<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
<channel>
<title>CareersInfoSecurity.co.uk RSS Syndication</title>
<link>http://www.careersinfosecurity.co.uk/rssFeeds.php?type=main</link>
<description>CareersInfoSecurity.co.uk RSS News Feeds on careers information security news, regulations, blogs and education</description>
<pubDate>Thu, 31 May 2012 13:12:48 -0500</pubDate>
			<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/careersinfosecurity/uk" /><feedburner:info uri="careersinfosecurity/uk" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:browserFriendly></feedburner:browserFriendly><item>
			<title>Breach Info Sharing Tool Enhanced</title>
			<link>http://www.careersinfosecurity.co.uk/breach-info-sharing-tool-enhanced-a-4805</link>
			<guid>http://www.careersinfosecurity.co.uk/breach-info-sharing-tool-enhanced-a-4805</guid>
			<description>&lt;img src="http://docs.careersinfosecurity.com/files/images_articles/4805_intid_1412_175x175_1_.jpg" align=right hspace=4&gt;&lt;b&gt;Consortium Offers Free Framework for Vulnerability Reporting&lt;/b&gt;&lt;br&gt;The Industry Consortium for Advancement of Security on the Internet has introduced an enhanced version of its free security vulnerability reporting framework designed to ease the sharing of breach information.</description>
			</item>
			<item>
			<title>Tips for Contracting Cloud Services</title>
			<link>http://www.careersinfosecurity.co.uk/tips-for-contracting-cloud-services-a-4797</link>
			<guid>http://www.careersinfosecurity.co.uk/tips-for-contracting-cloud-services-a-4797</guid>
			<description>&lt;img src="http://docs.careersinfosecurity.com/files/images_articles/4797_gilbert_francoise_175x175.jpg" align=right hspace=4&gt;&lt;b&gt;What Organizations Need to Consider Choosing a Vendor&lt;/b&gt;&lt;br&gt;Cloud services contracts often provide little to no wiggle room. What steps do organizations need to take before signing any contract? IT security lawyer Françoise Gilbert offers some key strategies.</description>
			</item>
			<item>
			<title>Responding to Insider Fraud</title>
			<link>http://www.careersinfosecurity.co.uk/responding-to-insider-fraud-a-4782</link>
			<guid>http://www.careersinfosecurity.co.uk/responding-to-insider-fraud-a-4782</guid>
			<description>&lt;img src="http://docs.careersinfosecurity.com/files/images_articles/4782_ponemon_larry_175x175.jpg" align=right hspace=4&gt;&lt;b&gt;Ponemon Study Sheds New Light on Internal Risks&lt;/b&gt;&lt;br&gt;"You need to educate people, and you need to have the right control procedures in place to ensure that people are aware of insider fraud," says Larry Ponemon, offering tips to reduce insider risks.
&lt;p&gt;
In an interview about the insider threat, Ponemon discusses:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Key findings from this new research;&lt;/li&gt;
&lt;li&gt;What needs to be communicated to C-level executives;&lt;/li&gt;
&lt;li&gt;Tools to detect and prevent inside attacks.&lt;/li&gt;
&lt;/ul&gt;
</description>
			</item>
			<item>
			<title>Breaking Down a Hacktivist Attack</title>
			<link>http://www.careersinfosecurity.co.uk/breaking-down-hacktivist-attack-a-4757</link>
			<guid>http://www.careersinfosecurity.co.uk/breaking-down-hacktivist-attack-a-4757</guid>
			<description>&lt;img src="http://docs.careersinfosecurity.com/files/images_articles/4757_rachwald_rob_175x175.jpg" align=right hspace=4&gt;&lt;b&gt;Learn How a DDoS Assault Went Down, and Was Prevented&lt;/b&gt;&lt;br&gt;Security firm Imperva had the opportunity to watch a hacktivist attack play out. Learn what the three phases of the attack were and how it was stopped.</description>
			</item>
			<item>
			<title>2012 Cloud Security Agenda: Expert Insights on Security and Privacy in the Cloud</title>
			<link>http://www.careersinfosecurity.co.uk/webinars/2012-cloud-security-agenda-expert-insights-on-security-privacy-in-cloud-w-276</link>
			<guid>http://www.careersinfosecurity.co.uk/webinars/2012-cloud-security-agenda-expert-insights-on-security-privacy-in-cloud-w-276</guid>
			<description>What are organizations' top cloud security concerns, and how are security leaders addressing these concerns through policy, technology and improved vendor management?
