Research reveals that social networking and mobile are the biggest security concerns for UK enterprises...
At the IAPP Global Privacy Summit, the IAPP and AvePoint announced the release of a new free privacy impact assessment tool that will allow privacy professionals to better organize PIAs, involve other departments in the organization and complete PIAs more rapidly. Available from the front page of the IAPP’s Resource Center and called the AvePoint Privacy Impact Assessment system, or APIA, it is a piece of software organizations can install on their own servers, which is then accessible through a standard web browser. It allows privacy professionals to assign roles, track progress, offer up different questions for types of products and services and has many other advantages over the standard Word- or Excel-based systems currently in place.
Richard Clarke’s short but very interesting keynote focused on his takeaways from Snowden and the NSA spying, and on his top 10 observations from the forty-six recommendations he and his team made about US intelligence gathering.
IT Systems administrators working in an academic setting are often faced with the unenviable task of balancing two seemingly disparate priorities: managing and mitigating security risks, and ensuring a user experience that is intuitive, seamless and reliable. This dilemma is not a new one — Frederick M. Avolio, writing at Networkcomputing.com, notes that “security and usability are often inversely proportional.”
The unique environment of an academic institution presents its own specific set of challenges. While each organization is different, it is possible to address some general concerns that impact how users interact with their IT resources and the security issues that result. Understanding these issues is the first step towards designing systems that are user friendly without compromising security.
To mark Data Privacy Month, the University of Pennsylvania and the National Constitution Center hosted a Town Hall program with some of the nation's leading experts on privacy and surveillance. On February 3, 2014, Peter Swire of the White House NSA Review Board, Anita Allen of the University of Pennsylvania, and Charlie Savage of the New York Times joined Constitution Center's Jeffrey Rosen to discuss the NSA and government surveillance past and future. University of Pennsylvania faculty, staff, and students, as well as members of the public, were invited to participate in this free event.
If you could not attend the discussion in person, a video recording is now publicly available. Please feel free to share this resource on your campus in order to continue the privacy dialogue with your colleagues.
Eddie Swartz, Chief Security Officer of RSA, the Security Division of EMC, talks about how big data is transforming information security.
The younger generation's desire to be connected all the time expands the attack surface. But experts say enterprises can, and should, manage the risk.
"President Bill Clinton talked about building a bridge to the new millennium. With that bridge now 14 years in the rear-view mirror, the challenge for enterprises is to build a security bridge to the Millennials who are flooding the workplace."
Yet another bill to create a federal requirement for data breach notification has been introduced, this time by Democratic leaders of the Senate Commerce, Science and Transportation Committee.
The Data Security and Breach Notification Act of 2014 would, for the first time, provide a federal standard for companies to safeguard consumers' personal information throughout their systems and to quickly notify consumers if those systems are breached.
The legislation, introduced Jan. 30 by Committee Chairman Jay Rockefeller, D-W.V., and three co-sponsors, would require the Federal Trade Commission to issue security standards for companies that hold consumers' personal and financial information. In the event of a data breach, companies would be obligated in most instances to notify their affected customers within 30 days of a breach so they can take steps to protect themselves from the risk of identity theft and fraud.
A key challenge for any organization is balancing the protection of institutional data, respecting privacy and enabling trust when employees access institutional systems with personally owned devices. Any BYOD strategy should address this balance. Personally owned devices usually are not under the control of the institution, and verifying that the devices are securely configured can feel intrusive. Allowing personal devices that are not checked for secure configuration and vulnerabilities to log into protected systems creates potentially serious and unknown risks. Institutional attempts to influence or cause configuration changes on personally owned assets, and scanning them for vulnerabilities, raise questions about trust and liability.
Institutions that provide employees with properly configured mobile devices help reduce the need for employees to access institutional systems with personally owned devices, but this approach does not work in all situations. While the potential cost of a security breach can easily exceed the cost of providing mobile devices to employees, the cost of providing the mobile devices also can exceed available funding. Institutionally issued mobile devices may not address all legitimate needs.
Today, more than ever, businesses and organizations need to stay one step ahead of online attackers and other malicious actors.
