After two CD-ROMs containing personal data on 25 million Brits from Her Majesty's Revenue and Customs office failed to arrive at the National Audit office, questions were asked in Parliament. Yes, AFTER the event.
Both the BBC and the Grauniad report on the "gasps of astonishment" from MPs when told of the incident. Given the British tendency for understatement, this is about as close as you'll get to a public expression of outrage.
The officials who posted the CD-ROMs evidently did not "follow procedures". If the data hadn't been going to the auditors, there is a very good chance we would never have heard about this incident ... but I can't help asking whether the NAO would have created a stink if the CDs had simply turned up in the ordinary post, instead of being send by a secure courier. I'd be willing to bet that all sorts of juicy stuff turns up in their mail and email every day, but I can't recall seeing them jumping up and down about the risk.
Whether Chancellor Alistair Darling swings for this is presumably in Her Majesty's hands. I believe the death sentence is still on the cards for treason in the UK. Now that's what I call accountability.
Wednesday 21 November 2007
Tuesday 20 November 2007
Password video
Watchfire's latest awareness video offers advice on choosing a strong password, in the style of a 1950's public service announcement (but with modern day video effects: look out for the steaming hot coffee and more).
Short videos like this are good to break up security awareness/training presentations.
Watch as hapless Bud makes every password mistake in the book! Shudder as he blunders through one near calamity after another. Chuckle at the painful familiarity of his plight. Will Bud ever succeed in his quest to LOG IN?
Short videos like this are good to break up security awareness/training presentations.
Monday 19 November 2007
Singapore sling
Here's a sad tale of woe. A good friend of mine in Singapore is suddenly facing redundancy through absolutely no fault of her own. Her employer is simply cutting costs, slashing the workforce it seems without considering their employees' net value (i.e. business benefits created less salary and other expenses). What makes this really sad is that the organization in question is a bank that really ought to have a better idea of basic economics.
So, if anyone out there in Blogoland knows of Singapore-based/regional openings for a highly qualified and experienced IT auditor cum information security manager cum IT governance expert, and understands that value equation, do please get in touch with me (email Gary@isect.com). My friend has a CISSP (with the ISSMP concentration), CISM, CISA and 2 decades in the field with globally-renowned financial services companies. She is also one of the most gracious, friendly and genuinely committed individuals I know. It's hard to think of a better definition of "asset".
So, if anyone out there in Blogoland knows of Singapore-based/regional openings for a highly qualified and experienced IT auditor cum information security manager cum IT governance expert, and understands that value equation, do please get in touch with me (email Gary@isect.com). My friend has a CISSP (with the ISSMP concentration), CISM, CISA and 2 decades in the field with globally-renowned financial services companies. She is also one of the most gracious, friendly and genuinely committed individuals I know. It's hard to think of a better definition of "asset".
ISSA eSymposium on PCI compliance
ISSA has a “PCI Compliance” webcast on December 6th 2007. Speakers will present "live and online" giving you the opportunity to interact in real-time from the convenience of your desk. Register for this free event.
Thursday 8 November 2007
Who's responsible for security awareness?
A blogger bemoaning the effect of inadequate awareness and training on mobile computing and wireless networking security asks who should be responsible for it? Why do so few organizations run comprehensive security awareness and training? The blooger seems to think the CIO, or possibly HR, should be responsible but I'm not sure about either of those suggestions. Most CIOs naturally focus on IT - as in technical - security, if indeed they take any interest in security. Relatively few HR people I've worked with have had much interest in IT, let alone information security.
No, it seems to me the blogger has created a false dichotomy, offering a choice of two inappropriate owners. The more appropriate home for security awareness is surely the Information Security Manager, especially if management are open-minded enough to ensure that the ISM role has influence right across the enterprise, rather than being buried out of sight in the depths of IT. The ISM should be working hand-in-hand with IT, HR, Legal, Risk, Compliance, R&D, Ops ... in fact I can't think of anyone the ISM can safely ignore (is there any department that doesn't rely on information?).