&lt;p&gt;&lt;p&gt;
This is the key question posed by the 2012 Cloud Security Survey.
&lt;p&gt;
No longer just an emerging technology practice, cloud computing today is embraced globally as a means of gaining efficient access to critical applications, processes and storage. It's now common for organizations to rely on cloud service providers for functions and business applications such as customer relationship management, messaging or storage via a public, private or hybrid cloud. Further, industry-specific cloud-based applications such as electronic health records or mobile banking and payment applications are emerging at an unprecedented pace.
&lt;p&gt;
But these engagements come with questions about risks:
&lt;ul&gt;
&lt;li&gt;What are your cloud service provider's security and privacy measures, and have they been audited?&lt;/li&gt;
&lt;li&gt;Where geographically is cloud data being stored, and how do operational practices comply with government, industry and organizational privacy regulations?&lt;/li&gt;
&lt;li&gt;How is a multi-tenant cloud environment managed, and, in the event of system compromise, what will be the incident response escalation process?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
Yes, cloud computing is about efficiencies and new technologies, but it's also about security, privacy and an organization's reputation.
&lt;p&gt;
The 2012 Cloud Security Survey was crafted with assistance from leading experts in cloud computing, security and privacy, with a mission to:
&lt;ul&gt;
&lt;li&gt;Chart the latest cloud trends, including types of cloud implementations most common by industry and region;&lt;/li&gt;
&lt;li&gt;Gauge organizations' top cloud security concerns, from vendor security to data governance and breach preparedness;&lt;/li&gt;
&lt;li&gt;Predict the top areas of investment for organizations most concerned about cloud security.&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;
This webinar will draw upon survey results and expert insight from a special roundtable panel to discuss:
&lt;p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;b&gt;Top Security Concerns&lt;/b&gt; - Are organizations more concerned about where their data is stored, or whether a malicious insider might be a threat to it?&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Success Factors&lt;/b&gt; - On a scale with cost savings and availability of services, how does security now rank among elements critical to a successful cloud computing implementation?&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Protective Measures&lt;/b&gt; - What are some of the practices organizations are employing, from instituting more stringent contracts to enforcing third-party audits and even participating in mock security exercises with cloud service providers?&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;</description>
			</item>
			<item>
			<title>2012 Faces of Fraud Survey: Complying with the FFIEC Guidance</title>
			<link>http://www.careersinfosecurity.co.uk/webinars/2012-faces-fraud-survey-complying-ffiec-guidance-w-270</link>
			<guid>http://www.careersinfosecurity.co.uk/webinars/2012-faces-fraud-survey-complying-ffiec-guidance-w-270</guid>
			<description>A follow-up to ISMG's 2011 Faces of Fraud Survey, this webinar looks not only at the latest fraud trends and how institutions are fighting back, but also at their progress in putting together layered security controls in conformance with the FFIEC Authentication Guidance.
&lt;p&gt;
&lt;p&gt;
Given the persistence of fraud threats and the demands of the FFIEC Authentication Guidance, the 2012 Faces of Fraud Survey is crafted with assistance from leading experts in fraud detection and prevention, with a mission to: 
&lt;ul&gt;
&lt;li&gt;Chart the latest fraud trends, including account takeover, skimming and payment card breaches;&lt;/li&gt;
&lt;li&gt;Gauge institutions' preparedness to conform to the FFIEC Authentication Guidance, including where they are prioritizing their efforts;&lt;/li&gt;
&lt;li&gt;Predict the top areas of focus for 2012, from real-time fraud monitoring tools to new layered security controls.&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;</description>
			</item>
			<item>
			<title>Using the NIST HIPAA Security Rule Toolkit for Risk Assessments</title>
			<link>http://www.careersinfosecurity.co.uk/webinars/using-nist-hipaa-security-rule-toolkit-for-risk-assessments-w-262</link>
			<guid>http://www.careersinfosecurity.co.uk/webinars/using-nist-hipaa-security-rule-toolkit-for-risk-assessments-w-262</guid>
			<description>The National Institute of Standards and Technology, a non-regulatory agency of the Department of Commerce, is responsible for providing standards and technology to protect against threats to the confidentiality, integrity and availability of information and information systems. NIST's Computer Security Division is positioned to ensure that new technologies are selected, deployed and operated in a manner that reduces risk.
