Monday, October 13, 2014
In the United States, a variety of different regulators are responsible for overseeing and enforcing different laws that impact different types of information. Some laws are exclusively enforced by agencies. Some are also enforced by state attorneys general. Others are enforced exclusively with a private right of action – the ability of individuals to bring lawsuits. Several laws have criminal penalties, which are typically enforced by the Department of Justice (DOJ). And then there are laws that are enforced by a combination of means, such as the Fair Credit Reporting Act (FCRA) which is enforced by two agencies plus private rights of action.
Thursday, October 09, 2014
Are privacy and security laws being enforced effectively? What kind of sanctions do privacy and security laws use for enforcement? In this post, I will discuss the various tools that are frequently used in the enforcement of privacy/security laws.
John Moore, FCW, Thursday, October 09, 2014
The Continuous Diagnostics and Mitigation program represents a dramatic shift from the government's traditional focus on certifying systems as secure and then rechecking them every so often. An effective cybersecurity strategy requires more than a periodic safety check. That's the thinking behind continuous monitoring, a risk management approach that seeks to keep organizations constantly apprised of their IT security status.
Tuesday, October 07, 2014
How are privacy and security laws enforced? How should they be enforced? What enforcement works well? What doesn’t? What are the various agencies that are enforcing privacy laws doing? How do the agencies compare in their enforcement efforts? I plan to explore these questions in a series of posts. Collectively, I’ll call this series “Enforcing Privacy and Security Laws.”
CloudTweaks, Tuesday, October 07, 2014
Much of the discussion lately has been around the JP Morgan security breach. There are also growing concerns that other companies may have been infiltrated as well which is not a surprise considering the ruthless nature of cyberwar. Security will always be an issue and something businesses must continuously prepare for in order to minimize damage. Here is an infographic discovered at IDG which take a closer look at Cyberwar in the U.S.
Aaron oyd, FederalTimes, Tuesday, October 07, 2014
With cyber attacks being volleyed at U.S. infrastructure daily, the National Cybersecurity Center of Excellence (NCCoE) has awarded the first federally-funded research and development center (FFRDC) contract designed specifically to enhance the nation's cybersecurity. The new FFRDC — part of the National Institute of Standards and Technology’s (NIST) NCCoE — will be managed by non-profit MITRE Corp. with assistance from the University System of Maryland (USM), which includes campuses in College Park (UMCP) and Baltimore County (UMBC).
Molly Bernhart Walker, FierceGovernmentIT, Monday, October 06, 2014
The Office of Management and Budget said Oct. 3 that new guidelines issued to federal civilian agencies will improve the government's information security posture. The new guidelines update how agencies will report security incidents to the Homeland Security Department's computer emergency readiness team, or US-CERT, a process that will be tested for one year before a more permanent update is considered, an OMB memo (pdf) said. The new guidance – detailed in incident notification guidelines – establishes a standard set of data elements for reporting incidents, updated incident notification requirements, impact classifications and threat vectors used to categorize and address incidents, said OMB Director Shaun Donovan, in the Oct. 3 memo.
Steve Towns, Government Technology, Friday, October 03, 2014
When organizations say they’re “going to the cloud,” that oversimplifies it. You start to see business processes happening in a lot of different places. An organization may have applications running in Salesforce. It may have an outsourced HR solution somewhere else in the cloud, and it may have an ERP solution somewhere else. So it’s not adding one thing; it’s adding numerous things into the equation. How do I detect an attack across this very diverse set of environments — I see that as our next challenge. Most of our work around event monitoring and response addresses things inside the data center. Now we need to correlate things that happen in outside environments run by cloud providers that aren’t necessarily going to send raw data to us.
Colin Wood, Government Technology, Wednesday, October 01, 2014
Cloud and mobile computing are pushing the IT landscape further away from the organization, and an emerging Internet of Things is expanding the surface area of a defensive front already riddled with holes. Any member of an organization is subject to social engineering attacks for which leadership will increasingly be held accountable before an unforgiving public. Today’s cybersecurity trends are evolving at an overwhelming pace, but it’s not a lost cause. The enemy is not an invincible genius — he’s smart and organized, and the key to winning is simply to beat him at his own game. Here’s a look at some of the biggest trends and what they mean for security professionals, CIOs and government leaders.
Ron Miller, TechCrunch, Thursday, September 18, 2014
Financial institutions crave cloud scalability, but have been reluctant to jump on the cloud bandwagon because of security concerns. In particular, they have been hesitant to expose their precious SSL keys to the open internet. The key identifies them as a financial institution and lets the other party know they can accept or send funds. As you can imagine, they don’t ever want this information escaping their control. CloudFlare, a company that is trying to move all of the traditional networking hardware you typically have in an on-premises data center into the cloud, figured out how to let financial institutions have have it both ways.