Cyber Security Institute
Regulations
Tuesday, December 15, 2009
Sharjah, N.Emirates to Get Cyber Crime Court
A federal court to deal with cyber crime cases in Sharjah and the Northern Emirates will soon be established in Sharjah, according to the Minister of Justice.
Tuesday, March 10, 2009
Massachusetts Data Protection Law Date Extended: What Your Business Needs to Know
For the second time in four months, the Commonwealth of Massachusetts has pushed back the implementation of its new data protection law - one of the toughest in the nation. Yet even with the new deadline of January 2010, many of the businesses impacted by these stringent data protection requirements won’t be compliant, say industry experts familiar with the new regulation. The regulation is described by many as the nation’s most cumbersome data security regulation. It will require all entities that license, store or maintain personal information about a Massachusetts resident to implement a comprehensive information security program—even if the business or entity does not have offices in the state.
Friday, February 27, 2009
PCI council offering “milestones” for compliance
The organization charged with administering the Payment Card Industry Data Security Standard (PCI DSS) is trying to give merchants a compliance blueprint. The Prioritized Approach Tool offers six “milestones” that businesses should try to reach in their pursuit of compliance, said Lib de Veyra, the newly appointed chairman of the PCI Security Standards Council, which manages the guidelines.
Monday, February 02, 2009
S’pore data protection enforcement needs bite
As it puts together its data protection framework, Singapore can learn from economies such as Hong Kong, for example by appointing an official or agency for enforcement, according to a Singapore-based consultant. Last month, Minister for Information, Communication and the Arts Lee Boon Yang said in Parliament that the work of an inter-ministry committee formed to review Singapore’s data protection regime is still ongoing. “We’re currently looking into developing a data protection model that can best address Singapore’s privacy concerns, commercial requirements and national interest,” he said. “As data protection is a complex issue, with extensive impact on all stakeholders, this review will take some time.”
Thursday, October 02, 2008
Second bill tackles laptop border searches
Three U.S. lawmakers announced this week that they had proposed a law to limit the searches of laptops or other electronic devices to cases where customs agents have reasonable suspicion of illegal activity. The Travelers Privacy Protection Act, a bill written by U.S. Senators Russ Feingold, D-Wis., and Maria Cantwell, D-Wash., and Representative Adam Smith, D-Wash., would allow border agents to search electronic devices only if they had reasonable suspicions of wrongdoing.
Wednesday, October 01, 2008
UK cybercrime overhaul finally comes into effect
Modifications to the Computer Misuse Act (CMA) - which was enacted in 1990 before the advent of the interweb - were included in the Police and Justice Act 2006. DDoS doubly illegal from 1 October.
New Federal Law Targets ID Theft, Cybercrime
President Bush last week signed into law a bill that seeks to make it easier for prosecutors to go after cybercrooks, while ensuring that identity theft victims are compensated for their time and trouble when convicted identity thieves are forced to cough up ill-gotten gains. The Identity Theft Enforcement and Restitution Act of 2008 lowers the bar prosecutors need to clear before bringing hacking and other cybercrime charges against an individual. The new law allows federal courts to prosecute when the cybercriminal and the victim live in the same state.
Monday, September 15, 2008
UN Agency Working On Tech Standards To Get Rid Of Anonymity
Declan McCullagh has a somewhat scary report about how the UN’s International Telecommunication Union has been quietly working away on a proposal for new core internet technology that would allow a “traceback mechanism” to effectively get rid of anonymity, and allow those with access to identify who provided any particular piece of content.
Thursday, June 26, 2008
Web firewalls trumping other options as PCI deadline nears
Companies scrambling to comply with a Web application security requirement due to take effect next week appear to be heavily favoring the use of Web firewall technologies over the other options that are available under the mandate, according to analysts. The mandate from the major credit card companies is the latest adjustment to the Payment Card Industry Data Security Standard (PCI DSS). Essentially, it requires all entities accepting payment card transactions to implement new security controls for protecting their Web applications.
Saturday, May 03, 2008
Groups warn travelers to limit laptop data
A recent federal district court ruling upholding seizures of electronic devices, such as laptops and iPhones, at the U.S. border has traveler- and civil-rights organizations worried that personal and sensitive data could be put at risk. On Thursday, almost three dozen organizations—including civil-rights advocates, academic groups, and religious and minority groups—sent an open letter to four congressional committees, asking that their members consider legislation to “protect all Americans against suspicionless digital border inspections.”
