After two CD-ROMs containing personal data on 25 million Brits from Her Majesty's Revenue and Customs office failed to arrive at the National Audit office, questions were asked in Parliament. Yes, AFTER the event. Both the BBC and the Grauniad report on the "gasps of astonishment" from MPs when told of the incident. Given the British tendency for understatement, this is about as close as you'll get to a public expression of outrage. The officials who posted the CD-ROMs evidently did not "follow procedures". If the data hadn't been going to the auditors, there is a very good chance we would never have heard about this incident ... but I can't help asking whether the NAO would have created a stink if the CDs had simply turned up in the ordinary post, instead of being send by a secure courier. I'd be willing to bet that all sorts of juicy stuff turns up in their mail and email every day, but I can't recall seeing them jumping up and dow...

Watchfire's latest awareness video offers advice on choosing a strong password, in the style of a 1950's public service announcement (but with modern day video effects: look out for the steaming hot coffee and more). Watch as hapless Bud makes every password mistake in the book! Shudder as he blunders through one near calamity after another. Chuckle at the painful familiarity of his plight. Will Bud ever succeed in his quest to LOG IN? Short videos like this are good to break up security awareness/training presentations.

Here's a sad tale of woe. A good friend of mine in Singapore is suddenly facing redundancy through absolutely no fault of her own. Her employer is simply cutting costs, slashing the workforce it seems without considering their employees' net value (i.e. business benefits created less salary and other expenses). What makes this really sad is that the organization in question is a bank that really ought to have a better idea of basic economics. So, if anyone out there in Blogoland knows of Singapore-based/regional openings for a highly qualified and experienced IT auditor cum information security manager cum IT governance expert, and understands that value equation, do please get in touch with me (email Gary@isect.com). My friend has a CISSP (with the ISSMP concentration), CISM, CISA and 2 decades in the field with globally-renowned financial services companies. She is also one of the most gracious, friendly and genuinely committed individuals I know. It's hard to thin...

ISSA has a “PCI Compliance” webcast on December 6th 2007. Speakers will present "live and online" giving you the opportunity to interact in real-time from the convenience of your desk. Register for this free event .

A blogger bemoaning the effect of inadequate awareness and training on mobile computing and wireless networking security asks who should be responsible for it? Why do so few organizations run comprehensive security awareness and training? The blooger seems to think the CIO, or possibly HR, should be responsible but I'm not sure about either of those suggestions. Most CIOs naturally focus on IT - as in technical - security, if indeed they take any interest in security. Relatively few HR people I've worked with have had much interest in IT, let alone information security. No, it seems to me the blogger has created a false dichotomy, offering a choice of two inappropriate owners. The more appropriate home for security awareness is surely the Information Security Manager, especially if management are open-minded enough to ensure that the ISM role has influence right across the enterprise, rather than being buried out of sight in the depths of IT. The ISM should be working ha...

The Payment Cards Industry (PCI) Security Standards Council (SSC) is adopting Visa's Payment Application Best Practices (PABP) standard as the Payment Application Data Security Standard (PA-DSS) . It is due to be finalized and released early in 2008. Anyone wishing to access and contribute to the draft standard must join the PCI SSC ( i.e. this is not an open standard). PA-DSS will presumably be implemented by mandating it on those developing commercial credit card applications (not those developed and used internally) and checking their compliance through a network of Qualified Security Assessors (QSAs), accredited by PCI SSC. It will complement the existing PCI Data Security Standard (PCI DSS) .

A Chicago shared data center (a "co-location facility") has been broken into and robbed for the fourth time in two years, despite claiming physical security measures that would put some data centres to shame. Masked robbers allegedly broke in through a wall using a power saw (although this is disputed by customers who visited the site), tazered and hit the center manager, and made off with a hoard of servers worth at least $20k (presumably that's just the hardware cost: the data content could be worth rather more and CI Host customers whose websites are down are fast losing their customers). The following physical security controls are mentioned in the Register piece and on CI Host's website , although the existence of some is doubted by slashdotters : - Multiple layers of 24x7 security cameras with 360-degree perimeter and roof surveillance and Facilities 24 hour DVR systems with 14 day video storage (foiled by masks and by allegedly stealing the CCTV equipment ) ...

A new checklist from the IT Compliance Institute on privacy and data protection suggests some 270 items to check, and offers advice and tips on the associated controls. It also gives hints on what the auditors do/don't expect to see, good for getting your house in order before they call.

Unisys is using market survey techniques to assess public perceptions of the state of security in various nations. I'm not entirely clear quite what the survey tells us (other than the general state of paranoia in the countries surveyed), or what use it is (apart from the pharmaceuticals companies selling brain-calming drugs), but no doubt selected numbers will magically appear in assorted PowerPoint slide decks in due course supporting all sorts of hypotheses.

SecurityCatalyst blogs on two new US information security laws. Minnesota's Plastic Card Security Act adds a legal mandate to PCI DSS. The Identity Theft Enforcement and Restitution Act gives victims of identity theft compensation rights. I'm hunting for more information on both of these and will provide an update if I have add anything to add to SecurityCatalyst's post .