To have any real effect on the organization's security stance and culture, the ISM needs the full support of executive management. My reasoning goes like this:
- Security awareness is part of information security.
- Information security is part of IT governance.
- IT governance is part of corporate governance.
- Corporate governance applies across the whole organization, and is a matter for senior management collectively.
- Ultimately the CEO and the Board are accountable for information security. They have the power to prioritize it, allocate sufficient funding, mandate security policies, standards etc. The CIO is much too far down the food-chain to have teeth.
No, it seems to me the blogger has created a false dichotomy, offering a choice of two inappropriate owners. The more appropriate home for security awareness is surely the Information Security Manager, especially if management are open-minded enough to ensure that the ISM role has influence right across the enterprise, rather than being buried out of sight in the depths of IT. The ISM should be working hand-in-hand with IT, HR, Legal, Risk, Compliance, R&D, Ops ... in fact I can't think of anyone the ISM can safely ignore (is there any department that doesn't rely on information?).
To have any real effect on the organization's security stance and culture, the ISM needs the full support of executive management. My reasoning goes like this:
- Security awareness is part of information security.
- Information security is part of IT governance.
- IT governance is part of corporate governance.
- Corporate governance applies across the whole organization, and is a matter for senior management collectively.
- Ultimately the CEO and the Board are accountable for information security. They have the power to prioritize it, allocate sufficient funding, mandate security policies, standards etc. The CIO is much too far down the food-chain to have teeth.
Wednesday 7 November 2007
New PCI security standard
The Payment Cards Industry (PCI) Security Standards Council (SSC) is adopting Visa's Payment Application Best Practices (PABP) standard as the Payment Application Data Security Standard (PA-DSS). It is due to be finalized and released early in 2008. Anyone wishing to access and contribute to the draft standard must join the PCI SSC (i.e. this is not an open standard).
PA-DSS will presumably be implemented by mandating it on those developing commercial credit card applications (not those developed and used internally) and checking their compliance through a network of Qualified Security Assessors (QSAs), accredited by PCI SSC.
It will complement the existing PCI Data Security Standard (PCI DSS).
PA-DSS will presumably be implemented by mandating it on those developing commercial credit card applications (not those developed and used internally) and checking their compliance through a network of Qualified Security Assessors (QSAs), accredited by PCI SSC.
It will complement the existing PCI Data Security Standard (PCI DSS).
Tuesday 6 November 2007
Chicago data center robbed, again
A Chicago shared data center (a "co-location facility") has been broken into and robbed for the fourth time in two years, despite claiming physical security measures that would put some data centres to shame.
Masked robbers allegedly broke in through a wall using a power saw (although this is disputed by customers who visited the site), tazered and hit the center manager, and made off with a hoard of servers worth at least $20k (presumably that's just the hardware cost: the data content could be worth rather more and CI Host customers whose websites are down are fast losing their customers). The following physical security controls are mentioned in the Register piece and on CI Host's website, although the existence of some is doubted by slashdotters:
- Multiple layers of 24x7 security cameras with 360-degree perimeter and roof surveillance and Facilities 24 hour DVR systems with 14 day video storage (foiled by masks and by allegedly stealing the CCTV equipment)
- Proximity card readers plus biometric access controls and key pads, with double-locking mantraps at data center entrance (bypassed by using a convenient hole in the wall instead of the doors)
- Reinforced walls (vulnerable to a power saw, so "reinforced" seems a bit of artistic license)
- On-site personnel 24x7 (perhaps only one person? It's not entirely clear whether he was already there or responded to an alarm. There's no mention of security guards or alarms being sounded, as far as I've read so far)
- Non-customers enter equipment area by escort only (presumably not the robbers!)
- All cabinets, cages, and suites have locking mechanisms (a.k.a. "locks") and security upgrades are available (padlocks? Cages? Bullet-proof Kevlar vests?)
- Physical audit trails on all entry points (visitor logs?)
- Anti-pass back and tail gating systems (passback is permitted through holes in the wall)
- 24x7 intruder, smoke, heat and fire alarms monitored by police and fire departments for instant reaction (for large values of "instant")
- No signage, nondescript building (the building's street address - 900 North Franklin, 3rd Floor, Chicago, IL 60610 - and photo is provided on CI Host's website, and of course the robberies make the news. Hardly what one would call discreet!).
