Welcome to cissp CISSP training Certified Information Systems Security Professional
cissp CISSP training Certified Information Systems Security Professional: Law & Legalities


£2.28 million fine for Zurich Insurance's data loss
Posted by boss on Monday, 30 August 2010 @ 06:03:38 EDT (83 reads)
Topic Law & Legalities

cdupuis writes "

Zurich Insurance's UK branch has been fined £2.27 million by the Financial Services Authority (FSA) as punishment for losing the details of 46,000 customers.

Zurich lost an unencrypted backup tape which contained the data while it was being transferred to a South African data storage centre in 2008. The records included customer identities, bank account, credit card and other financial information.

The company did not become aware of the loss until a year later. The fine is, to date, the largest company fine for a single data loss although HSBC were fined £3 million in 2009 for a number of separate losses of customer data.

Because the company agreed to settle early on in the investigation by the FSA, the fine was reduced by 30%.

Without that cooperation the fine would have been £3.25 million. Margaret Cole, the FSA's director of enforcement and financial crime, said the company had "let its customers down badly", noting that the company failed to effectively oversee its outsourcing and lacked full control of the data being processed in South Africa.

"Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made" added Cole. The FSA say that, according to Zurich UK, there is no evidence that the lost data has been misused.

"



Bank fined 9.7 million over poor governance
Posted by boss on Sunday, 29 August 2010 @ 23:41:56 EDT (108 reads)
Topic Law & Legalities

cdupuis writes "Note from Clement:

This shows clearly that IT security is NOT only a technical issue. If management fails to exercise due care and due diligence and play the role they are supposed to, they will be found guilty and will pay the price dearly. In this case it is the law that caught them, but the next time it might be a large-scale compromise. You have to implement proper security, and that includes audit, enforcement, and constant review. See the article below:

Bank fined $9.7m over poor IT governance

Liam Tung | Aug 5, 2010 9:22 AM

RBS' IT systems could have let fraud go unmonitored.

UK financial services regulator the Financial Services Authority [FSA] has fined the Royal Bank of Scotland (RBS) £5.6 million (A$9.7 million) for implementing shoddy IT systems which left it in breach of the country’s money laundering laws.

The bank had implemented its treasury IT system in 2006, which was meant to screen incoming and outgoing cross-border payments.

According to the FSA, RBS neglected to check the accuracy of the systems since its implementation.

“After the initial set up, the results produced by the screening filters were not routinely reviewed or monitored by RBSG to ensure that they were appropriate.

"This meant that over time the ‘fuzzy matching’ parameters initially set by RBSG became significantly less effective at identifying potential matches,” the authority said in its decision notice this week.

For two years the bank failed to screen a single incoming payment from a foreign source. It also missed the bulk of outgoing payments by its customers, except those destined for the US.

“RBSG’s automated screening failed to screen the majority of trade finance SWIFT messages generated in the international trade transactions that it carried out,” said the FSA.

Under UK laws financial institutions are meant to match customer transactions to the government’s treasury list, known as Her Majesty’s Treasury. The Treasury’s Asset Freezing Unit (AFU) maintains a list of people identified by the United Nations, the European Union and the UK. If the financial institution identifies a transaction that may correlate to a person on that list, it must stall the payment until it determines whether it is an exact match. If it is the bank should alert the AFU.

The FSA said it could have fined RBS $13.8 million, but offered RBS a 30 percent discount for not challenging its decision.

"



Melissa Hathaway's Nine Cybersecurity Bills to Watch
Posted by boss on Saturday, 29 May 2010 @ 11:10:07 EDT (729 reads)
Topic Law & Legalities

cdupuis writes "
NOTE FROM CLEMENT:
As seen on the great GovInfoSecurity web site at:
http://www.govinfosecurity.com/p_print.php?t=b&id=558

A nice report was created by Melissa Hathaway on current cybersecurity bills to watch. It is definitely a nice high-level overview of the many acts, laws, and bills related to cybersecurity. Do get a copy of the report in PDF format. You have the link below:

May 21, 2010 - Eric Chabrow
Melissa Hathaway probably knows more about what's going on with cybersecurity legislation before Congress than even the lawmakers who sponsor these bills; heck, she likely understands more about these measures than the key staffers who are the brains behind them.

Since leaving the White House last summer, Hathaway - who led President Obama's 60-day cyberspace review last year - has become involved in a variety of IT security ventures, including becoming a senior adviser at the Belfer Center for Science and International Affairs at Harvard University's Kennedy School of Government. There she conducts research and writes about IT security. One of her projects is to track cybersecurity legislation before Congress.

Hathaway this past week completed a 31-page report documenting some 40 IT security bills before Congress. The report provides an analysis on the wide range of topics they address including organizational responsibilities; compliance and accountability; data accountability, personal data privacy, data breach handling and identity theft; cybersecurity education, research and development and grants; critical electric infrastructure protection and vulnerability analysis; international cooperation on cybercrime; and procurement, acquisition and supply-chain integrity.

