Regulations – Page 3 – CyberSecurity Institute

Indian cyber laws lack teeth to bite data hackers

Posted on January 31, 2013December 30, 2021 by admini

The death of web-freedom activist Aaron Swartz, has once again turned the limelight on the Cyber security issues and laws governing the virtual world. While, Swartz, could have encountered over 30 years in prison if convicted following his trial under US laws, in India he could have gotten away with just three years imprisonment and Rs 5 lakh fine for the same charges.

In case, any university or institute network is hacked by someone, the maximum punishment is 3 years and Rs 5 lakhs fine under Section 66, read with 43 (I). Moreover, it is a bailable offence in India, while in the US it is a non-baliable offence,” Cyber Security expert Pavan Duggal said.

According to Salman Warris, a New Delhi-based cyber law expert, the current legislations are not suffice to deal with data hacking incidents in India. “In the US and Europe there is a complete legislation dedicated to data protection, while under Indian Act there are only two provisions related to data protection.

Aaron Swartz could also have had to shell out a penalty worth millions of dollar for allegedly downloading material from JSTOR. According to a senior professor associated with a leading university,”There has been instances in the past, where the university website has been hacked into. Whatever happen to MIT could happen to any institute, said Kamalesh Bajaj, CEO of Data Security Council of India (DSCI), a Nasscom initiative.

Link: http://www.business-standard.com/india/news/indian-cyber-laws-lack-teeth-to-bite-data-hackers/204728/on

Pandora’s Box – New US Cyber Security Bills Create a Worm Hole in the Internet Galaxy

Posted on January 26, 2013December 30, 2021 by admini

US Representatives Mike Rogers (R-Mich) and Dutch Ruppersberge (D-Md) took the Cyber Intelligence Sharing and Protection Act (CISPA) to the floor last year, despite the threats that President Obama would veto the Bill on the version that it was then. “Legislation should address core critical infrastructure vulnerabilities without sacrificing the fundamental values of privacy and civil liberties for our citizens, especially at a time our Nation is facing challenges to our economic well-being and national security.”

The two Bills are controversial because on one hand, they address an important aspect of security and it is critical that countries work towards securing cyber space through having relevant legislative framework in place but what is also equally important is that considerations such as human rights provisions such as rights to privacy and other issues such as data protection rights be a part of the equation. It is also important that lawmakers remember that the foundation of freedoms and rights is also based on the notion that individuals are protected from arbitrariness otherwise there is a devolution to a Police State. Given the interdependencies of the Internet through its architecture and the series of relationships and transactions, the enforcement of US control over other states through these two Bills means that every Policy made by the global community within Multistakeholder organizations’ like Internet Corporation for Assigned Names and Numbers (ICANN) will be subject to these laws if passed.

Last year the US Government decided to return two domain names, namely Rojadirecta.com and Rojadirecta.org which it improperly seized and held in its possession for well over a year, without so much as an explanation. … The courts in the US disagreed holding that the US government did not have to return the domains and Puerto 80 appealed and then late last year the US Government mysteriously dropped the matter without an explanation.

Even if the Bills were to contain provisions to protect the privacy rights and civil liberties of Americans, there is no guarantee that the rights and protections would extend to non-Americans.

Link: http://www.circleid.com/posts/20130126_pandoras_box_new_us_cyber_security_bills_worm_hole_internet/

Federal agency issues new security rules for financial institutions

Posted on June 28, 2011December 30, 2021 by admini

The FFIEC also instructs banks and financial institutions to focus their network defense on layered security protections that involve fraud monitoring; use of dual customer authorization through different access devices; the use of out-of-band verification; and the use of “positive pay,” debit blocks and other technologies to appropriately limit the transactional use of the account. The FFIEC guidelines also tell financial institutions they must use “two elements at a minimum” as “process designed to detect anomalies and effectively respond to suspicious and anomalous activity.”

Since 2005 when the FFIEC, on behalf of other federal government agencies with regulatory oversight of banks, issued its initial guidelines, banks have moved to deploy some different types of two-factor authentication more broadly.