&lt;p&gt;&lt;p&gt;
The Health Insurance Portability and Accountability Act Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used or maintained by a covered entity. Covered entities include hospitals, physician groups, health plans and claims clearinghouses. Soon, the rule also will apply to business associates - business partners that have access to sensitive patient information. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information. 
&lt;p&gt;
To help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environments, NIST has developed a HIPAA Security Rule Self Assessment Toolkit.
&lt;p&gt;
In this session, Kevin Stine, manager of the Security Outreach and Integration Group within NIST's Computer Security Division, will:
&lt;ul&gt;
&lt;li&gt;Introduce participants to NIST and its role in information security;&lt;/li&gt;
&lt;li&gt;Provide a detailed overview of the toolkit application;&lt;/li&gt;
&lt;li&gt;Discuss how the toolkit can be used to support an organization's risk management process, help improve security safeguards and aid security assessment and compliance activities; and &lt;/li&gt;
&lt;li&gt;Identify additional NIST information security resources, such as risk assessment and security control guidelines, which can help organizations to manage risk and safeguard health information.&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;</description>
			</item>
			<item>
			<title>Risk Assessment Framework for Online Channel: Learn from an Expert</title>
			<link>http://www.careersinfosecurity.co.uk/webinars/risk-assessment-framework-for-online-channel-learn-from-expert-w-261</link>
			<guid>http://www.careersinfosecurity.co.uk/webinars/risk-assessment-framework-for-online-channel-learn-from-expert-w-261</guid>
			<description>Risk assessments are the foundation of risk management and information security, and since 2005 U.S. banking regulators have urged institutions to conduct periodic risk assessments of their online banking products and services.
&lt;p&gt;
But institutions failed to follow that guidance, and as a result they and their customers were victimized by sophisticated schemes such as ACH/Wire fraud and corporate account takeover.
&lt;p&gt;
These high-profile fraud incidents helped inspire 2011's updated FFIEC Authentication Guidance, which reinforces regulators' expectations of periodic risk assessments. Specifically, the guidance says:
&lt;p&gt;
"Financial institutions should review and update their existing risk assessments as new information becomes available, prior to implementing new electronic financial services, or at least every twelve months. Updated risk assessments should consider, but not be limited to, the following factors:
&lt;ul&gt;
&lt;li&gt;Changes in the internal and external threat environment, including those discussed in the Appendix to this Supplement;&lt;/li&gt;
&lt;li&gt;Changes in the customer base adopting electronic banking;&lt;/li&gt;
&lt;li&gt;Changes in the customer functionality offered through electronic banking; and&lt;/li&gt;
&lt;li&gt;Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry."&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;
&lt;p&gt;
In this session, Joe Rogalski, VP and information security officer at New York's First Niagara Bank ($44 billion in assets), will detail how his institution conducts periodic risk assessments, including:
&lt;ul&gt;
&lt;li&gt;An overview of the FFIEC guidance and what examiners will expect to see in your approach to risk assessments;&lt;/li&gt;
&lt;li&gt;How to conduct an effective risk assessment, including qualitative and quantitative approaches;&lt;/li&gt;
&lt;li&gt;What to do about risks, vulnerabilities and threats identified in your assessments.&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;</description>
			</item>
			<item>
			<title>Five Application Security Tips</title>
			<link>http://www.careersinfosecurity.co.uk/interviews/five-application-security-tips-i-1571</link>
			<guid>http://www.careersinfosecurity.co.uk/interviews/five-application-security-tips-i-1571</guid>
