Friday, December 07, 2007

Breach disclosure net widens

California Senate Bill 1386 (SB1386) was the first US state law to require organizations to notify California residents when a security breach exposed their personal information, an idea since adopted by around 40 other US states.

SB1386 opened the floodgates: once notification became mandatory, privacy breaches affecting millions of data subjects were disclosed. Prior to SB1386, even huge privacy incidents were successfully hushed up or downplayed by embarrassed (borderline unethical) organizations' spin doctors. SB1386 woke up an ignorant or complacent public.

The Californian law is now being extended to cover privacy breaches involving medical and health insurance information under AB1298:
"AB 1298 adds two new breach-triggering data categories to the law of “health insurance information” defined as a health insurance policy or subscriber number(s), any information in an individual’s application and claims history, including any appeals records; and “medical information” including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional."

Tuesday, June 05, 2007

A little something to browse over lunch

"Today’s information systems are incredibly complex assemblages of hardware, software, firmware, and people, all working together to provide organizations with the capability to process, store, and transmit information on a timely basis to support various organizational missions and business functions. The degree to which organizations have come to depend upon these information systems to conduct routine and critical missions and business functions means that the protection of the underlying systems is paramount to the success of the organization. The selection of appropriate security controls for an information system is an important task that can have major implications on the operations and assets of an organization as well as the welfare of individuals. Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity (including non-repudiation and authenticity), and availability of the system and its information. Once employed within an information system, security controls are assessed to provide the information necessary to determine their overall effectiveness; that is, the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Understanding the overall effectiveness of the security controls implemented in the information system is essential in determining the risk to the organization’s operations and assets, to individuals, to other organizations, and to the nation resulting from the use of the system."

... so starts the latest and greatest draft of NIST SP 800-53A "Guide for Assessing the Security Controls in Federal Information Systems - Building Effective Security Assessment Plans". What a neat way to sum up the whole of information security in just one paragraph!

The standard essentially comprises a large audit checklist for checking a broad range of information security controls against good practice advice in NIST SP 800-53, FIPS 200 and other standards (including ISO27k), topped-and-tailed with background/context, explanation, glossary and references. Being a typical NIST SP, it is well-written and comprehensive.

NIST is seeking feedback on the draft. I'm currently skimming my copy and scribbling a few notes while eating my lunch 'al desco'. We have until the end of July to respond but I'm sure project leader Ron Ross would appreciate comments sooner rather than later.

Sunday, April 08, 2007

NIJ guide to investigating hi-tech crimes

The National Institute of Justice is publishing a series of guides for those engaged in responding to, investigating and presenting evidence in US courts about high-technology crimes. In 137 pages, Investigations Involving the Internet and Computer Networks, the latest publication, covers investigations involving email and websites, instant messaging, chat rooms and IRC, file sharing networks, network intrusion and denial of service, listservs and newsgroups. It provides basic advice on technology and legal issues, with a brief nod to IT forensics. The guide is a little outdated in places but is a useful introduction to the requirements.

More network security resources

Saturday, February 24, 2007

MP3 IPR worth more than $1.5bn

A federal jury in San Diego has ordered Microsoft to pay $1.5 billion to Alcatel-Lucent in a patent dispute over MP3 audio technology used in Windows. In its verdict, the jury assessed damages based on each Windows PC sold since May 2003. The case could have broader implications, should Alcatel-Lucent pursue claims against other companies that use the widespread MP3 technology. An Alcatel-Lucent representative praised the ruling.

"Praised the ruling" hardly seems to do it justice. It's not every day your company makes $1.5bn from its IPR!

The jury decision is certainly not the end of the matter. The article in cNet News points out parallel patent disputes involving Lucent and Microsoft. With such huge sums at stake, the IP lawyers are having a field day.

More IPR links

Wednesday, January 03, 2007

Deep-linking not 'fair use'

Granting a preliminary injunction, a Texan judge has declared it unlawful to hyperlink to an audio webcast against the wishes of the copyright owner. Robert Davis, operator of Supercrosslive.com, had been deep-linking to live streaming audio of motorcycle racing events, bypassing the sponsored advertising on SFX Motorsports' website. The judge said "the link Davis provides on his website is not a 'fair use' of copyright material".

