[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.]
And so, now the news
* 4 must read major mid-year cyber security reports
* Game of Thrones can teach valuable security lessons
* Meet the chaps who run the Black Hat NoC and let malware roam free
* Malware found in 75% of top 20 commercial banks in the US, says SecurityScorecard
4 must read major mid-year cyber security reports
1) Midyear Cybersecurity Report (Cisco)
2) 1H 2016 Shadow Data Threat Report (Blue Coat)
3) PandaLabs Report Q2 2016 (Panda Security)
4) Cybersecurity Education Efforts Yielding Results (Palo Alto Networks)
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8a87f9fc9f&e=20056c7556
Game of Thrones can teach valuable security lessons
With new hacking techniques, malware, viruses and threats being created faster than Melisandre’s demon babies, the web is indeed dark and full of terrors.
Here are seven lessons for security managers pulled straight out of Westeros.
1. Small things can become huge problems
Nobody took the dragons or dire wolves seriously in the beginning of Game of Thrones, but by season 3 they were capable of wreaking havoc and wiping out armies.
Small issues can grow into serious complications if left unchecked.
2. Faceless men are everywhere
Much like the faceless assassins of the House of Black and White, who approach their victims anonymously through seemingly friendly interactions (Season 5 Episode 2), cybercriminals make a common practice of seeking out and learning everything they can about a target before phishing for their information.
A skilled, more often than not lone, hacker will often use their talents to breach the gates of companies and corporations alike simply to retrieve information for the sake of having access to it; networks of cybercriminals, or a particularly malicious individual, will break into a network with the intent of interference, surveillance, counter-surveillance and cyberlaundering, with the overall goal of bringing a company to its knees.
3. Walls of fire don’t always help
Modern firewalls are complex and take months to become familiar with, but even the most complex firewall is only software and by its very nature has defects.
Unidirectional gateways block attacks from untrusted networks no matter what their IP address is, but without them, it’s easy to bypass firewalls with forged IP addresses, especially if someone has access to the same LAN segment as the network they’re trying to breach.
4. Keeping your friends far and your enemies farther
As seen on Game of Thrones, where Lord “Littlefinger” Baelish and Varys “The Spider” use their networks of informants (“little birds”) to grasp and grip in the power struggle between kingdoms, even the weakest link can bring down kings, or at the very least contribute to their fall.
5. The dead can come back to haunt you
Many small businesses, midsize companies and even large corporations assume that once the hard drives on their computer systems are wiped, they can sell the computers or throw them away without worry, but as we’ve learned from Game Of Thrones, dead doesn’t always mean dead.
Some ATA, IDE and SATA hard drive designs have supported the ATA Secure Erase standard since the dawn of the 21st century.
But research in 2011 found that four out of eight manufacturers did not implement ATA Secure Erase correctly.
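The practical lesson of “dead doesn’t always mean dead” is to verify the erase rather than trust the drive’s report. The following is an added example, not code from the article or from the 2011 research it cites: it reads a block device image sequentially and flags any block that is not a uniform wipe pattern, plus a surviving MBR boot signature. The wipe patterns (all 0x00 or all 0xFF), the 4 KiB block size and the two tiny sample images it builds are assumptions chosen for illustration; on a real drive you would point `scan_image` at the device node after the erase completes.

```python
"""Post-erase verification: scan a block device image for residual data.

Added example (not from the article). After an ATA Secure Erase or an
overwrite, read the whole device (or an image of it) back and confirm
every block holds only the expected wipe pattern. Exercised here on small
constructed image files so it runs offline.
"""
import os
import tempfile

BLOCK_SIZE = 4096  # assumption: scan granularity, not tied to any drive
# Patterns a correct erase should leave behind: all-zero, or all-0xFF on
# flash devices that erase to ones (assumption for this example).
WIPE_PATTERNS = (b"\x00", b"\xff")


def block_is_wiped(chunk: bytes) -> bool:
    """True if the block consists of a single repeated wipe byte."""
    return any(chunk == pat * len(chunk) for pat in WIPE_PATTERNS)


def has_mbr_signature(first_block: bytes) -> bool:
    """A surviving 0x55AA at offset 510 means the old partition table is intact."""
    return len(first_block) >= 512 and first_block[510:512] == b"\x55\xaa"


def scan_image(path: str, block_size: int = BLOCK_SIZE) -> dict:
    """Read the image sequentially and report residual (non-wiped) blocks."""
    total = residual = 0
    first_residual = None
    mbr_intact = False
    with open(path, "rb") as fh:
        offset = 0
        while True:
            chunk = fh.read(block_size)
            if not chunk:
                break
            if offset == 0:
                mbr_intact = has_mbr_signature(chunk)
            if not block_is_wiped(chunk):
                residual += 1
                if first_residual is None:
                    first_residual = offset
            total += 1
            offset += len(chunk)
    return {
        "blocks": total,
        "residual_blocks": residual,
        "first_residual_offset": first_residual,
        "mbr_signature_present": mbr_intact,
        "verified_wiped": residual == 0 and not mbr_intact,
    }


def make_sample_images(directory: str, size_blocks: int = 64) -> tuple:
    """Constructed test data: one correctly wiped image, one with leftovers."""
    clean = os.path.join(directory, "clean.img")
    dirty = os.path.join(directory, "dirty.img")
    size = size_blocks * BLOCK_SIZE
    with open(clean, "wb") as fh:
        fh.write(b"\x00" * size)
    data = bytearray(size)
    # Simulate firmware that reported success but left the partition table
    # signature and a file fragment in place (constructed, not real data).
    data[510:512] = b"\x55\xaa"
    fragment = b"CONFIDENTIAL: customer card numbers follow"
    data[10 * BLOCK_SIZE:10 * BLOCK_SIZE + len(fragment)] = fragment
    with open(dirty, "wb") as fh:
        fh.write(bytes(data))
    return clean, dirty


def demo() -> dict:
    """Build both sample images in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, dirty = make_sample_images(tmp)
        return {"clean": scan_image(clean), "dirty": scan_image(dirty)}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

The scan is deliberately a full sequential read rather than sampling: the 2011 finding was that some firmware left data behind in places a spot check would miss, so the verification step has to cover every block.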
6. The iron price
The biggest issue among leading information security experts is a lack of understanding of cloud-based security.
The vast majority of web-based companies put more of their financial resources into security software than they put into hardware and the people working for them.
A trend among elite web-based companies in big data is hybrid storage: private cloud storage, hyperscale compute storage and centralized storage, all of which combine yesterday’s technology with the technology of tomorrow.
The value of data continues to rise, while the value of human beings with access and control of data has remained stagnant.
7. The Old Gods, Or The New Gods
In Game of Thrones, there are many different religions and gods the inhabitants of Westeros and the seven kingdoms pray to, and everyone seems certain that their deities are the greatest, but who can we turn to for protection in the real world?
From mom and pop small businesses to corporate giants, with each new advance in information technology, new threats arise.
From mobile applications to quantum computing, security must develop and adapt in order to cope with the changing times, but how can cloud-based security storage handle the massive amounts of data captured without corruption or interference?
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9f43aa445c&e=20056c7556
Meet the chaps who run the Black Hat NoC and let malware roam free
Black Hat: Neil Wyler and Bart Stump are responsible for managing what is probably the world’s most-attacked wireless network.
Wyler, better known as Grifter (@grifter801), heads the network operations centre (NoC) at Black Hat, an event he has loved since he was 12 years old. “I literally grew up among the community,” he says.
Bart (@stumper55) shares the job.
Wyler’s day job is working for RSA’s incident response team while Stump is an engineer with Optiv, but their Black Hat and DEF CON experience trumps their professional status.
Wyler has worked with Black Hat for 14 years and DEF CON for 17 years, while Stump has chalked up nine years with both hacker meets.
Some 23 network and security types represent the network operations centre (NoC) and are responsible for policing the Black Hat network they help create.
Come August each member loosens the strict defensive mindset they uphold in their day jobs as system administrators and security defenders to let the partying hackers launch all but the nastiest attacks over their network.
The NoC operators at Black Hat and DEF CON need to check their defensive reflexes at the door in part to allow a user base consisting almost entirely of hackers to pull pranks and spar, and in part to allow presenters to legitimately demonstrate the black arts of malware.
Black Hat’s NoC started as an effective but hacked-together effort by a group of friends just ahead of the conference.
Think Security Onion, intrusion detection running on Kali, and OpenBSD boxes.
Now they have brought on security and network muscle, some recruited from a cruise through the expo floor, including two one-gigabit pipes from CenturyLink, each running at about 600Mbps. “We were used to being a group of friends hanging out where a lot of stuff happened on site, and now we’ve brought in outsiders,” Stump says.
Ruckus Wireless, Fortinet, RSA and CenturyLink are now some of the vendors that help cater to Black Hat’s more than 70 independent networks. “It’s shenanigans,” Wyler says. “But we love it.”
The pair do not and cannot work on the DEF CON networks since they are still being built during Black Hat, but they volunteer nonetheless leading and helping out with events, parties, and demo labs.
“I feel a responsibility to give back to the community which feeds me,” Wyler says. “That’s why we put in the late nights.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6303b247bb&e=20056c7556
Malware found in 75% of top 20 commercial banks in the US, says SecurityScorecard
Several malware families, including Ponyloader, Vertexnext and Keybase were detected among many of the top 20 banks. “Over 422 malware events over the past year were detected in just one of the commercial banks.
A total of 788 malware events were detected in all 20 commercial banks over the past 365 days,” SecurityScorecard said in its report.
The report also disclosed that financial organisations across the world suffered from 22 “major publicly disclosed data breaches” over 2015-2016. “This is an issue that is becoming more and more common since the massive 2012 LinkedIn data breach recently surfaced again, where over 100 million user accounts and passwords were leaked,” the firm said.
Cybercriminals are taking advantage of the scores of leaked data, in efforts to compromise systems.
Researchers found that a majority of the US’s top financial institutions have been using insecure email service providers (ESPs), leaving many at risk of spam email campaigns and other targeted cyberattacks.
Coincidentally, the firm’s report also detailed that most financial institutions were found to be running on outdated operating systems.
Given that cybercriminals are wont to constantly test networks to identify and exploit vulnerabilities, it is imperative that organisations be vigilant in updating their security systems.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c2ab132ac3&e=20056c7556
* Best practices in cyber vulnerability assessment
* Are Healthcare CISOs Suffering from Cybersecurity Solution Fatigue? An Expert Probes Some of the Issues
* Will Faster Payments Mean Faster Fraud?
* Accenture : Data theft, malware infection big threat to digital businesses
* Ponemon Institute: External Cyber Attacks Cost Enterprises $3.5M/year, 79% of Businesses Lack Comprehensive Strategies to Manage these Risks
* 2016 Malware Levels Now Stand at Nearly Four Times 2015 Totals
* Twitter Hacking and Social Media’s Risk to Executive Security
* Beyond Data: Why CISOs Must Pay Attention To Physical Security
* $2.7 Million HIPAA Penalty for Two Smaller Breaches
* Using compliance as a tool for change
* In the Breach War, File Protection Is Just as Important as Data
* Data security and breach notification in Finland
* ISO compliance in the cloud: Why should you care, and what do you need to know?
* Federal Privacy Commissioner Provides Submission on New Data Breach Notification and Reporting Regulations
* Breach notification reporting can be complicated without proper skills, tools
* Banks must do better on cyber security: KPMG
* Australia gets one-quarter of a minister for national infosec
* The Case for Continuous Security Monitoring
* Arbor Networks Releases Global DDoS Attack Data for 1H 2016
* 5 Best Practices for Outsourcing Cybersecurity
* Most CISOs and CIOs need better resources to mitigate threats
Best practices in cyber vulnerability assessment
Here are the best practices for cyber vulnerability assessment.
First and foremost you should have a very clear understanding of why you need a cyber vulnerability assessment.
Research other companies in your industry.
To know exactly which parts of your business structure need an assessment, you need to research your company’s processes with a focus on the systems that are critical to keeping your business running.
Once you’ve identified the systems that need an assessment, you should rank them according to both their importance to your overall business model and to the sensitivity of the information they contain.
Now that you know exactly which systems and software need an assessment and how they rank in terms of priority, you should make sure you’re aware of the security systems you already have in place.
If you’ve completely mapped out both your vulnerabilities and your already-in-place security, and your inter-departmental security task force is in agreement on what’s needed, you’re ready to perform your vulnerability scans.
If you did your homework on what you needed to assess and also on the vulnerability assessment tool you chose, then you should fully trust the results of your cyber vulnerability assessment and act on them.
Don’t wait.
Don’t second guess.
The assessment will produce recommendations for remediation that you should act on right now.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a19272caae&e=20056c7556
Are Healthcare CISOs Suffering from Cybersecurity Solution Fatigue? An Expert Probes Some of the Issues
A recent Institute for Critical Infrastructure Technology report provided some intriguing thoughts about the pressure facing chief information security officers (CISOs) to keep their organizations secure and how they are combating information and vendor solution overload.
In a recent report, James Scott, a senior fellow at the Institute for Critical Infrastructure Technology (ICIT), a Washington, D.C.-based cybersecurity think tank, points out that a well-informed CISO can improve the engagement of the C-suite and improve the cyber posture of the organization.
“Due to the plague of APTs, malware, ransomware and other malicious initiatives by invisible adversaries, few C-level executive positions are as critical as the CISO,” Scott writes.
While the report offers a cross-industry perspective of the CISO role and the challenge of vendor solution overload, the report author does spend moments focusing on healthcare organizations, specifically in a section detailing how CISOs can assess the return on investment of cybersecurity solutions.
The report provides an interesting perspective about the need for CISOs to ignore the hype surrounding “silver bullet” solutions in order find the most effective cybersecurity solutions and strategies for their particular organizations, but at the same time, the report author also highlights the part that the vendor community plays in this problem.
“In many cases, CISOs operate under the unrealistic expectation that they should be able to prevent every breach with a finite budget.
They are expected to have enough technical expertise to develop a strategy to protect the business and enough business acumen to convince the board to adopt that strategy because it aligns with the goals of the organization,” he writes.
And, he asserts that modern CISOs tend to function more as Chief Information Risk Officers, managing the risk to data and technology.
According to the ICIT report, there is rapid burnout among CISOs, as the average turnover rate is 17 months.
“Vendor attempts to offer silver bullet solutions undermine the community at large and poisons the vendor-customer relationship.
The culture promoting these inadequate solutions distracts CISOs, technical personnel and solution developers from the risks and threats in the threat landscape and it distracts them from designing the right solutions to address the market needs.”
In the report, the author offers strategic recommendations for calculating a cybersecurity solution’s ROI and uses a healthcare organization as an example.
The ROI of security solutions can be equated to the fiscal component of the impact that the organization would assume if an adversary exploited the vulnerability that the solution addresses, the author writes.
The report concludes with statistics sourced from the Economist Intelligence Unit that indicate proactive CISO-led strategies can cut the success rate of cyber-breaches by more than 50 percent, hacking successes by 60 percent and ransomware infections by 47 percent.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fe69128874&e=20056c7556
Will Faster Payments Mean Faster Fraud?
Crowe contends that to ensure global payments interoperability, faster payments are a necessity.
The U.S. will soon be at a competitive disadvantage if it does not enable faster payments, she argues.
Parry says the most fundamental risk to payments is poor identity management.
And it’s a legitimate concern.
After all, poor identity management apparently enabled hackers to steal $81 million from the central bank of Bangladesh in February, as part of a fraudulent transaction that was approved by the Federal Reserve Bank of New York.
And in a real-time or near-real-time environment, once the money is gone, it’s gone.
Unlike in the United Kingdom, Australia and other economically advanced parts of the world, faster payments are not the norm in the U.S.
Crowe declined to touch the interchange issue. “Cost is not the No. 1 worry for the Fed when it comes to faster payments,” she noted during the summit.
The top concern, she says, is “a faster process that is still secure for business.”
The Secure Payments Task Force’s goals differ from the goals of the Faster Payments Task Force.
And the Secure Payments Task Force has identified four areas that must be addressed to ensure the ongoing security of the payments system in the U.S. going forward.
Faster payments will be part of that, but not all.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c34b643a3f&e=20056c7556
Accenture : Data theft, malware infection big threat to digital businesses
The new report from Accenture and HfS Research says that 69 percent of respondents experienced an attempted or successful theft or corruption of data by insiders during the prior 12 months, with media and technology organizations reporting the highest rate (77 percent).
This insider risk will continue to be an issue, with security professionals’ concerns over insider theft of corporate information alone rising by nearly two-thirds over the coming 12 to 18 months.
The survey, “The State of Cyber Security and Digital Trust 2016”, was conducted by HfS Research on behalf of Accenture.
More than 200 C-level security executives and other IT professionals were polled across a range of geographies and vertical industry sectors.
The survey examined the current and future state of cyber security within the enterprise and the recommended steps to enable digital trust throughout the extended ecosystem.
The findings indicate that there are significant gaps between talent supply and demand, a disconnect between security teams and management expectations, and considerable disparity between budget needs and actual budget realities.
Despite having advanced technology solutions, nearly half of all respondents (48 percent) indicate they are either strongly or critically concerned about insider data theft and malware infections (42 percent) in the next 12 to 18 months.
When asked about current funding and staffing levels, some 42 percent of respondents said they need more budget for hiring cyber security professionals and for training.
More than half (54 percent) of respondents also indicated that their current employees are underprepared to prevent security breaches and the numbers are only slightly better when it comes to detecting (47 percent) and responding (45 percent) to incidents.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fcb5b1afbf&e=20056c7556
Ponemon Institute: External Cyber Attacks Cost Enterprises $3.5M/year, 79% of Businesses Lack Comprehensive Strategies to Manage these Risks
TORONTO–(BUSINESS WIRE)–Despite acute awareness of the millions of dollars in annual costs, and the business risks posed by external internet threats, security leaders highlight the lack of staff expertise and technology as a key reason that these attacks are unchecked, according to results from a new Ponemon Institute study sponsored by BrandProtect.
Seventy-nine percent of the IT and IT security practitioners polled indicated their defensive infrastructure to identify and mitigate those threats is either non-existent, ad hoc or inconsistently applied throughout the enterprise.
The findings reveal that the companies represented in this research averaged more than one cyber attack per month and incurred annual costs of approximately $3.5 million because of these attacks.
The report “Security Beyond the Traditional Perimeter,” sponsored by internet risk detection and mitigation expert BrandProtect, examined the threats, costs and responses of companies to external internet cyber attacks.
These threats include executive impersonations, social engineering exploits, and branded attacks arising outside a company’s traditional security perimeter.
Security professionals cited an acute need for expertise, technology, and external services to address their growing concerns about these external threats.
Some of the key findings include:
– Fifty-nine percent of respondents say the protection of intellectual property from external threats is essential or very important to the sustainability of their companies.
– External internet attacks are frequent and the financial costs of these attacks are significant.
Respondents in this study report they experienced an average of 32 material cyber attacks or slightly more than one per month, costing their companies an average $3.5 million annually.
– Seventy-nine percent of respondents described their security processes for internet and social media monitoring as non-existent (38 percent), ad hoc (23 percent) or inconsistently applied throughout the enterprise (18 percent).
– Sixty-four percent of security leaders (directors or higher) feel that they lack the tools and resources they need to monitor, sixty-two percent lack the tools and resources they need to analyze and understand, and sixty-eight percent lack the tools and resources they need to mitigate external threats.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4992b9622e&e=20056c7556
2016 Malware Levels Now Stand at Nearly Four Times 2015 Totals
GULF BREEZE, Fla., July 19, 2016 (GLOBE NEWSWIRE) — via PRWEB – Necurs is back with a vengeance, according to the security research team at AppRiver.
In its Q2 Global Security Report, the company notes that the infamous botnet’s return was one of the major reasons behind the escalation in malware activity–which clocked in at 4.2 billion malicious emails and 3.35 billion spam emails between April 1, 2016, and June 30, 2016.
For the first time, the report also includes metrics from Web-borne threats, reporting an average of 43 million unique threats daily throughout the second quarter.
AppRiver’s security analyst team quarantined 4.2 billion emails containing malware in Q2, pointing to a continued increase in malware traffic this year and resulting in total of 6.6 billion emails quarantined during the first half of 2016.
For comparison, analysts observed 1.7 billion emails containing malware during all of 2015.
Ransomware levels, as predicted in the Q1 Global Security Report, have increased this quarter–and arguably pose the greatest threat to netizens.
AppRiver’s security researchers predict that the massive volume of malware isn’t likely to subside anytime soon.
With the likes of Locky and Zepto kidnapping users’ files until they pay a ransom, malware–especially ransomware–has become a business of its own.
The popular channels that malware, including ransomware, travels through include obfuscated JavaScript, malicious macros, and OLE (Object Linking and Embedding) objects.
Fifty-five percent of spam and malware traffic originated in North America, with Europe coming in second place.
Additionally, AppRiver’s SecureSurf™ Web filtering detected a spike in phishing attempts in June.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=93b63e3083&e=20056c7556
Twitter Hacking and Social Media’s Risk to Executive Security
The use of social media as a means for targeting victims – whether through phishing or social engineering scams – is nothing new.
However, in the past month or so we’ve seen a new trend in threat actors’ tactics: hacking high-profile executives’ social media accounts with the purpose of publishing embarrassing and controversial posts.
This was recently seen in the Twitter hacks of Twitter co-founder Jack Dorsey, Yahoo CEO Marissa Mayer, Google CEO Sundar Pichai, and Oculus CEO Brendan Iribe.
Executives can do a number of things to help minimize the risk of exploitation, including:
– Invest in a Monitoring Service
– Use Multi-Factor Authentication
– Remove Geo-Location Data
– Limit Personal Information Disclosure
– Verify Online Content
– Do Not Reuse Passwords
– Create Official and Verified Accounts
– Use Separate Accounts
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=eb5a66c1c9&e=20056c7556
Beyond Data: Why CISOs Must Pay Attention To Physical Security
IT and InfoSec tend to think in terms of networks, endpoints and outside attacks, but they risk missing the big picture if they think of vulnerabilities and threats only in terms of wider internet threats.
IT departments often consider the security of a physical building as a separate domain, but it is becoming increasingly difficult to delineate physical security from data security.
Technology professionals need to get back to basics.
While it’s important to focus on vulnerability mitigation, the Open Systems Interconnection (OSI) model begins with the physical layer.
Security must be considered at every step, even when no networked communication is taking place.
Despite a rapidly evolving cybersecurity landscape, malicious actors possess only a limited number of physical entry points, and IT departments must ensure reasonable precautions are taken to deny unauthorized access.
Organizations should establish multiple lines of physical defense (mirroring best practices for data security), placing several obstacles in the path of an intruder.
By unifying both physical and data security, IT departments are better equipped to defend against the multi-front attacks that threaten organizations today.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a0202a27b7&e=20056c7556
$2.7 Million HIPAA Penalty for Two Smaller Breaches
In the wake of two 2013 breaches that affected a total of 7,066 individuals, Oregon Health & Science University says it will pay $2.7 million in a HIPAA settlement with federal regulators that includes a three-year corrective action plan.
The first incident, which impacted 4,022 individuals, involved an unencrypted laptop that was stolen from a surgeon’s vacation rental home in Hawaii in February 2013 (see Stolen Laptops Lead Breach Roundup).
The second 2013 breach, which affected 3,044 individuals, involved OHSU’s use of a cloud-based storage service without a business associate agreement, OHSU says.
So far in 2016, two other HIPAA settlements also focused on the absence of business associate agreements.
Those include a $1.55 million settlement in March with North Memorial Health Care and a $750,000 settlement in April with Raleigh Orthopaedic Clinic, P.A. of North Carolina.
Also, since 2008, OCR has issued several resolution agreements with covered entities related to breach investigations stemming from the theft or loss of unencrypted mobile computing devices and storage media.
One of the largest such settlements was a $1.7 million OCR resolution agreement with Alaska Department of Health and Human Services in 2012 over a 2009 breach involving a stolen USB drive containing protected health information of only 501 people.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1b3c088253&e=20056c7556
Using compliance as a tool for change
One of my guiding principles is that compliance does not equal security.
Compliance isn’t a true representation of how well companies use security to protect themselves.
It can be little more than checking all the boxes and telling the auditors what they want to hear.
After all, many compromised banks were PCI-compliant, and several breached healthcare organizations were compliant with HIPAA.
Using compliance shortfalls to upgrade our security practices isn’t unusual.
Last year, I was able to use compliance to justify several initiatives, including signing up for a service and buying associated tools that will allow us to establish baseline security configurations for technology assets such as Linux, Windows, Apache, Oracle and firewalls.
And relying on findings from our PCI audit related to encryption, I was able to deploy Bitlocker for Windows PCs and File Vault for Apple Macs.
PCI regulations state that all credit card information that is stored must be encrypted, and such information can show up anywhere in our company, since many of our employees assist customers, who often provide credit card and other sensitive data even though we advise against it.
So now we’re enforcing encryption for 100% of our company-owned PCs.
Such widespread use of encryption has a beneficial side effect, since many states now provide a “safe harbor,” meaning that a company that has been breached might not have to notify customers and provide breach remediation services if all the data involved was encrypted.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5a965f2d97&e=20056c7556
In the Breach War, File Protection Is Just as Important as Data
Earlier this year, the Federal Deposit Insurance Corp. (FDIC) narrowly avoided disaster when sensitive information for 44,000 agency customers was stored without proper security measures…on a personal storage device.
In what was coined an ‘inadvertent data breach,’ a former staffer left the agency with the device, and lucky for the FDIC, returned it without incident three days later.
Not all financial services organizations or payment companies would fare so well.
According to the 2015 State of File Collaboration Security report by Enterprise Management Associates, 75% of IT and infosec professionals at mid-tier enterprises expressed a high or very high level of concern about sensitive, regulated or confidential data leakage due to inappropriate file sharing or unauthorized access.
Fully half said there were frequent instances of inappropriately shared documents or unauthorized access to files containing sensitive, confidential, or regulated information.
A whopping 84% had a moderate or total lack of confidence in their organization’s file security monitoring, reporting and policy enforcement capabilities.
Emerging file security solutions aimed at reducing file mishandling and collaboration data leakage risks address this gap with strong file encryption and usage controls that, once applied, persist for the life of the file, including after it traverses to various networks, recipients and devices.
Past information rights management (IRM) solutions were costly, often tied to specific applications or required specific infrastructure to function, and were cumbersome for IT and departmental users alike to use and manage.
While these IRM solutions worked internally, they were especially challenging to enforce for users outside the organization.
New technology solutions enable very granular controls over who can access files, under what conditions and what they can do with them.
Users can easily apply required controls on file viewing, editing, saving, printing, and watermarking that persist for the life of the file.
More so, the file owner can change the file security policy dynamically and even remotely delete files after they have been shared.
These security policy controls are enforced wherever the file goes and every time the sensitive file is opened.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0c5cd2f422&e=20056c7556
Data security and breach notification in Finland
Finland has no general data security law and no specific security obligations.
The Personal Data Act includes a general obligation requiring the controller to carry out technical and organisational measures which are necessary to secure personal data against:
In general, the data security obligations set out by Finnish law are technology neutral (ie, they do not define technical or organisational measures specifically).
No general obligation to notify individuals of data breaches exists.
Sector-specific obligations to notify individuals apply to telecoms operators, as set out in the Information Society Code.
No general obligation to notify the regulator of data breaches exists.
Sector-specific obligations to notify the Finnish Communications Regulatory Authority of data breaches apply to telecoms operators, as set out in the Information Society Code.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=99ed6bd3e1&e=20056c7556
ISO compliance in the cloud: Why should you care, and what do you need to know?
ISO 27001 is a widely adopted global security standard and framework that sets out requiremen