Banks know a thing or two about physical security, yet bank robberies do still occur. Robbers naturally avoid the strongest controls but exploit the weakest, which often includes the employees. Bank employees are not, as a rule, expected to fight to the death to defend their employer's and customers' assets. Automated security controls such as time-locked vaults and silent intruder/hold-up alarms are designed to at least delay if not foil the robbers while the cavalry trot along. On top of that, many of the security controls in a bank are designed to protect the employees. Maybe CI Host should consider taking advice from local bank security people ... or moving out of Chicago?
Masked robbers allegedly broke in through a wall using a power saw (although this is disputed by customers who visited the site), tazered and hit the center manager, and made off with a hoard of servers worth at least $20k (presumably that's just the hardware cost: the data content could be worth rather more and CI Host customers whose websites are down are fast losing their customers). The following physical security controls are mentioned in the Register piece and on CI Host's website, although the existence of some is doubted by slashdotters:
- Multiple layers of 24x7 security cameras with 360-degree perimeter and roof surveillance and Facilities 24 hour DVR systems with 14 day video storage (foiled by masks and by allegedly stealing the CCTV equipment)
- Proximity card readers plus biometric access controls and key pads, with double-locking mantraps at data center entrance (bypassed by using a convenient hole in the wall instead of the doors)
- Reinforced walls (vulnerable to a power saw, so "reinforced" seems a bit of artistic license)
- On-site personnel 24x7 (perhaps only one person? It's not entirely clear whether he was already there or responded to an alarm. There's no mention of security guards or alarms being sounded, as far as I've read so far)
- Non-customers enter equipment area by escort only (presumably not the robbers!)
- All cabinets, cages, and suites have locking mechanisms (a.k.a. "locks") and security upgrades are available (padlocks? Cages? Bullet-proof Kevlar vests?)
- Physical audit trails on all entry points (visitor logs?)
- Anti-pass back and tail gating systems (passback is permitted through holes in the wall)
- 24x7 intruder, smoke, heat and fire alarms monitored by police and fire departments for instant reaction (for large values of "instant")
- No signage, nondescript building (the building's street address - 900 North Franklin, 3rd Floor, Chicago, IL 60610 - and photo is provided on CI Host's website, and of course the robberies make the news. Hardly what one would call discreet!).
Banks know a thing or two about physical security, yet bank robberies do still occur. Robbers naturally avoid the strongest controls but exploit the weakest, which often includes the employees. Bank employees are not, as a rule, expected to fight to the death to defend their employer's and customers' assets. Automated security controls such as time-locked vaults and silent intruder/hold-up alarms are designed to at least delay if not foil the robbers while the cavalry trot along. On top of that, many of the security controls in a bank are designed to protect the employees. Maybe CI Host should consider taking advice from local bank security people ... or moving out of Chicago?
Saturday 3 November 2007
IT audit checklist on privacy/data protection
A new checklist from the IT Compliance Institute on privacy and data protection suggests some 270 items to check, and offers advice and tips on the associated controls. It also gives hints on what the auditors do/don't expect to see, good for getting your house in order before they call.
National paranoia index
Unisys is using market survey techniques to assess public perceptions of the state of security in various nations. I'm not entirely clear quite what the survey tells us (other than the general state of paranoia in the countries surveyed), or what use it is (apart from the pharmaceuticals companies selling brain-calming drugs), but no doubt selected numbers will magically appear in assorted PowerPoint slide decks in due course supporting all sorts of hypotheses.
New US infosec laws
SecurityCatalyst blogs on two new US information security laws. Minnesota's Plastic Card Security Act adds a legal mandate to PCI DSS. The Identity Theft Enforcement and Restitution Act gives victims of identity theft compensation rights. I'm hunting for more information on both of these and will provide an update if I have add anything to add to SecurityCatalyst's post.
Subscribe to:
Posts (Atom)