<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
<channel>
<title>InfoRiskToday.asia RSS Syndication</title>
<link>http://www.inforisktoday.asia/rssFeeds.php?type=main</link>
<description>InfoRiskToday.asia RSS News Feeds on info risk today news, regulations, blogs and education</description>
<pubDate>Mon, 28 May 2012 06:42:21 -0500</pubDate>
			<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/inforisktoday/asia" /><feedburner:info uri="inforisktoday/asia" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:browserFriendly></feedburner:browserFriendly><item>
			<title>Preparing for IPv6</title>
			<link>http://www.inforisktoday.asia/preparing-for-ipv6-a-4804</link>
			<guid>http://www.inforisktoday.asia/preparing-for-ipv6-a-4804</guid>
			<description>&lt;img src="http://docs.inforisktoday.com/files/images_articles/4804_curran_john_175x175.jpg" align=right hspace=4&gt;&lt;b&gt;What You Need to Know for Secure Implementation&lt;/b&gt;&lt;br&gt;IPv4 - the protocol the Internet originally was built on - is quickly running out of addresses, and organizations must prepare for IPv6. What should they consider, and what steps can they take now?</description>
			</item>
			<item>
			<title>Attack Highlights Third-Party Risks</title>
			<link>http://www.inforisktoday.asia/attack-highlights-third-party-risks-a-4801</link>
			<guid>http://www.inforisktoday.asia/attack-highlights-third-party-risks-a-4801</guid>
			<description>&lt;img src="http://docs.inforisktoday.com/files/images_articles/4801_artid_4801_175x175.jpg" align=right hspace=4&gt;&lt;b&gt;Hack of Online Billing Provider May Have Exposed 500,000 Cards&lt;/b&gt;&lt;br&gt;The hack of online billing provider WHMCS may have exposed 500,000 payment cards. Experts say the incident highlights the persistent risks third parties pose in cardholder data security.</description>
			</item>
			<item>
			<title>Tips for Contracting Cloud Services</title>
			<link>http://www.inforisktoday.asia/tips-for-contracting-cloud-services-a-4797</link>
			<guid>http://www.inforisktoday.asia/tips-for-contracting-cloud-services-a-4797</guid>
			<description>&lt;img src="http://docs.inforisktoday.com/files/images_articles/4797_gilbert_francoise_175x175.jpg" align=right hspace=4&gt;&lt;b&gt;What Organizations Need to Consider Choosing a Vendor&lt;/b&gt;&lt;br&gt;Cloud services contracts often provide little to no wiggle room. What steps do organizations need to take before signing any contract? IT security lawyer Françoise Gilbert offers some key strategies.</description>
			</item>
			<item>
			<title>Social Engineering: Mitigating Risks</title>
			<link>http://www.inforisktoday.asia/social-engineering-mitigating-risks-a-4795</link>
			<guid>http://www.inforisktoday.asia/social-engineering-mitigating-risks-a-4795</guid>
			<description>&lt;img src="http://docs.inforisktoday.com/files/images_articles/4795_omurchu_liam_175x175.jpg" align=right hspace=4&gt;&lt;b&gt;Symantec Recommends Mix of Tech, Education&lt;/b&gt;&lt;br&gt;Why are socially engineered schemes causing so many headaches? Symantec's new Internet Security Threat Report shows attacks are growing. Here's a list of Symantec's recommendations to thwart risks.</description>
			</item>
			<item>
			<title>RBI: Security Issues and Risk Mitigation Measures Related to Card-Present Transactions</title>
			<link>http://www.inforisktoday.asia/agency-releases/rbi-security-issues-risk-mitigation-measures-related-to-card-r-2565</link>
			<guid>http://www.inforisktoday.asia/agency-releases/rbi-security-issues-risk-mitigation-measures-related-to-card-r-2565</guid>
			<description>The Reserve Bank of India on Sept. 22, 2011 issued a notification on security issues and risk mitigation measures related to card-present transactions.</description>
