Nov 06 2012

New Tools for IT and Security professionals

Category: BCP,Information SecurityDISC @ 11:40 am

IT Governance continually striving to create, source and deliver products that can help IT and Information Security professionals in the real world. Check out their latest on Business Continuity, ITIL & ITSM and Information Security products below to help you in your current and future projects. This is a perfect time of the year to start adding some of these tools in your wish list and stay abreast in your area of expertise.

ISO22301 BCMS Implementation Toolkit
New release

 

ITIL Lite: A Road Map to Full or Partial ITIL Implementation – ITIL 2011 Edition
New release

 

ITIL Foundation Essentials: The exam facts you need
Published on 6th November

 

Resilient Thinking: Protecting Organisations in the 21st Century
Published on 8th November

 

ISO19770 SAM Process Guidance: A kick-start to your SAM programme
Published 13th November

 
 

Tags: Business, business continuity, Information Security, Information Technology, Information Technology Infrastructure Library, it service management, SAM, Software asset management


May 30 2011

California computer glitch releases violent criminals

Category: cyber securityDISC @ 12:33 pm

RT.com

Gang members, sex and drug convicts, and more were accidentally released from California state prisons after computer software designed to reduce prison numbers encountered a glitch.
Around 450 dangerous inmates were let go unsupervised onto the streets of California, the state’s inspector general confirmed.

A glitch in software lead to prison officials accidentally releasing “high risk of violence” inmates from jails as opposed to low risk inmates set for release to elevate the crowded prison system.

In addition, over 1000 inmates deemed high risk for drug and property offenses were also mistakenly released.

The information comes after the US Supreme Court upheld a lower decision and ordered California to alleviate prison overcrowding by releasing prisoners or building more prisons. The decision gives State prison officials only two years to cut the 143,335 prisoner count by around 33,000 either by reductions, new programs outside of prisons or constructing new prisons within the state.
According to Renee Hansen, a spokesperson for the California inspector general, no attempts have been made to find or return the former inmates to prison or at least place them on supervised parole.

The computer error placed all of those who were released on ‘non-revocable parole’ which means they do not have to report to parole officers. It also means they are free to live their lives and can only be sent back to jail if they are caught committing a new crime.

The software was not designed to be discretionary based on the history of inmates and issues releases without consideration to their crimes or their risk of re-offending. It uses a database of arrests that does not correlate information regarding convictions and the facts surrounding a case.

Effective Physical Security, Third Edition

Tags: crime, Information Technology, Law, USA


Sep 15 2010

Cloud Computing: A Treasure Trove for Hackers

Category: Cloud computingDISC @ 10:10 am
IBM Cloud Computing
Image by Ivan Walsh via Flickr

Above the Clouds: Managing Risk in the World of Cloud Computing

By Dick Weisinger
Security usually tops the lists of concerns that people have about the cloud. And now it seems like there is good reason. On a recent survey of 100 “elite” hackers at the 2010 Defcon conferenece, 96 of them said that the cloud offered up more opportunity for them to hack. 89 of them said that they thought that cloud providers weren’t being proactive enough in beefing up their security, and 45 of them admitted to already have engaged in cloud hacking, and 12 of them said that they hack for financial gain.

When asked about what areas of the cloud that they thought were most vulnerable, 21 percent said Software as a Service (SaaS), 33 percent said problems with the Domain Name System (DNS). 16 percent said that cracking the information in log files was on their list of things to hack, and 12 percent said that they’ve hacked into communication profiles.

Barmak Meftah, chief products officer at Fortify, sponsor of the survey, said that “more than anything, this research confirms our ongoing observations that cloud vendors – as well as the IT software industry as a whole – need to redouble their governance and security assurance strategies when developing solutions, whether cloud-based or not, as all IT systems will eventually have to support a cloud resource.”

Another highlight at the Defcon conference was a $1500 device that was able to intercept any GSM mobile phone call.

