Cyber Security Institute
Regulations
Wednesday, August 11, 2010
Small And Midsize Businesses Look For Ways To Cut Compliance Costs
According to The 451 Group, an IT security analyst firm, there are nine different security technologies required for PCI compliance alone: antivirus, firewalls, intrusion detection systems, encryption for data at rest, file integrity, log management, multifactor authentication, a Web application firewall (or a security development lifecycle), and a vulnerability management solution. Then there are the services: a qualified security assessor, an approved scanning vendor, and in the case of a breach, the qualified incident response assessor. For small and medium businesses, the costs can be overwhelming, says Joshua Corman, research director for The 451 Group’s security practice.
Thursday, June 10, 2010
Ireland considers detailed data loss disclosure guidelines
The proposed code of practice has been published by the Office of the Data Protection Commissioner on its Web site and is open for public comment through June 18. The code of practice would require organizations to report a breach within two working days with some exceptions if strong security measures are implemented. All breaches that result in the loss of personal data affecting more than 100 people would have to be reported unless the personal data was encrypted to a “high standard” with a strong password and that password had not been compromised.
Friday, May 28, 2010
Microsoft Official Calls For Updating Two Key Computer Laws
Microsoft is part of a coalition that is pushing Congress to update the Electronic Communications Privacy Act, which governs government access to electronic communications. Microsoft Vice President and General Counsel Brad Smith says lawmakers must also update the 1986 Computer Fraud and Abuse Act, the federal law that addresses computer-related crimes such as hacking.
Wednesday, May 26, 2010
C-29: The Anti-Privacy Privacy Bill
Canadian Industry Minister Tony Clement introduced two bills yesterday - the Fighting Internet and Wireless Spam Act (C-28) and the Safeguarding Canadians’ Personal Information Act (C-29). The author has spoken positively about C-28, which is long overdue and should receive swift passage. By contrast, C-29 is a huge disappointment. The bill is also long overdue as it features the amendments to Canadian private sector privacy law from a review that began in 2006 and concluded with a report in 2007. Just over three years later, the government has introduced a bill that does little for Canadians’ privacy, while providing new exceptions for businesses and new powers for law enforcement (David Fraser has helpfully created a redline version of PIPEDA with the proposed changes). The centrepiece of the bill is a new security breach disclosure provision, but the requirements are very weak when compared with similar laws found elsewhere.
Tuesday, May 25, 2010
German watchdog tells firms to do own US privacy checks
German privacy watchdogs have told companies to conduct their own checks of US companies’ conduct before passing personal data to them, even if they are signed up to the EU-US ‘Safe Harbor’ data protection scheme. It has said that companies must not simply take US companies’ word on their compliance with EU privacy principles if they plan to send personal data to them. European Union laws on privacy are amongst the world’s strictest, and companies are not allowed to send personal data to countries outside the European Economic Area unless there is a guarantee that it will be protected as well there as it is in the EU.
Tuesday, May 18, 2010
Cloud Service Users Face Confusing Legal Landscape
Cloud computing has great benefits for businesses but legal uncertainties threaten to hamper adoption, said a group of lawyers speaking during a seminar in Seattle this week. “We will have to create a robust legal system and we will have to do it sooner rather than later and before we have the cloud computing equivalent of an offshore oil rig blowout,” said Barry J. Reingold, a partner at Perkins Coie in Washington, D.C.
Monday, April 05, 2010
Firms unprepared for new ICO powers
Experts are warning that many firms may still not be aware of new powers granted to data protection watchdog the Information Commissioner’s Office (ICO) which will enable it to fine businesses up to £500,000 for serious breaches of the Data Protection Act (DPA). The new powers, which it is hoped will act as a deterrent and promote compliance with the DPA, were initially approved by the justice secretary in January after years of lobbying by the ICO, and come into force on Tuesday.
Wednesday, March 24, 2010
Senate Committee OKs Cybersecurity Act
A crucial piece of cybersecurity legislation is one step closer to becoming law after being approved during a Commerce, Science & Transportation Committee hearing Wednesday. The Cybersecurity Act, S. 773, aimed at protecting critical U.S. network infrastructure against cybersecurity threats by fostering collaboration between the federal government and the private sector firms that maintain that infrastructure, is now on its way to the Senate floor.
Tuesday, December 15, 2009
Sharjah, N.Emirates to Get Cyber Crime Court
A federal court to deal with cyber crime cases in Sharjah and the Northern Emirates will soon be established in Sharjah, according to the Minister of Justice.
