cissp CISSP training Certified Information Systems Security Professional: Law & Legalities

Security breach notification law by state
Posted by boss on Thursday, 23 July 2009 @ 06:15:22 EDT (1146 reads)
Topic Law & Legalities

cdupuis writes "NOTE FROM CLEMENT:

I very often get asked in class about which states have or do not have a breach notification law. It seems we are doing well and only a few states have not enacted such a law.

The following states do not have laws as of this writing:

Alabama, Kentucky, Mississippi, New Mexico, and South Dakota

Missouri has just passed a law. See below for a summary and some links to each state's law. As I was looking at the announcement of the Missouri law, I found other interesting information as well, presented below.

1. The new Missouri law

Missouri has become the 45th state to enact data breach notification legislation. Governor Jay Nixon signed House Bill 62 into law on July 9, 2009. The new law goes into effect on August 28, 2009.

The law contains a broad definition of personal information. In addition to the more common elements of first name or initial and last name in combination with unencrypted Social Security Number, driver’s license number, financial account number, or credit or debit card number, the statute also includes in the definition of personal information first name or initial and last name in combination with an unencrypted:

  • Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
  • Medical information, which includes any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; and
  • Health insurance information, which includes an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual.

Other provisions of interest:

  • If an entity must notify more than 1000 residents, it must notify the Missouri Attorney General’s office and the nationwide consumer reporting agencies of the breach.
  • Civil penalties for violating the statute may reach up to $150,000 per breach of the security of the system.

The full text of the bill is available here.

Original article at: http://www.digestiblelaw.com/datasecurity/blogQ.aspx?entry=6064&id=34

2. Chart showing details of laws enacted in different states. From the Perkins Coie Web site:

http://www.perkinscoie.com/files/upload/LIT_09_07_SecurityBreachExhibits2.pdf

3. A nice table with a summary of the laws in different states. You can find it online on the NCSL website at:

http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx

State Security Breach Notification Laws

As of May 26, 2009

Forty-four states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. 

Alaska: 2008 H.B. 65
Arizona: Ariz. Rev. Stat. § 44-7501
Arkansas: Ark. Code § 4-110-101 et seq.
California: Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82
Colorado: Colo. Rev. Stat. § 6-1-716
Connecticut: Conn. Gen. Stat. 36a-701(b)
Delaware: Del. Code tit. 6, § 12B-101 et seq.
Florida: Fla. Stat. § 817.5681
Georgia: Ga. Code §§ 10-1-910, -911
Hawaii: Haw. Rev. Stat. § 487N-2
Idaho: Idaho Code §§ 28-51-104 to 28-51-107
Illinois: 815 ILCS 530/1 et seq.
Indiana: Ind. Code §§ 24-4.9 et seq., 4-1-11 et seq., 2009 H.B. 1121
Iowa: Iowa Code § 715C.1 (2008 S.F. 2308)
Kansas: Kan. Stat. 50-7a01, 50-7a02
Louisiana: La. Rev. Stat. § 51:3071 et seq.
Maine: Me. Rev. Stat. tit. 10 §§ 1347 et seq., 2009 Public Law 161
Maryland: Md. Code, Com. Law § 14-3501 et seq.
Massachusetts: Mass. Gen. Laws § 93H-1 et seq.
Michigan: Mich. Comp. Laws § 445.72
Minnesota: Minn. Stat. §§ 325E.61, 325E.64
Montana: Mont. Code § 30-14-1701 et seq., 2009 H.B. 155, Chapter 163
Nebraska: Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
Nevada: Nev. Rev. Stat. 603A.010 et seq.
New Hampshire: N.H. Rev. Stat. §§ 359-C:19, -C:20, -C:21
New Jersey: N.J. Stat. 56:8-163
New York: N.Y. Gen. Bus. Law § 899-aa
North Carolina: N.C. Gen. Stat. § 75-65
North Dakota: N.D. Cent. Code § 51-30-01 et seq.
Ohio: Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
Oklahoma: Okla. Stat. § 74-3113.1 and 2008 H.B. 2245
Oregon: 2007 S.B. 583, Chapter 759
Pennsylvania: 73 Pa. Stat. § 2303
Rhode Island: R.I. Gen. Laws § 11-49.2-1 et seq.
South Carolina: 2008 S.B. 453, Act 190
Tennessee: Tenn. Code § 47-18-2107
Texas: Tex. Bus. & Com. Code § 48.001 et seq.
Utah: Utah Code §§ 13-44-101, -102, -201, -202, -310
Vermont: Vt. Stat. tit. 9 § 2430 et seq.
Virginia: Va. Code § 18.2-186.6
Washington: Wash. Rev. Code § 19.255.010
West Virginia: W.V. Code §§ 46A-2A-101 et seq.
Wisconsin: Wis. Stat. § 134.98 et seq.
Wyoming: Wyo. Stat. § 40-12-501 to -501
District of Columbia: D.C. Code § 28-3851 et seq.
Puerto Rico: 10 Laws of Puerto Rico § 4051 et seq.
Virgin Islands: V.I. Code § 2208
"



Senate Legislation Would Federalize Cybersecurity
Posted by boss on Thursday, 02 April 2009 @ 09:48:11 EDT (1152 reads)
Topic Law & Legalities

cdupuis writes "

As seen in the Washington Post online:

Senate Legislation Would Federalize Cybersecurity
Rules for Private Networks Also Proposed

By Joby Warrick and Walter Pincus
Washington Post Staff Writers
Wednesday, April 1, 2009; A04

Key lawmakers are pushing to dramatically escalate U.S. defenses against cyberattacks, crafting proposals that would empower the government to set and enforce security standards for private industry for the first time.

