The FTC’s recommendations are part of a privacy report that expands on one originally issued in December 2010. It recommends companies improve consumer privacy by implementing privacy protections at every stage of product development and increasing transparency around the collection and use of consumer information. The FTC also recommends Congress consider privacy legislation, data security notification legislation and mandating a “Do Not Track” option for consumers to opt out of online tracking.
In another big piece of regulatory compliance news, the House approved the JOBS Act and sent it to President Obama for his signature. Under the JOBS Act, emerging companies — defined as those with at most $1 billion a year in revenue — would be exempt for five years from external auditors’ review of internal controls as stipulated under Sarbanes-Oxley requirements. It also lessens other compliance regulations that JOBS Act critics say provide checks on corporate misconduct.
An interesting aspect is that both of these issues take into account the burden on small businesses. In the FTC’s preliminary report, it recommended the proposed online privacy rules apply to all commercial entities that collect or use consumer data that can be linked to a specific consumer, computer or other device. But after “recognizing the potential burden on small businesses,” the FTC’s report concludes that the final framework “should not apply to companies that collect only nonsensitive data from fewer than 5,000 consumers a year and do not transfer it.” As for the JOBS Act, proponents say loosening compliance regulations for small and emerging companies would boost the economy.
It’s admirable (and necessary) that the federal government is taking small businesses and their limited resources into account when developing these rules. But there are a few questions: Aren’t these small and emerging companies just as capable of infractions? If they don’t have the resources to comply with online privacy rules and compliance regulations, doesn’t this lack of resources make them even more vulnerable? Instead of excluding these smaller and emerging businesses from the rules altogether, perhaps tailoring regulations to take their plight into account is a better answer. If not, we could be back in the same boat again in a few years, after these types of businesses are found to be in violation of rules designed specifically to protect consumers.
In a post to the PlayStation blog last week, Reitinger said Sony detected attempts on Sony Entertainment Network (SEN), PlayStation Network (PSN) and Sony Online Entertainment (SOE) to test “a massive set” of sign-in IDs and passwords against the company’s network database. The attempts appeared to include a large amount of data obtained from one or more compromised lists from other companies, sites or other sources, Reitinger said.
“As a preventative measure, we are requiring secure password resets for those PSN/SEN accounts that had both a sign-in ID and password match through this attempt,” Reitinger wrote in the blog post.
Less than one-tenth of 1% of the PSN, SEN and SOE audiences may have been affected by the data security breach, and Reitinger assured users that credit card numbers were not at risk. This was a relatively low-risk data security breach, but perhaps Sony’s reaction was a case of lessons learned: After the April breach, Sony was criticized for waiting a week to notify customers that their personal information might have been compromised. In addition, it took more than two weeks to fully restore the network. Needless to say, Sony users (and federal regulators) were not impressed by what some viewed as a lackadaisical reaction.
There has been much public outcry over Sony’s data security breach, and those of other companies, in the past year. This likely influenced the SEC last week to mandate the “disclosure of timely, comprehensive and accurate information” surrounding cybersecurity risks.
Did Sony’s online security overhaul help detect this breach before it became another fiasco? Although critics have said Sony simply hired Reitinger as an insurance policy to pacify investors and customers after the April data security breach, he showed his value here. At least now the Sony brass and their customers have someone to go to for information about any further breaches — what happened, how it happened, how they are going to handle it in the future. (Unfortunately for Reitinger, it also gives them someone to blame.)
But if nothing else, the reaction to last week’s data security breach might be indicative of a new trend of taking a proactive approach and letting online customers know what they can do to protect themselves and their information. Judging by the comments made to Reitinger’s blog post, people are mostly happy with Sony’s reaction to the potential data security breach. Many praised Reitinger and Sony for keeping them informed.
Perhaps Sony and companies like them have learned their lesson about the futility of trying to keep a breach out of the spotlight, and know now that transparency is the best course of action. If the SEC’s recent mandate is any indication, federal regulators and customers are going to be watching companies closely to ensure cybersecurity is kept above board.
For starters, Sen. Richard Blumenthal (D-Conn.) introduced the Personal Data Protection and Breach Accountability Act of 2011. The legislation is designed to protect consumers’ personally identifiable information and improve online data security.
The bill would create a process for companies to establish appropriate online data security, and it would hold companies accountable for failing to comply with those plans. In what may have been spurred by Sony’s slow response to a huge data breach earlier this year, Blumenthal’s bill also requires companies to promptly notify consumers after a breach has occurred, and to provide consumers with solutions to alleviate online security threats.
To help prevent future breaches, the bill encourages better information-sharing among federal agencies, law enforcement and the private sector to alert businesses of specific online security threats.
Also last week, an Op-Ed piece in The New York Times highlighted an upcoming Supreme Court case that could have huge ramifications for online privacy concerns. But this time, it regards how much information the government should have access to.
The case, United States v. Antoine Jones, concerns a GPS device placed on the car of a suspected drug dealer without a warrant, which the man says was a violation of the Fourth Amendment.
“If the court rejects his logic and sides with those who maintain that we have no expectation of privacy in our public movements, surveillance is likely to expand, radically transforming our experience of both public and virtual spaces,” wrote Jeffrey Rosen, a law professor at George Washington University.
Rosen pointed out that technologies such as Facebook’s facial-recognition tool could be used by law enforcement to help identify criminals. Rosen also referenced a 2008 comment from a Google executive saying that, within a few years, public agencies and private companies could be asking Google to post live feeds from public and private surveillance cameras all around the world.
“If the feeds were linked and archived, anyone with a Web browser would be able to click on a picture of anyone on any monitored street and follow his movements,” Rosen wrote in The New York Times piece.
These news items were among a handful reporting on online data security regulations in the past week. Here are some others:
Federal online privacy concerns and the increased government involvement in online data security may be warranted, at least according to a new PricewaterhouseCoopers survey of 9,600 security executives. The survey found that 43% of global companies think they have an effective information security strategy in place and are proactively executing their plans. However, only 16% of respondents say their organizations are prepared, with security policies able to confront an advanced persistent threat attack, which raises further online data security concerns.
It appears that most people with a stake in the game are at least aware of the severity of online security threats. Perhaps a combination of legal regulations and private efforts surrounding online data security could have the movement heading in the right direction.
Regulatory compliance was predicted to be the top business issue affecting enterprise information technology in the next 12 months, according to ISACA’s Top Business/Technology Issues Survey Results 2011 report.
“The increase in regulations, data breaches and new technologies such as cloud computing and the rise of personal technology in the workplace are accelerating complexity and risk,” according to an ISACA statement. The problem is exacerbated as enterprises try to manage growth while dealing with the growing number of compliance regulations and standards.
The key business issues affecting IT, according to the survey’s findings, are:
ISACA also noted that new or changed regulations expected to impact enterprise IT in the next 12 to 18 months include the Basel standard for internationally active banks; the Dodd-Frank Wall Street Reform and Consumer Protection Act; regulations related to personally identifiable information; Do Not Track mechanisms for consumers; Solvency II regulatory requirements for insurance firms; and meaningful use standards established by the Health Information Technology for Economic and Clinical Health Act. The report also pointed to “an overall tightening of tax and privacy regulations worldwide.”
The key technology areas that respondents felt would be most important to regulatory compliance include the implementation of technology to support segregation of duties, privileged access monitoring and management of the compliance process.
As enterprises face the need to comply with multiple regulations and standards, they implement automated solutions to track and report upon the varying compliance controls in an attempt to make the compliance process more efficient, according to ISACA. This can cause headaches: The costs associated with managing and implementing systems to protect companies from the loss of personally identifiable information were among the top concerns mentioned by survey respondents.
And the concerns don’t end there: Technology trends such as cloud computing, mobile devices and social media will also impact the issues discussed above. As ISACA noted, these technologies will increasingly become part of an enterprise’s architecture and surely impact areas such as business continuity, IT risk, regulatory compliance and information security.
The number of data breaches still in the news shows that, despite the increase in regulations, not enough is being done. The slew of new regulations is ultimately aimed at trying to help protect companies and their customers — and having a sound compliance management strategy in place would benefit both of these groups.
Trying to meet regulatory compliance requirements for many user organizations, at least from an IT governance point of view, is a complicated and costly process. Novell is looking to put some salve on those wounds with the next version of its Novell Access Governance Suite, a set of software products that simplify how customers govern users’ access to corporate resources and manage regulatory compliance.
Version 4.1 now includes Novell Access Request and Change Manager, a new solution intended to simplify granting user access to information, as well as closing the compliance gaps caused by multiple methods of requesting access.
Governance would appear to be Novell’s path back into the enterprise by managing the weakest part of the compliance chain: controlling user access to data. The concept is a relatively simple one: If you can control user access, then you can control the flow of data. However, in reality it is not that simple. Not only do you have to worry about user access, but you also need to worry about what users can potentially do with that access. Legitimate access can still lead to compliance violations, whether it is accidental or malicious.
Is governance the answer to that problem? Or does data leakage protection become the solution to that problem? At this stage, it’s hard to tell. Novell is seeking to cover all bases by injecting its technology into the flow and access of data.
This question raises a couple more: How are corporations dealing with data leakage issues today? Are current solutions delivering the protection needed, or is Novell really on to something here? I guess it’s going to take audits and e-discovery requests to truly find out how compliant a particular enterprise is. Until then, one may want to consider what Novell is proposing and see if an answer exists that can address thorny compliance issues.
Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology publications, including Computerworld, TechTarget, PCWorld, ExtremeTech and Tom’s Hardware, and business publications including Entrepreneur and BNET. Ohlhorst was also executive technology editor at eWEEK and director of CRN Test Center.
In this podcast, SearchCompliance.com associate editor Alexander B. Howard interviews Christofer Hoff, director of cloud and virtualization solutions at Cisco Systems, and one of Cloud Audit’s organizers. Prior to his work at Cisco, he was Unisys Corp.’s systems and technology division’s chief security architect. Hoff continues to participate in the Cloud Security Alliance. You can find Hoff’s blog at Rationalsurvivability.com/blog and follow him on Twitter as @Beaker.
Hoff says that forming A6 came out of the need for enterprise security professionals to have better tools for confirming security and cloud computing compliance at providers of these services.
When you listen to this podcast, you’ll learn:
• What Cloud Audit is.
• What problems A6 could solve for CISOs and CIOs faced with ensuring cloud computing compliance challenges.
• How Cloud Audit would map to compliance, regulatory, service-level, configuration, security and assurance frameworks, or third-party trust brokers.
For more information, visit CloudAudit.org, the relevant Google Group or the Cloud Audit code base at Google Code. Hoff has also collected recent press coverage and other information about A6 at his blog.
When you listen to the podcast, moderated by SearchCompliance.com associate editor Alexander B. Howard, you’ll hear Hathaway’s answers to the following questions and more:
TKC Global, a systems integrator, will deploy the system.
I interviewed Mark Orndorff, director of DISA’s Program Executive Office for Information Assurance and NetOps, after the announcement last week.
Why is IPsonar considered necessary?
The short answer is, you can’t defend what you don’t know. We consider leak detection and mapping as key requirements to fully understand DoD’s networks and our external connections. This capability directly supports one of the actions in DISA’s recently signed Campaign Plan, where we want to conduct cross-domain searches for leaks between networks. IPsonar will provide a good start towards that requirement.
What networks will it be used on?
IPsonar will be used on SIPRNet [Secret Internet Protocol Router Network] and NIPRNet [Nonsecure Internet Protocol Router Network].
How well has it worked on the SIPRNet?
The “good” news is that we’ve had limited success with this tool on SIPRNet. I view it as good news because the problems we have getting a network mapping tool to work are directly tied to the security controls we’ve implemented to limit the ability of an adversary to maneuver on our networks. The vendor has made some changes to make it easier to work through some of these issues, plus we are now working a revised CONOPS [Concept of Operations] that will put the tool in the hands of those best able to make the network changes needed for the tool to be fully effective.
Is the software used for one-time or periodic network mapping? Or does it run continuously?
I would like to see this run continuously, at least the portion of the tool that supports leak detection. We are working now with JTF GNO [Joint Task Force-Global Network Operations] and the services to finalize the CONOPS.
Once the network or networks are mapped, then what does DISA do?
DISA’s role here is as the acquisition and support agency for an enterprise information assurance capability that will be operated by the COCOMS [DoD's combatant commands], services and agencies. We are responsible for lifecycle support of the capability.
Is DISA planning other steps to increase network security?
Absolutely. We have a large information assurance program that includes a number of initiatives to reduce the attack surface, improve information sharing and provide the global situational awareness needed to assure mission success in the face of cyberattack.
How will IPsonar relate to the transition from IPv4 to IPv6?
We will always have a requirement to understand our network topology and identify leaks. Today, IPsonar can detect, query and capture info from IPv6 assets. The IPsonar solution is sitting on an IPv4 stack but they have identified in their roadmap and are on track to be IPv6-compliant. We will work with the vendor and IPv6 test efforts in DoD to make sure this and all of our IA [Information Assurance] capabilities remain effective as we transition to IPv6.
How will this deployment relate to complying with the Trusted Internet Connections Initiative?
We have strong policy and procedures to support the Trusted Internet Connection Initiative. The leak-detection capability of IPsonar provides the technology to help identify any unapproved Internet connections.
How will this implementation allow DISA and the DoD to meet FISMA compliance standards?
This will support the FISMA requirement for “asset awareness” by providing a mapping capability.
Why choose IPsonar, vs. other networking mapping software?
Our most critical requirement was leak detection. When we considered that, along with the mapping requirements, we found IPsonar to be the best solution.
How will IPsonar integrate with existing network, storage and endpoint security software at DISA to ensure better cybersecurity?
We have a number of cybersecurity solutions providing valuable data for our network defenders, but integration is largely manual. One of the top priorities for us in FY10 is to address this issue. We have two efforts ongoing: one focused on configuration management and vulnerability management requirements leveraging the SCAP data standards, with the other focused on attack detection, diagnosis and response. Both of these efforts will integrate IPsonar to help put data from other sources into context.
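The interview above uses “leak detection” for two findings a network-mapping tool can surface: a device that bridges networks which are supposed to stay separated, and a path off the enterprise that does not go through an approved gateway. The following script is an added example, not IPsonar’s, DISA’s or any vendor’s code, showing both checks in their simplest form over a constructed mapper export. The zone ranges (RFC 1918 space), the approved-device lists, the `Host` record shape and the host inventory are all assumptions made for the example.

```python
"""Minimal cross-domain leak check over network-mapper output.

Added, hypothetical illustration code: not IPsonar's, DISA's or any vendor's
method. The zones, approved-device lists and host inventory below are all
constructed (RFC 1918 and RFC 5737 documentation ranges, not real DoD space).
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed network zones that must stay separated (constructed).
ZONES = {
    "ZONE_A": [ipaddress.ip_network("10.0.0.0/8")],
    "ZONE_B": [ipaddress.ip_network("172.16.0.0/12")],
}

# Assumed allow-lists: devices that may legitimately bridge zones
# (e.g. a cross-domain guard) or carry traffic to external networks
# (e.g. an approved Internet gateway). Names are constructed.
APPROVED_CROSS_DOMAIN = {"guard-01"}
APPROVED_EXTERNAL_GATEWAYS = {"gw-01"}


@dataclass
class Host:
    """One mapped device: its interface addresses and observed next hops."""
    name: str
    interfaces: list
    next_hops: list = field(default_factory=list)


def zone_of(ip: str):
    """Return the zone name containing ip, or None if it is outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return None


def find_leaks(hosts):
    """Flag (1) unapproved hosts with interfaces in more than one zone and
    (2) unapproved hosts whose next hop lies outside every defined zone."""
    findings = []
    for h in hosts:
        zones = sorted({z for z in map(zone_of, h.interfaces) if z is not None})
        if len(zones) > 1 and h.name not in APPROVED_CROSS_DOMAIN:
            findings.append((h.name, "multi-homed across zones", zones))
        for hop in h.next_hops:
            if zone_of(hop) is None and h.name not in APPROVED_EXTERNAL_GATEWAYS:
                findings.append((h.name, "unapproved external next hop", [hop]))
    return findings


# Constructed sample inventory, in the shape a mapping tool might export.
SAMPLE_HOSTS = [
    Host("ws-01", ["10.1.2.3"], ["10.1.2.1"]),        # clean
    Host("guard-01", ["10.9.0.5", "172.20.0.5"]),     # approved bridge
    Host("ws-07", ["10.1.2.7", "172.20.3.7"]),        # leak: unapproved bridge
    Host("ws-09", ["10.4.4.9"], ["203.0.113.1"]),     # leak: direct external path
    Host("gw-01", ["10.255.0.1"], ["203.0.113.1"]),   # approved external gateway
]


def run_sample():
    """Run the checks over the constructed inventory and return the findings."""
    return find_leaks(SAMPLE_HOSTS)


if __name__ == "__main__":
    for name, kind, detail in run_sample():
        print(f"{name}: {kind} {detail}")
```

The value of a check like this comes from the allow-lists: a guard or gateway is expected to touch both sides, so the mapper’s raw output is only useful once it is compared against the set of connections that were actually approved, which is the gap the interview describes between collecting data and putting it “into context.”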
What to do?
1. Build data protection around intrusion detection and access controls.
As contributor John Weathington recommends, begin with a comprehensive data governance and compliance strategy and build data protection practices upon intrusion detection and access controls.
2. Look to the Unified Compliance Framework for common ground.
Compliance professionals and vendors are turning to the Unified Compliance Framework as a common language for overlapping compliance standards.
3. Review our FAQ on mandatory encryption standards and IT operations.
Learn how emerging mandatory encryption standards will affect IT operations.
4. Get a grip on addressing compliance requirements in cloud computing contracts.
As CIOs look to cloud computing for data backup and storage, compliance requirements must be spelled out and met, or the data will be brought back down to earth.
The following compliance resources from SearchSecurity.com will be helpful to IT professionals preparing for renewed security challenges this year.
1. Learn how to create an identity theft prevention plan for FTC Red Flags Rules.
Under the FTC’s Red Flags Rules, all financial institutions and creditors with covered accounts are required to create an identity theft prevention plan. The FTC may have extended the enforcement deadline for the Red Flags Rule to June 1, 2010, but five months will go by quickly.
2. Review this guide to internal and external network security auditing.
Contributor Stephen Cobb covers the baseline network audit processes that a security professional should absolutely conduct regularly.
3. Consider the benefits of ISO 27001 and ISO 27002 certification for your enterprise.
If your enterprise is considering becoming ISO 27001 and 27002 certified, there are several important questions to ask.
4. Get up to speed on privileged account management.
Sarbanes-Oxley compliance requirements and data security concerns are accelerating growth of the privileged account management market.
5. Weigh the pros and cons of end-to-end encryption and tokenization.
Tokenization and end-to-end encryption have emerged as promising technologies, but both have benefits and drawbacks that organizations must weigh.
6. Learn how frameworks and technology can help your PCI DSS compliance efforts.
This mini-guide offers a variety of tips on how organizations can use several frameworks, technologies and standards to help manage PCI DSS efforts and ease the compliance burden.
… that is, if health care compliance is your responsibility.
If you work in healthcare, SearchSecurity.com published a helpful HIPAA compliance manual that will be useful for IT professionals entrusted with health care compliance. Included in the guide is a HIPAA compliance training, audit and requirement checklist, including advice on how to prepare for a security audit.
Here are several other useful stories and tips on health care compliance:
1. Personal health records not measuring up in privacy, say advocates
The federal government has called for greater use of personal health records as part of electronic health record systems. Advocates say PHRs fall short in data control, privacy and security.
2. Growing health information exchanges show lower costs, better care
Some health care organizations such as health information exchanges are showing improved efficiency, lower costs and better patient care using EHRs.
3. Encryption tops new rules of electronic health records compliance
When it comes to electronic health records and personal health information, secure storage can have many meanings, but only one that counts: Encrypt data as many ways as you can.
For more on HITECH and HIPAA compliance, also review:
Schmidt was formerly chief information security officer (CISO) at eBay and chief security officer at Microsoft and has worked with federal and local law enforcement and the Defense Department. As Ellen Nakashima reported in The Washington Post, the new cybersecurity coordinator also served as special adviser for cyberspace security from 2001 to 2003, where he shepherded the National Strategy to Secure Cyberspace, a plan that Nakashima writes “was largely ignored.” Schmidt was also the president and CEO of the Information Systems Security Association, an international nonprofit organization that focuses on risks and research in the cyberworld. The question now will be whether a man hailed as a good communicator can also ensure better cybersecurity across industry and government.
“Howard is a good match for this task,” said Vint Cerf, Google’s chief Internet evangelist, as quoted by The Atlantic Monthly’s Marc Ambinder. “I’ve been impressed by his consensus-building style. He’s thoughtful, knowledgeable and he knows Washington.”
Cerf, as quoted in the New York Times article on the cybersecurity coordinator, said that “I’ve come away with a strong sense that Vivek Kundra, chief information officer, and Aneesh Chopra, the chief technology officer, and participants at the N.S.C. are aligned on this effort.”
Filling the position at the National Security Council was overdue, given the time that has elapsed since Melissa Hathaway delivered a cybersecurity report that called for a cybersecurity coordinator to coordinate the nation’s efforts. As SearchSecurity.com Editorial Director Mike Mimoso reported, “Obama announced on May 29 he intended to personally select a cybersecurity coordinator who would coordinate cybersecurity policies across government agencies.”
In May, Threatpost Editor Dennis Fisher recorded a podcast with Schmidt. In the podcast, the incoming cybersecurity coordinator talks about the role, cybercrime and how to fix federal cybersecurity.
CSO Online Senior Editor Bill Brenner enjoyed excellent timing yesterday when he published an email interview with Schmidt. Schmidt made a number of predictions for 2010, including that he believed that cloud computing will be a security enabler. Schmidt wrote that “2010 will be the tipping point as to much wider adaption in all sectors. The overall net effect will give us a better chance to develop more security in the cloud using better vulnerability management/reduction, strong authentication, robust encryption and closer attention to legal jurisdictions.”
The timing of the White House appointment of a cyber coordinator is, as Ambinder wrote, something of an early Christmas gift, though perhaps not for Schmidt himself. As Ambinder observed, “It’ll be a thankless job: given the near-certainty that the government will experience some massive data breach or a major cyber terrorism attack, Schmidt will be both the point person — and the person seen as responsible, even though he lacks the statutory authority to prevent these catastrophes.”
In the security industry, reactions to the appointment have been generally positive. Like Ambinder, Dave Lewis, a Canada-based IT security practitioner and editor at Liquidmatrix Security Digest, also sees a tough challenge ahead for Schmidt. “I think that this is an extremely unenviable position for him to take,” he said. “There are numerous turf wars that he will be at risk of becoming collateral damage in the crossfire. I would like to see him succeed. There needs to be a central point of control for IT security.”
George Moraetes, an information security and enterprise architect, related a similar sentiment: “I really don’t know if congratulations or even condolences are in order.”
Moraetes supports the appointment of Schmidt, stating he “is the best advocate and most experienced individual to take on this incredibly difficult job that basically has no teeth or jurisdiction to preside over federal agencies. He is the only person capable of this job, having solid federal government and corporate experience at top levels, and knows the ropes.”
Patricia Titus, former CISO for the Transportation Security Administration and now CISO for Unisys Federal Systems, is similarly supportive. “He comes with exactly the type of credentials to rally the right people at the needed levels. His private- and public-sector background lends itself well to knowing who needs to sit at the table. There hasn’t been that level of IT credentials and security experience in a similar position before.”
Titus sees the position of the cybersecurity coordinator directly under the deputy NSA as “critical to the success of the position. The fact that John has publicly stated that Howard will have regular access to the president shows that cybersecurity is a national priority.” Schmidt will be charged with assessing and mitigating a complex mix of threats and authorities. “I think that all of us in cybersecurity look at the difference between compliance and verifiable security carefully. Are we spending too much time writing documents, versus in real-time monitoring of security controls? Howard’s role may be to address that from a policy standpoint, with regards to securing critical infrastructure, government websites and agencies.”
“I’m cautiously pessimistic about anyone in that job, but I think Howard has a better shot than most,” said David Mortman, CSO-in-residence at Mason, Ohio-based security consultancy Echelon One. “Howard is a known quantity and knows how to play the game. Gives him a huge advantage, since it’s like he’s simultaneously an insider and an outsider. Hopefully the best of both worlds.”
Dan Kennedy, CISO of the Praetorian Security Group, also wrote in to share his take on the appointment of the new cybersecurity coordinator: “I am familiar with Howard, having watched him speak numerous times, being introduced to him a few times, having sat at a dinner round table across from him, and having been an ISSA member for years who reads his introductions every month. I think Howard Schmidt is both a smart guy and one who understands the issues of information security. I don’t always agree with what he has to say, but if you are quoted as much as Howard is that will happen. He doesn’t say completely crazy things, as a few senior security executives do now and then, and has a conservative approach to IS concerns. Howard is a competent choice, and clearly better than many alternatives having worked in the private sector and having been involved very closely and nearly exclusively in the infosec industry. This is much better than, say, a competent technologist, a lawyer who understands technology at a high level, or related choices taking on their first big information security job with this position.”
“That said, he is a safe choice, one who has had an opportunity already in what was a very similar position under the Bush administration. I, like many folks, wanted to be excited by the choice of cybersecurity czar, to see someone I thought would really shake things up. A safe choice doesn’t do that. I voted for Obama to make competent but also pushing the envelope decisions. I hoped for an appointment that would inject some discomfort into an established information security hierarchy in need of a change agent. Howard may be that; perhaps he wasn’t given enough of a chance or shackled by a lack of organizational power the last time around.”
“Don’t get me wrong: this appointment is a positive. There’s a more empowered position (especially now that the nonsense on reporting line is resolved) and a competent person in it helps information security. It was a long time coming. Howard is not afraid to speak uncomfortable truth to power, one of the hallmarks of a great CISO. I congratulate him and look to this appointment with optimism.”