Thursday, April 24, 2008
US court says IP addresses are private
A US court has ruled that users have a “reasonable expectation of privacy” in their internet surfing records and that police must obtain warrants from higher than usual courts in order to force ISPs to hand over records.
Wednesday, April 23, 2008
Two additional supplements for PCI
The PCI Security Standards Council announced the availability of two Information Supplements providing further clarification for PCI DSS requirement 11.3, regarding penetration testing, and Requirement 6.6, regarding application code review and application firewalls. Both of these information supplements provide guidance to help merchants and service providers meet these two requirements in support of their PCI DSS compliance efforts.
Wednesday, April 16, 2008
PCI Security Standards Council issues Payment Application Data Security Standard
The PCI Security Standards Council, a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (DSS), PCI PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS), announced at the Electronic Transactions Association Annual Meeting and Expo the release of version 1.1 of the Payment Application Data Security Standard (PA-DSS). Following release of the PA-DSS, this fall the Council will also roll out a program to include maintenance of a list of validated payment applications.
Thursday, November 08, 2007
PCI DSS Council adding new standard for payment applications
To force more security into the payment application development process, the Payment Card Industry Security Standards Council is adding a new provision to the PCI Data Security Standard (PCI DSS). “With the PA-DSS managed by the council, we will ensure that payment application providers and their products are subject to data security requirements consistent with the current PCI DSS,” Bob Russo, general manager of PCI Security Standards Council, said in a statement.
Thursday, October 25, 2007
Visa rolls out new payment application security mandates
Amid signs of growing frustration in the retail community over the credit card industry’s Payment Card Industry (PCI) data security requirements, Visa on Tuesday quietly rolled out an additional set of Payment Application Security Mandates for all companies that handle credit and debit card transactions. Under the multiphase initiative, covered entities will have three years to ensure that all their payment applications are compliant with a set of security requirements mandated by Visa.
Friday, September 07, 2007
CA Data Protection Rule Moves Forward
Bill would force retailers to provide notice to consumers, telling them which firm lost their credit or debit card information and when it was lost. The California Senate has passed a bill to protect consumer data. The bill, AB 779, goes back to the California State Assembly for ratification. The Assembly approved Assemblyman David Jones’ bill in June by a 55-2 vote. The Senate approved the Consumer Data Protection Act, with 30 votes in favor and six against.
Thursday, August 23, 2007
Minister for Information Technology Awais Ahmad Khan Leghari
Minister for Information Technology Awais Ahmad Khan Leghari said on Thursday that the adoption of the cyber crime bill by the federal cabinet was a major step towards ensuring a secure business environment and the promotion of e-commerce.
Wednesday, August 22, 2007
Hacking Germany’s New Computer Crime Law
Be careful what you joke about at the water cooler in Germany these days—even a dig about a password stuck to a PC monitor could be considered breaking a new anti-hacker law that went into effect this month. Under the new law, such a joke could be construed as making the password “accessible.” If a customer tells a sales clerk at a German office supply store that he’s going to use his newly purchased Windows XP software to hack into a bank, the clerk could get busted for selling him the OS. These are the types of extreme scenarios being played out over and over by German security vendors and researchers who are still trying to figure out just what the controversial new Section 202c StGB of the country’s computer crime laws really means to their business and their research. Many security people say the law is so flawed and so broad that no one can really comply with it.
Friday, July 27, 2007
UK phone records to be kept for a year
UK telecoms companies will have to keep phone call logs for a year under a new law, which comes into force in October. The law does not apply to records of internet activity, such as web surfing, email, and Voice over Internet Protocol (VoIP) phone calls.
Study: Internet censorship spreading
State restrictions on use of the Internet have spread to more than 20 countries that use catch-all and contradictory rules to help keep people offline and stifle feared political opposition, a new report says. In “Governing the Internet”, the Organization for Security and Cooperation in Europe (OSCE) presented case studies of Web censorship in Kazakhstan and Georgia and referred to similar findings in nations from China to Iran, Sudan and Belarus. “Recent moves against free speech on the Internet in a number of countries have provided a bitter reminder of the ease with which some regimes, democracies and dictatorships alike, seek to suppress speech that they disapprove of, dislike, or simply fear,” the report by the 56-nation OSCE said.