The proposals, in Senate legislation that could be introduced as early as today, would broaden the focus of the government's cybersecurity efforts to include not only military networks but also private systems that control essentials such as electricity and water distribution. At the same time, the bill would add regulatory teeth to ensure industry compliance with the rules, congressional officials familiar with the plan said yesterday.

Addressing what intelligence officials describe as a gaping vulnerability, the legislation also calls for the appointment of a White House cybersecurity "czar" with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway, the officials said.

How industry groups will respond is unclear. Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, which represents private companies and civil liberties advocates, said that mandatory standards have long been the "third rail of cybersecurity policy." Dempsey said regulation could also stifle creativity by forcing companies to adopt a uniform approach.

The legislation, co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), was drafted with White House input. Although the White House indicated it supported some key concepts of the bill, there has been no official endorsement.

Many of the proposals were based on recommendations of a landmark study last year by the Center for Strategic and International Studies.

Currently, government responsibility for cybersecurity is split: The Pentagon and the National Security Agency safeguard military networks, while the Department of Homeland Security provides assistance to private networks. Previous cybersecurity initiatives have largely concentrated on reducing the vulnerability of government and military computers to hackers.

A 60-day federal review of the nation's defenses against computer-based attacks is underway, and the administration has signaled its intention to incorporate private industry into those defenses in an unprecedented way.

"People say this is a military or intelligence concern, but it's a lot more than that," Rockefeller, a former intelligence committee chairman, said in an interview. "It suddenly gets into the realm of traffic lights and rail networks and water and electricity."

U.S. intelligence officials have warned that a sustained attack on private computer networks could cause widespread social and economic havoc, possibly shutting down or compromising systems used by banks, utilities, transportation companies and others.

The Rockefeller-Snowe measure would create the Office of the National Cybersecurity Adviser, whose leader would report directly to the president and would coordinate defense efforts across government agencies. It would require the National Institute of Standards and Technology to establish "measurable and auditable cybersecurity standards" that would apply to private companies as well as the government. It also would require licensing and certification of cybersecurity professionals.

The proposal would also mandate an ongoing, quadrennial review of the nation's cyberdefenses. "It's not a problem that will ever be completely solved," Rockefeller said. "You have to keep making higher walls."

Last week, Director of National Intelligence Dennis C. Blair told reporters that one agency should oversee cybersecurity for government and for the private sector. He added that the NSA should be central to the effort.

"The taxpayers of this country have spent enormous sums developing a world-class capability at the National Security Agency on cyber," he said.

Blair acknowledged there will be privacy concerns about centralizing cybersecurity, and he said the program should be designed in a way that gives Americans confidence that it is "not being used to gather private information."

Posting can be seen at:
http://www.washingtonpost.com/wp-dyn/content/article/2009/03/31/AR2009033103684_pf.html

"



FISMA compliance made easier with OpenFISMA
Posted by boss on Tuesday, 28 October 2008 @ 19:30:12 EDT (1842 reads)
Topic Law & Legalities

FISMA compliance made easier with OpenFISMA
Scott Sidel, Contributor
10.27.2008

Managing security in a large corporation can be daunting, which is why the U.S. government has made a concerted effort to standardize best security practices. The Federal Information Security Management Act (FISMA) not only mandates the processes for information systems used by federal agencies and by contractors working with the government, but also provides an excellent security baseline for any large organization.

From an information security perspective, the first step in implementing FISMA guidelines involves gaining an understanding of the processes FISMA mandates. Then, practitioners typically rely on NIST publications, which guide security personnel through the baseline security requirements, detailing the more specific technical and operational controls needed to meet those requirements. Managing the compliance process can quickly become a challenge, however, because working with multiple parties on a broad range of controls overwhelms the typical spreadsheet and manual tracking process.

OpenFISMA can help: it automates the compliance process by using a platform-independent OSS Web application framework (Apache, MySQL, PHP) to manage the workflow. OpenFISMA also guides requirements-gathering activities, such as verifying compliance with requirements, security assessments and vulnerability remediation.

To better understand how OpenFISMA can improve security, one example is the processes associated with a plan of actions and milestones (POA&M), which are the activities used for tracking and fixing security vulnerabilities. OpenFISMA provides a Web-based centralized repository to manage and track vulnerability reporting and remediation activities. Users log in to their role-based accounts to work through or oversee the compliance processes. Typical users would be the security officer (CSO or CISO), technical operations staff and the independent verifiers.

