Who Are the Privacy and Security Cops on the Beat? (Part 3)

Daniel J. Solove by Daniel Solove, TeachPrivacy
Monday, October 13, 2014

In the United States, a variety of different regulators are responsible for overseeing and enforcing different laws that impact different types of information. Some laws are exclusively enforced by agencies. Some are also enforced by state attorneys general. Others are enforced exclusively with a private right of action – the ability of individuals to bring lawsuits. Several laws have criminal penalties, which are typically enforced by the Department of Justice (DOJ). And then there are laws that are enforced by a combination of means, such as the Fair Credit Reporting Act (FCRA) which is enforced by two agencies plus private rights of action.

The Privacy Pillory and the Security Rack: The Enforcement Toolkit (Part 2)

Daniel J. Solove by Daniel Solove, TeachPrivacy
Thursday, October 09, 2014

Are privacy and security laws being enforced effectively? What kind of sanctions do privacy and security laws use for enforcement? In this post, I will discuss the various tools that are frequently used in the enforcement of privacy/security laws.

Can CDM change the game?

John Moore, FCW,  Thursday, October 09, 2014

The Continuous Diagnostics and Mitigation program represents a dramatic shift from the government's traditional focus on certifying systems as secure and then rechecking them every so often. An effective cybersecurity strategy requires more than a periodic safety check. That's the thinking behind continuous monitoring, a risk management approach that seeks to keep organizations constantly apprised of their IT security status.

Why Enforce Privacy and Security Laws? (Part 1 of a new series)

Daniel J. Solove by Daniel Solove, TeachPrivacy
Tuesday, October 07, 2014

How are privacy and security laws enforced? How should they be enforced? What enforcement works well? What doesn’t? What are the various agencies that are enforcing privacy laws doing? How do the agencies compare in their enforcement efforts? I plan to explore these questions in a series of posts. Collectively, I’ll call this series “Enforcing Privacy and Security Laws.”

Losing The Cyberwar To Hackers

CloudTweaks,  Tuesday, October 07, 2014

Much of the discussion lately has been around the JP Morgan security breach. There are also growing concerns that other companies may have been infiltrated as well which is not a surprise considering the ruthless nature of cyberwar. Security will always be an issue and something businesses must continuously prepare for in order to minimize damage. Here is an infographic discovered at IDG which take a closer look at Cyberwar in the U.S.

Players picked for first federally-funded R&D center for cybersecurity

Aaron oyd, FederalTimes,  Tuesday, October 07, 2014

With cyber attacks being volleyed at U.S. infrastructure daily, the National Cybersecurity Center of Excellence (NCCoE) has awarded the first federally-funded research and development center (FFRDC) contract designed specifically to enhance the nation's cybersecurity. The new FFRDC — part of the National Institute of Standards and Technology’s (NIST) NCCoE — will be managed by non-profit MITRE Corp. with assistance from the University System of Maryland (USM), which includes campuses in College Park (UMCP) and Baltimore County (UMBC).

OMB changes security incident reporting procedures, tweaks FISMA metrics

Molly Bernhart Walker, FierceGovernmentIT,  Monday, October 06, 2014

The Office of Management and Budget said Oct. 3 that new guidelines issued to federal civilian agencies will improve the government's information security posture. The new guidelines update how agencies will report security incidents to the Homeland Security Department's computer emergency readiness team, or US-CERT, a process that will be tested for one year before a more permanent update is considered, an OMB memo (pdf) said. The new guidance – detailed in incident notification guidelines – establishes a standard set of data elements for reporting incidents, updated incident notification requirements, impact classifications and threat vectors used to categorize and address incidents, said OMB Director Shaun Donovan, in the Oct. 3 memo.

How Does the Cloud Change Cybersecurity?

Steve Towns, Government Technology,  Friday, October 03, 2014

When organizations say they’re “going to the cloud,” that oversimplifies it. You start to see business processes happening in a lot of different places. An organization may have applications running in Salesforce. It may have an outsourced HR solution somewhere else in the cloud, and it may have an ERP solution somewhere else. So it’s not adding one thing; it’s adding numerous things into the equation. How do I detect an attack across this very diverse set of environments — I see that as our next challenge. Most of our work around event monitoring and response addresses things inside the data center. Now we need to correlate things that happen in outside environments run by cloud providers that aren’t necessarily going to send raw data to us.

The Importance of Cybersecurity in the Age of the Cloud and Internet of Things

Colin Wood, Government Technology,  Wednesday, October 01, 2014

Cloud and mobile computing are pushing the IT landscape further away from the organization, and an emerging Internet of Things is expanding the surface area of a defensive front already riddled with holes. Any member of an organization is subject to social engineering attacks for which leadership will increasingly be held accountable before an unforgiving public. Today’s cybersecurity trends are evolving at an overwhelming pace, but it’s not a lost cause. The enemy is not an invincible genius — he’s smart and organized, and the key to winning is simply to beat him at his own game. Here’s a look at some of the biggest trends and what they mean for security professionals, CIOs and government leaders.

CloudFlare’s New Keyless SSL Could Unlock Cloud For Financial Institutions

Ron Miller, TechCrunch,  Thursday, September 18, 2014

Financial institutions crave cloud scalability, but have been reluctant to jump on the cloud bandwagon because of security concerns. In particular, they have been hesitant to expose their precious SSL keys to the open internet. The key identifies them as a financial institution and lets the other party know they can accept or send funds. As you can imagine, they don’t ever want this information escaping their control. CloudFlare, a company that is trying to move all of the traditional networking hardware you typically have in an on-premises data center into the cloud, figured out how to let financial institutions have have it both ways.