Tuesday, March 10, 2009
Massachusetts Data Protection Law Date Extended: What Your Business Needs to Know
For the second time in four months, the Commonwealth of Massachusetts has pushed back the implementation of its new data protection law - one of the toughest in the nation. Yet even with the new deadline of January 2010, many of the businesses impacted by these stringent data protection requirements won’t be compliant, say industry experts familiar with the new regulation. The regulation is described by many as the nation’s most cumbersome data security regulation. It will require all entities that license, store or maintain personal information about a Massachusetts resident to implement a comprehensive information security program—even if the business or entity does not have offices in the state.
Friday, February 27, 2009
PCI council offering “milestones” for compliance
The organization charged with administering the Payment Card Industry Data Security Standard (PCI DSS) is trying to give merchants a compliance blueprint. The Prioritized Approach Tool offers six “milestones” that businesses should try to reach in their pursuit of compliance, said Lib de Veyra, the newly appointed chairman of the PCI Security Standards Council, which manages the guidelines.
Monday, February 02, 2009
S’pore data protection enforcement needs bite
As it puts together its data protection framework, Singapore can learn from economies such as Hong Kong, such as appointing an official or agency for enforcement, according to a Singapore-based consultant. Last month, Minister for Information, Communication and the Arts Lee Boon Yang said in Parliament that the work of an inter-ministry committee formed to review Singapore’s data protection regime is still ongoing. “We’re currently looking into developing a data protection model that can best address Singapore’s privacy concerns, commercial requirements and national interest,” he said. “As data protection is a complex issue, with extensive impact on all stakeholders, this review will take some time.”
Thursday, October 02, 2008
Second bill tackles laptop border searches
Three U.S. lawmakers announced this week that they had proposed a law to limit the searches of laptops or other electronic devices to cases where customs agents have reasonable suspicion of illegal activity. The Travelers Privacy Protection Act, a bill written by U.S. Senators Russ Feingold, D-Wis., and Maria Cantwell, D-Wash., and Representative Adam Smith, D-Wash., would allow border agents to search electronic devices only if they had reasonable suspicions of wrongdoing.
Wednesday, October 01, 2008
UK cybercrime overhaul finally comes into effect
Modifications to the Computer Misuse Act (CMA) - which was enacted in 1990 before the advent of the interweb - were included in the Police and Justice Act 2006. DDoS doubly illegal from 1 October.
New Federal Law Targets ID Theft, Cybercrime
President Bush last week signed into law a bill that seeks to make it easier for prosecutors to go after cybercrooks, while ensuring that identity theft victims are compensated for their time and trouble when convicted identity thieves are forced to cough up ill-gotten gains. The Identity Theft Enforcement and Restitution Act of 2008 lowers the bar prosecutors need to clear before bringing hacking and other cybercrime charges against an individual. The new law allows federal courts to prosecute when the cybercriminal and the victim live in the same state.
Monday, September 15, 2008
UN Agency Working On Tech Standards To Get Rid Of Anonymity
Declan McCullagh has a somewhat scary report about how the UN’s International Telecommunication Union has been quietly working away on a proposal for new core internet technology that would allow a “traceback mechanism” to effectively get rid of anonymity, and allow those with access to identify who provided any particular piece of content.
Thursday, June 26, 2008
Web firewalls trumping other options as PCI deadline nears
Companies scrambling to comply with a Web application security requirement due to take effect next week appear to be heavily favoring the use of Web firewall technologies over the other options that are available under the mandate, according to analysts. The mandate from the major credit card companies is the latest adjustment to the Payment Card Industry Data Security Standard (PCI DSS). Essentially, it requires all entities accepting payment card transactions to implement new security controls for protecting their Web applications.
Saturday, May 03, 2008
Groups warn travelers to limit laptop data
A recent federal district court ruling upholding seizures of electronic devices, such as laptops and iPhones, at the U.S. border has traveler- and civil-rights organizations worried that personal and sensitive data could be put at risk. On Thursday, almost three dozen organizations—including civil-rights advocates, academic groups, and religious and minority groups—sent an open letter to four congressional committees, asking that their members consider legislation to “protect all Americans against suspicionless digital border inspections.”
Thursday, April 24, 2008
US court says IP addresses are private
A US court has ruled that users have a “reasonable expectation of privacy” in their internet surfing records and that police must obtain warrants from higher than usual courts in order to force ISPs to hand over records.
Wednesday, April 23, 2008
Two additional supplements for PCI
The PCI Security Standards Council announced the availability of two Information Supplements providing further clarification for PCI DSS requirement 11.3, regarding penetration testing, and Requirement 6.6, regarding application code review and application firewalls. Both of these information supplements provide guidance to help merchants and service providers meet these two requirements in support of their PCI DSS compliance efforts.
