T2P Rules, Regulations & Standards News

Consent will be required for cookies in Europe

2009-11-09T16:50:02Z

An editorial at Out-Law.com written by Struan Robertson, editor:

The fate of Europe’s cookie law became improbably entwined with a debate over file-sharing. To cut a long story short, it broke free. On 26th October, it was voted through by the Council of the EU. It cannot be stopped and awaits only the rubber-stamp formalities of signature and publication.

The vote’s result was announced by way of a whisper. It featured at the tail end of an 18-page Council press release (PDF) that first had to address fishing quotas, train driving licences and a maritime treaty with China. I’m afraid we missed it.

There was no attempt to bury this news – but the hushed tones of its reporting were consistent with the media attention it has received to date. There has been almost no fuss about this little law, despite the harm it could do to advertising, the lifeblood of online publishing. It also threatens to irritate all web users by appearing at every new destination like an over-zealous security guard.

Data Breach Bills Clear Senate Panel

2009-11-09T23:14:54Z

Legislation Heads for a Senate Vote
The Senate Judiciary Committee approved two companion bill that would require businesses and government agencies to notify individuals of security breaches involving their sensitive personally identifiable information.

Major SSL Flaw Find Prompts Protocol Update

2009-11-05T21:05:00Z

Vendors, IETF, have been working on a fix since last month for a newly discovered vulnerability in the SSL protocol that spans browsers, servers, smart cards, and other products

Six Steps to Pull App Security Back to the Future

2009-11-05T20:55:00Z

OWASP will host its 2009 AppSec DC conference next week, hoping to arm IT security practitioners with knowledge to improve application security. For a taste of what to expect, organization member Matt Fisher discusses what's wrong with app security today and six ways to make it better.

US government fails to publish social networking guidelines as former US-CERT ... - SC Magazine UK

2009-11-05T13:00:35Z

US government fails to publish social networking guidelines as former US-CERT ...
SC Magazine UK
With regard to privacy and dealing with information control and access, Kwon claimed that this is a 'shared responsibility' of both the department and ...

Analyst: PCI Security a Devil, 'Like No Child Left Behind'

2009-11-04T05:00:00Z

By obsessing about PCI security compliance and spending money on overly complex and underperforming defenses, companies are ignoring risk management and making themselves a target of state-sponsored cyber villains.

Delayed Again: Red Flags Rule Deadline Now June 1, 2010

2009-11-02T05:00:00Z

Bowing to Congressional pressure, the FTC is delaying enforcement of the Red Flags Rule until June 1, 2010, for financial institutions and creditors. Here, IT security pros weigh in on what the rule means for them.

SEC Denies Sarbanes-Oxley Exemption

2006-05-18T04:00:00Z

Small public cos. will need to comply.

SEC Sarbanes-Oxley Changes to Give Small, Public Firms a Break

2006-12-11T05:00:00Z

The U.S. Securities and Exchange Commission (SEC) is on Wednesday expected to start the process to modify existing auditing provisions for small, public firms within the Sarbanes-Oxley Act of 2002 (Sarbox) when it presents new rules related to section 404 of the act, The New York Times reports.Under section 404 of Sarbox, publicly-traded firms are required to evaluate and document the ...

SOX and Micromanagement

2007-01-31T05:00:00Z

Organizational consultant N. Dean Meyer reveals how regulations are used as an excuse for costly disempowerment.

SP 800-53 is Essential for Security in Federal Government IT Systems

2009-11-04T05:00:00Z

The National Institute of Standards and Technology (NIST) Special Publication (SP) SP 800-53 provides a unified information security framework to achieve information system security and effective risk management across the entire Federal Government.

UK to Push for Law to Retain All Communications Data

2009-11-09T05:00:00Z

The U.K. government said Monday it plans to push for a law requiring service providers such as ISPs to retain data about instant messages, e-mail and other electronic communications.

Microsoft to release security guidelines for Agile

2009-11-09T08:03:00Z

Microsoft will release on Tuesday guidelines for developers building online applications and for those utilizing the Agile code-development process.

Opinion: Red Flags Rule deadline delayed again, now June 1

2009-11-02T16:07:00Z

ID Theft Red Flags Rule: What Have Exams Uncovered? - BankInfoSecurity.com

2009-11-09T14:44:32Z

ID Theft Red Flags Rule: What Have Exams Uncovered?
BankInfoSecurity.com
It's been one year since federal regulators started examining banks and credit unions for compliance with the Identity Theft Red Flags Rule. ...
Red flags rule delayed until June 2010American Medical News

all 2 news articles »

Users misbehave, IT gets punished

2009-11-04T20:50:02Z

Another reason to take employee computer monitoring seriously: Lawyers say IT pros could be on the hook for employees’ online behavior.

Based on several state laws and court decisions, employers could have a duty to monitor Web use and tell police about employees who access child pornography, according to employment attorney Gina M. Smith.