Here are nine bills Hathaway characterized as "legislation to watch," along with her analysis of them:

  • Data Breach Notification Act, S 139, would normalize the 46 state data breach laws into one national umbrella. It may be expanded to include more than personal identifiable information. "One issue with this bill is that it would consolidate all reporting to the U.S. Secret Service, which is not helpful for broader information sharing with industry or across government."
  • Data Accountability and Trust Act, HR 2221, was approved by the House in December and requires internet service providers to make victims aware of infections if they see a breach across their networks. "It will be interesting to see if this is extended to those services who may also be able to determine if there is anomalous behavior on the broader backbone."
  • International Cybercrime Reporting and Cooperation Act, S 1438 and HR 4692, requires the president to produce an annual report to Congress providing an assessment of every country's level of information and communications technology utilization and development; assesses how each country's legal, law enforcement and judicial systems address cyber crime and protect commerce and consumers. "This bill met discord from software and hardware companies and their associated lobbying organizations (e.g., BSA, Tech America) because there is language that there will be imposed sanctions on countries who have demonstrated five years of 'bad behavior.'"
  • Cybersecurity Enhancement Act, HR 4061, which passed the House in February. Among its key provisions: creating an office for a national coordinator for IT security research and development. "While this is a non-controversial piece of legislation because it supports R&D efforts focused on identity management technologies and usability, authentication methods, and privacy, it's not clear how the new office will interact with the current [White House Office of Science and Technology Policy] responsibilities."
  • FISMA II, S. 921 - also known as the United States Information and Communications Enhancement Act or U.S. ICE - updates the Federal Information Security Management Act of 2002 from compliance driven (check-list) to measures that are performance based and could address IT procurement reform.
  • Intelligence Authorization Act, HR 2071, strengthens America's intelligence capabilities, and improves congressional oversight of our intelligence agencies. The measure also contains multiple congressionally directed actions for the Comprehensive National Cybersecurity Initiative. "It provides our intelligence community with the tools and resources to train more officers, expand language skills, strengthen cybersecurity efforts and more effectively prevent the spread of weapons of mass destruction."
  • Cybersecurity Act of 2009, S 773, combines audits, industry-developed and government-backed standards, increased information-sharing and other mechanisms to bolster private-sector cybersecurity. The measure, also known as the Rockefeller-Snowe Bill, establishes a presidential-level cybersecurity advisory panel and a national clearinghouse for information sharing, as well as extends the Scholarship for Service program and increases the National Science Foundation's budget for R&D.
  • The Grid Reliability and Infrastructure Defense Act, HR 5026, amends the Federal Power Act and directs the Federal Energy Regulatory Commission to protect the electric transmission and distribution grid from vulnerabilities. In addition to providing authority to address immediate threats, the GRID Act would also give FERC authority to require measures to protect against system vulnerabilities if it finds that the North American Electricity Reliability Corp. standards are insufficient. If enacted, the legislation would provide a security framework for the smart grid.
  • Energy and Water Appropriations Act 2010 has already been signed by President Obama. It appropriates $46.5 million for energy delivery cybersecurity, an increase of $34.5 million from 2009, that will be used to develop secure grid technologies as cyber attacks increase worldwide and the grid becomes increasingly network-connected. It also establishes a National Cyber Center for the grid.

Hathaway concludes her report, calling on congressional leaders to set legislative priorities for cyberspace.

"



White House Updates Cybersecurity Orders - Stop wasting money and paper
Posted by boss on Sunday, 25 April 2010 @ 22:47:40 EDT (788 reads)
Topic Law & Legalities

Anonymous writes "

As seen on the great Infowarrior mailing list from Attrition.org:

White House Updates Cybersecurity Orders

The three-pronged approach should help federal agencies do away with wasteful compliance spending and encourage improved security, say White House officials.

By J. Nicholas Hoover

http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=224500173

The White House issued new cybersecurity marching orders to government agencies Wednesday, which top officials say will help redirect government efforts from wasteful paperwork compliance toward continuous monitoring and patching and more effective cybersecurity spending.

Many observers both inside and outside government have come to the conclusion that the government’s cybersecurity reporting requirements, as currently implemented, have created an environment in which expensive annual compliance reports that cut into real cybersecurity have become the norm. “These reports ended up being more secure in the cabinets they were living in than were the systems they were meant to protect,” federal CIO Vivek Kundra said in a conference call with reporters and White House cybersecurity coordinator Howard Schmidt.

Agencies have been spending as much as $1,400 per page on those reports under requirements of the Federal Information Systems Management Act. The Department of State alone has spent $133 million in the last six years just on FISMA compliance. However, numerous questions continue to arise about the effectiveness of agencies’ cybersecurity efforts. That kind of waste has led to simultaneous moves by the White House, the National Institute for Standards and Technology (which has power to set FISMA standards), and Congress to overhaul or refocus FISMA and other federal cybersecurity requirements.

The new policy outlines what Kundra described as a “significant departure” from the way cybersecurity has been measured and managed in government. It is contained in an Office of Management and Budget memo penned by federal chief performance officer Jeffrey Zients, Kundra, and Schmidt, and developed with input from federal CIOs.

Kundra and Schmidt said on the conference call that the new policy points toward continuous monitoring and patching of federal systems, and also toward the deployment of cybersecurity systems that better position the government against constantly evolving threats.

The guidance takes a “three-tiered approach” to FISMA that includes automatic reporting of cybersecurity data feeds directly from agency security and management tools to a tool hosted by the Department of Homeland Security; government-wide benchmarking on agencies’ security postures; and agency-specific interviews to help determine the needs and proper metrics for individual agencies.

First, agencies will be required to feed cybersecurity information directly and in near real-time from their own security management tools into the recently implemented Cyberscope security reporting tool, which DHS is now operating. The White House is convening with agencies on May 7 to discuss how they will move forward with this plan, and what new metrics will be included in the new reporting.

This automated reporting should both decrease the amount of money agencies are spending on cybersecurity reporting, and also help the White House best determine where and how resources should be spent on cybersecurity across government, said Kundra and Schmidt. “Capital can and should be used to invest in systems that will be actually enhancing security,” Kundra said.

Agencies will begin feeding this data to Cyberscope by June of this year, but Kundra admitted that some agencies will have to make investments in order to get tools like asset management systems and security information management systems in place to feed data to Cyberscope. Some agencies, like the Departments of Justice, Treasury, State, Veterans Affairs, and NASA are already able to report to Cyberscope, and will be among the first to do so. The due date for reporting through Cyberscope is November 15, and those agencies which can’t yet directly feed information into Cyberscope will be able to provide a data feed as an XML upload to Cyberscope.