OpenFISMA's business rules provide guidance for the submission of remediation evidence and sign-off for the work performed. The user controls protect the integrity of the audit information from unauthorized access, modification and deletion. Timestamps support the ability to audit and account for each of the steps, and a reporting engine helps track performance against stated completion goals.


When using OpenFISMA, information about security weaknesses can be entered manually or ingested from automated sources by using popular vulnerability assessment scanners that output their results in XML, CSV or XLS formats. A known vulnerability then follows one of three typical paths: a) the finding is remediated, b) the finding is demonstrated to be a false positive, or c) the risk is accepted. A risk level can be assigned to help prioritize the level of threat to the organization and the mitigation strategy can be reviewed and approved by independent third parties. After the work to remediate the weakness is done, evidence for the remediation can be analyzed by third-party verifiers. Finally, assuming the remediation is accepted, the verifiers would close out the weakness.

Implementing government standards for security can be a huge task, but OpenFISMA provides structure and automation to help manage the process.

About the author:
Scott Sidel is an ISSO with Lockheed Martin.
For more recommendations from the author, check out Scott Sidel's Downloads




Nevada Deadline on E-Mail Encryption Looming
Posted by boss on Monday, 22 September 2008 @ 10:22:26 EDT (1383 reads)
Topic Law & Legalities

cdupuis writes "

Friday, September 19, 2008 2:14 PM/EST

What happens in Vegas, may stay locked down in Vegas.

On October 1, the state of Nevada will be requiring the encryption of all transmissions, like email, for all businesses that send personally identifiable information over the Internet. The statute was signed into law in 2005, and is about to kick in as an enforceable law next month. Three years fly when you're raking in chips at casinos and enjoying the rising popularity of poker.

The Nevada law is stated as such:

NRS 597.970 Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.]

1. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.


As with any law about to go in effect, this one could be bound to catch many Nevada businesses off guard. In parallel, a few IT security vendors who sell encryption software and hardware are lining up to tell the technology media about it.

Think about all the hotels, resorts, golf courses, pawn shops, nightclubs, check cashing, ski lodges and small businesses this is going to affect. Not to mention all the businesses--the vice-ridden ones legal in Nevada only and otherwise--that incorporate in the tax-friendly state. Nevada is the West's version of Delaware (albeit a much sexier state, sorry Delaware).

Beyond the infrastructure impact, the statute itself looks like Swiss cheese. Bryce K. Earl, a Las Vegas-based attorney with Santoro, Driggs, Walch, Kearney, Holley & Thompson, has been following the issue closely and believes there are some problems with the statute as it is on the books right now, namely, the broad definition of encryption, the lack of coordination with industry standards and the unclear nature of penalties, both criminal and civil.

"The statute's lack of specificity with regard to penalties will perhaps create the unintended consequence of opening up more liability," said Earl. That doesn't sound good, but again, nothing has happened just yet.

Earl explained why the broad definition of "encryption" by the state is potentially problematic. Here is the definition from the state's website:

NRS 205.4742 "Encryption" defined. "Encryption" means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:

1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;

2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or

3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.

Earl said an argument could be made that a password-protected document sent in an email might be good enough to hold up with the state's broad definition of encryption here. Is that good enough?

Moreover, how the heck will Nevada enforce this?

Earl said at this time it was unclear, but he thinks that the state--which holds a legislative session every other year--could address the statute for more clarity next year when the Nevada state government reconvenes. A possible pending lawsuit may also help to better define the law for clearer interpretation, but as Earl hinted, that doesn't necessarily mean it will help that potential lawsuit.

The challenge for Nevada is that its intentions were good in trying to stem the tide of identity theft and criminal behavior online. But once again, the legal system and the IT industry are faced with potentially bigger compliance and liability issues than they probably intended. The disconnection is real.

As of posting time, representatives of the state had not gotten back to me with comment.

What should business do about this issue?

UPDATE: A spokesman for the state has directed me to a state assemblyman (who I will follow up with), but more interestingly, has pointed out this provision in the law:

NRS 193.170 Prohibited act is misdemeanor when no penalty imposed. Whenever the performance of any act is prohibited by any statute, and no penalty for the violation of such statute is imposed, the committing of such act shall be a misdemeanor.

CLICK HERE to see original posting on the Baseline Magazine website

"



Aussies follow Canadian lead on breach notification
Posted by boss on Tuesday, 29 April 2008 @ 13:03:05 EDT (1732 reads)
Topic Law & Legalities

cdupuis writes "
Both New Zealand and Australia have modeled their guidelines for telling customers about IT security incidents on a jointly-created British Columbia and Ontario privacy document. Is Ottawa paying attention?
By: Rafael Ruffolo
ComputerWorld Canada (22 Apr 2008)

Canadian data breach notification guidelines – jointly created by the Information and Privacy Commissioners for British Columbia and Ontario – have made their way to the land down under.

Last week, Australian Privacy Commissioner Karen Curtis released the Voluntary Information Security Breach Notification Guide, which aims to assist organizations in effectively responding to information security breaches. The draft guide credits voluntary guidelines by both the Privacy Commissioners of Canada and New Zealand.

