By:
On:
In: *Connecting the Dots Blog*, Business Continuity, Information Security, Risk Management

Step 7 is: Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity. Wow…this is a very complex step when you consider the Cyberspace Policy Review described cybersecurity policy as: cybersecurity policy as used in this document includes strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missionsRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Security

As May ended, the percentage of SPAM and junk mail jumped to 90.4 percent of e-mail.  Are your people aware and prepared to avoid and prevent risks and threats associated with SPAM? To make matters worse, the spamming techniques are successful because the e-mails are being sent from valid accounts hosted by the social-networking sites and not being spoofed.  And because the e-mails are coming from valid accounts, technology devices checking the validity of e-mail headers are ineffective as a countermeasure.  In many cases, the junk mail contains only a subject line and a hyperlink and many times the links led to social-networking site profiles. Read More →

By:
On:
In: *Connecting the Dots Blog*, Information Security, Risk Management

Step 6 of President Obama’s Cybersecurity plan is a great idea and it states: Step 6 – Initiate a national public awareness and education campaign to promote cybersecurity. Lessons Learned from national public awareness and education campaigns show that they can work very well with “simple and straightforward” issues such as drunk driving, seat-belts or forest fires.  For example, most of us have heard of “over the limit, under arrest” or “click-it or ticket” or “only you can prevent forest fires”.  But cybersecurity is not “simple and straightforward”. Lessons Learned, experts and reports unanimously agree that cybersecurity related attacks are becoming more and more sophisticatedRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Security, Risk Management

Ok, now we are starting to get into the action points that have a lot more complexity and will absolutely require an “intelligent playbook” and innovative tools to implement appropriate mechanisms, priorities, processes, policies, roles, responsibilities, activities and more across the federal government.  Based on Lessons Learned, Inspector General Reports and a recent May 2009 GAO Report that stated 23 out of 24 major federal agencies had weaknesses in their agencywide information security programs…it is obvious that action point 5 is going to be extremely difficult to implement and manage.  Action Point 5 – Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priorityRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security

As I mentioned in previous blogs, the new Cybersecurity Adviser will essentially be the “Head Coach” and he/she will need to create an “intelligent playbook” to lead the offense and the defense and to ensure all appropriate individuals are aware of their roles and responsibilities. Action Step 4 in President Obama’s Cybersecurity plan is: Designate a privacy and civil liberties official to the NSC Cybersecurity directorate. On paper, designating an official or officials to focus on privacy and civil liberties makes good sense, however lessons learned have clearly shown that government officials continue to look at privacy and civil liberties as too much of aRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Risk Management

The good news is that Social Networking is experiencing explosive growth. The bad news is that Social Networking is experiencing explosive growth. According to the third annual Deloitte LLP Ethics & Workplace survey, organizational leaders have some decisions to make when it comes to employee beliefs and management beliefs regarding online Social Networking. 60% of business executives believe they have the right to know how employees portray themselves and their organizations in online social networks 53% of employees disagree and say their social networking pages are not an employer’s concern 63% of younger employees (age 18-34)  say employers have no business monitoring their online activityRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security

So the new Cybersecurity Adviser (aka Head Coach) will be announced this week…and as I mentioned previously regarding Step 1 and Step 2, the Head Coach will play a vital role in coordinating people, entities, policies, activities, strategies and ongoing updates as strategies and threats change.  We reviewed how the Head Coach will need to implement an “intelligent playbook” to ensure all appropriate people have access to customized knowledge they need to make better decisions and achieve better results.  The “cybersecurity intelligent playbook” will no doubt need tools that will empower the Head Coach and enable all appropriate personnel to have secure accessibility to theirRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security

Part 2 of several to come… Looking over President Obama’s 10-point action plan, there is no doubt that the key to successfully protecting, deterring, preventing, detecting and defending our digital infrastructure and strategic national assets will be the “playbook” and the “execution of the playbook” by all appropriate individuals. Step 1 of the 10-point action plan is to appoint a cybersecurity policy official responsible for coordinating the nation’s cybersecurity policies and activities and coordinate with National Security Council and National Economic Council to coordinate interagency development of cybersecurity- related strategy and policy.  Sounds like a Head Coach and more to me… The Head Coach isRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security

Part 1 of several to come… Thank you President Obama! As you probably saw in the news, President Obama presented a 10-point action plan aimed at securing federal government’s critical IT infrastructure. I missed the President’s live press conference that day, so when I returned to the office I found the news story about the President’s 10-point action plan.  There is no doubt that cybersecurity has become a significant concern for government and private organizations too and I wanted to see specifically what President Obama’s 10-point action plan looked like and if it targeted some of the challenges I have seen in my 20+ yearsRead More →

By:
On:
In: *Connecting the Dots Blog*, Business Continuity, Incident Reporting, Information Privacy, Information Security, Legal

In 2007 the Swedish Bank, Nordea was stung for $1.1 million, in the “biggest ever” online bank heist.  250 bank customers were affected by the fraud after falling victim to phishing e-mails.  The e-mail contained a trojan horse that redirected customers to a false home page where they entered important login information.  Most of the customers affected had not been running antivirus applications on their computers. The bank covered the attacks and refunded all the affected customers. In 2009 Credit Union Customers received text messages notifying them that their debit cards had been inactivated.  The message gave a number to call to reactivate the cardRead More →