			<description>Many organizations aren't devoting enough resources to ensure that applications for &lt;a href="http://www.healthcareinfosecurity.com/mobility-c-212"&gt;&lt;b&gt;mobile devices&lt;/b&gt;&lt;/a&gt; are secure, says security expert Jeff Williams. He offers five tips for adequately addressing mobile &lt;a href="http://www.healthcareinfosecurity.com/application-security-c-205"&gt;&lt;b&gt;application security&lt;/b&gt;&lt;/a&gt;.</description>
			</item>
			<item>
			<title>Understanding Electronically Stored Info</title>
			<link>http://www.careersinfosecurity.co.uk/interviews/understanding-electronically-stored-info-i-1570</link>
			<guid>http://www.careersinfosecurity.co.uk/interviews/understanding-electronically-stored-info-i-1570</guid>
			<description>For years, David Matthews, Deputy CISO of the City of Seattle, has been immersed in securing electronically stored information. Now he's written the book on the topic. What are the key themes addressed?</description>
			</item>
			<item>
			<title>Why Boards of Directors Don't Get It</title>
			<link>http://www.careersinfosecurity.co.uk/interviews/boards-directors-dont-get-it-i-1569</link>
			<guid>http://www.careersinfosecurity.co.uk/interviews/boards-directors-dont-get-it-i-1569</guid>
			<description>IT risk management, cyber insurance, privacy - these are hot topics for security leaders, but not for their boards of directors. Why do senior executives still fail to see IT risks as business risks?</description>
			</item>
			<item>
			<title>How to Respond to Hacktivism</title>
			<link>http://www.careersinfosecurity.co.uk/interviews/how-to-respond-to-hacktivism-i-1568</link>
			<guid>http://www.careersinfosecurity.co.uk/interviews/how-to-respond-to-hacktivism-i-1568</guid>
			<description>Hacktivist attacks will increase, and researcher Gregory Nowak says organizations can take proactive steps to reduce exposure and protect brand reputation. Why, then, are many organizations failing?</description>
			</item>
			<item>
			<title>Fighting Hackers With Public Relations</title>
			<link>http://www.careersinfosecurity.co.uk/blogs/fighting-hackers-public-relations-p-1278</link>
			<guid>http://www.careersinfosecurity.co.uk/blogs/fighting-hackers-public-relations-p-1278</guid>
			<description>&lt;b&gt;Understanding Hacktivists' Goals is Key to Thwarting Attacks&lt;/b&gt;&lt;br /&gt;By understanding the motivations behind hacktivism, organizations can learn why good public relations can play an important role in thwarting attacks or minimizing their impact.</description>
			</item>
			<item>
			<title>The Facts on Occupational Fraud</title>
			<link>http://www.careersinfosecurity.co.uk/blogs/facts-on-occupational-fraud-p-1276</link>
			<guid>http://www.careersinfosecurity.co.uk/blogs/facts-on-occupational-fraud-p-1276</guid>
			<description>&lt;b&gt;How to Detect and Prevent Insider Crime&lt;/b&gt;&lt;br /&gt;The statistics revealed in the ACFE's new 2012 Report on Occupational Fraud and Abuse are all very real. Here are my insights on occupational fraud and steps leaders can take to detect these crimes.</description>
			</item>
			<item>
			<title>The Business Case for Continuity Planning</title>
			<link>http://www.careersinfosecurity.co.uk/blogs/business-case-for-continuity-planning-p-1272</link>
			<guid>http://www.careersinfosecurity.co.uk/blogs/business-case-for-continuity-planning-p-1272</guid>
			<description>&lt;b&gt;Small, Mid-Size Enterprises Especially Need to Develop Strategy&lt;/b&gt;&lt;br /&gt;Why do so many small and mid-sized enterprises continue to believe that business continuity planning is just for the big guys? And how do we go about convincing them otherwise? Here are some tips.</description>
			</item>
			<item>
			<title>Can You Define Cybersecurity?</title>
			<link>http://www.careersinfosecurity.co.uk/blogs/you-define-cybersecurity-p-1267</link>
			<guid>http://www.careersinfosecurity.co.uk/blogs/you-define-cybersecurity-p-1267</guid>
			<description>&lt;b&gt;Answering That Question Isn't So Easy&lt;/b&gt;&lt;br /&gt;The lack of common definitions, understandings and approaches among countries may hamper international cooperation on cybersecurity, a need acknowledged by most countries.</description>
			</item></channel></rss>