			</item>
			<item>
			<title>RBI: Anti-Money Laundering, Combating of Financing of Terrorism Standards</title>
			<link>http://www.inforisktoday.asia/agency-releases/rbi-anti-money-laundering-combating-financing-terrorism-r-2564</link>
			<guid>http://www.inforisktoday.asia/agency-releases/rbi-anti-money-laundering-combating-financing-terrorism-r-2564</guid>
			<description>The Reserve Bank of India on Sept. 22, 2011, issued a letter to financial institutions regarding anti-money laundering and the combating of financing of terrorism standards.</description>
			</item>
			<item>
			<title>RBI: Know Your Customer Norms - Letter Issued by UIDAI</title>
			<link>http://www.inforisktoday.asia/agency-releases/rbi-know-your-customer-norms-letter-issued-by-uidai-r-2563</link>
			<guid>http://www.inforisktoday.asia/agency-releases/rbi-know-your-customer-norms-letter-issued-by-uidai-r-2563</guid>
			<description>The Reserve Bank of India on Sept. 28, 2011, issued a statement recognizing a letter issued by Unique Identification Authority of India containing details of name, address and Aadhaar number, as an officially valid document as contained in Rule 2[1][d] of the PML Rules, 2005.</description>
			</item>
			<item>
			<title>FDIC: Tips on Preparing Financially for a Natural Disaster or a Fire</title>
			<link>http://www.inforisktoday.asia/agency-releases/fdic-tips-on-preparing-financially-for-natural-disaster-or-fire-r-2540</link>
			<guid>http://www.inforisktoday.asia/agency-releases/fdic-tips-on-preparing-financially-for-natural-disaster-or-fire-r-2540</guid>
			<description>The summer 2011 issue of 'FDIC Consumer News' features tips on how to prepare financially for a natural disaster, a fire or another tragedy, especially one that requires people to evacuate their home and not return for days or weeks.</description>
			</item>
			<item>
			<title>2012 Cloud Security Agenda: Expert Insights on Security and Privacy in the Cloud</title>
			<link>http://www.inforisktoday.asia/webinars/2012-cloud-security-agenda-expert-insights-on-security-privacy-in-cloud-w-276</link>
			<guid>http://www.inforisktoday.asia/webinars/2012-cloud-security-agenda-expert-insights-on-security-privacy-in-cloud-w-276</guid>
			<description>What are organizations' top cloud security concerns, and how are security leaders addressing these concerns through policy, technology and improved vendor management?
&lt;p&gt;&lt;p&gt;
This is the key question posed by the 2012 Cloud Security Survey.
&lt;p&gt;
No longer just an emerging technology practice, cloud computing today is embraced globally as a means of gaining efficient access to critical applications, processes and storage. It's now common for organizations to rely on cloud service providers for functions and business applications such as customer relationship management, messaging or storage via a public, private or hybrid cloud. Further, industry-specific cloud-based applications such as electronic health records or mobile banking and payment applications are emerging at an unprecedented pace.
&lt;p&gt;
But these engagements come with questions about risks:
&lt;ul&gt;
&lt;li&gt;What are your cloud service provider's security and privacy measures, and have they been audited?&lt;/li&gt;
&lt;li&gt;Where geographically is cloud data being stored, and how do operational practices comply with government, industry and organizational privacy regulations?&lt;/li&gt;
&lt;li&gt;How is a multi-tenant cloud environment managed, and in the event of system compromise - what will be the incident response escalation process?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
Yes, cloud computing is about efficiencies and new technologies, but it's also about security, privacy and an organization's reputation.