Tags: Barmak Meftah, Business, Cloud computing, Defcon, Domain Name System, Hacker (computer security), Information Technology, Software as a service


Dec 10 2009

What is a risk assessment framework

Category: Information Security,Risk AssessmentDISC @ 5:46 pm

Computer security is an ongoing threat?!?
Image by Adam Melancon via Flickr

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

Definition – A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure.

A good RAF organizes and presents information in a way that both technical and non-technical personnel can understand. It has three important components: a shared vocabulary, consistent assessment methods and a reporting system.

The common view an RAF provides helps an organization see which of its systems are at low risk for abuse or attack and which are at high risk. The data an RAF provides is useful for addressing potential threats pro-actively, planning budgets and creating a culture in which the value of data is understood and appreciated.

There are several risk assessment frameworks that are accepted as industry standards including:

Risk Management Guide for Information Technology Systems (NIST guide) from the National Institute of Standards.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) from the Computer Emergency Readiness Team.

Control Objectives for Information and related Technology (COBIT) from the Information Systems Audit and Control Association.

To create a risk management framework, an organization can use or modify the NIST guide, OCTAVE or COBIT or create a framework inhouse that fits the organization’s business requirements. However the framework is built, it should:

1. Inventory and categorize all IT assets.
Assets include hardware, software, data, processes and interfaces to external systems.

2. Identify threats.
Natural disasters or power outages should be considered in addition to threats such as malicious access to systems or malware attacks.

3. Identify corresponding vulnerabilities.
Data about vulnerabilities can be obtained from security testing and system scans. Anecdotal information about known software and/or vendor issues should also be considered.

4. Prioritize potential risks.
Prioritization has three sub-phases: evaluating existing security controls, determining the likelihood and impact of a breach based on those controls, and assigning risk levels.

5. Document risks and determine action.
This is an on-going process, with a pre-determined schedule for issuing reports. The report should document the risk level for all IT assests, define what level of risk an organization is willing to tolerate and accept and identify procedures at each risk level for implementing and maintaining security controls.

Tags: Business, COBIT, Computer security, Data, Fire and Security, Information Technology, iso 27001, iso 27002, National Institute of Standards and Technology, NIST, OCTAVE, Risk management, Security, security controls, Technology


Nov 03 2009

Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges

Category: hipaaDISC @ 6:22 pm

medical-symbol
Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges
HIMSS News
The Healthcare Information and Management Systems Society releases its 2nd Annual Security Survey, sponsored by Symantec

CHICAGO (November 3, 2009) – With the American Recovery and Reinvestment Act underway, healthcare organizations face new challenges to maintain privacy and security of patient health data. However, data gathered from healthcare IT and security professionals indicate that many organizations may not be ready to meet some of the HITECH components of the ARRA legislation and other security challenges, according to the results of the 2009 HIMSS Security Survey, sponsored by Symantec Corp. (Nasdaq: SYMC).

While healthcare organizations recognize that patient data must be protected, the survey results show that:

  • Security budgets remain low
  • Organizations often don’t have a response plan for threats or a security breach
  • A designated Chief Security Officer or Chief Information Security Officer is not in place
  • In addition, the survey reveals that healthcare organizations are not using the current security technologies available to keep patient data safe. Respondents to this survey widely use audit logs with data from firewalls, application logs and server logs as common information sources. Yet, when analyzing the log data, only 25 percent of respondents reported electronic analysis of that data. Respondents indicate they are using firewalls and user access controls, but are not implementing all available technologies to secure data. Only 67 percent of responding organizations use encryption to secure data in transmission, and fewer than half encrypt stored data.

    “Healthcare organizations are continually looking for ways to save money,” said David Finn, health IT officer, Symantec Corp. “One of the best ways to accomplish these goals is through investing in technologies that will automate and reduce the risks of a security incident and lower the chances of a compliance issue. Although awareness about these issues is high, many providers have not yet made significant moves to the address these concerns.”

    Other key survey results include:

    Security Budget: Approximately 60 percent of respondents reported that their organization spends three percent or less of their organization’s IT budget on information security. This is consistent to the level of spending identified in the 2008 study.

    Maturity of Environment: Respondents characterized their environment at a middle rate of maturity, with an average score of 4.27 on a scale of one to seven, where one is not at all mature and seven is a high level of maturity.

