Will new commercial mobile encryption affect BYOD policy?

Adam Mazmanian, FCW,  Monday, October 20, 2014

While law enforcement is up in arms about new default data encryption on Apple iOS and Google Android devices, experts say the policy could have some benefits for federal mobility as well.

Stop worrying about mastermind hackers. Start worrying about the IT guy.

Andrea Peterson and Craig Timberg, Washington Post,  Friday, October 17, 2014

Mistakes in setting up popular office software have sent information about millions of Americans spilling onto the Internet, including Social Security numbers of college students, the names of children in Texas and the ID numbers of intelligence officials who visited a port facility in Maryland. The security problem, researchers say, has affected many hundreds of servers running popular Oracle software, exposing a peculiar melange of data to possible collection by hackers. Most of the institutions affected have been universities or government agencies, though they hold a wide range of information on individuals and private companies.

Who Are the Privacy and Security Cops on the Beat? (Part 3)

Daniel Solove, TeachPrivacy, Monday, October 13, 2014

In the United States, a variety of different regulators are responsible for overseeing and enforcing different laws that impact different types of information. Some laws are exclusively enforced by agencies. Some are also enforced by state attorneys general. Others are enforced exclusively with a private right of action – the ability of individuals to bring lawsuits. Several laws have criminal penalties, which are typically enforced by the Department of Justice (DOJ). And then there are laws that are enforced by a combination of means, such as the Fair Credit Reporting Act (FCRA) which is enforced by two agencies plus private rights of action.

The Privacy Pillory and the Security Rack: The Enforcement Toolkit (Part 2)

Daniel Solove, TeachPrivacy, Thursday, October 09, 2014

Are privacy and security laws being enforced effectively? What kind of sanctions do privacy and security laws use for enforcement? In this post, I will discuss the various tools that are frequently used in the enforcement of privacy/security laws.

Can CDM change the game?

John Moore, FCW,  Thursday, October 09, 2014

The Continuous Diagnostics and Mitigation program represents a dramatic shift from the government's traditional focus on certifying systems as secure and then rechecking them every so often. An effective cybersecurity strategy requires more than a periodic safety check. That's the thinking behind continuous monitoring, a risk management approach that seeks to keep organizations constantly apprised of their IT security status.

Why Enforce Privacy and Security Laws? (Part 1 of a new series)

Daniel Solove, TeachPrivacy, Tuesday, October 07, 2014

How are privacy and security laws enforced? How should they be enforced? What enforcement works well? What doesn’t? What are the various agencies that are enforcing privacy laws doing? How do the agencies compare in their enforcement efforts? I plan to explore these questions in a series of posts. Collectively, I’ll call this series “Enforcing Privacy and Security Laws.”

Losing The Cyberwar To Hackers

CloudTweaks,  Tuesday, October 07, 2014

Much of the discussion lately has been around the JP Morgan security breach. There are also growing concerns that other companies may have been infiltrated as well, which is not surprising given the ruthless nature of cyberwar. Security will always be an issue and something businesses must continuously prepare for in order to minimize damage. Here is an infographic, discovered at IDG, which takes a closer look at cyberwar in the U.S.

Players picked for first federally-funded R&D center for cybersecurity

Aaron Boyd, FederalTimes,  Tuesday, October 07, 2014

With cyber attacks being volleyed at U.S. infrastructure daily, the National Cybersecurity Center of Excellence (NCCoE) has awarded the first federally-funded research and development center (FFRDC) contract designed specifically to enhance the nation's cybersecurity. The new FFRDC — part of the National Institute of Standards and Technology’s (NIST) NCCoE — will be managed by non-profit MITRE Corp. with assistance from the University System of Maryland (USM), which includes campuses in College Park (UMCP) and Baltimore County (UMBC).

OMB changes security incident reporting procedures, tweaks FISMA metrics

Molly Bernhart Walker, FierceGovernmentIT,  Monday, October 06, 2014

The Office of Management and Budget said Oct. 3 that new guidelines issued to federal civilian agencies will improve the government's information security posture. The new guidelines update how agencies will report security incidents to the Homeland Security Department's computer emergency readiness team, or US-CERT, a process that will be tested for one year before a more permanent update is considered, an OMB memo (pdf) said. The new guidance – detailed in incident notification guidelines – establishes a standard set of data elements for reporting incidents, updated incident notification requirements, impact classifications and threat vectors used to categorize and address incidents, said OMB Director Shaun Donovan, in the Oct. 3 memo.

How Does the Cloud Change Cybersecurity?

Steve Towns, Government Technology,  Friday, October 03, 2014

When organizations say they’re “going to the cloud,” that oversimplifies it. You start to see business processes happening in a lot of different places. An organization may have applications running in Salesforce. It may have an outsourced HR solution somewhere else in the cloud, and it may have an ERP solution somewhere else. So it’s not adding one thing; it’s adding numerous things into the equation. How do I detect an attack across this very diverse set of environments — I see that as our next challenge. Most of our work around event monitoring and response addresses things inside the data center. Now we need to correlate things that happen in outside environments run by cloud providers that aren’t necessarily going to send raw data to us.
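The correlation problem described in that interview, shown as an added example that is not part of the original article or of any vendor's tooling: two cloud providers each export only per-event login summaries in their own shape, so the detection has to normalize them to a common schema, join on a normalized identity, and then apply a rule across providers. The provider field names, the sample events, and the IP-to-region map are all constructed for illustration (documentation address ranges, not real geolocation data).

```python
"""Cross-provider login correlation over constructed sample exports (added example)."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample exports. Field names are assumptions for illustration,
# not the real schemas of any vendor. Neither source hands over raw data,
# only summarized authentication events.
SALESFORCE_LOGIN_HISTORY = [
    {"Username": "alice@example.gov", "LoginTime": "2014-10-03T13:02:11Z",
     "SourceIp": "203.0.113.7", "Status": "Success"},
    {"Username": "bob@example.gov", "LoginTime": "2014-10-03T13:05:40Z",
     "SourceIp": "198.51.100.22", "Status": "Invalid Password"},
]
HR_AUDIT_CSV = """timestamp,user,event,ip
2014-10-03 13:09:30,Alice@Example.gov,login_ok,192.0.2.99
2014-10-03 13:40:00,bob@example.gov,login_ok,198.51.100.22
"""

# Constructed coarse geolocation for the documentation ranges used above.
REGION_BY_PREFIX = {"203.0.113.": "eu-west", "198.51.100.": "us-east", "192.0.2.": "ap-south"}


@dataclass(frozen=True)
class AuthEvent:
    """Common schema every provider export is mapped onto."""
    ts: datetime       # UTC
    user: str          # lower-cased e-mail: the cross-provider join key
    provider: str
    ip: str
    success: bool


def region_of(ip: str) -> str:
    for prefix, name in REGION_BY_PREFIX.items():
        if ip.startswith(prefix):
            return name
    return "unknown"


def from_salesforce(records) -> list:
    out = []
    for r in records:
        ts = datetime.strptime(r["LoginTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append(AuthEvent(ts, r["Username"].lower(), "salesforce",
                             r["SourceIp"], r["Status"] == "Success"))
    return out


def from_hr_csv(text: str) -> list:
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        out.append(AuthEvent(ts, row["user"].lower(), "hr-saas",
                             row["ip"], row["event"] == "login_ok"))
    return out


def normalize_all() -> list:
    """Merge every provider's export into one time-ordered stream."""
    events = from_salesforce(SALESFORCE_LOGIN_HISTORY) + from_hr_csv(HR_AUDIT_CSV)
    return sorted(events, key=lambda e: e.ts)


def impossible_travel(events, window=timedelta(minutes=30)) -> list:
    """Flag consecutive successful logins by one user from different regions
    within `window`, regardless of which provider each login hit.
    Returns (user, earlier_provider, later_provider, minutes_apart) tuples."""
    last_by_user = {}
    findings = []
    for e in events:
        if not e.success:            # failed logins do not establish presence
            continue
        prev = last_by_user.get(e.user)
        if prev and region_of(prev.ip) != region_of(e.ip) and e.ts - prev.ts <= window:
            minutes = int((e.ts - prev.ts).total_seconds() // 60)
            findings.append((e.user, prev.provider, e.provider, minutes))
        last_by_user[e.user] = e
    return findings


if __name__ == "__main__":
    for finding in impossible_travel(normalize_all()):
        print("impossible travel across providers:", finding)
```

On the constructed input the rule fires once: alice authenticates to one provider from "eu-west" and seven minutes later to the other from "ap-south", something neither provider's own console would show because each sees only its half. Bob's failed login is ignored. Two addresses that both map to "unknown" are treated as the same region and never flagged, so the rule is only as good as the geolocation feeding it; in practice, identity normalization (the same person appearing as different usernames in different SaaS tenants) is the harder part of the join.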