&lt;p&gt;
The 2012 Cloud Security Survey was crafted with assistance from leading experts in cloud computing, security and privacy, with a mission to:
&lt;ul&gt;
&lt;li&gt;Chart the latest cloud trends, including types of cloud implementations most common by industry and region;&lt;/li&gt;
&lt;li&gt;Gauge organizations' top cloud security concerns, from vendor security to data governance and breach preparedness;&lt;/li&gt;
&lt;li&gt;Predict the top areas of investment for organizations most concerned about cloud security.&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;
This webinar will draw upon survey results and expert insight from a special roundtable panel to discuss:
&lt;p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;b&gt;Top Security Concerns&lt;/b&gt; - Are organizations more concerned about where their data is stored, or whether a malicious insider might be a threat to it?&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Success Factors&lt;/b&gt; - On a scale with cost savings and availability of services, how does security now rank among elements critical to a successful cloud computing implementation?&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Protective Measures&lt;/b&gt; - What are some of the practices organizations are employing, from instituting more stringent contracts to enforcing third-party audits and even participating in mock security exercises with cloud service providers?&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;</description>
			</item>
			<item>
			<title>2012 Faces of Fraud Survey: Complying with the FFIEC Guidance</title>
			<link>http://www.inforisktoday.asia/webinars/2012-faces-fraud-survey-complying-ffiec-guidance-w-270</link>
			<guid>http://www.inforisktoday.asia/webinars/2012-faces-fraud-survey-complying-ffiec-guidance-w-270</guid>
			<description>A follow-up to ISMG's 2011 Faces of Fraud Survey, this webinar looks not only at the latest fraud trends and how institutions are fighting back, but also at their progress in putting together layered security controls in conformance with the FFIEC Authentication Guidance.
&lt;p&gt;
&lt;p&gt;
Given the persistence of fraud threats and the demands of the FFIEC Authentication Guidance, the 2012 Faces of Fraud Survey is crafted with assistance from leading experts in fraud detection and prevention, with a mission to: 
&lt;ul&gt;
&lt;li&gt;Chart the latest fraud trends, including account takeover, skimming and payment card breaches;&lt;/li&gt;
&lt;li&gt;Gauge institutions' preparedness to conform to the FFIEC Authentication Guidance, including where they are prioritizing their efforts;&lt;/li&gt;
&lt;li&gt;Predict the top areas of focus for 2012, from real-time fraud monitoring tools to new layered security controls.&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;</description>
			</item>
			<item>
			<title>BYOD: Manage the Risks and Opportunities</title>
			<link>http://www.inforisktoday.asia/webinars/byod-manage-risks-opportunities-w-266</link>
			<guid>http://www.inforisktoday.asia/webinars/byod-manage-risks-opportunities-w-266</guid>
			<description>From home computers and laptops to cellphones and PDAs, employees have always lobbied to introduce consumer technologies in the workplace.
&lt;p&gt;
&lt;p&gt;
But with the advent of smart phones, tablets, portable storage and a variety of laptops - powerful computing devices that often rely on unsecured wireless networks - the push today is even greater. Example: Intel, the global computer technologies manufacturer, reports that connected mobile devices grew from 10,000 to 30,000 over the first 10 months of 2011. And by 2014, Intel expects 70% of its employees to use personal devices for some aspect of their job.
