Category: News

These include: Leadership and High Level Objectives; Audit and Risk Management; Design and Implementation; Systems Acquisition; Operational Management; IT Staff Management and Outsourcing; Records Management; Technical Security; Physical Security; Systems Continuity; Monitoring, Measurement and Reporting; and Privacy.

Each IT Impact Zone features: IT control objectives mapped to over 60 standards and regulations; query functionality to identify what types of control objectives are required for multiple sets of regulations and standards; foundation-building webinars; original articles, related news, and white papers; and information on leading technologies.

http://www.compliancepipeline.com/showArticle.jhtml?articleID=165701740

The Domain Keys Identified Mail (DKIM) specification is the combination of two related, competing, technologies: Yahoo’s Domain Keys and Cisco’s Identified Internet Mail (IIM).

While the two technologies are similar in concept in that they both use signature-based public key technology to authenticate e-mails, they had some hurdles to overcome before they could be merged.

Talks to get the specification approved as an Internet standard stalled last year in a working group following concerns over Microsoft’s licensing of the technology and the patents found in the technology.

Both Yahoo and Cisco had intellectual property rights attached to their individual technologies, though officials were unavailable at press time to say whether they remain in the combined technology.

It’s also uncertain what type of license will be attached to the technology, though Crocker said Yahoo has been working to make sure the license is compatible with the open source community.

http://www.internetnews.com/bus-news/article.php/3519066

Arlen Specter (R-Pa.), the chairman of the Judiciary Committee, and that committee’s ranking member, Sen. Patrick Leahy (D-Vt.) rolled out the most aggressive bill yet in reaction to the wave of security gaffes that have exposed millions of Americans’ identities since the first of the year.

Among its provisions, the Personal Data Privacy and Security Act of 2005 would create a new computer crime classification — aggravated fraud — that would add two years of additional jail time for obtaining or access another’s digital ID; severely restrict the use of Social Security numbers as account identifiers or numbers; and hold company executives responsible if they hide a data breach.

Both Leahy and Specter predicted quick passage of the bill, which is the first to sport a Republican as sponsor.

Several other bills that take on the data exposure problem have come from several prominent Democrats, including Dianne Feinstein (D-Calif.) and Charles Schumer (D-N.Y.).

— Add new penalties to the books by extending computer fraud to cover unauthorized access of data brokers’ systems (the statute already covers financial institutions and credit card issuers), meaning that criminals could face up to 10 years in jail; giving the government the power to invoke racketeering charges using the RICO statue to prosecute criminal gangs trading in identities; and putting company officials in prison for up to 5 years if they conceal a data breach.

— Enact a bevy of new regulations that cover “data brokers,” defined as business or non-profits “in the practice of collecting, transmitting, or otherwise providing personally identifiable information on a nationwide basis on more than 5,000 individuals.”

Among the regulations: data brokers would have to allow consumers the chance to change their information, and as with a credit report, receive a copy of that information at their request.

— Require businesses not already covered by the Gramm-Leach-Bliley Act or HIPPA (Health Insurance Portability and Accountability Act of 1996) to create a data privacy and security program.

That part of the Leahy-Specter bill also expands disclosure rules nationwide, and mandates that customers be informed of any security breach involving more than 10,000 people, or that revolved around a database with more than a million entries. And forces the General Services Administration (GSA) to review government contractors’ the privacy and security programs before awarding contracts.

http://www.techweb.com/wire/security/164904367

The scandal has shaken India’s booming outsourcing industry, which provides telemarketing services, call center operations, payroll accounting, and credit card processing for hundreds of Western companies.

The government’s actions follow a report last week by a British newspaper that an Indian call center employee allegedly supplied details on the Britons’ bank accounts, credit cards, passports and drivers’ licenses to an undercover reporter for the Sun newspaper.

Karan Bahree was sacked from his job at Web designer Infinity eSearch on Saturday after the tabloid said it paid Bahree 3 pounds (US$5.40; euro4.20) for each person’s details, which included phone numbers, addresses, and pass codes.

NASSCOM said it is building a central database of all outsourcing industry employees to prevent criminals from getting jobs in the sector and threatening the data security of global companies.

http://www.securitypipeline.com/164903890

All major agencies are required to submit implementation plans to the White House Office of Management and Budget that describe how they intend to meet the smart-card requirements outlined in Federal Information Processing Standard 201. The cards must support two-factor authentication via digital certificates, a password or personal identification number, and biometric identifiers.

The effort required for most agencies to conform to the mandates makes meeting the two October deadlines “very challenging,” said John Moore, chairman of the Federal Smart Card Project Managers Group and director of the Office of Governmentwide Policy at the General Services Administration in Washington.

Because the Personal Identity Verification (PIV) cards will control access to both physical and IT assets, IT departments within agencies have to work with their counterparts on the physical security side, as well as with badging and access-control staffers and human resources personnel, Moore said. The specification is designed to make the smart cards more interoperable than existing ones, said Curt Barker, NIST’s FIPS-201 program manager.

For instance, the U.S. Department of Defense has rolled out more than 4 million of the previous-generation cards. Although Barker said the transition is intended to be “evolutionary,” he noted that agencies such as the DOD could find things “a bit more complex” than agencies that are implementing smart-card technology for the first time.

Some of the technical details of the smart cards themselves are still in draft form, said Neville Pattison, director of technology and government affairs at Axalto Inc., a smart-card manufacturer in Austin. Large-scale manufacturing of PIV cards is unlikely to happen before the second half of next year, said Pattison, who was on a team that acted as a liaison between agencies and technology vendors.

http://www.computerworld.com/securitytopics/security/story/0,10801,102778,00.html

One of several seminars being featured during Ziff Davis Internet’s SMB (small and midsize business) Solutions Virtual Tradeshow, a hot-button virtual panel titled “Security Priorities: Getting the Most Protection for Your Dollar” featured three presenters.

Each presenter examined different aspects of the SMB security issue, along with polls and a question-and-answer interactive box for participants to type in questions relating to the topic.

The first speaker, Michael Grieves, consulting partner for channel strategies firm Core Strategies and director of research of the MIS department at the University of Arizona, said that because smaller businesses don’t have the resources of their larger brethren, members of such organizations “have got to go look in the mirror” to find somebody to handle their security needs, adding that it is a fairly lonely proposition. Grieves went on to present a set of what he called “realistic security steps” that SMBs can use to protect themselves and to sense and respond to incidences without needing the sorts of resources to which larger enterprises have access. According to Grieves, these four steps are making IT security a priority; taking obvious steps such as keeping systems up-to-date and implementing virus protection; being paranoid about security; and developing an emergency plan of action before any emergencies arise.

John Norman, a systems engineer at Advanced Systems Group, focused on sensible security strategies for SMBs, said that perhaps the biggest problem SMBs face in developing a security strategy is one of prioritization. In determining these priorities, Norman noted that it may not be feasible to protect some of a company’s assets and to weigh security costs against the time, money and convenience required.

SMBs may need to hire consultants to obtain expertise and outsource such services as regular audits and firewall maintenance, he said.

Meanwhile, Forrester Research analyst Paul Stamp discussed data his group has collected about the importance of security among SMBs. According to Stamp, about 28 percent of North American SMBs spend between 2 percent and 4 percent of their budgets on IT security, while another 28 percent spent less than 2 percent. In addition, about 12 percent of decision-makers for the SMBs Stamp surveyed “didn’t know” how much their companies spent on security.

http://www.eweek.com/article2/0,1759,1830641,00.asp?kc=EWRSS03119TX1K0000594