumer data protection practices

Ben Cole

A few months ago, it was Google in regulators’ crosshairs. In the past couple of weeks, however, it seems that Facebook is regulators’ new focus, as they push for consumer data protection.

Facebook is close to a settlement with the U.S. government over charges that it misled users about its use of their personal information, according to The Wall Street Journal. The settlement — currently waiting for Federal Trade Commission (FTC) approval — reportedly would require Facebook to submit privacy audits for 20 years and to obtain users’ consent before making “material retroactive changes” to its privacy policies.

The report comes as the FTC and other global regulators continue their consumer data protection efforts. In March Google agreed to adopt a privacy program (which also included 20 years of privacy audits) in response to charges that it deceived users and potentially violated user privacy when it launched the social networking service Buzz. And today the FTC announced that the Asia-Pacific Economic Cooperation forum has approved an initiative to create cross-border data privacy protection among APEC members. Companies that wish to participate in the APEC privacy system will undergo a third-party review and certification process that will examine their corporate privacy practices.

The New York Times reported last week that the European justice commissioner is planning to insert wording into a revision of the European Union’s Data Protection Directive that would require non-EU companies to abide by Europe’s rules on data collection or face fines and prosecution. The move could create a global commerce dispute surrounding Internet privacy, the Times reported. Facebook is also being examined by Ireland, Germany, Sweden, Finland, Norway and Denmark for potential violations of consumer data protection regulations.

Speaking of consumer data protection in the U.K., there was another noteworthy news item from the past couple of weeks: The U.K. Parliament’s Justice Select Committee has suggested jail terms for violations of the country’s Data Protection Act. Although fines are used to punish breaches of U.K. data protection laws, they provide little deterrent when the financial gain exceeds the penalty, Sir Alan Beith, the committee’s chairman, said in a recent report. “Magistrates and judges need to be able to hand out custodial sentences when serious misuses of personal information come to light,” he added. “Parliament has provided that power, but ministers have not yet brought it into force — they must do so.”

Although it seems Facebook is the prime target in these consumer data protection inquiries, perhaps it’s being used as a very high-profile example. If companies see their own vulnerabilities in the lapses of one with seemingly endless resources, they might start taking a long look at their own consumer data protection practices. They probably will soon have to anyway, as regulators increase their vigilance.

November 7, 2011  7:01 PM

How architecture best practices can help develop smarter GRC patterns

Adrian Bowles

Early in my career I was influenced by the work of Christopher Alexander, an architecture professor at the University of California, Berkeley. Alexander and his team researched and cataloged patterns representing building, city and community construction best practices that had evolved over a considerable period of time. I used their seminal work, A Pattern Language, to guide the construction of my own home, and many of their principles to teach software engineering as a discipline.

Alexander, et al., note that, “Each pattern describes a problem which occurs over and over again in our environment, and then describes the core of the solution to that problem, in such a way that you can use this solution a million times over, without ever doing it the same way twice.”

Each of the architectural patterns includes a picture and a paragraph explaining how it works in context. Architectural patterns don’t constrain or inhibit creativity as much as they free designers to focus on the differentiations that have the greatest impact on the end user.

Twenty years ago, I documented some of my thoughts on software development patterns in an article titled “Systems Design: Lessons from Architecture.” I have been recently writing about the relationship between enterprise risk management and sustainability, and it occurred to me that GRC managers could benefit from taking a pattern-based approach to their work — especially for organizing their teams and system architecture.

Patterns are like musical forms — there are infinite varieties and parts to be created, but the overall structure is known to “stand the test of time.” We already have well-established sets of controls for GRC, such as ISACA’s COBIT and Risk IT. These are all important, but they are not an alternative to patterns because their intent is to support auditing rather than to provide a creativity framework. Instead, patterns should complement controls.