&lt;p&gt;
So, it's no longer a question of whether to allow employees to use their own devices - no corporate policy can stem the tide of consumerization. The questions now are about:
&lt;ul&gt;
&lt;li&gt;&lt;b&gt;Inventory&lt;/b&gt; - How do you properly account for all of the consumer devices introduced by your employees? Know how to lock down your corporate wireless networks and desktop computers, so you'll also know when employees are trying to access corporate resources via connecting new devices.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Security&lt;/b&gt; - How do you protect your systems and data from unauthorized access - and in the event of lost or stolen devices? From identification to proper authentication, appropriate access control, data storage and detecting unauthorized activities - all controls implemented by an organization on 'corporate-owned' resources over the last decade can potentially be rendered useless on an employee-owned device. Learn the importance of each control and the implementation challenges in a large-scale environment.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Privacy&lt;/b&gt; - The controls you place on an employee-owned device could potentially compromise the individual's privacy (knowing which sites they visit, or whom they e-mail in their off-hours, for instance). How do you achieve the right balance to protect the enterprise's security and the employee's privacy?&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Compliance&lt;/b&gt; - Certain international regulations and standards spell out standards for how data is collected and stored, as well as how it must be made available for legal requests. Are you prepared to address these and other top-level compliance issues when it comes to employees storing enterprise data on their own devices? Learn how to weigh the risks and benefits.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Policy&lt;/b&gt; - Beyond making employees aware of your policy, how do you enforce it? Awareness is key - make sure employees understand your policies around device usage, access, software licensing and other critical issues. But you also need to articulate specific areas of non-compliance and then monitor appropriately for violations subject to disciplinary action, including termination.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Opportunity&lt;/b&gt; - Beyond securing devices, BYOD is an opportunity to improve data and access security in the enterprise, web, mobile, and SaaS applications. The opportunity is for organizations to still have strong security and authentication, but in a way that is "outsourced" to the device owner for all of their applications. This outsourcing can save the company IT budget, as well as reduce help desk support.&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;
In this session, mobile security experts will discuss these topics and more, sharing insights on how today's leading-edge organizations are embracing BYOD as a means of improving employee productivity and creating new business value.</description>
			</item>
			<item>
			<title>Fundamental Security: The Power of GLBA and FFIEC Compliance</title>
			<link>http://www.inforisktoday.asia/webinars/fundamental-security-power-glba-ffiec-compliance-w-265</link>
			<guid>http://www.inforisktoday.asia/webinars/fundamental-security-power-glba-ffiec-compliance-w-265</guid>
			<description>The adage "Compliance doesn't ensure good security, but good security almost always ensures compliance" continues to ring true in 2012, as financial institutions seek to comply with the updated FFIEC guidance on online banking.
&lt;p&gt;
&lt;p&gt;
"Layered security" is a requirement of the new guidance released in 2011, but what does that really mean to banks and credit unions that are preparing for examinations? While financial institutions with an established GLBA information security program and culture most likely were compliant with the new requirements before they were published, many banks and credit unions are still ill-prepared to meet the examiners - and as a result, may lack fundamental security controls.
&lt;p&gt;
Consider the core requirements of GLBA's Safeguards Rule, which requires institutions to:
&lt;ul&gt;
&lt;li&gt;Develop a written information security plan;&lt;/li&gt;
&lt;li&gt;Appoint at least one employee to manage the safeguards;&lt;/li&gt;
&lt;li&gt;Conduct a risk assessment of each department handling private information;&lt;/li&gt;
&lt;li&gt;Develop, monitor, and test the information security program;&lt;/li&gt;
&lt;li&gt;Amend safeguards as necessary with changes in how information is collected, stored and used.&lt;/li&gt;
&lt;/ul&gt;
Risk assessments, security controls and monitoring all are core components of the updated FFIEC Authentication Guidance, as well.