“We had worked with the New Zealand privacy commissioner and showed her our breach notification assessment tool,” Ann Cavoukian, Information and Privacy Commissioner of Ontario, said. “She took it and developed one in New Zealand similar to ours. It’s great to see Australia follow suit.” The jointly created Canadian breach notification guide was created in December 2006 and outlines steps on when and how to notify affected individuals.

“When you’re notifying somebody of a breach relating to their data, you’ve got to be perfectly clear and concise,” Cavoukian said. “In regards to the preferred method of notification, we think direct contact either by phone, letter or in person are the most effective methods.”

As for what to include in the notification, the assessment tool advises organizations to provide a general description of what happened without a lot of legal jargon, outline the steps taken thus far (and to be taken in the future) to control or reduce the harm, and the steps the individual can take to further protect themselves.

“You’ve got to be practical and do things as quickly as possible,” Cavoukian said. “You need to contain the damages, get the notices out, fix the problem and prevent it from reoccurring. You also have to be practical about it and notify people in a way that’s not full of legal legalese and provides clear notice as to what you’re doing.”

Currently, Australia’s privacy legislation does not specifically require an agency or organization to notify individuals, or even the privacy commissioner, of a data breach. However, an amendment to the Australian Privacy Act to require mandatory data breach notification is under way.

The same story is playing out in Canada. Last year, the federal government recommended that data protection laws – specifically the Personal Information Protection and Electronic Documents Act (PIPEDA) – be amended to include requirements for companies to notify individuals when their personal information was subject to a security breach.

Cavoukian hopes the breach notification assessment tool, along with the influence it is having on the other side of globe, will inspire the federal government to implement an effective and common sense approach on breach notification.

“They’re certainly aware of our guidelines, so I’m sure it’s food for fodder for them,” she said. “We’ve had very good feedback on our guidelines and I’m sure it’ll be one of the things that they take into consideration.”

But some organizations such as the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic (CIPPIC) want the government to go even further. Responding to an Industry Canada request for public consultation on data security laws earlier this year, CIPPIC recommended that mandatory reporting of data breaches to a publicly-accessible electronic registry is the most effective way to persuade corporations to shore up their potential security risks.

“We’ve been pushing for notification requirements for years, because it’s obvious to me and my colleagues that, by and large, corporations are not doing as much as they should be to secure the personal information in their possession,” Pippa Lawson, executive director at CIPPIC, told ComputerWorld Canada earlier this year. “Our conclusion from years of research is that the market does not provide efficient incentives for effective security precautions, because in most cases, companies can hide the breaches and they are never publicly known about.”

Lawson said that while the government’s interest in drafting better data breach notification laws is positive, Ottawa needs to take it a step further and require mandatory public reporting as well.

“There’s two ways that you can create incentives for companies to take strong security measures: one is to make them pay financially through penalties and fines, and two is to give them bad publicity that can be even more costly,” Lawson said. “If there is a real risk of negative publicity for these companies, the CEOs will make sure that they put more resources into security.”

David Senf, director of security and software research at Toronto-based IDC Canada Ltd., said Canada would benefit greatly from similar privacy legislation passed in California, which mandates organizations to reveal to customers that personal data has been compromised.

“Organizations in this country don't fear the repercussions of PIPEDA,” Senf said earlier this year. “Stronger legislation will go a long way in convincing organizations to tighten up security for better privacy protection.”

Cavoukian, however, disagreed on taking such a punitive approach. As a regulator, she said, her concern is to ensure when something happens that it’s addressed immediately and as quickly as possible to benefit the affected individuals.

“You can almost take as a given that over time, virtually every company is going to make an oversight or a mistake and have some kind of data breach,” Cavoukian said. “My experience in working with organizations is that as soon as they know there’s a breach, they’re really motivated to cure the harm and prevent it. If you create a database of who did what and how many times they did it, I just don’t know how effective it would be.”

Copyright © 2007 ITworldcanada.com

Click HERE to see original article on IT World Canada web site

"



Online Libel & Google Reputation
Posted by boss on Friday, 25 April 2008 @ 23:10:51 EDT (1351 reads)
Topic Law & Legalities

cdupuis writes "A very low-technology end to a business and career.

Reputation is what others say about you.

Character is what you really are as evidenced by your actions when no one is observing.

IMPORTANT DISCLAIMER: Readers are advised that this essay be considered as common sense advice, not legal advice. For that you need to go to a lawyer.

IT security is a multibillion-dollar industry, which has necessitated new and constantly revised laws in almost every state on earth. These laws address the criminal aspects of aggressive and deliberate business or personal privacy invasion and information disruption or destruction via various technology mediums, commonly referred to as “hacking”, or more accurately “cracking”.

So what is the “low” technology threat that goes largely unnoticed by the community, ignored by criminal prosecutors and yet the cause of billions of dollars in irreparable damage to business goodwill, personal reputation, and very significantly to the emotional well-being of the human victims? The threat is called “LIBEL”, a form of the ancient legal theory of “SLANDER” with origins in Roman jurisprudence.