The new guidance is more specific, and the FFIEC says that’s because cybercrime against the banking industry and its customers is worse now. “Fraudsters have continued to develop and deploy more sophisticated, effective and malicious methods to compromise authentication mechanisms and gain unauthorized access to customer accounts,” the FFIEC says.

http://www.computerworld.com/s/article/9217999/Federal_agency_issues_new_security_rules_for_financial_institutions?source=CTWNLE_nlt_dailyam_2011-06-29

Kerry-McCain privacy bill: What you need to know

Posted on April 13, 2011December 30, 2021 by admini

If this bill becomes law, companies would have to explain why they want to collect, use and store your personal data.

The bill would forbid companies from collecting data that isn’t necessary to deliver or improve a service, or to make a transaction. If data is transferred to a third party, that party would have to sign a contract agreeing to the terms of the bill.

Last year, the Federal Trade Commission called for a “Do Not Track” list that would prevent Internet companies from following users around the Web, and all browsers would be required to offer this feature. The bill from Kerry and McCain ignores the FTC’s advice, leaving the issue of “Do Not Track” in the hands of individual Web browsers, all of which tackle the problem differently. If you discover that a company was covertly gathering your personal information and sending it to who-knows-where, you wouldn’t be allowed to take the case to court. The FTC and state attorneys general would be the only entities that could take action against a company for privacy violations.

Consumer groups that take a hard line on user privacy don’t think the Kerry-McCain bill goes far enough. … And they don’t like how the Commerce Department, which primarily promotes the interests of businesses, can make exceptions for businesses that come up with alternative privacy plans. … The consumer groups also claim that Facebook and other “social media marketers” get special treatment because they can continue to gather data without sufficient safeguards.

http://www.csoonline.com/article/679529/kerry-mccain-privacy-bill-what-you-need-to-know?source=CSONLE_nlt_update_2011-04-14

Small And Midsize Businesses Look For Ways To Cut Compliance Costs

Posted on August 12, 2010December 30, 2021 by admini

While a large company can shell out hundreds of thousands of dollars for assessment and compliance solutions, that sort of money is not in the budget of most smaller firms. Yet, even small companies may need to comply with at least one — and sometimes more — security regulations that govern the data that they store on their servers.

Medical firms need to abide by the Health Insurance Portability and Accountability Act (HIPAA). Small banks have to comply with the Gramm-Leach-Bliley Act (GLBA). And any firm holding credit-card data needs to be compliant with the Payment Card Industry (PCI) Data Security Standards.

For small and midsize businesses, perusing the PCI standards is a good first step, Corman says, because most businesses accept credit cards and because many other standards use the PCI requirements as a starting point. The first is initial design and implementation of systems to collect the data and create the reports needed to pass future audits. Because many smaller businesses do not have dedicated IT staff — never mind IT security staff — the company usually has to pay a security consultant or assessor to do this work.

The second major cost is the ongoing effort needed to collect the data necessary for compliance validation. “One client kept track of the time spent on compliance and found that, in year one, they spent 60 percent of staff time on collecting log data for reports,” he says.

Finally, SMBs must pay an auditor to verify that they are complying with regulations. Many companies look to minimize their compliance costs and go for the checkboxes, without really paying much attention to real security — even though fixing their security problems can mean avoiding a costly breach. Companies that minimize the number of systems that handle data can significantly reduce the cost of an audit as well, Corman says.

“SMBs might want one-stop shopping to save money, but it is a healthy practice to make sure that you are not getting your auditing from companies the sell products,” he says.

http://www.darkreading.com/smb-security/security/management/showArticle.jhtml?articleID=226700099

Ireland considers detailed data loss disclosure guidelines

Posted on June 10, 2010December 30, 2021 by admini

In comparison, the U.K.’s disclosure guidelines are less specific than the proposed Irish code of practice, Malcolm said. However, the U.K.’s Information Commissioner does expect organizations to report serious data breaches, he said.

In April, the U.K. Information Commissioner for the first time gained the power to fine organizations for violating the Data Protection Act. The European Union has a data breach disclosure law on the books, but it only applies to telecommunication companies.

http://news.idg.no/cw/art.cfm?id=21BB489B-1A64-6A71-CE1333F9221EF072