    Formal Security Position: Fewer than half of respondents indicated that their organization has either a formally designated CISO (Chief Information Security Officer) or CSO (Chief Security Officer).

    Patient Data Access: Surveyed organizations most widely implement user-based and role-based controls to secure electronic patient information. Approximately half of respondents reported that their organization allows patients/surrogates to access electronic patient information. Patients/surrogates are most likely to be granted access to high level clinical information, such as diagnosis or lab results.

    Management of Security Environment: Nearly all respondents reported that their organization actively works to determine the cause/origin of security breaches. However, only half have a plan in place for responding to threats or incidents related to a security breach.

    Security Controls: Most respondents reported that they use the information generated in their risk analysis to determine which security controls should be used at their organization. About 85 percent of respondents reported that they monitor the success of these controls and two-thirds of these respondents measure the success of these controls.

    Risk Analysis: Three-quarters of surveyed organizations conduct a formal risk analysis (only half of these conduct this assessment on a yearly basis or more frequently), which has remained the same in the past year. Three-quarters of organizations that did conduct risk assessments found patient data at risk due to inadequate security controls, policies and processes. Conducting this analysis positions organizations to identify gaps in their security controls and/or policies and procedures.

    Security in a Networked Environment: Nearly all respondents reported that their organizations share patient data in electronic format. Respondents are most likely to report that they share data with state government entities. Respondents also reported that the area in which they are most likely to share data in the future is with Health Information Exchanges (HIEs)/Regional Health Information Organizations (RHIOs). Approximately half of these organizations (41 percent) indicated that these sharing arrangements have resulted in the use of additional security controls beyond those that were already in place at their organization. This is consistent with the data reported in the 2008 survey.

    Future Use of Security Technologies: E-mail encryption and single sign on and were most frequently identified by respondents as technologies that were not presently installed at their organization but were planned for future installation.

    Medical Identity Theft: One-third of respondents reported that their organization has had at least one known case of medical identity theft at their organization. However, only a handful of these organizations experienced direct consequences from the breach.

    “Healthcare organizations must approach all IT activities, including data security, with effective management and efficient use of their budgets, staff and technologies,” said Lisa Gallagher, HIMSS Senior Director, Privacy and Security. “IT and security professionals must recognize the need for securing patient data by using available technologies and preparing for compliance with current ARRA laws and future regulations. This complex operating environment, as well as our national goals for health IT, demands such action to ensure quality, safety and improved healthcare delivery.”

    Targeting Chief Information Officers and Chief Security Officers and other Information Technology (IT) executives, the 2009 HIMSS Security Survey focused on an assessment of 196 information technology (IT) and security professionals in the healthcare field of their own readiness for today’s risks and security challenges.

    About Symantec
    Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.

    About HIMSS
    The Healthcare Information and Management Systems Society (HIMSS) is a comprehensive healthcare-stakeholder membership organization exclusively focused on providing global leadership for the optimal use of information technology (IT) and management systems for the betterment of healthcare. Founded in 1961 with offices in Chicago, Washington D.C., Brussels, Singapore, and other locations across the United States, HIMSS represents more than 23,000 individual members, of which 73% work in patient care delivery settings. HIMSS also includes over 380 corporate members and nearly 30 not-for-profit organizations that share our mission of transforming healthcare through the effective use of information technology and management systems. HIMSS frames and leads healthcare public policy and industry practices through its educational, professional development, and advocacy initiatives designed to promote information and management systems’ contributions to ensuring quality patient care. Visit www.himss.org for more information.

    For more information, contact:
    Joyce Lofstrom/HIMSS
    312-915-9237 – jlofstrom@himss.org

    Pamela Reese/Symantec
    424-750-7858 – pamela_reese@symantec.com

    Reblog this post [with Zemanta]

    Tags: arra and hitech, arra hitech provisions, arra hitech security "business associate", Chief Information Security Officer, Chief security officer, Computer security, Health care, Healthcare Information and Management Systems Society, hipaa laws, Information Technology, Security, status of arra and hitech, Symantec