This issue is close to my heart because I have had a very frustrating and bitter experience therein. I have purposed to collaborate with experts from various fields including psychology, technology, legal and public relations to produce resources to assist victims in their efforts to remedy the wrongs and for potential victims to mitigate the risks. These resources will be made available for free as they become available through the Mile2 website. Victims of online libel are invited to contact me if they would like access to templates, resources and specific advice.

"Defamation" is the term used internationally to generally describe an injury to reputation. “Slander” and “Libel” are false or malicious claims that may harm someone's reputation. Slander and libel both require publication, with the fundamental distinction between the two lying solely in the form in which the defamatory material is published. If published in some fleeting form, such as spoken words or sounds, sign language, gestures and the like, then this would be slander. If it is published in more durable form, such as in written words, film, data disc (CD or DVD), blogging, web sites and the like, then it is considered libel. The key to these definitions is that the statements must be false. If someone publishes the truth about a person, it IS NOT slander or libel. Slander and libel are not protected forms of free speech under the US First Amendment.

In law, defamation is the communication of a statement that makes a false or deceptive claim, expressly stated or implied to be factual, that may harm the reputation of an individual, business, product, group, government or nation. Most jurisdictions allow legal actions, civil and/or criminal, to deter various kinds of defamation and retaliate against groundless criticism. Related to defamation is public disclosure of private facts, where one person reveals information which is not of public concern and the release of which would offend a reasonable person. Unlike libel or slander, truth is not a defense for invasion of privacy.

See the full essay here: Michael Roberts of Mile2 IT Security Discusses Libel & Google Reputation

"



Generally Accepted Privacy Principles
Posted by boss on Sunday, 09 December 2007 @ 18:53:29 EST (1756 reads)
Topic Law & Legalities

cdupuis writes "

NOTE FROM CLEMENT:

Here is a posting from my friend Dan Swanson. Join his mailing list at:

Click here to subscribe to Dan's mailing list


Generally Accepted Privacy Principles (GAPP) is a comprehensive privacy framework that is designed to assist management in creating an effective privacy program that addresses privacy risks and business opportunities. It was developed under a joint effort of the CICA and the American Institute of Certified Public Accountants (AICPA) through the AICPA/CICA Privacy Task Force.

Formerly known as the AICPA/CICA Privacy Framework, it is founded on a single privacy principle that is supported by 10 principles and over 60 objective and measurable criteria. Click here for a description of GAPP’s overall privacy objective and its 10 principles.

GAPP can be used by organizations to perform a thorough review of their privacy practices, such as:

  • Privacy policy design and implementation
  • Performance Measurement
  • Benchmarking
  • Monitoring and auditing privacy programs

http://www.cica.ca/index.cfm/ci_id/36529/la_id/1.htm

Note: more information is provided below.

http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=privacy&articleId=9051459&taxonomyId=84&intsrc=kc_feat

Enjoy.

Dan

________________________________________________________________


December 06, 2007 (Computerworld) -- If you haven't heard of the Generally Accepted Privacy Principles (GAPP), take stock: They're likely to become the most important new source of requirements for your IT projects since Y2K and Sarbanes-Oxley. Why is this? The accounting industry has closed ranks around the idea that the GAPP is the best international framework for assessing the privacy health of an organization. So when it comes to IT projects, any system or related business process touching personal data will have new rules to play by.

What is the GAPP? I have to agree with the auditors on this one. It's the best attempt so far to address the main point of pain for global chief privacy officers: the growing complexity of privacy regulations around the world.

For the full article, see:

http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=privacy&articleId=9051459&taxonomyId=84&intsrc=kc_feat

Marilyn Prosch, Ph.D.
School of Global Management & Leadership
Associate Professor, Department of Accounting
Arizona State University
4701 W. Thunderbird Road
Glendale, AZ 85306-4908
602.543.6219 phone
602.543.6303 fax

"



Major compromise of security results from use of Gmail account by employee
Posted by boss on Monday, 17 September 2007 @ 21:48:05 EDT (1786 reads)
Topic Law & Legalities

cdupuis writes "

I am forwarding an important article highlighting the security implications of employees reflecting business e-mail to a Web-based e-mail account:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9036938&source=NLT_PM&nlid=8

In this case, an employee of MediaDefender, Inc., a company specializing in assisting movie studios and recording companies in preventing illegal copying of their copyrighted materials online, forwarded highly sensitive corporate e-mail to his Google e-mail account. A group that opposes MediaDefender’s activities hacked the Gmail account (most likely because of a simple password on the account) and made nearly 6,000 of MediaDefender’s e-mails available to the public. This should serve as a reminder to have clear policies with employees regarding the forwarding of business e-mail to Gmail and other types of personal accounts that could seriously compromise corporate security.

Michael R. Overly, Esq., CISSP
Foley & Lardner LLP
2029 Century Park East
35th Floor
Los Angeles, California 90067-3021
Telephone: 310-277-2223
Facsimile: 310-557-8475

"



California Considers New Law Holding Merchants Liable for Costs of Data Breaches
Posted by boss on Friday, 27 July 2007 @ 20:59:52 EDT (1411 reads)
Topic Law & Legalities

cdupuis writes "
California may join Minnesota and, possibly, New Jersey as one of the very first states to enact a law holding merchants responsible for the cost of notifying consumers in the event a security breach results in a compromise of personal information. On June 26, the California Senate Judiciary Committee passed A.B. 779 by a 3-2 vote.