A GRC pattern language, like a programming language or even a natural language, would be a shared resource to enable faster and more reliable enterprise system development. GRC patterns should include all the key constructs needed to ensure best governance and compliance practices (in this context, controls would be embedded in each pattern).

They also must be flexible. For example, with governance we know that it’s alright to have exceptions as long as there is a repeatable, auditable process for justifying and documenting them. Given the pace of technological advancement that drives business model changes, any pattern repository must allow for rapid changes, too.

I believe we need a GRC pattern guidebook, similar in spirit to Alexander’s work but one that leverages a broad community supported by collaboration tools and assembled by a flexible process. Changes in the environment may lead to the identification of new patterns based on analytics, and pattern retirement when conditions change is equally important. In other words, we need a Wiki to capture, catalogue, review and update patterns as a community.

With that in mind, SIG411 LLC is launching an open source patterns project that will include GRC patterns contributed by practitioners and academics who will be recognized for their contributions. The scope of the project is broader than GRC, as it will include patterns for all aspects of sustainable enterprises and societies. But given my personal interest in the intersection of enterprise risk management and sustainability, GRC will be an early focal point. I encourage all interested parties to get involved and contribute, as well as use, the patterns from this Wiki.

Adrian Bowles has more than 25 years of experience as an analyst, practitioner and academic in IT, with a focus on strategy and management. He is the founder of SIG411 LLC, a Westport, Conn.-based research and advisory firm. Write to him at

October 31, 2011  7:00 PM

Cybersecurity threats pose big problems for small businesses

Ben Cole

National Cybersecurity Awareness Month has drawn to a close, but it’s clear that much still needs to be done to protect information online. One recent survey has found that small businesses – which likely don’t have the resources to bounce back from a major data breach — could be particularly vulnerable to cybersecurity threats.

The online survey of 1,045 small business owners, sponsored by Symantec Corp. and the National Cyber Security Alliance, found that 70% have no formal Internet security policy for employees and that of those, 49% do not have even an informal policy. In addition, 45% of the small business owners surveyed said they do not provide Internet safety training to their employees.

These findings are in stark contrast to SMBs’ apparently false sense of security. Eighty-five percent of the survey respondents said they believe their company is safe from hackers, viruses, malware or a cybersecurity breach; and 69% agreed that Internet security is “critical to their business’s success.”

It’s clear that the survey respondents aren’t following the main theme of this year’s Cybersecurity Awareness Month: the importance of educating everyone and making them aware that they need to do their part to protect their information online.

Other survey highlights (or lowlights, as the case may be):

  • 56% of respondents have no Internet use policies to clarify which websites and Web services employees can use; 52% have a plan in place for keeping their business cybersecure.
  • 67% have become more dependent on the Internet in the last year; 66% depend on it for day-to-day operations.
  • 57% of respondents say a loss of Internet access for 48 hours would be disruptive to their business, and 76% say that most of their employees use the Internet daily.
  • 37% have an employee policy or guidelines in place for the remote use of company information on mobile devices, and 36% have a policy outlining employees’ acceptable use of social media.
  • 59% do not use multifactor authentication to access their networks.
  • 50% report they always wipe data off their machines completely before they dispose of them; 21% never do.

The survey also found that SMBs are woefully unprepared to react after a data breach. Forty percent of respondents said they don’t have a contingency plan outlining procedures for handling and reporting a data breach or loss of information.

Ignoring the problem of cybersecurity threats can be very costly. Data released by Symantec shows that 40% of all targeted cyberattacks are directed at companies with fewer than 500 employees. In 2010, the average annual cost of cyberattacks to SMBs was $188,242. Business Insider reported in September that approximately 60% of small businesses will close within six months of a cyberattack.

What is it going to take for these small businesses to realize the impact of cybersecurity threats? They need to realize that lax cybersecurity measures, combined with their sparse resources, make them particularly vulnerable. It might be costly and time-consuming to shore up online security, but these businesses need to take these threats seriously, before it’s too late.