Along with this new reporting structure will also come new metrics for agencies to use. Those metrics have been developed in concert with the private sector, academic community, and federal CIOs and CISOs. The new data feeds will include summary information about inventory, systems and services, hardware, software, external connections, security training, and identity management and access.

In terms of government-wide benchmarking, CyberScope will be asking agencies a set of questions on their security posture online, rather than in the submission of an annual signed letter to do the same task. The White House will also be carrying out agency-by-agency interviews on cybersecurity. “We recognize not all agencies perform the same mission and function,” Kundra said. “Historically it was just a lowest common denominator approach, but the nature of the threat can be unique to each agency.”

Finally, in addition to the three-pronged approach to overhauling FISMA reporting, the White House memo answers dozens of potential agency questions about FISMA, including some issues outside the scope of the new approach, like whether national security systems fall under this guidance (not typically), who should have the ultimate say over an agency's security posture (the agency head), and whether the SAS 70 compliance audits often used by the private sector to determine whether third-party systems are secure are sufficient for FISMA compliance (it depends).
_______________________________________________
Infowarrior mailing list
Infowarrior@attrition.org
https://attrition.org/mailman/listinfo/infowarrior

"



SANS founder slams 'terribly damaging' US cyber security law
Posted by boss on Tuesday, 30 March 2010 @ 11:15:05 EDT (625 reads)
Topic Law & Legalities

cdupuis writes "


As seen at computerweekly.com at:
http://www.computerweekly.com/Articles/2010/03/25/240719/Sans-founder-slams-39terribly-damaging39-US-cyber-security.htm?printerfriendly=true
Ian Grant
Thursday 25 March 2010 08:05

Federal guidelines on how to protect computer systems did just the opposite, a US congressional committee heard.

In a scathing attack on the Federal Information Security Management Act (Fisma), Alan Paller, founder of the Sans Institute, told the subcommittee on government management organisation and procurement, part of the committee on oversight and government reform, that Fisma slowed down every security process and took away key resources from projects that would allow agencies to act and react quickly to cyber attacks.

Paller welcomed government plans for continuous monitoring of IT systems. "This is the single most important element [of cyber security] you will write into the new law," he said.

Paller said protecting IT systems was like an arms race. "Each time the defenders build a new wall, the attackers create new ways to scale that wall," he said.

He said four "terribly damaging" provisions in federal law had led to wasteful processes that slowed down US defences and "threw away billions of dollars that were acutely needed to protect systems".

The law required clear audit trails, but these had led to "reports that answered the wrong questions", said Paller.

"[They] rewarded ineffective behaviour and created a cadre of people who call themselves security professionals but who proudly admit they cannot implement security settings on systems and network devices or find a programming flaw," he said.

"Fisma had created and rewarded a culture of compliance rather than security," Paller said. Federal and state governments were "radically short of money", but they were forced to spend it on reporting rather than security, he said. "Writers who know how a few words about security and federal regulations now make 50% to 80% more money than the people who actually secure systems and networks and applications," he said. "It is as if we paid the compliance staff at a hospital more than the surgeons."

The four processes that had led to this situation were the federal information security controls and audit manual, the annual report implemented by federal CIOs and inspectors-general, the certification and accreditation report-writing process and the security controls assessment under Special Publication 800-53, Paller said.

"The people who wrote Fisma, and the people who set up these wasteful processes did not know, and do not know, how the attacks are being carried out and how the threat is changing, so they ask the wrong questions," Paller said.

He said the audit missed key steps in the Centre for Strategic and International Studies' Consensus Audit Guidelines. These steps were critical in the eyes of the National Security Agency, US-CERT, the Department of Energy Labs, the Department of Defense Cyber Crime Center, and forensic IT security specialists "who clean up after attacks and who actively penetrate systems on behalf of the nation".

He said the nation's attention should be on real-time monitoring of its information systems and networks to prevent or mitigate attacks as they happened. "Oversight must be focused on the effectiveness of the agencies' real-time defences," he said. "Anything less continues to waste scarce resources and leaves us unacceptably vulnerable," he said.


"



Security breach notification law by state
Posted by boss on Thursday, 23 July 2009 @ 06:15:22 EDT (1447 reads)
Topic Law & Legalities

cdupuis writes "NOTE FROM CLEMENT:

I very often get asked in class about which state has or does not have a breach notification law. It seems we are doing well and only a few states have not enacted such a law.

The following states do not have laws as of this writing:

Alabama, Kentucky, Mississippi, New Mexico, and South Dakota

Missouri has just passed a law. See below for a summary and some links to each state's law. As I was looking at the announcement of the Missouri law, I found other interesting information as well, presented below.

1.  The New Missouri law

Missouri has become the 45th state to enact data breach notification legislation. Governor Jay Nixon signed House Bill 62 into law on July 9, 2009. The new law goes into effect on August 28, 2009.

The law contains a broad definition of personal information. In addition to the more common elements of first name or initial and last name in combination with unencrypted Social Security Number, driver’s license number, financial account number, or credit or debit card number, the statute also includes in the definition of personal information first name or initial and last name in combination with an unencrypted:

  • Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
  • Medical information, which includes any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; and
  • Health insurance information, which includes an individual's health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual.

Other provisions of interest:

  • If an entity must notify more than 1000 residents, it must notify the Missouri Attorney General’s office and the nationwide consumer reporting agencies of the breach.
  • Civil penalties for violating the statute may reach up to $150,000 per breach of the security of the system.