A.B. 779 was proposed in response to the wide-ranging security breaches at the TJX Companies Inc., which affected more than 46 million credit and debit card holders. The proposed law would allow businesses required to notify individuals of data breaches to seek reimbursement from the third party responsible for the breach of all "reasonable and actual costs," including the cost of providing notice and replacing their credit or debit cards. The law is receiving strong opposition from a coalition of 30 groups and businesses representing retailers, financial institutions, information technology companies, marketers, and others.

In May of this year, Minnesota became the first and currently only state to have enacted a similar merchant breach liability law. New Jersey is currently considering a similar data breach liability bill.

Drafting Toolbox: Developing a Fair Use Policy

Employees are constantly copying materials they find in journals, newspapers, and, of course, online. With few exceptions, all of those materials are copyrighted. If the materials are accompanied by information relating to the owner of the copyright and additional terms and conditions regarding use of the materials, removal of that information may subject the user to substantial civil and criminal penalties under the Digital Millennium Copyright Act. Given the potential for copyright infringement and other claims, businesses are adopting fair use policies to reduce the potential for liability resulting from these activities. An example of a basic policy is attached.

Click HERE to download a copy of the Fair Usage Policy

Blog News

The following are recent topics discussed in my blog on Chief Security Officer Magazine’s Website:

  • Newton’s Laws of Motion for Information Security
  • Server Memory Subject to Search
  • The Care and Feeding of Forensic Experts

In The Press/Useful Links:

The following hyperlinks lead to articles you may find useful:

Univ. of California hit with proposed 3M fine for Los Alamos breach

European task force lists RFID privacy threats

Software Testing Best Practices

Public and Private Entities Face Challenges in Addressing Cyber Threats

Michael R. Overly, Esq., CISSP, ISSMP
Foley & Lardner LLP
2029 Century Park East
35th Floor
Los Angeles, California 90067-3021
Telephone: 310-277-2223
Facsimile: 310-557-8475

© Copyright 2007 Foley & Lardner LLP

The information reported should not be construed as legal advice, nor utilized to resolve legal problems.

If you believe you are receiving this email in error or you do not wish to receive further communication, please send an e-mail to me at the above address.

If you know of someone who would like to be added to our mailing list for this update, please send their name to me at the above address.

"



Encryption key laws could soon be activated
Posted by boss on Tuesday, 10 July 2007 @ 20:56:29 EDT (1138 reads)
Topic Law & Legalities

cdupuis writes "

Police powers included in 2000 legislation could finally be put in place

Parliamentary reporter, Computing 10 Jul 2007

Legislation to force the release of software encryption keys could be activated soon, according to new Home Secretary Jacqui Smith.

The Regulation of Investigatory Powers Act (RIPA) provides police and security services with the power to require the production of keys, with a maximum prison sentence of up to five years. The power was included in the legislation five years ago but has not yet been activated.

In response to a question in the Commons from Conservative MP Sir Paul Beresford, Smith said a review is underway and a decision will be made soon.

‘I understand that we are looking at that specific matter to bring it forward,’ she said.

Beresford said that paedophiles often encrypt material so the police cannot gain access to it.

‘The police have been waiting about five years for the statutory instrument relating to encryption and the RIPA act. When will they get it?’ he said.

www.activehome.co.uk/2193852

"



Server Memory Subject to Search
Posted by boss on Monday, 09 July 2007 @ 22:41:25 EDT (1574 reads)
Topic Law & Legalities

cdupuis writes "

A new court decision for those working in forensics and for anyone else that has a server in their business (that means all of us).

Recently, a court in the Central District of California confirmed that even the random access memory (RAM) in a Web server is "electronically stored information" subject to discovery under Rule 34 of the Federal Rules of Civil Procedure. (Columbia Pictures Indus. v. Bunnell, C.D. Cal., No. CV 06-1093, 5/29/07).

This case makes clear that courts are taking an increasingly broad approach to the range of locations in which discovery of electronic evidence will be permitted.

As the breadth of discovery increases, so too will the costs and invasiveness of the process. In some instances, the costs of identifying and marshalling relevant electronically stored data can run into the hundreds of thousands of dollars.

Given the foregoing, businesses should take time now to get their “electronic houses in order.” This means, among other things, getting a far better handle on where electronic information is being stored and for how long. It also means thinking about ways to decrease the costs of responding to a discovery request for electronic information (e.g., using software to constantly index files, particularly e-mail, stored on the business’ systems; decreasing the number of locations in which information is stored; and implementing appropriate document destruction programs).