So far, seven states have laws on the books requiring companies to report those crimes: Arkansas, Illinois, Missouri, North Carolina, Oklahoma, South Carolina and South Dakota. Failure to do so can result in jail time for IT pros.

Also, in 2005, a company was sued for negligence by the mother of a child pornography victim.

The plaintiff’s husband was arrested after posting inappropriate pictures of his step-daughter online. Apparently, the company monitored his Internet access and saw child pornography sites listed, but never did anything about it. The woman claimed the conduct would have stopped much earlier if the company had stepped in.

A New Jersey court decided in her favor, ruling that a company on notice that a law is being broken with its equipment has a duty to investigate and inform police (Cite: Doe v. XYC Corp.).

To avoid liability, Smith recommends companies:

Designate one person to be a point of contact with police if necessary
Tell all IT staffers about the legal risks and outline a formal report procedure, and
Let all employees know what they should do if they find someone committing a crime on compant-owned devices.

New COSO Thought Paper Supports Integration of Strategy and ERM

2009-11-05T01:30:00Z

COSO highlights specific areas where management can work with its board to enhance the board’s risk oversight capabilities for strategic advantage ALTAMONTE SPRINGS, Fla. – The Committee of Sponsoring Organizations of the Treadway Commission (COSO) - an organization providing thought leadership and guidance on internal controls, enterprise risk management and fraud deterrence – has released a new thought paper, Strengthening Enterprise Risk Management for Strategic Advantage, that highlights specific areas where senior management can work with its board of directors to enhance the board’s risk oversight capabilities and the organization’s strategic value. This document builds upon four specific board risk oversight responsibilities outlined in a recently released COSO thought paper, Effective Enterprise Risk Oversight: The Role of the Board of Directors, to provide more detail on ways senior management can work with the board and others in the organization to strengthen risk management in all types of organizations. “Management is often being asked to provide their boards with more information regarding key risk exposures,” said COSO Chairman David Landsittel. “The challenge facing management is designing and implementing an enterprise wide approach to risk management that is both strategic and value-adding so that the board and senior management have a rich understanding of the organization’s top risk exposures. This thought paper highlights four specific areas where management can work with their board to provide appropriate risk oversight related to strategies and objectives.” This thought paper calls attention to COSO’s Enterprise Risk Management – Integrated Framework (2004), COSO’s definition of ERM, and the key elements of effective board risk oversight. The paper builds upon four critical areas, which are also highlighted in COSO’s Effective Enterprise Risk Oversight: The Role of the Board of Directors, to provide a basis for introspection about current approaches to risk management and to be a catalyst for management to strengthen its overall approach to enterprise wide risk management to help boards fulfill their risk oversight responsibilities. “Through our hands-on work with boards and senior executives of organizations of all sizes and industries, we observe a desire for stronger integration of strategy execution and risk oversight,” said Mark Beasley, Deloitte Professor of Enterprise Risk Management and Director of NC State’s ERM Initiative. “This COSO thought paper provides a rich discussion of the many ways management and boards can work to capture the strategic advantage of an enterprise-wide approach to risk management.” COSO has developed these two thought papers on enterprise risk management to provide more in-depth discussion on how senior management can strengthen risk management processes for strategic advantage. Both thought papers can be downloaded for free at www.coso.org, in addition to the executive summary of COSO’s Enterprise Risk Management – Integrated Framework (2004). ### About COSO Originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. COSO comprises the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and The Institute of Internal Auditors (IIA). About NC State’s ERM Initiative The ERM Initiative in the College of Management at North Carolina State University is pioneering thought-leadership about the emergent discipline of enterprise risk management, with a particular focus on the integration of ERM in strategy planning and governance. The ERM Initiative conducts outreach to business professionals through executive education and hands-on advising, its internet portal (www.erm.ncsu.edu); research, advancing knowledge and understanding of ERM issues; and undergraduate and graduate business education for the next generation of business executives.

Almost half ISO 27001 'compliant' firms break basic security requirements

2009-11-05T18:36:42Z

InfoSec News: Almost half ISO 27001 'compliant' firms break basic security requirements: http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=17211
By Leo King Computerworld UK October 22, 2009
Almost half of businesses that claim compliance with ISO 27001 are sharing privileged user accounts and breaking other standard guidance, [...]

FDIC Warns Banks to Watch for 'Money Mules' Duped by Hackers

2009-11-05T18:36:01Z

InfoSec News: FDIC Warns Banks to Watch for 'Money Mules' Duped by Hackers: http://www.wired.com/threatlevel/2009/10/money_mules/
By Kevin Poulsen Threat Level Wired.com October 29, 2009
Bank customers are increasingly being duped into acting as 'money mules' for hackers, unwittingly laundering cash stolen from business bank [...]

Beyond PCI Checklists - CIO UK

2009-10-26T14:59:51Z

Beyond PCI Checklists
CIO UK
Exploring security requirements under HIPAA and the privacy and security rules, and reviewing deadlines, penalties and sanctions for non compliance. ...

and more »