There’s ample evidence all around us that proves adversaries are coming up with new and much more sophisticated methods for distributing malware, while remaining undetected for long periods and stealing sensitive customer data, intellectual property or disrupting critical systems.
This 3rd annual Cyber Data Risk Managers 2014 report (PDF), released on Data Privacy Day, includes many invaluable insights and recommendations offered by Data Privacy and Information Security industry experts that will prove useful for businesses and organizations, regardless of industry or sector.
Today's EDUCAUSE Policy Digest features blogs about Data Privacy Month, the NIST Draft Cybersecurity Framework, Senator Leahy's Personal Data Privacy and Security Act, Net Neutrality, and more.
January 28 promises to be the most widely recognized Data Privacy Day since its first observation in 2008.
This, of course, is one effect of the many stories over the past year that have put data privacy in headlines across the world. These stories have reinvigorated old debates, and prompted new questions, about the increasingly complex relationship between individuals, the online data they create or that is about them, and how that data is protected and shared.
Technology is not evil, only its use or misuse. But in the case of this dirty dozen, the potential for abuse is frightening.
“123456” is finally getting some time in the spotlight as the world's worst password, after spending years in the shadow of “password.”
Security firm Splashdata, which every year compiles a list of the most common stolen passwords, found that “123456” moved into the number one slot in 2013. Previously, “password” had dominated the rankings.
In Dragnet Nation, Julia Angwin describes an oppressive blanket of electronic data surveillance. "There's a price you pay for living in the modern world," she says. "You have to share your data."
Data stored in an insecure online location for nearly a year exposed personal information on 146,000 students and recent graduates of Indiana University, officials said on Tuesday. The lapse occurred in the registrar’s office when a data file was placed in the wrong folder; it was discovered by an employee last week.
There is no evidence that the university was the target of a cyberattack, said Bradley C. Wheeler, vice president for information technology and chief information officer for the eight-campus system. No servers or systems were hacked.
“A sophisticated computer-security attack” on the University of Maryland on Tuesday gave hackers access to more than 300,000 records of students, faculty and staff members, and others who have been issued university IDs on two of the system’s campuses since 1998.
According to a letter by Wallace D. Loh, the system’s president, experts are trying “to determine how our sophisticated, multilayered security defenses were bypassed,” and a criminal investigation is under way.
The University of Maryland has created a page about the recent data breach that includes an FAQ: http://www.umd.edu/datasecurity/
The Massachusetts Institute of Technology is still trying to figure out how to answer criticism of its response to the controversial federal prosecution of Aaron Swartz, the hacker and activist who was arrested on the MIT campus in 2011.
On Thursday university officials charged with reviewing MIT’s existing policies and practices flagged several ways the university could do more to protect digital privacy and encourage open-access publishing, according to an update from MIT’s news office.
Today the Obama Administration is announcing the launch of the Cybersecurity Framework, which is the result of a year-long private-sector led effort to develop a voluntary how-to guide for organizations in the critical infrastructure community to enhance their cybersecurity. The Framework is a key deliverable from the Executive Order on “Improving Critical Infrastructure Cybersecurity” that President Obama announced in the 2013 State of the Union.
Through the development of this Framework, industry and government are strengthening the security and resiliency of critical infrastructure in a model of public-private cooperation. Over the past year, individuals and organizations throughout the country and across the globe have provided their thoughts on the kinds of standards, best practices, and guidelines that would meaningfully improve critical infrastructure cybersecurity. The Department of Commerce's National Institute of Standards and Technology (NIST) consolidated that input into the voluntary Cybersecurity Framework that we are releasing today.
The Framework gathers existing global standards and practices to help organizations understand, communicate, and manage their cyber risks. For organizations that don’t know where to start, the Framework provides a road map. For organizations with more advanced cybersecurity, the Framework offers a way to better communicate with their CEOs and with suppliers about management of cyber risks. Organizations outside the United States may also wish to use the Framework to support their own cybersecurity efforts.
Each of the Framework components (the Framework Core, Profiles, and Tiers) reinforces the connection between business drivers and cybersecurity activities. The Framework also offers guidance regarding privacy and civil liberties considerations that may result from cybersecurity activities.