Michael R. Overly, Esq., CISSP
Foley & Lardner LLP
2029 Century Park East
35th Floor
Los Angeles, California 90067-3021
Telephone: 310-277-2223
Facsimile: 310-557-8475

"



A travesty of justice involving information technology
Posted by boss on Saturday, 16 June 2007 @ 15:12:57 EDT (1289 reads)
Topic Law & Legalities

cdupuis writes "

The Julie Amero Tragedy

Many of you are somewhat familiar with the Julie Amero Tragedy (JAT), and some of you are very close to it, as you have been following it or are possibly involved with it, as I have been. Simply stated, it is the matter of a 7th-grade substitute school teacher whose classroom's only computer (the regular teacher's, and the only computer in the classroom with an Internet connection) encountered a pop-up storm of pornographic images marketing various porno websites.

Ms. Amero was tried and convicted of 4 counts of “risk of injury to a minor” in the State of Connecticut Norwich District Superior Court on January 4th, 2007. This case drew little attention in Connecticut or elsewhere from the time of occurrence until conviction, with the exception of the immediate vicinity of the City of Norwich, CT[1], where the event occurred on October 19th, 2004. One could describe the sordid details[2] regarding what happened later, but others have preceded me with that information, and why should I be redundant?

While you might be able to sift the following information out of the many blogs and periodical reports regarding the JAT, hopefully this will be a bit more succinct and to the point. But before I do, I would like for you to realize the frustration that those of us working on the case after the conviction were enduring, and what became the turning point. As her sentencing date, March 2nd, 2007, approached, the best we could hope for was for the sentencing to be deferred pending appeal, which is rare. However, we were able to acquire a competent pro bono appeals attorney who obtained a delay until March 29th, 2007 so that he would have time to become familiar with the case. Still, we were concerned as to what the sentence might be.

CLICK HERE TO READ THE FULL STORY IN MS WORD FORMAT

CLICK HERE TO READ THE FULL STORY IN PDF FORMAT

"



Directors, managers set company's ethical tone
Posted by boss on Thursday, 31 May 2007 @ 00:00:00 EDT (1331 reads)
Topic Law & Legalities

cdupuis writes "

From: Dans_SECemails@yahoogroups.com
Sent: Monday, May 28, 2007 7:03 PM
Subject: Directors, managers set company's ethical tone

Nothing great in the world has ever been accomplished without passion.
- George Wilhelm Hegel.

"You must constantly ask yourself these questions: Who am I around? What are they doing to me? What have they got me reading? What have they got me saying? Where do they have me going? What do they have me thinking? And most important, what do they have me becoming?

Then ask yourself the big question: Is that okay?" Jim Rohn

____________________________________________________________________________

Contrary to a popular saying, ignorance is not bliss.

____________________________________________________________________________

The business scandals of the 1990s and early 2000s revealed ignorance by business leaders and employees about ethical and legal behavior.

Congress responded by passing the Sarbanes-Oxley Act of 2002, which all but mandates corporate codes of conduct for the top managers of publicly traded corporations. The New York Stock Exchange and Nasdaq require those same corporations to create corporate codes applicable to all employees.

To encourage compliance and ethics training, Congress amended Section 8B2.1(B)(4) of the federal sentencing guidelines (see below for more information).

All organizations are to take reasonable steps periodically to communicate their standards and procedures to employees, high-level personnel and members of the governing body.

Compliance with the guidelines is valuable to organizations. Effective compliance and ethics programs impact employee behavior and often prevent illegal and unethical actions. If wrongdoing occurs, compliance with the guidelines can lessen penalties by 95 percent.

The article is at:
http://www.sbj.net/article.asp?aID=89132349.3215556.1007188.40424702.2217355.090&aID2=77467

Information regarding the Federal Sentencing Guidelines is at:

1. Federal Sentencing Guidelines Manuals
http://www.ussc.gov/guidelin.htm

2. Site Map
http://www.ussc.gov/Sitemap.HTM

3. An overview
http://www.ussc.gov/TRAINING/GLOverview04.pdf

4. Organizational Guidelines
http://www.ussc.gov/orgguide.htm

Regards.

Dan

You can subscribe to Dan's great mailing list at:
http://finance.groups.yahoo.com/group/Dans_SECemails/


"



Microsoft seeks license from Linux users
Posted by boss on Thursday, 24 May 2007 @ 07:57:44 EDT (1242 reads)
Topic Law & Legalities

cdupuis writes "

NOTE FROM CLEMENT:
Here is a message I have received from our long-time contributor and supporter Michael Overly. Michael is the author of the best cram study guide we have on www.cccure.org. Yesterday Microsoft announced it did not have intentions to sue the open source world, but I think the case is not totally closed yet. An interesting story to follow: a few years ago it was SCO versus IBM, and now it is MS versus the Open Source community. Here is the message from Michael:

Clement:

I thought the following article from Computerworld would be of interest. It details the latest comments from Microsoft regarding its intent to redouble its efforts to seek license fees from Linux users. Specifically, Microsoft alleges Linux infringes some 235 of its patents. Until now, Microsoft’s licensing efforts have been relatively low-key. These latest comments from Microsoft, however, suggest that approach is about to change. We have already assisted several clients in negotiating license agreements with Microsoft relating to these patents.