More links on IPR and laws, regulations and standards

Tuesday, January 02, 2007

Cheap source of ISO security standards

Here's some news to cheer your new year. ANSI is selling ISO 17799:2005 as a PDF download for just US$30. Bargain! The normal price elsewhere is at least $100 more so either they are having a January clearance sale prior to its imminent re-badging as ISO 27002 or someone made a typo on the pricing page (an integrity failure!).

A PDF of ISO 27001:2005 is also just $30.

The license permits installation and use of the PDFs on a single PC but I believe site licenses are also available.

More info on ISO 27001 and ISO 17799/27002

Monday, January 01, 2007

A legal argument for security awareness

An article by Ryan Sulkin on Law.com starts thus: "As headlines continue to report data security breaches at an alarming rate, discussion often focuses on the need for enhanced technical controls, such as two-factor authentication and encryption, to protect sensitive, personally identifiable information. The role of the company employee, both as the cause of, and the first line of defense against, security breaches is often lost in the analysis. Yet developing law is increasingly requiring administrative or procedural controls, particularly those directed at employees, as a component of a legally compliant security program." Making the case for security training/awareness, it continues: "However, employees need not be viewed as an expensive companion threat to outsiders. Instead, if companies properly focus on key employee-related security controls and implement those controls in a reasoned and responsive manner, employees can be powerful assets to data security. Employees can assist companies with compliance requirements and, at the same time, help serve as an important line of defense from insider and outsider threats." Ryan picks out GLBA, HIPAA, PCI, FFIEC and ISO 17799 as examples of laws, regulations and standards that require employee awareness, training and education in security. "Finally, in light of all the evolving legal requirements and technological threats to security discussed above, it is important for companies to ground security in the culture of their organization. This begins with the training process, but also requires an ongoing emphasis on the importance of security." Well said Ryan!

More resources for security awareness and laws, regulations and standards

Saturday, December 23, 2006

Under cover for 23 years

A remarkably successful identity thief was eventually brought to justice in Britain when an alert immigration officer spotted false documentation, sparking checks that revealed a fraudulent passport application. The self-styled Earl of Buckingham (not his real name) lived for some 23 years under an assumed name. The genuine Christopher Edward Buckingham died as a child. The fraudster's real identity remains hidden, thanks partly to Switzerland’s privacy laws since he was working in Zurich as an IT security consultant for an insurance company ... which itself raises all sorts of interesting insider threat questions.

More identity theft resources

Tuesday, December 19, 2006

When SysAdmins go bad

Information Week reports that "A federal prosecutor says the sentencing of a former IT systems administrator to eight years in prison for an insider attack should sound a warning to hiring managers that they need to be more vigilant about who they're putting in critical IT positions. ... The March 4, 2002 attack brought down about 2,000 servers both in the company's data center, as well as in branch offices around the country. The financial giant reported that simply cleaning up the mess and getting back online cost UBS more than $3.1 million. ... Duronio [the guilty party] has a criminal record that includes charges of burglary and assault. A presentencing report from the Probation Office in U.S. District Court also lists charges against Duronio from the 1960s, 1970s, 1980s, and 1990s. ... A spokeswoman for UBS said that when Duronio was hired in 1999, the company only ran background checks on a select number of people. Duronio was not one of them". Background checks aren't perfect but, in this case at least, one should have raised concerns about the candidate before he was placed in such a responsible position. The attack was sparked by Duronio receiving a bonus some $15k lower than he expected in the aftermath of 9/11.

More links on hacking, malware, accountability, roles & responsibilities, incident management and laws, standards & regulations

Tuesday, November 28, 2006

Data protection in Japan

In Japan, "More than 71 percent of people worry their personal information will be leaked as a result of inadequate security measures, according to a recent government survey." The article summarizes an opinion survey regarding awareness of and support for Japan's data protection laws introduced last year. Judging by the large number of Japanese companies already certified against ISO 27001, Japan is taking information security very seriously but the Japanese populace is not yet comfortable.
More links on ISO 27001 and data protection

Wednesday, November 15, 2006

DoS attacks outlawed in the UK

Amongst other police reforms, the new Police and Justice Act 2006 amends the Computer Misuse Act 1990 to make Denial of Service attacks explicitly illegal under British law and to clarify other aspects of computer misuse. The Computer Misuse Act 1990 made it an offence to modify a computer without authority, covering most hacking attacks but not explicitly DoS attacks, which need not alter anything on the target. Once the relevant sections are brought into force, criminal hackers who commit, for example, DoS-based extortion ("Send us loads of money or we will continue disrupting your online betting service ...") can be called to account under the amended Act.
More links on laws, regulations and standards and accountability

