Archive for the ‘privacy and security’ Category

Anthem Data Breach: How Safe Is Health Information Under HIPAA?, CRS Insights (February 24, 2015)

March 5, 2015

Anthem Data Breach: How Safe Is Health Information Under HIPAA?, CRS Insights (PDF)
Source: Congressional Research Service (via Federation of American Scientists)

The recent data breach at Anthem Inc.—the nation’s second-largest health insurer, with more than 37 million enrollees in its health plans—raises new concerns about the vulnerability of electronic health information. Security experts question whether the Health Insurance Portability and Accountability Act (HIPAA) privacy and security standards are sufficiently protective of sensitive patient information.

New Guidance to Help Protect Student Privacy in Educational Sites and Apps

March 3, 2015

New Guidance to Help Protect Student Privacy in Educational Sites and Apps
Source: U.S. Department of Education

When signing up for a new technology, digital service, or app, there’s a simple little check box near the end to which most of us don’t give much thought. But for schools and districts, agreeing to a terms of service agreement could have big implications for student privacy.

Earlier today, the U.S. Department of Education released model terms of service guidance to help schools identify which online educational services and apps have strong privacy and data security policies to protect our students.

Some terms of service agreements are a tough read, even for lawyers, so the hope is that our new guidance will help school officials decide what’s right for their school and students.

Today’s guidance helps officials look for provisions that would allow the service or company to market to students or parents, provisions on how data is collected, used, shared, transferred, and destroyed, and it also guides schools on making sure they’re satisfying parental access requirements, as well as proper security controls.

Equation Group: Questions and Answers

March 3, 2015

Equation Group: Questions and Answers (PDF)
Source: Kaspersky

The Equation group is a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. The Equation group uses multiple malware platforms, some of which surpass the well-known “Regin” threat in complexity and sophistication. The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen.

Foreign Intelligence Gathering Laws

February 27, 2015

Foreign Intelligence Gathering Laws
Source: Law Library of Congress

This report contains information on laws regulating the collection of intelligence in the European Union, United Kingdom, France, Netherlands, Portugal, Romania, and Sweden. The report details how EU Member States control activities of their intelligence agencies and what restrictions are imposed on information collection. All EU Member States follow EU legislation on personal data protection, which is a part of the common European Union responsibility.

Report on Cybersecurity Practices

February 26, 2015

Report on Cybersecurity Practices (PDF)
Source: Financial Industry Regulatory Authority

Like many organizations in the financial services and other sectors, broker-dealers (firms) are the target of cyberattacks. The frequency and sophistication of these attacks are increasing, and individual broker-dealers, and the industry as a whole, must make responding to these threats a high priority.

This report is intended to assist firms in that effort. Based on FINRA’s 2014 targeted examination of firms and other related initiatives, the report presents FINRA’s latest work in this critical area. Given the rapidly evolving nature and pervasiveness of cyberattacks, it is unlikely to be our last.

A variety of factors are driving firms’ exposure to cybersecurity threats. The interplay between advances in technology, changes in firms’ business models, and changes in how firms and their customers use technology creates vulnerabilities in firms’ information technology systems. For example, firms’ Web-based activities can create opportunities for attackers to disrupt or gain access to firm and customer information. Similarly, employees and customers are using mobile devices to access information at broker-dealers, which creates a variety of new avenues for attack.

The landscape of threat actors includes cybercriminals whose objective may be to steal money or information for commercial gain, nation states that may acquire information to advance national objectives, and hacktivists whose objectives may be to disrupt and embarrass an entity. Attackers, and the tools available to them, are increasingly sophisticated. Insiders, too, can pose significant threats.

This report presents an approach to cybersecurity grounded in risk management to address these threats. It identifies principles and effective practices for firms to consider, while recognizing that there is no one-size-fits-all approach to cybersecurity.

The Challenge of Preventing Browser-Borne Malware

February 26, 2015

The Challenge of Preventing Browser-Borne Malware (PDF)
Source: Ponemon Institute

We surveyed 645 IT and IT security practitioners who are familiar with and involved in their company’s efforts to detect and contain malware. Survey participants were from U.S. businesses with an average of more than 14,000 employees. All of the organizations represented in this research have built a multilayer defense-in-depth architecture in an effort to prevent these types of attacks.

Despite having such technologies in place, over the past 12 months, these organizations experienced an average of 51 security breaches because of a failure in malware detection technology. The findings also reveal the average cost to respond to and remediate just one security breach because of a failure in malware detection technology is approximately $62,000. This means organizations could have spent an average of $3.2 million to remediate a security breach caused by web-borne malware.

Privacy and Civil Liberties Oversight Board Releases Recommendation Assessment Report

February 26, 2015

Privacy and Civil Liberties Oversight Board Releases Recommendation Assessment Report
Source: Privacy and Civil Liberties Oversight Board

To mark the one-year anniversary of its report on the Section 215 telephone records program and the six-month anniversary of its report on the Section 702 surveillance program, the Privacy and Civil Liberties Oversight Board has released an assessment of the implementation of its recommendations. In its two reports, the Board made a total of 22 recommendations directed at the Executive Branch, Congress, and the Foreign Intelligence Surveillance Court. In its assessment, the Board discusses the status of each recommendation’s implementation.

Key findings include:

  • Overall, the Administration has accepted virtually all recommendations in the Board’s Section 702 report and has made substantial progress toward implementing many of them, while also accepting most of the recommendations in the Board’s Section 215 report.
  • The Administration has not implemented the Board’s recommendation to halt the NSA’s telephone records program, which it could do at any time without congressional involvement. Instead, the Administration has continued the program, with modifications, while seeking legislation to create a new system for government access to telephone records under Section 215.
  • The Administration has made substantial progress in implementing some of the Board’s recommendations regarding transparency.
  • The Administration has not yet developed, as the Board recommended, a methodology for gauging the value of its counterterrorism programs.
