26 February 2012

MANAGE RISK BEFORE IT DAMAGES YOU: PART ONE...

Neira Jones on Google+
After my part 1 and part 2 posts on incident response and the last post on cloud computing security, a number of you requested I talk about risk assessments. Since it’s currently my favourite topic, I am more than happy to oblige... First, a few facts:
  • Epsilon was breached in the first quarter of 2011. At the time, they built and hosted customer databases for 2,500 well-known brands and sent more than 40 billion emails a year on their behalf.
  • Not long after, the Sony breach ended up compromising personally identifiable information for more than 100 million of its customers.
Obviously, for both organisations, customer information is a key asset...

21 February 2012

UNDERSTANDING CLOUD SECURITY: PART TWO...

Thank you for your attention to the previous post, where we looked at security considerations for the three main cloud service models commonly referred to as SPI (SaaS, PaaS, IaaS). As promised, here is part two, looking at other cloud implementation considerations, namely:

  • Cloud deployment model: public vs. private vs. community vs. hybrid deployments,
  • Cloud location: internal vs. external hosting or combined,

19 February 2012

UNDERSTANDING CLOUD SECURITY: FINDING THE BOUNDARIES...

It seems that my previous post on compliance and third parties struck a chord with a few of you... So I guess it’s about time I dedicated some time to “The Cloud” specifically! Over the past couple of years, we have seen a lot of hype and confusion as to what The Cloud really means and what it can do for you. I think we have now reached the stage where there is a bit of disappointment that The Cloud, given the inflated expectations, is perhaps not a miracle...

12 February 2012

COMPLIANCE IN THE DIGITAL ERA: WATCH OUT FOR THE 3rd PARTY...

By 2015, there will be more than 15 billion interconnected devices on the planet, twice the world population. In that period, the total amount of global Internet traffic will quadruple. (Cisco(R) Visual Networking Index (VNI) Forecast (2010-2015), June 2011)
It is estimated that every year in the UK, identity fraud costs more than £2.7 billion and affects over 1.8 million people (National Fraud Authority, October 2010).
Every year, we share more of ourselves online...

8 February 2012

THE TRUTH BEHIND DATA BREACHES...

I was pleased to see the release of the Trustwave 2012 Global Security Report, as I always find it a very good source of information! This year’s report analyses 300 data breach investigations across 18 countries and, unsurprisingly, 89% of the breaches involved the theft of customer records, including payment card data and other personally identifiable information such as email addresses.

6 February 2012

INCIDENT RESPONSE & RISK MANAGEMENT GO HAND IN HAND...

I was delighted with the level of interest generated by my last post on incident response so I thought I’d continue on the same theme... My thanks go yet again to the NIST report previously mentioned as I will explore some aspects of risk management and prioritisation that apply to incident response...

3 February 2012

INCIDENT RESPONSE – HAVE YOU GOT A PLAN?

So, the National Institute of Standards and Technology (NIST) announced a couple of days ago the release for comment of draft Special Publication (SP) 800-61 Revision 2, Computer Security Incident Handling Guide. How very timely that was! With 2011 dubbed the year of the data breach, and given that it takes 3 to 8 months on average for an organisation to discover it has been breached, what better New Year’s resolution than to have an effective Incident Response Plan?...

1 February 2012

EU DATA PROTECTION LAWS – WHAT DOES IT ALL MEAN?...

After yesterday’s post on data protection, I thought it would be logical to follow with some info on the EU proposal for new data protection laws...
17 years ago, the EU’s 1995 Data Protection Directive set a milestone in the history of personal data protection, and whilst its principles are still valid, the differences in the way each EU country implements the law have led to an uneven level of protection for personal data. In addition, the rules were introduced when the Internet was still in its infancy, and the digital age has brought with it increasing and sometimes unexpected challenges for data protection. With social networking sites, cloud computing, location-based services and smart cards, we leave digital traces with every move we make. Evidently, we now need a new set of rules that is future-proof and fit for the digital age.