Accurate, Focused Research on Law, Technology and Knowledge Discovery Since 2002

Category Archives: Cybersecurity

FTC – Start with Security: A Guide for Business

“When managing your network, developing an app, or even organizing paper files, sound security is no accident. Companies that consider security from the start assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved. Threats to data may transform over time, but the fundamentals of sound security remain constant.

As the Federal Trade Commission outlined in Protecting Personal Information: A Guide for Business, you should know what personal information you have in your files and on your computers, and keep only what you need for your business. You should protect the information that you keep, and properly dispose of what you no longer need. And, of course, you should create a plan to respond to security incidents.

In addition to Protecting Personal Information, the FTC has resources to help you think through how those principles apply to your business. There’s an online tutorial to help train your employees; publications to address particular data security challenges; and news releases, blog posts, and guidance to help you identify – and possibly prevent – pitfalls.

There’s another source of information about keeping sensitive data secure: the lessons learned from the more than 50 law enforcement actions the FTC has announced so far. These are settlements – no findings have been made by a court – and the specifics of the orders apply just to those companies, of course. But learning about alleged lapses that led to law enforcement can help your company improve its practices. And most of these alleged practices involve basic, fundamental security missteps.

Distilling the facts of those cases down to their essence, here are ten lessons to learn that touch on vulnerabilities that could affect your company, along with practical guidance on how to reduce the risks they pose.

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

OPM – Actions to Strengthen Cybersecurity and Protect Critical IT Systems

“The recent intrusions into U.S. Office of Personnel Management (OPM) systems that house personnel and background investigation data for Federal employees and other individuals have raised questions about the security of OPM data and the integrity of its Information Technology (IT) assets. Since Director Archuleta arrived at OPM, she has led the agency in taking …

DoD Critical Technology ID and Protection

Critical Program Information (CPI) Identification and Protection Within Research, Development, Test, and Evaluation (RDT&E), NUMBER 5200.39. May 28, 2015.

GAO Report – Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies

Cybersecurity: Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies, GAO-15-725T: Published: Jun 24, 2015. Publicly Released: Jun 24, 2015. “GAO has identified a number of challenges federal agencies face in addressing threats to their cybersecurity, including the following: Designing and implementing a risk-based cybersecurity program. Enhancing oversight of contractors providing IT services. …

GAO Reports – Accessible Communications, Bank Regulation, Chemical and Biological Defense, Combating Terrorism, DHS IT Contracting

Accessible Communications: FCC Should Evaluate the Effectiveness of Its Public Outreach Efforts, GAO-15-574: Published: Jun 25, 2015. Publicly Released: Jun 25, 2015. Bank Regulation: Lessons Learned and a Framework for Monitoring Emerging Risks and Regulatory Response, GAO-15-365: Published: Jun 25, 2015. Publicly Released: Jun 25, 2015. Chemical and Biological Defense: Designated Entity Needed to Identify, …

Massive Government Data Breach Even Worse than Reported

EPIC: “A Congressional hearing on the Office of Personnel Management data breach has now revealed one of the worst data breaches in US history. The agency initially reported that the personal information of 4 million government employees was obtained, but news reports suggest the breach was much larger–exposing the social security numbers of more than …

UK: Information Security Breaches Survey 2015

PWC: “We have been commissioned by the Department for Business, Innovation and Skills (BIS) to survey companies across the UK on cyber security incidents and emerging trends… The key observations from the 2015 survey were: The number of security breaches has increased, the scale and cost has nearly doubled. Eleven percent of respondents changed the nature …

Government Credentials on the Open Web

Follow up to Massive hack of federal personnel files included security-clearance database – related news – “Recorded Future identified the possible exposures of login credentials for 47 United States government agencies across 89 unique domains. As of early 2015, 12 of these agencies allowed some of their users access to computer networks with no form of two-factor …

OPM IG Report – Infrastructure and IT Controls Improvement

“The U.S. Office of Personnel Management (OPM) Office of the Inspector General (OIG) is issuing this Flash Audit Alert to bring to your immediate attention serious concerns we have regarding the Office of the Chief Information Officer’s (OCIO) infrastructure improvement project (Project). This Project includes a full overhaul of the agency’s technical infrastructure by implementing additional information technology …

Report – hacker had access to U.S. security clearance data for one year

Follow up to previous posting, Massive hack of federal personnel files included security-clearance database, again via Washington Post: “The recently disclosed breach of the Office of Personnel Management’s security-clearance computer system took place a year ago, giving Chinese government intruders access to sensitive data for a year, according to new information. The considerable lag time between breach …

Cybersecurity Issues for the Bulk Power System

CRS – Cybersecurity Issues for the Bulk Power System, Richard J. Campbell, Specialist in Energy Policy. June 10, 2015. “In the United States, it is generally taken for granted that the electricity needed to power the U.S. economy is available on demand and will always be available to power our machines and devices. However, in …

Amazon belatedly issues report on Privacy and Data Security

Via Amazon Security Blog: “Amazon knows customers care deeply about privacy and data security, and we optimize our work to get these issues right for customers. With this post I’d like to provide a number of observations on our policies and positions: Amazon does not disclose customer information unless we’re required to do so to …