Keeping up with global regulations

The Foreign Corrupt Practices Act (FCPA) has been seemingly more newsworthy than usual recently (even impacting Hollywood elite), with somewhat conflicting accounts of the US cracking down on bribery both here and abroad, and the rationale for the US to accept some level of bribery for the sake of broader national interests.

Read more

Risky by association

The holiday season gave media and industry one more opportunity to discuss Mattel’s massive product recalls this year, and admittedly, I still find myself interested in the story. In this case, it was the World Business Council for Sustainable Development’s article calling out Mattel’s “Epiphany at Christmas”. 

The revelation: “If it's got your company's name on it, it's your problem.”

Read more

New Year's Resolutions for choosing online retailers

With CardSpace and Higgins still nascent and seeing almost no market adoption, you may wonder which authentication features you should be looking for when shopping online. A username and password alone no longer suffice: you should assume that the computer you log in from has a keylogger or trojan capturing your keystrokes, and with them your username and password.

Savvy customers are increasingly turning to online retailers and financial institutions that provide at least some form of multi-factor authentication to protect against password theft. The following list gives consumers and vendors a compass for navigating the murky waters of online transactions.

Smart cards / USB tokens (very costly, high level of security, great user inconvenience)

A hardware-based solution: the device holds applications and PKI certificates that are used to authenticate to a site, so the private key never leaves the token and a keylogger captures at most the PIN. The cards can also carry a magstripe for physical access control and an RFID proximity chip.

Read more


Segregation of data protection duties

Business Week recently published a profile of Usama Fayyad, the chief data officer of Yahoo!. In this profile they highlight that his responsibilities are:

Read more


Risk Management Lessons from the ‘Mortgage Meltdown’

Great article this morning in the Wall Street Journal about Goldman Sachs’ performance during the credit meltdown. The company has expectations of record income this year, while competitors are faltering left and right.

There are three important issues in this story — and in the sub-prime crisis in general — that all good risk management professionals know, and should keep in mind as often as possible.

Read more

Cyber espionage – something to worry about?

McAfee released its “Virtual Criminology Report” earlier this year and warned of a growing threat to national security as cyber espionage becomes increasingly sophisticated, moving from simple network probes to well-funded, well-organized, and possibly government-backed operations. The intent is not only financial gain but also political or competitive advantage.

Some other interesting news items have appeared in the recent past.

Read more


Misconceptions about outsourcing security

As I talk to CISOs and CIOs I find that there are many misconceptions about outsourcing security. Here are the most common ones that I come across:

Read more


Facebook backs down on Beacon program

The biggest privacy news lately has been Facebook's Beacon program. The program shared information about purchases made on third-party partner sites with Facebook, even if the user was not signed into Facebook or had deactivated their account. Opting out of the program was a challenge. After several weeks, Facebook has acknowledged its mistake (see the article above). As more companies try new forays into online marketing, I expect to see more of these privacy-insensitive developments. How can you prevent your organization from making such a blunder? Privacy impact assessments. Every new business project or plan that uses or collects data in a new way should be reviewed with an eye for privacy. Ten of the 30 enterprises that I interviewed for research purposes say that they do privacy impact assessments for all projects, but that still leaves 20 of 30 that aren't reviewing their new endeavors. For an idea of what such an assessment involves, see how the US government has set up its privacy impact assessment program.

Please click on the graph below to see an enlarged version.

Read more


Do you trust the merchants to protect your credit cards?

On 4 October 2007, National Retail Federation (NRF) Chief Information Officer and Senior Vice President David Hogan wrote a letter to the Payment Card Industry (PCI) Security Standards Council requesting that the card industry stop requiring merchants to store complete card numbers. Currently, some merchants are required to keep credit card numbers for up to 18 months to satisfy card retrieval and dispute requests. The letter said, “Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place.” NRF proposes that the card companies and their banks give merchants the option of keeping nothing more than the authorization code provided at the time of sale and a truncated receipt, rather than requiring merchants to retain the full card data for an extended period.
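To make the NRF proposal concrete, here is an added example (not code from the NRF, the PCI Council, or this page) of what a merchant's retention record would look like if it kept only the authorization code and a truncated card number. The truncation convention used, first six and last four digits visible with the middle masked, is the masking PCI DSS permits for display; treating it as the retention format is this example's assumption, as are the record field names. The card number and receipt text are constructed test data, not real cardholder data.

```python
import json
import re

# Matches 13 to 19 digits with optional space or dash separators, the
# range of primary account number (PAN) lengths in common use.
_PAN_CANDIDATE = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check on the digits of `pan` (separators ignored)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask everything between.

    Assumption: this first-6/last-4 form is the most that is ever retained;
    the full PAN is discarded once the record is built.
    """
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a well-formed card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def retention_record(pan: str, auth_code: str, amount_cents: int) -> dict:
    """Build the minimal record a merchant would keep for dispute handling.

    The authorization code (assumed here to be the value returned by the
    acquirer at sale time) is the lookup key; the masked PAN lets staff
    confirm they are looking at the right card without holding the PAN.
    """
    return {
        "auth_code": auth_code,
        "masked_pan": truncate_pan(pan),
        "amount_cents": amount_cents,
    }


def contains_full_pan(text: str) -> bool:
    """Scan stored text for any digit run that looks like a real PAN.

    Used as a check that a retention record (or a log line) really does
    not carry a complete card number. Masked values never match because
    the masking characters break the digit run.
    """
    for m in _PAN_CANDIDATE.finditer(text):
        if luhn_valid(m.group()):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: a well-known test PAN, not a real card.
    raw_receipt = "card 4111 1111 1111 1111 auth 123456 amount 4999"
    record = retention_record("4111 1111 1111 1111", "123456", 4999)
    print(json.dumps(record))
    print("raw receipt leaks PAN:", contains_full_pan(raw_receipt))
    print("retention record leaks PAN:", contains_full_pan(json.dumps(record)))
```

The point of `contains_full_pan` is that "we only keep the truncated number" is a claim to verify, not assume: run it over receipt archives, application logs and database dumps, since a full PAN that reached a log file is just as attractive to an attacker as one in the orders table.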

Read more