&lt;p&gt;
&lt;p&gt;
In this session, George Tubin, noted expert in banking security, fraud and compliance, will discuss the key elements of GLBA and the FFIEC guidance with an eye toward offering new insights on:
&lt;ul&gt;
&lt;li&gt;Strategies for ensuring both security and compliance;&lt;/li&gt;
&lt;li&gt;A practical approach to layered security;&lt;/li&gt;
&lt;li&gt;Regulatory trends - what to expect next for guidance.&lt;/li&gt;
&lt;/ul&gt;
Following Tubin's presentation, Jeff Multz, Director of North America Midmarket Sales for Dell SecureWorks, will discuss the banking and security trends Dell SecureWorks is seeing and how institutions can respond to them.</description>
			</item>
			<item>
			<title>Why Boards of Directors Don't Get It</title>
			<link>http://www.inforisktoday.asia/interviews/boards-directors-dont-get-it-i-1569</link>
			<guid>http://www.inforisktoday.asia/interviews/boards-directors-dont-get-it-i-1569</guid>
			<description>IT risk management, cyber insurance, privacy - these are hot topics for security leaders, but not for their boards of directors. Why do senior executives still fail to see IT risks as business risks?</description>
			</item>
			<item>
			<title>How to Respond to Hacktivism</title>
			<link>http://www.inforisktoday.asia/interviews/how-to-respond-to-hacktivism-i-1568</link>
			<guid>http://www.inforisktoday.asia/interviews/how-to-respond-to-hacktivism-i-1568</guid>
			<description>Hacktivist attacks will increase, and researcher Gregory Nowak says organizations can take proactive steps to reduce exposure and protect brand reputation. Why, then, are many organizations failing?</description>
			</item>
			<item>
			<title>4 Security Priorities for Banks</title>
			<link>http://www.inforisktoday.asia/interviews/4-security-priorities-for-banks-i-1566</link>
			<guid>http://www.inforisktoday.asia/interviews/4-security-priorities-for-banks-i-1566</guid>
			<description>From mobile and the cloud to DDoS attacks and risks surrounding big data, what should banks and credit unions do now to mitigate exposure? Gartner's Anton Chuvakin offers his top recommendations.</description>
			</item>
			<item>
			<title>Intelligent Defense Against Intruders</title>
			<link>http://www.inforisktoday.asia/interviews/intelligent-defense-against-intruders-i-1565</link>
			<guid>http://www.inforisktoday.asia/interviews/intelligent-defense-against-intruders-i-1565</guid>
			<description>Imagine a computer network that can fool intruders into seeing configurations that in reality don't exist, making it hard for them to invade the system. That's what Scott DeLoach is trying to figure out how to do.</description>
			</item>
			<item>
			<title>The Facts on Occupational Fraud</title>
			<link>http://www.inforisktoday.asia/blogs/facts-on-occupational-fraud-p-1276</link>
			<guid>http://www.inforisktoday.asia/blogs/facts-on-occupational-fraud-p-1276</guid>
			<description>&lt;b&gt;How to Detect and Prevent Insider Crime&lt;/b&gt;&lt;br /&gt;The statistics revealed in the ACFE's new 2012 Report on Occupational Fraud and Abuse are all very real. Here are my insights on occupational fraud and steps leaders can take to detect these crimes.</description>
			</item>
			<item>
			<title>The Business Case for Continuity Planning</title>
			<link>http://www.inforisktoday.asia/blogs/business-case-for-continuity-planning-p-1272</link>
			<guid>http://www.inforisktoday.asia/blogs/business-case-for-continuity-planning-p-1272</guid>
			<description>&lt;b&gt;Small, Mid-Size Enterprises Especially Need to Develop Strategy&lt;/b&gt;&lt;br /&gt;Why do so many small and mid-sized enterprises continue to believe that business continuity planning is just for the big guys? And how do we go about convincing them otherwise? Here are some tips.</description>
			</item>
			<item>
			<title>Measuring the Immeasurable: IT Security</title>
			<link>http://www.inforisktoday.asia/blogs/measuring-immeasurable-security-p-1271</link>
			<guid>http://www.inforisktoday.asia/blogs/measuring-immeasurable-security-p-1271</guid>
			<description>&lt;b&gt;A Year After Its Debut, Index of Cybersecurity Rises by 30 Percent&lt;/b&gt;&lt;br /&gt;Factors driving up the index vary from month to month, but the clear takeaway of the survey of IT security practitioners is that they're getting more apprehensive about safeguarding IT.</description>
			</item>
			<item>
			<title>Can You Define Cybersecurity?</title>
			<link>http://www.inforisktoday.asia/blogs/you-define-cybersecurity-p-1267</link>
			<guid>http://www.inforisktoday.asia/blogs/you-define-cybersecurity-p-1267</guid>
			<description>&lt;b&gt;Answering That Question Isn't So Easy&lt;/b&gt;&lt;br /&gt;The lack of common definitions, understandings and approaches among countries may hamper international cooperation on cybersecurity, a need acknowledged by most countries.</description>
			</item></channel></rss>