The full text of the bill is available here.

Original article at:  http://www.digestiblelaw.com/datasecurity/blogQ.aspx?entry=6064&id=34


2. Chart showing details of laws enacted in different states. From the Perkins Coie Web site:

http://www.perkinscoie.com/files/upload/LIT_09_07_SecurityBreachExhibits2.pdf


3.  A nice table with a summary of the laws in different states.  You can find it online on the NCSL website at:

http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx

State Security Breach Notification Laws

As of May 26, 2009

Forty-four states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. 

  • Alaska: 2008 H.B. 65
  • Arizona: Ariz. Rev. Stat. § 44-7501
  • Arkansas: Ark. Code § 4-110-101 et seq.
  • California: Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82
  • Colorado: Colo. Rev. Stat. § 6-1-716
  • Connecticut: Conn. Gen. Stat. 36a-701(b)
  • Delaware: Del. Code tit. 6, § 12B-101 et seq.
  • Florida: Fla. Stat. § 817.5681
  • Georgia: Ga. Code §§ 10-1-910, -911
  • Hawaii: Haw. Rev. Stat. § 487N-2
  • Idaho: Idaho Code §§ 28-51-104 to 28-51-107
  • Illinois: 815 ILCS 530/1 et seq.
  • Indiana: Ind. Code §§ 24-4.9 et seq., 4-1-11 et seq., 2009 H.B. 1121
  • Iowa: Iowa Code § 715C.1 (2008 S.F. 2308)
  • Kansas: Kan. Stat. 50-7a01, 50-7a02
  • Louisiana: La. Rev. Stat. § 51:3071 et seq.
  • Maine: Me. Rev. Stat. tit. 10 §§ 1347 et seq., 2009 Public Law 161
  • Maryland: Md. Code, Com. Law § 14-3501 et seq.
  • Massachusetts: Mass. Gen. Laws § 93H-1 et seq.
  • Michigan: Mich. Comp. Laws § 445.72
  • Minnesota: Minn. Stat. §§ 325E.61, 325E.64
  • Montana: Mont. Code § 30-14-1701 et seq., 2009 H.B. 155, Chapter 163
  • Nebraska: Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
  • Nevada: Nev. Rev. Stat. 603A.010 et seq.
  • New Hampshire: N.H. Rev. Stat. §§ 359-C:19, -C:20, -C:21
  • New Jersey: N.J. Stat. 56:8-163
  • New York: N.Y. Gen. Bus. Law § 899-aa
  • North Carolina: N.C. Gen. Stat. § 75-65
  • North Dakota: N.D. Cent. Code § 51-30-01 et seq.
  • Ohio: Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
  • Oklahoma: Okla. Stat. § 74-3113.1 and 2008 H.B. 2245
  • Oregon: 2007 S.B. 583, Chapter 759
  • Pennsylvania: 73 Pa. Stat. § 2303
  • Rhode Island: R.I. Gen. Laws § 11-49.2-1 et seq.
  • South Carolina: 2008 S.B. 453, Act 190
  • Tennessee: Tenn. Code § 47-18-2107
  • Texas: Tex. Bus. & Com. Code § 48.001 et seq.
  • Utah: Utah Code §§ 13-44-101, -102, -201, -202, -310
  • Vermont: Vt. Stat. tit. 9 § 2430 et seq.
  • Virginia: Va. Code § 18.2-186.6
  • Washington: Wash. Rev. Code § 19.255.010
  • West Virginia: W.V. Code §§ 46A-2A-101 et seq.
  • Wisconsin: Wis. Stat. § 134.98 et seq.
  • Wyoming: Wyo. Stat. § 40-12-501 to -501
  • District of Columbia: D.C. Code § 28-3851 et seq.
  • Puerto Rico: 10 Laws of Puerto Rico § 4051 et seq.
  • Virgin Islands: V.I. Code § 2208
"



Senate Legislation Would Federalize Cybersecurity
Posted by boss on Thursday, 02 April 2009 @ 09:48:11 EDT (1340 reads)
Topic Law & Legalities

cdupuis writes "

As seen in the Washington Post online:

Senate Legislation Would Federalize Cybersecurity
Rules for Private Networks Also Proposed

By Joby Warrick and Walter Pincus
Washington Post Staff Writers
Wednesday, April 1, 2009; A04

Key lawmakers are pushing to dramatically escalate U.S. defenses against cyberattacks, crafting proposals that would empower the government to set and enforce security standards for private industry for the first time.

The proposals, in Senate legislation that could be introduced as early as today, would broaden the focus of the government's cybersecurity efforts to include not only military networks but also private systems that control essentials such as electricity and water distribution. At the same time, the bill would add regulatory teeth to ensure industry compliance with the rules, congressional officials familiar with the plan said yesterday.

Addressing what intelligence officials describe as a gaping vulnerability, the legislation also calls for the appointment of a White House cybersecurity "czar" with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway, the officials said.

How industry groups will respond is unclear. Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, which represents private companies and civil liberties advocates, said that mandatory standards have long been the "third rail of cybersecurity policy." Dempsey said regulation could also stifle creativity by forcing companies to adopt a uniform approach.

The legislation, co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), was drafted with White House input. Although the White House indicated it supported some key concepts of the bill, there has been no official endorsement.

Many of the proposals were based on recommendations of a landmark study last year by the Center for Strategic and International Studies.

Currently, government responsibility for cybersecurity is split: The Pentagon and the National Security Agency safeguard military networks, while the Department of Homeland Security provides assistance to private networks. Previous cybersecurity initiatives have largely concentrated on reducing the vulnerability of government and military computers to hackers.

A 60-day federal review of the nation's defenses against computer-based attacks is underway, and the administration has signaled its intention to incorporate private industry into those defenses in an unprecedented way.