Thursday, September 21, 2006

Information Protection Made Easy

Information Protection Made Easy: A guide for employees and contractors is a new security awareness book by David Lineman. In just 96 pages, it covers the basics of information security with an emphasis on its relevance to individual employees. Chapter titles are: Desktop and Personal Data Security • Electronic Records • Secure Web Browsing • Protecting Customer Privacy • Email and Instant Messaging Security • Compliance with Laws and Regulations • Handling Confidential Information • Employee right to privacy • Managing Passwords • Corporate governance.
More security awareness advice

Friday, September 01, 2006

New NIST documents

NIST has released Special Publication 800-88 Guidelines for Media Sanitization and Interagency Report (IR) 7337 Personal Identity Verification Demonstration Summary. If you are a security professional, it's worth signing-up for NIST's high signal-to-noise computer security publications mailing list to keep up with new security standards.
More links on information security standards, laws and regulations

Saturday, June 10, 2006

A solid information security manual

NIST Special Publication 800-100 "Information Security Handbook: A Guide for Managers" is a 174-page draft released in June 2006 for public comment. It refers throughout to [US Government] agencies but in fact is broadly applicable, containing sound guidance on important areas such as information security governance, investment and metrics, planning, contingency, certification and accreditation (C&A), incident management and, of course, awareness training and education. It's a good-un, well worth a serious look.
More infosec laws, regulations and standards

Sunday, March 05, 2006

BS 7799 / ISO 17799 / ISO 27002

Through ISO27001security.com we are helping to spread good information security practices and promote the use of the new ISO 27000-series information security management standards. We have finally published an update to the page describing the latest version of the information security management standard ISO 17799:2005 (which is due to become ISO 27002 next year). We have documented the history and outlined the content of the standard with a brief summary of the main sections and subsections.
Explore links to further web resources on the standards, regulations and laws applying to information security on the NoticeBored.com website.

Friday, May 27, 2005

ISO 27000-series security standards

ISO has earmarked the ISO 27000-series for the information security management standards including ISO 17799, BS 7799-2 and a new standard currently in preparation on security management metrics. This new website gives an overview and will gradually become a useful public resource for those implementing the ISO security standards.
More security standards links here

Tuesday, May 10, 2005

New threats and impacts

ComputerWorld points out that new/changing laws such as those concerning the protection of vital information in effect create new liabilities (we would say "impacts") and new threats such as employees or business partners failing to comply with the new laws - in other words they affect information security risks.
More information security risk management and legal resources

Thursday, May 05, 2005

ISO 17799 newsletter

The fifth newsletter from the ISMS (Information Security Management System) IUG (International User Group) contains two pages by Angelica Plate on the changes in ISO 17799:2005, due for publication in a month or two.
More security standards links

Sunday, April 24, 2005

ISO17799 FAQ

A public Wiki has been set up for people to contribute to an FAQ on ISO17799, BS7799-2 and so on. This is a collaborative community project, a good opportunity for information security professionals with '7799 experience to share best practice with their peers. It's early days yet but that means there's plenty of scope for you to add questions and, most of all, add useful answers.
More links to information security standards, laws and regulations

Wednesday, April 13, 2005

Rash of new infosec laws

An article in USA Today lists quite a few security-related US laws that are in progress or planned. Multiply this list by N to cover similar initiatives in the rest of the world and the scale of the legal compliance issue starts to become clear.
More IT governance and IT law resources

Wednesday, March 30, 2005

Visa Cardholder Information Security Program

The VISA Cardholder Information Security Program includes a security standard designed to ensure that all VISA merchants conform to a common security baseline, plus the associated training, validation and certification processes.
More standards and laws links here

Thursday, March 10, 2005

Blogging could cost you your job

A story prompted by comments from a US employment law firm warns about the dangers of publishing confidential information in weblogs - fair enough - but then goes on to warn that employers may be within their rights to dismiss employees whose blog comments imply disloyalty. [Funny, I thought the American Constitution protected the right to free speech! It could be argued that employers in this position have bigger problems than employee blogs to worry about].
More IT law links here