Update: Microsoft demands royalties for open-source software (May 13 2007, 12:00AM) http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019238

Michael R. Overly, Esq., CISSP, ISSMP
Foley & Lardner LLP
2029 Century Park East
35th Floor
Los Angeles, California 90067-3021
Telephone: 310-277-2223
Facsimile: 310-557-8475
MOverly@foley.com

"



Newsletter from Michael Overly
Posted by boss on Wednesday, 09 May 2007 @ 22:02:31 EDT (1734 reads)
Topic Law & Legalities

cdupuis writes "
Exceeding Licensed Scope of Use for Website Creates Liability

A recent decision by a California federal court (Therapeutic Research Faculty v. NBTY Inc., E.D. Cal., No. 05-2322, 1/25/07) is just the latest in a string of decisions making clear that using a Website or online service or database may not only constitute a breach of contract and copyright infringement, but may also constitute computer fraud under the federal Computer Fraud and Abuse Act.

Whenever a user accesses Web sites or purchases access to an online service or database, they are required to accept certain contractual terms and conditions. One of the key points covered by those terms and conditions is the “scope of license” – that is, the scope of license defines the rights the user is granted to use the site, service, or database. For example, in the most recent California case, the user had purchased a single-user subscription to a database of medical articles. The scope of the license was, therefore, limited to a single user. The user failed to comply with the scope of license and distributed multiple copies to unlicensed persons.

Only a few years ago, this type of excess, unlicensed use would result in claims for breach of contract and possibly copyright infringement, but now we are seeing claims for violation of a wide range of state and federal laws relating to abuse of computer systems. Specifically, anytime someone exceeds the scope of their authority in accessing a computer system, they may have violated both state and federal computer abuse laws. Since those laws frequently afford the injured party strong remedies, they provide businesses with an extra arrow in their quiver when their systems and data are abused.

On the flip side, these same laws can create substantial liability for businesses when they fail to adequately educate their employees regarding the need to strictly comply with online agreements and licenses they enter into on their employer’s behalf. For example, an employee may be authorized to purchase a single-user license to a database such as the one described above. If that employee fails to comply with the license and distributes information obtained from the database throughout the company, the company may be liable for the employee’s actions, including substantial liability for violating a statute like the federal Computer Fraud and Abuse Act.

The recent California case makes clear businesses should (i) always consider their rights under state and federal computer abuse laws whenever assessing instances in which one of their licensed users accesses the business’ systems and/or data in excess of the rights granted to the user; (ii) make sure they draft online terms and conditions to clearly define the specific, limited rights they are granting users; and (iii) educate their own employees to ensure they do not create liability for the company as a result of their failure to comply with online agreements they enter into on the company’s behalf.

Drafting Toolbox: Holding Vendors Accountable for the Costs of a Data Breach

Since the beginning of the year, we have seen a number of significant data-breach cases in which thousands, sometimes millions, of consumer records were compromised. Forrester Research recently completed a survey that found the average security breach can cost a company between 90 and 305 dollars per lost record. Because the cost of assessing the breach, notifying consumers of the breach, and providing consumers some level of identity theft protection can be significant, businesses have started adding specific language to their agreements with vendors who will have possession of consumer information specifically addressing the issue of reimbursement of costs incurred for breaches of security. The following is an example of that language.

In the event any breach of security or confidentiality by Vendor or its agents requires notification to an XYZ Corp. customer or employee under any privacy law, XYZ Corp. shall have sole control over the timing, content, and method of such notification and Vendor shall reimburse XYZ Corp. for its out-of-pocket costs in providing the notification and the provision of identity theft protection to the relevant customers and/or employees for at least one year.

Blog News

The following are recent topics discussed in my blog on Chief Security Officer Magazine’s Website:

  • Poor Security Practices Can Lead to Loss of Trade Secret Protection
  • E-mail Everywhere – Better Management of E-mail Risk
  • The Rumors of WEP’s Demise are Greatly Exaggerated

In The Press/Useful Links:

The following hyperlinks lead to articles you may find useful:

Breaking 104 bit WEP in less than 60 seconds

Financial Crimes Report To The Public Fiscal Year 2006

FFIEC Handbook Regarding Best Practices for Technology Contracting for Financial Services Companies

Why Cell Phones are Still Grounded From Use in Planes

Listing of Current Laws Regarding Identity Theft

Michael R. Overly, Esq., CISSP, ISSMP

MOverly [at] foley [dot] com

Foley & Lardner LLP
2029 Century Park East
35th Floor
Los Angeles, California 90067-3021
Telephone: 310-277-2223
Facsimile: 310-557-8475

© Copyright 2007 Foley & Lardner LLP

The information reported should not be construed as legal advice, nor utilized to resolve legal problems.

"




All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest © 2007 by CCCure.Org, and the site maintainers Clement Dupuis and Nathalie Lambert. Reuse is strictly prohibited without written permission of CCCure.Org or its maintainers.

This web site is not associated directly or indirectly with ISC2, the SANS Institute, ISACA, or other certification authority. The GCFW, CISSP, SSCP, ISSEP, ISSMP, CISA, and CISM are all the property of their respectful owners. The content of this site is provided to you freely due to the generosity of our sponsors.