"People say this is a military or intelligence concern, but it's a lot more than that," Rockefeller, a former intelligence committee chairman, said in an interview. "It suddenly gets into the realm of traffic lights and rail networks and water and electricity."

U.S. intelligence officials have warned that a sustained attack on private computer networks could cause widespread social and economic havoc, possibly shutting down or compromising systems used by banks, utilities, transportation companies and others.

The Rockefeller-Snowe measure would create the Office of the National Cybersecurity Adviser, whose leader would report directly to the president and would coordinate defense efforts across government agencies. It would require the National Institute of Standards and Technology to establish "measurable and auditable cybersecurity standards" that would apply to private companies as well as the government. It also would require licensing and certification of cybersecurity professionals.

The proposal would also mandate an ongoing, quadrennial review of the nation's cyberdefenses. "It's not a problem that will ever be completely solved," Rockefeller said. "You have to keep making higher walls."

Last week, Director of National Intelligence Dennis C. Blair told reporters that one agency should oversee cybersecurity for government and for the private sector. He added that the NSA should be central to the effort.

"The taxpayers of this country have spent enormous sums developing a world-class capability at the National Security Agency on cyber," he said.

Blair acknowledged there will be privacy concerns about centralizing cybersecurity, and he said the program should be designed in a way that gives Americans confidence that it is "not being used to gather private information."

Posting can be seen at:
http://www.washingtonpost.com/wp-dyn/content/article/2009/03/31/AR2009033103684_pf.html

"



FISMA compliance made easier with OpenFISMA
Posted by boss on Tuesday, 28 October 2008 @ 19:30:12 EDT (2129 reads)
Topic Law & Legalities

FISMA compliance made easier with OpenFISMA
Scott Sidel, Contributor
10.27.2008

Managing security in a large corporation can be daunting, which is why the U.S. government has made a concerted effort to standardize best security practices. The Federal Information Security Management Act (FISMA) not only mandates the processes for information systems used by federal agencies and by contractors working with the government, but also provides an excellent security baseline for any large organization.

From an information security perspective, the first step in implementing FISMA guidelines involves gaining an understanding of the processes FISMA mandates. Then, practitioners typically rely on NIST publications, which guide security personnel through the baseline security requirements, detailing the more specific technical and operational controls needed to meet those requirements. Managing the compliance process can quickly become a challenge, however, because working with multiple parties on a broad range of controls overwhelms the typical spreadsheet and manual tracking process.

OpenFISMA can help: it automates the compliance process by using a platform-independent OSS Web application framework (Apache, MySQL, PHP) to manage the workflow. OpenFISMA also guides requirements-gathering activities, such as verifying compliance with requirements, security assessments and vulnerability remediation.

To better understand how OpenFISMA can improve security, one example is the processes associated with a plan of actions and milestones (POA&M), which are the activities used for tracking and fixing security vulnerabilities. OpenFISMA provides a Web-based centralized repository to manage and track vulnerability reporting and remediation activities. Users log in to their role-based accounts to work through or oversee the compliance processes. Typical users would be the security officer (CSO or CISO), technical operations staff and the independent verifiers.

OpenFISMA's business rules provide guidance for the submission of remediation evidence and sign-off for the work performed. The user controls protect the integrity of the audit information from unauthorized access, modification and deletion. Timestamps support the ability to audit and account for each of the steps, and a reporting engine helps track performance against stated completion goals.

When using OpenFISMA, information about security weaknesses can be entered manually or ingested from automated sources by using popular vulnerability assessment scanners that output their results in XML, CSV or XLS formats. A known vulnerability then follows one of three typical paths: a) the finding is remediated, b) the finding is demonstrated to be a false positive, or c) the risk is accepted. A risk level can be assigned to help prioritize the level of threat to the organization and the mitigation strategy can be reviewed and approved by independent third parties. After the work to remediate the weakness is done, evidence for the remediation can be analyzed by third-party verifiers. Finally, assuming the remediation is accepted, the verifiers would close out the weakness.

Implementing government standards for security can be a huge task, but OpenFISMA provides structure and automation to help manage the process.

About the author:
Scott Sidel is an ISSO with Lockheed Martin.
For more recommendations from the author, check out Scott Sidel's Downloads


(Read More... | 6 comments | Score: 5)


Nevada Deadline on E-Mail Encryption Looming
Posted by boss on Monday, 22 September 2008 @ 10:22:26 EDT (1613 reads)
Topic Law & Legalities

cdupuis writes "

Friday, September 19, 2008 2:14 PM/EST

What happens in Vegas, may stay locked down in Vegas.

On October 1, the state of Nevada will be requiring the encryption of all transmissions, like email, for all businesses that send personal identifiable information over the Internet. The statute was signed into law in 2005, and is about to kick in as an enforceable law next month. Three years flies when you're raking in chips at casinos and enjoying the rising popularity of poker.

The Nevada law is stated as such:

NRS 597.970 Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.]

1. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.


As with any law about to go in effect, this one could be bound to catch many Nevada businesses off guard. In parallel, a few IT security vendors who sell encryption software and hardware are lining up to tell the technology media about it.

Think about all the hotels, resorts, golf courses, pawn shops, nightclubs, check cashing, ski lodges and small businesses this is going to affect. Not to mention all the businesses--the vice-ridden ones legal to Nevada-only and otherwise--that incorporate in the tax-friendly state. Nevada is the West's version of Delaware (albeit a much sexier state, sorry Delaware).

Beyond the infrastructure impact, the statute itself looks like Swiss cheese. Bryce K. Earl, a Las Vegas-based attorney with Santoro, Driggs, Walch, Kearney, Holley & Thompson, has been following the issue closely and believes there are some problems with the statute as it is on the books right now, namely, the broad definition of encryption, the lack of coordination with industry standards and the unclear nature of penalties, both criminal and civil.

