Category: Regulations

The bill addresses a perceived shortcoming of FISMA, which promoted a checkbox mindset in the federal government, where grading agencies on the security items they can check off a list to impress auditors seemed more important than monitoring systems continuously to determine if they’re secure.

Absent from the Federal Information Security Amendments Act are provisions that would grant the Department of Homeland Security increased authority to oversee federal civilian agencies in the implementation of information security. The Obama administration, backed mostly by Senate Democrats, has ceded some of the Office of Management and Budget oversight of government IT security to DHS, and the Cybersecurity Act of 2012 would have codified that. Distrust exists among some lawmakers about giving that kind of authority to DHS, and contention last year over Homeland Security’s role in governing IT among civilian agencies is one (but not the only) reason the Cybersecurity Act never came up for a vote.

Under the Cybersecurity Enhancement Act, approved 402-16, the National Science Foundation, National Institute of Standards and Technology and other key federal agencies would develop and implement a strategic plan for federal cybersecurity research and development. NIST would be required to have a specific focus on the security of the industrial control systems that run critical infrastructure, such as the power grid, and identity management systems that protect private information.

Link: http://www.govinfosecurity.com/fisma-reform-passes-house-on-416-0-vote-a-5694?rf=2013-04-19-eb&elq=5a344ab33c544dcaa0986c8c9693692a&elqCampaignId=6502

“This is huge,” said Stewart Room, partner at FFW, because the directive recognises that anything on the web that permits anyone to sell anything, offer information or engage with the rest of the world requires as much regulation as a telecommunications company.

This is the logical next step of an EU directive introduced in 2009 that required telcos and internet service providers not only to report all breaches of personal data, but also introduced a separate legal obligation to report all other data breaches in the interests of cyber security.

The important thing to note is that the proposed directive introduces the idea of a “market operator” which currently covers not only providers of information society services and critical infrastructure, but also organisations that fall into six broad categories.

In addition to the obvious large firms like Amazon, iTunes, PayPal, Google, LinkedIn and Facebook, the proposed directive will affect a whole range of other smaller organisations, potentially even down to the level of small family-owned businesses, said Room.

Theoretically, this will have the positive effect of improving the security and resilience of all networks and information systems, but this is a classic case of having to “be careful what you wish for,” he said, because the cost implications for businesses large and small could be enormous.

Whether or not the cyber threat is as bad as the EU, US and security technology suppliers are making it out to be, network and information system security will be the cost of doing business in a cyber-enabled world as old business models fade away and slip into history.

Not every company is as rich as Google, Facebook and the like, and this proposed directive will not only affect those big companies, much smaller ones will be covered too “The big problem is not every company is as rich as Google, Facebook and the like, and this proposed directive will not only affect those big companies, much smaller ones will be covered too,” said Room.

Link: http://www.computerweekly.com/news/2240178256/How-will-EU-cybersecurity-directive-affect-business?utm_medium=EM&asrc=EM_ERU_20700092&utm_campaign=20130220_ERU%20Transmission%20for%2002/20/2013%20(UserUniverse:%20635379)_myka-reports@techtarget.com&utm_source=ERU&src=5109056

Announcing the changes, Ms Kroes said: “Europe needs resilient networks and systems and failing to act would would impose significant costs on consumers, businesses and society.”

According to the EU, only one in four European companies has a regularly-reviewed, formal ICT security policy.

A recent study by accountants PwC suggested that three quarters of UK small businesses, and 93% of large ones, had recently suffered a cybersecurity breach.

Link: http://www.bbc.co.uk/news/technology-21366366

The death of web-freedom activist Aaron Swartz, has once again turned the limelight on the Cyber security issues and laws governing the virtual world. While, Swartz, could have encountered over 30 years in prison if convicted following his trial under US laws, in India he could have gotten away with just three years imprisonment and Rs 5 lakh fine for the same charges.

In case, any university or institute network is hacked by someone, the maximum punishment is 3 years and Rs 5 lakhs fine under Section 66, read with 43 (I). Moreover, it is a bailable offence in India, while in the US it is a non-baliable offence,” Cyber Security expert Pavan Duggal said.

According to Salman Warris, a New Delhi-based cyber law expert, the current legislations are not suffice to deal with data hacking incidents in India. “In the US and Europe there is a complete legislation dedicated to data protection, while under Indian Act there are only two provisions related to data protection.

Aaron Swartz could also have had to shell out a penalty worth millions of dollar for allegedly downloading material from JSTOR. According to a senior professor associated with a leading university,”There has been instances in the past, where the university website has been hacked into. Whatever happen to MIT could happen to any institute, said Kamalesh Bajaj, CEO of Data Security Council of India (DSCI), a Nasscom initiative.

Link: http://www.business-standard.com/india/news/indian-cyber-laws-lack-teeth-to-bite-data-hackers/204728/on

The FFIEC also instructs banks and financial institutions to focus their network defense on layered security protections that involve fraud monitoring; use of dual customer authorization through different access devices; the use of out-of-band verification; and the use of “positive pay,” debit blocks and other technologies to appropriately limit the transactional use of the account. The FFIEC guidelines also tell financial institutions they must use “two elements at a minimum” as “process designed to detect anomalies and effectively respond to suspicious and anomalous activity.”

Since 2005 when the FFIEC, on behalf of other federal government agencies with regulatory oversight of banks, issued its initial guidelines, banks have moved to deploy some different types of two-factor authentication more broadly.

The new guidance is more specific, and the FFIEC says that’s because cybercrime against the banking industry and its customers is worse now. “Fraudsters have continued to develop and deploy more sophisticated, effective and malicious methods to compromise authentication mechanisms and gain unauthorized access to customer accounts,” the FFIEC says.

http://www.computerworld.com/s/article/9217999/Federal_agency_issues_new_security_rules_for_financial_institutions?source=CTWNLE_nlt_dailyam_2011-06-29