Also of note: "Though the adoption of the Framework is voluntary, the Department of Homeland Security (DHS) has established the Critical Infrastructure Cyber Community (C3) Voluntary Program as a public-private partnership to increase awareness and use of the Cybersecurity Framework. The C3 Voluntary Program will connect companies, as well as federal, state, local, tribal, and territorial partners, to DHS and other federal government programs and resources that will assist their efforts in managing their cyber risks. Participants will be able to share lessons learned, get assistance, and learn about free tools and resources that can help them."
Data Privacy Month 2014 Guest blogger Mike Corn:
"Within the privacy community it is commonly said that privacy is tightly coupled to societal notions of respect. We advocate for our local, national, and international institutions to protect personal information, to collect only the minimum needed, and to do so not merely to prevent financial loss or compliance with regulations, but because it demonstrates respect for individuals.
But what is the basis for this respect? We show respect for one another's feelings, we respect an individual's rights, and when we confront people in moments of great suffering or joy, we show respect for their privacy — we allow individuals the right to decide whether or not to share with us.
This is the point I want to focus on: By respecting individual privacy, we protect each person's right to choose whom they wish to speak with, to assemble with, and to worship with. These are basic human rights codified in the First Amendment to the Constitution of the United States of America. By looking at privacy through this lens, we change the color of the conversation, raising the bar quite a bit higher than compliance with the red flag rule or protection from identity theft."
The year's barely started, and we've already had enough data breaches at major retailers to make a barter economy seem like a good idea. Unfortunately there are yet more security threats to look forward to in 2014. Here are the biggest ones we anticipate.
In his recent remarks on the NSA and surveillance, President Barack Obama grabbed the Big Data bull by the horns. We commend the president’s decision to task the Council of Advisors on Science and Technology (PCAST) to reach out to privacy experts, technologists and business leaders to examine the challenges inherent in Big Data. Government surveillance raises distinct civil liberties concerns that commercial and scientific use of Big Data does not; still, it is appropriate to address the profound impact of new technologies on Big Data business opportunities.
Big Data was all the rage in privacy circles in 2013, and now it is achieving appropriate broad policy attention. It implicates modern day dilemmas, which transcend privacy and impact a variety of delicate balancing acts at the core of free market democracy. The examination requires engagement not only by privacy professionals but also by ethicists, scientists and philosophers to address what may very well be the biggest public policy challenge of our time.
When I or my team members meet with CISOs, sometimes we need a simple set of questions to assess how they’re doing in security. I worked with a bunch of our experts here to get to a core group, and thought I’d share.
Questions that really get the CISO to think: am I secure? We organized these along the dimensions of People, Data, Applications, and Infrastructure. Why? Because if you think about People, the Data they access, the Applications they use and the Gear they’re on (Infrastructure), then you have a decently holistic view of their security posture.
Do these questions work in the higher education environment? Are there questions you would replace or add?
For Data Privacy Month this year, our theme is “Respecting Privacy, Safeguarding Data, Enabling Trust.” If I were re-writing the theme, I would add “Privacy Matters.” It matters a lot.
Data Privacy Month (January 28–February 28) presents an opportunity for universities to collaborate with one another, and to raise awareness on our campuses about the importance of protecting privacy rights.
On our campuses, privacy is not simply a legal obligation. Our privacy policies and practices pave the way for us to build trust and demonstrate respect for our faculty, staff, and students.
Security is all about the big picture now. Here are some pointers from George Viegas on how the "CSO 2.0" can take a more effective approach to security in 2014 and the future.
What "2.0" ideas would you include? What should CISOs be doing this year and in future years to enhance information security programs?
An information security metric is an ongoing collection of measurements to assess security performance, based on data collected from various sources. Information security metrics measure a security program’s implementation, effectiveness, and impact, enabling the assessment of security programs and justifying improvements to those programs. Effective metrics can bring visibility and awareness to the underlying issue of information security and highlight effective efforts through benchmarking, evaluation, and assessment of quantified data. This can put institutions in a proactive stance regarding information security and demonstrate support for leadership’s priorities.
Read more in this new 2-page resource.