"The statute's lack of specificity with regard to penalties will perhaps create the unintended consequence of opening up more liability," said Earl. That doesn't sound good, but again, nothing has happened just yet.

Earl explained why the broad definition of "encryption" by the state is potentially problematic. Here is the definition from the state's website:

NRS 205.4742 "Encryption" defined. "Encryption" means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:

1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;

2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or

3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.

Earl said an argument could be made that a password-protected document sent in an email might be good enough to hold up with the state's broad definition of encryption here. Is that good enough?

Moreover, how the heck will Nevada enforce this?

Earl said at this time it was unclear, but he thinks that the state--who holds legislative session every other year--could address the statute for more clarity next year when the Nevada state government reconvenes. A possible-pending lawsuit may also help to better define the law for clearer interpretation, but as Earl hinted, that doesn't necessarily mean it will help that potential lawsuit.

The challenge for Nevada is that its intentions were good in trying to stem the tide of identity theft and criminal behavior online. But once again, the legal system and the IT industry are faced with potentially bigger compliance and liability issues than they probably intended. The disconnection is real.

As of posting time, representatives of the state had not gotten back to me with comment.

What should business do about this issue?

UPDATE: A spokesman for the state has directed me to a state assemblyman (who I will follow up with), but more interestingly, has pointed out this provision in the law:

NRS 193.170 Prohibited act is misdemeanor when no penalty imposed. Whenever the performance of any act is prohibited by any statute, and no penalty for the violation of such statute is imposed, the committing of such act shall be a misdemeanor.

CLICK HERE to see original posting on the Baseline Magazine website

"

(Read More... | 9 comments | Score: 0)


Aussies follow Canadian lead on breach notification
Posted by boss on Tuesday, 29 April 2008 @ 13:03:05 EDT (1916 reads)
Topic Law & Legalities

cdupuis writes "
Both New Zealand and Australia have modeled their guidelines for telling customers about IT security incidents on a jointly-created British Columbia and Ontario privacy document. Is Ottawa paying attention?
By: Rafael Ruffolo
ComputerWorld Canada (22 Apr 2008)

Canadian data breach notification guidelines – jointly created by the Information and Privacy Commissioners for British Columbia and Ontario – have made their way to the land down under.

Last week, Australian Privacy Commissioner Karen Curtis released the Voluntary Information Security Breach Notification Guide, which aims to assist organizations in effectively responding to information security breaches. The draft guide credits voluntary guidelines by both the Privacy Commissioners of Canada and New Zealand.

“We had worked with the New Zealand privacy commissioner and showed her our breach notification assessment tool,” Ann Cavoukian, Information and Privacy Commissioner of Ontario, said. “She took it and developed one in New Zealand similar to ours. It’s great to see Australia follow suit.” The jointly created Canadian breach notification guide was created in December 2006 and outlines steps on when and how to notify affected individuals.

“When you’re notifying somebody of a breach relating to their data, you’ve got to be perfectly clear and concise,” Cavoukian said. “In regards to the preferred method of notification, we think direct contact either by phone, letter or in person are the most effective methods.”

As for what to include in the notification, the assessment tool advises organizations provide a general description of what happened without a lot of legal jargon, outline the steps taken thus far (and will be taken in the future) to control or reduce the harm, and the steps the individual can take to further protect themselves.

“You’ve got to be practical and do things as quickly as possible,” Cavoukian said. “You need to contain the damages, get the notices out, fix the problem and prevent it from reoccurring. You also have to be practical about it and notify people in a way that’s not full of legal legalese and provides clear notice as to what you’re doing.”

Currently, Australia’s privacy legislation does not specifically require an agency or organization to notify individuals, or even the privacy commissioner, of a data breach. However, an amendment to the Australian Privacy Act to require mandatory data breach notification is under way.

The same story is playing out in Canada. Last year, the federal government recommended that data protection laws – specifically the Personal Information Protection and Electronic Documents Act (PIPEDA) – be amended to include requirements for companies to notify individuals when their personal information was subject to a security breach.

Cavoukian hopes the breach notification assessment tool, along with the influence it is having on the other side of the globe, will inspire the federal government to implement an effective and common sense approach on breach notification.

“They’re certainly aware of our guidelines, so I’m sure it’s food for fodder for them,” she said. “We’ve had very good feedback on our guidelines and I’m sure it’ll be one of the things that they take into consideration.”

But some organizations such as the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic (CIPPIC) want the government to go even further. Responding to an Industry Canada request for public consultation on data security laws earlier this year, CIPPIC recommended that mandatory reporting of data breaches to a publicly-accessible electronic registry is the most effective way to persuade corporations to shore up their potential security risks.

“We’ve been pushing for notification requirements for years, because it’s obvious to me and my colleagues that, by and large, corporations are not doing as much as they should be to secure the personal information in their possession,” Pippa Lawson, executive director at CIPPIC, told ComputerWorld Canada earlier this year. “Our conclusion from years of research is that the market does not provide efficient incentives for effective security precautions, because in most cases, companies can hide the breaches and they are never publicly known about.”

Lawson said that while the government’s interest in drafting better data breach notification laws is positive, Ottawa needs to take it a step further and require mandatory public reporting as well.

“There’s two ways that you can create incentives for companies to take strong security measures: one is to make them pay financially through penalties and fines, and two is to give them bad publicity that can be even more costly,” Lawson said. “If there is a real risk of negative publicity for these companies, the CEOs will make sure that they put more resources into security.”