Thursday, July 19, 2007
DoJ Sends ID Theft Bill to Congress
The Bush administration sent proposed legislation to Congress today that aims to update and improve federal identity theft laws. The Identity Theft Enforcement and Restitution Act of 2007 would allow ID theft victims to recover the value of the time lost attempting to repair damage caused by identity theft.
Friday, June 08, 2007
CIOs, Auditors To Get New Software Controls Guide on July 9
The Institute of Internal Auditors’ forthcoming guide lists tests that companies can perform to make sure their controls are correct and working properly. It’s time for an audit of the application controls for every business system throughout your organization, from enterprise resource planning to e-mail programs, document imaging systems and product design software. If you’ve upgraded or modified applications since the last application controls audit, you’d be smart to check out a forthcoming 33-page guide on applications controls to be released July 9 by the Institute of Internal Auditors (IIA). The eighth in the institute’s Global Technology Audit Guide (GTAG) series, “Auditing Application Controls” will be available for free to the institute’s 130,000 members in 160 countries, as well as to nonmembers via the group’s Web site at http://www.theiia.org.
Wednesday, June 06, 2007
House passes restrictive anti-spyware bill
The U.S. House of Representatives passed on Wednesday a second bill aimed at restricting the actions of spyware purveyors and online data thieves, but many government and industry executives have argued that more regulations are not necessary. The act is the second piece of anti-spyware legislation to pass the House in the last month—in late May, legislators gave the go-ahead to the Internet Spyware Prevention (I-SPY) Act.
Monday, May 21, 2007
New Rules May Ease SOX Audits
New guidelines for auditors of Sarbanes-Oxley compliance could take effect later this week, lowering the cost of SOX initiatives and reducing companies’ dependence on auditors to interpret SOX requirements. The Public Company Accounting Oversight Board (PCAOB)—a private, nonprofit entity that gives guidance to the many auditors who evaluate SOX compliance—on Thursday is scheduled to vote on a range of new recommendations, many of which will make it easier and less expensive for companies to meet the legal regulations. “These changes could have a very profound effect on the whole compliance effort,” says Chris Davis, manager of compliance knowledge management at Cybertrust, which offers security and compliance tools and services.
Thursday, April 12, 2007
E-mail monitoring may violate European laws
Monitoring employees’ Internet and telephone use at work may contravene human rights laws in Europe, according to a ruling in a landmark case in the European Court of Human Rights last week. The case involved a public-sector employee who won $5,910 in damages and $11,820 in court costs and expenses after her communications were intercepted by her employer, Carmarthenshire College, based in South Wales. Lynette Copland successfully took the U.K. government to court after her personal Internet usage and telephone calls were monitored by one of her bosses in 1999. The ruling means that the private use of company telecommunications equipment and Internet access may be protected under European human rights legislation, if the company has an acceptable personal-use policy and fails to inform employees that their communications may be monitored.
Wednesday, March 28, 2007
Saudi government gets tough on cybercrime and criminals
According to the Saudi cabinet, there will be new, harsher penalties for committing cybercrime inside the country. A bill that was passed on Monday would punish people who commit crimes online with a $133,000 fine and one year in prison. The cabinet said in a statement that it passed a proposal from the Shura assembly that was submitted last year.
Wednesday, February 21, 2007
DoS attacks to be made illegal in Sweden
Denial of service attacks will become illegal in Sweden from 1st June this year.
Tuesday, January 02, 2007
Enterprise Search And Destroy
New government regulations often spawn whole new markets. A far-reaching reform of the Federal Rules of Civil Procedure (FRCP) is proving to be no exception. The reform means that electronic documents in all forms, including e-mail, instant messages and even transcripts of video conference and VoIP calls, are fair game for litigants during the discovery phase of a lawsuit.
Tuesday, December 26, 2006
FTC gets broader authority to pursue foreign spammers
Thursday, December 14, 2006
Visa U.S.A. adds financial incentives, fines to PCI program
Visa U.S.A. Inc. is adopting a carrot-and-stick approach to help drive merchant compliance with the Payment Card Industry (PCI) data security standard that it—along with other credit card companies such as MasterCard International Inc. and American Express Co.—is pushing. The company announced that it has created a new $20 million incentive program under which it will monetarily reward “acquiring” financial institutions if their members are fully compliant with PCI requirements by Aug. 31, 2007. At the same time, acquiring banks that fail to ensure compliance by Sept. 30, 2007, will be assessed fines starting at $5,000 a month for each noncompliant merchant.