Wednesday, April 16, 2008
PCI Security Standards Council issues Payment Application Data Security Standard
The PCI Security Standards Council, a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (DSS), PCI PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS), announced at the Electronic Transactions Association Annual Meeting and Expo the release of version 1.1 of the Payment Application Data Security Standard (PA-DSS). Following release of the PA-DSS, this fall the Council will also roll out a program to include maintenance of a list of validated payment applications.
Thursday, November 08, 2007
PCI DSS Council adding new standard for payment applications
To force more security into the payment application development process, the Payment Card Industry Security Standards Council is adding a new provision to the PCI Data Security Standard (PCI DSS). “With the PA-DSS managed by the council, we will ensure that payment application providers and their products are subject to data security requirements consistent with the current PCI DSS,” Bob Russo, general manager of PCI Security Standards Council, said in a statement.
Thursday, October 25, 2007
Visa rolls out new payment application security mandates
Amid signs of growing frustration in the retail community over the credit card industry’s Payment Card Industry (PCI) data security requirements, Visa on Tuesday quietly rolled out an additional set of Payment Application Security Mandates for all companies that handle credit and debit card transactions. Under the multiphase initiative, covered entities will have three years to ensure that all their payment applications are compliant with a set of security requirements mandated by Visa.
Friday, September 07, 2007
CA Data Protection Rule Moves Forward
Bill would force retailers to provide notice to consumers, telling them which firm lost their credit or debit card information and when it was lost. The California Senate has passed a bill to protect consumer data. The bill, AB 779, goes back to the California State Assembly for ratification. The Assembly approved Assemblyman David Jones’ bill in June by a 55-2 vote. The Senate approved the Consumer Data Protection Act, with 30 votes in favor and six against.
Thursday, August 23, 2007
Minister for Information Technology Awais Ahmad Khan Leghari
Minister for Information Technology Awais Ahmad Khan Leghari Thursday said the adoption of the cyber crime bill by the federal cabinet was a major step towards ensuring a secure business environment and the promotion of e-commerce.
Wednesday, August 22, 2007
Hacking Germany’s New Computer Crime Law
Be careful what you joke about at the water cooler in Germany these days—even a dig about a password stuck to a PC monitor could be considered breaking a new anti-hacker law that went into effect this month. Under the new law, such a joke could be construed as making the password “accessible.” If a customer tells a sales clerk at a German office supply store that he’s going to use his newly-purchased Windows XP software to hack into a bank, the clerk could get busted for selling him the OS. These are the types of extreme scenarios being played out over and over by German security vendors and researchers who are still trying to figure out just what the controversial new Section 202c StGB of the country’s computer crime laws really means to their business and their research. Many security people say the law is so flawed and so broad that no one can really comply with it.
Friday, July 27, 2007
UK phone records to be kept for a year
UK telecoms companies will have to keep phone call logs for a year under a new law, which comes into force in October. The law does not apply to records of internet activity, such as web surfing, email, and Voice over Internet Protocol (VoIP) phone calls.
Study: Internet censorship spreading
State restrictions on use of the Internet have spread to more than 20 countries that use catch-all and contradictory rules to help keep people offline and stifle feared political opposition, a new report says. In “Governing the Internet”, the Organization for Security and Cooperation in Europe (OSCE) presented case studies of Web censorship in Kazakhstan and Georgia and referred to similar findings in nations from China to Iran, Sudan and Belarus. “Recent moves against free speech on the Internet in a number of countries have provided a bitter reminder of the ease with which some regimes, democracies and dictatorships alike, seek to suppress speech that they disapprove of, dislike, or simply fear,” the report by the 56-nation OSCE said.
Thursday, July 19, 2007
DoJ Sends ID Theft Bill to Congress
The Bush administration sent proposed legislation to Congress today that aims to update and improve federal identity theft laws. The Identity Theft Enforcement and Restitution Act of 2007 would allow ID theft victims to recover the value of the time lost attempting to repair damage caused by identity theft.
Friday, June 08, 2007
CIOs, Auditors To Get New Software Controls Guide on July 9
The Institute of Internal Auditors’ forthcoming guide lists tests that companies can perform to make sure their controls are correct and working properly. It’s time for an audit of the application controls for every business system throughout your organization, from enterprise resource planning to e-mail programs, document imaging systems and product design software. If you’ve upgraded or modified applications since the last application controls audit, you’d be smart to check out a forthcoming 33-page guide on applications controls to be released July 9 by the Institute of Internal Auditors (IIA). The eighth in the institute’s Global Technology Audit Guide (GTAG) series, “Auditing Application Controls” will be available for free to the institute’s 130,000 members in 160 countries, as well as to nonmembers via the group’s Web site at http://www.theiia.org.