David Senf, director of security and software research at Toronto-based IDC Canada Ltd., said Canada would benefit greatly from similar privacy legislation passed in California, which mandates organizations to reveal to customers that personal data has been compromised.

“Organizations in this country don't fear the repercussions of PIPEDA,” Senf said earlier this year. “Stronger legislation will go a long way in convincing organizations to tighten up security for better privacy protection.”

Cavoukian, however, disagreed on taking such a punitive approach. As a regulator, she said, her concern is to ensure when something happens that it’s addressed immediately and as quickly as possible to benefit the affected individuals.

“You can almost take as a given that over time, virtually every company is going to make an oversight or a mistake and have some kind of data breach,” Cavoukian said. “My experience in working with organizations is that as soon as they know there’s a breach, they’re really motivated to cure the harm and prevent it. If you create a database of who did what and how many times they did it, I just don’t know how effective it would be.”

Copyright © 2007
ITworldcanada.com

Click HERE to see original article on IT World Canada web site

"

(Read More... | 4 comments | Score: 0)


Online Libel & Google Reputation
Posted by boss on Friday, 25 April 2008 @ 23:10:51 EDT (1526 reads)
Topic Law & Legalities

cdupuis writes "A very low technology end to business and career.

Reputation is what others say about you.

Character is what you really are as evidenced by your actions when no one is observing.

IMPORTANT DISCLAIMER: Readers are advised that this essay be considered as common sense advice, not legal advice. For that you need to go to a lawyer.

IT security is a multibillion dollar industry which has necessitated new and constantly revised laws in almost every state on earth. These laws address the criminal aspects of aggressive and deliberate business or personal privacy invasion and information disruption or destruction via various technology mediums; commonly referred to as “hacking”, or more accurately “cracking”.

So what is the “low” technology threat that goes largely unnoticed by the community, ignored by criminal prosecutors and yet the cause of billions of dollars in irreparable damage to business goodwill, personal reputation, and very significantly to the emotional well being of the human victims? The threat is called “LIBEL”; a form of the ancient legal theory of “SLANDER” with origins in Roman jurisprudence.

This issue is close to my heart because I have had a very frustrating and bitter experience therein. I have purposed to collaborate with experts from various fields including psychology, technology, legal and public relations to produce resources to assist victims in their efforts to remedy the wrongs and for potential victims to mitigate the risks. These resources will be made available for free as they become available through the Mile2 website. Victims of online libel are invited to contact me if they would like access to templates, resources and specific advice.

"Defamation" is the term used internationally to generally describe an injury to reputation. “Slander” and “Libel” are false or malicious claims that may harm someone's reputation. Slander and libel both require publication, with the fundamental distinction between the two lying solely in the form in which the defamatory material is published. If published in some fleeting form, such as spoken words or sounds, sign language, gestures and the like, then this would be slander. If it is published in more durable form, such as in written words, film, data disc (CD or DVD), blogging, web sites and the like, then it is considered libel. The key to these definitions is that the statements must be false. If someone published the truth about a person, it IS NOT slander or libel. Slander and libel are not protected forms of free speech under the US First Amendment.

In law, defamation is the communication of a statement that makes a false or deceptive claim, expressly stated or implied to be factual, that may harm the reputation of an individual, business, product, group, government or nation. Most jurisdictions allow legal actions, civil and/or criminal, to deter various kinds of defamation and retaliate against groundless criticism. Related to defamation is public disclosure of private facts, where one person reveals information which is not of public concern and the release of which would offend a reasonable person. Unlike libel or slander, truth is not a defense for invasion of privacy.

See the full essay here: Michael Roberts of Mile2 IT Security Discusses Libel & Google Reputation

"

(comments? | Score: 5)


Generally Accepted Privacy Principles
Posted by boss on Sunday, 09 December 2007 @ 18:53:29 EST (1988 reads)
Topic Law & Legalities

cdupuis writes "

NOTE FROM CLEMENT:

Here is a posting from my friend Dan Swanson. Join his mailing list at:

Click here to subscribe to Dan's mailing list

 

Generally Accepted Privacy Principles (GAPP) is a comprehensive privacy framework that is designed to assist management in creating an effective privacy program that addresses privacy risks and business opportunities. It was developed under a joint effort of the CICA and the American Institute of Certified Public Accountants (AICPA) through the AICPA/CICA Privacy Task Force.

Formerly known as the AICPA/CICA Privacy Framework, it is founded on a single privacy principle that is supported by 10 principles and over 60 objective and measurable criteria. Click here for a description of GAPP’s overall privacy objective and its 10 principles.

GAPP can be used by organizations to perform a thorough review of their privacy practices, such as:

  • Privacy policy design and implementation
  • Performance Measurement
  • Benchmarking
  • Monitoring and auditing privacy programs

http://www.cica.ca/index.cfm/ci_id/36529/la_id/1.htm

note - More information is provided below.

http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=privacy&articleId=9051459&taxonomyId=84&intsrc=kc_feat

Enjoy.

Dan

________________________________________________________________

 

December 06, 2007 (Computerworld) -- If you haven't heard of the Generally Accepted Privacy Principles (GAPP), take stock: They're likely to become the most important new source of requirements for your IT projects since Y2K and Sarbanes-Oxley. Why is this? The accounting industry has closed ranks around the idea that the GAPP is the best international framework for assessing the privacy health of an organization. So when it comes to IT projects, any system or related business process touching personal data will have new rules to play by.

What is the GAPP? I have to agree with the auditors on this one. It's the best attempt so far to address the main point of pain for global chief privacy officers: the growing complexity of privacy regulations around the world.

for full article - see

http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=privacy&articleId=9051459&taxonomyId=84&intsrc=kc_feat

Marilyn Prosch, Ph.D.
School of Global Management & Leadership
Associate Professor, Department of Accounting
Arizona State University
4701 W. Thunderbird Road
Glendale, AZ 85306-4908
602.543.6219 phone
602.543.6303 fax

"

(Read More... | 4 comments | Score: 0)


Major compromise of security results from use of Gmail account by employee
Posted by boss on Monday, 17 September 2007 @ 21:48:05 EDT (1931 reads)
Topic Law & Legalities

cdupuis writes "

I am forwarding an important article highlighting the security implications of employees reflecting business e-mail to a Web-based e-mail account:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9036938&source=NLT_PM&nlid=8

In this case, an employee of MediaDefender, Inc., a company specializing in assisting movie studios and recording companies in preventing illegal copying of their copyrighted materials online, forwarded highly sensitive corporate e-mail to his Google e-mail account. A group that opposes MediaDefender’s activities hacked the Gmail account (most likely because of a simple password on the account) and made nearly 6,000 of MediaDefender’s e-mails available to the public. This should serve as a reminder to have clear policies with employees regarding the forwarding of business e-mail to Gmail and other types of personal accounts that could seriously compromise corporate security.

Michael R. Overly, Esq., CISSP
Foley & Lardner LLP
2029 Century Park East
35th Floor
Los Angeles, California 90067-3021
Telephone: 310-277-2223
Facsimile: 310-557-8475

"

(Read More... | 1 comment | Score: 0)


California Considers New Law Holding Merchants Liable for Costs of Data Breaches
Posted by boss on Friday, 27 July 2007 @ 20:59:52 EDT (1529 reads)
Topic Law & Legalities

cdupuis writes "
California may join Minnesota and, possibly, New Jersey as one of the very first states to enact a law holding merchants responsible for the cost of notifying consumers in the event a security breach results in a compromise of personal information. On June 26, the California Senate Judiciary Committee passed A.B. 779 by a 3-2 vote.

A.B. 779 was proposed in response to the wide ranging security breaches at the TJX Companies Inc., which affected more than 46 million credit and debit card holders. The proposed law would allow businesses required to notify individuals of data breaches to seek reimbursement from the third party responsible for the breach of all "reasonable and actual costs," including the cost of providing notice, and replacing their credit or debit cards. The law is receiving strong opposition from a coalition of 30 groups and businesses representing retailers, financial institutions, information technology companies, marketers, and others.

In May of this year, Minnesota became the first and currently only state to have enacted a similar merchant breach liability law. New Jersey is currently considering a similar data breach liability bill.

Drafting Toolbox: Developing a Fair Use Policy

Employees are constantly copying materials they find in journals, newspapers, and, of course, online. With few exceptions, all of those materials are copyrighted. If the materials are accompanied by information relating to the owner of the copyright and additional terms and conditions regarding use of the materials, removal of that information may subject the user to substantial civil and criminal penalties under the Digital Millennium Copyright Act. Given the potential for copyright infringement and other claims, businesses are adopting fair use policies to reduce the potential for liability resulting from these activities. An example of a basic policy is attached.

 

Click HERE to download a copy of the Fair Usage Policy

Blog News

The following are recent topics discussed in my blog on Chief Security Officer Magazine’s Website:

  • Newton’s Laws of Motion for Information Security
  • Server Memory Subject to Search
  • The Care and Feeding of Forensic Experts

In The Press/Useful Links:

The following hyperlinks lead to articles you may find useful:

Univ. of California hit with proposed 3M fine for Los Alamos breach

European task force lists RFID privacy threats

Software Testing Best Practices

Public and Private Entities Face Challenges in Addressing Cyber Threats

 

Michael R. Overly, Esq., CISSP, ISSMP
Foley & Lardner LLP
2029 Century Park East
35th Floor
Los Angeles, California 90067-3021
Telephone: 310-277-2223
Facsimile: 310-557-8475

© Copyright 2007 Foley & Lardner LLP

The information reported should not be construed as legal advice, nor utilized to resolve legal problems.

If you believe you are receiving this email in error or you do not wish to receive further communication, please send an e-mail to me at the above address.

If you know of someone who would like to be added to our mailing list for this update, please send their name to me at the above address.

"

(comments? | Score: 0)


Encryption key laws could soon be activated
Posted by boss on Tuesday, 10 July 2007 @ 20:56:29 EDT (1241 reads)
Topic Law & Legalities

cdupuis writes "

Police powers included in 2000 legislation could finally be put in place

Parliamentary reporter, Computing 10 Jul 2007

Legislation to force the release of software encryption keys could be activated soon, according to new Home Secretary Jacqui Smith.

The Regulation of Investigatory Powers Act (RIPA) provides police and security services with the power to require the production of keys, with a maximum prison sentence of up to five years. The power was included in the legislation five years ago but has not yet been activated.

In response to a question in the Commons from Conservative MP Sir Paul Beresford, Smith said a review is underway and a decision will be made soon.

‘I understand that we are looking at that specific matter to bring it forward,’ she said.

Beresford said that paedophiles often encrypt material so the police cannot gain access to it.

‘The police have been waiting about five years for the statutory instrument relating to encryption and the RIPA act. When will they get it?’ he said.

www.activehome.co.uk/2193852"

(Read More... | 1 comment | Score: 0)


All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest © 2007 by CCCure.Org, and the site maintainers Clement Dupuis and Nathalie Lambert. Reuse is strictly prohibited without written permission of CCCure.Org or its maintainers.

This web site is not associated directly or indirectly with ISC2, the SANS Institute, ISACA, or other certification authority. The GCFW, CISSP, SSCP, ISSEP, ISSMP, CISA, and CISM are all the property of their respectful owners. The content of this site is provided to you freely due to the generosity of our sponsors.
