By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Risk Management

  Lessons learned from a recent hacking competition at Defcon revealed yet again that your employees are the biggest threat to your organization. With just two phone calls, a hacker posing as a Louisiana-based employee handling claims involving the Gulf oil spill was able to trick a computer support employee at BP into divulging sensitive information that could have proved crucial in launching a network attack.  The employee provided information to the caller including the model of laptops BP used, the specific operating system, browser anti-virus and VPN software.  The hacker also convinced the employee to visit an unknown web site, Social-Engineer.org. Other hackers inRead More →

By:
On:
In: *Connecting the Dots Blog*, Business Continuity, Information Privacy, Information Security, Regulatory Compliance

  Last week financial executives received some valuable advice on ways to significantly reduce costs associated with an expensive non-budgeted item – cybercrime. Greg Schaffer heads up DHS’s Office of Cybersecurity and Communications and his comments on cybercrime included: “Cybercrime is not a problem that is growing, or coming, or off in the future.  This is a problem right now.” Mr. Schaffer also cited some statistics from reports and surveys: A single cyber breach costs companies an average of $6.75 million  27 countries have claimed to have experienced financial losses related to cybercrime In 2009, 30 million examples of new malicious software were released  Read More →

By:
On:
In: *Connecting the Dots Blog*, Business Continuity, Human Resources, Incident Reporting, Information Privacy, Risk Management

  A recent follow up article in Federal Computer Week (FCW) highlighted the porn scandal at the Securities Exchange Commission (SEC) and suggested this was a dramatic wake-up call for any government agency who doubted the need for and importance of an airtight security policy. Good for Teri Robinson… who wrote the article!! However…the steps Teri laid out that an agency should take to build and enforce a security policy are missing a couple of critical steps based on lessons learned and legal defensibility.  Teri suggested the following steps: Review existing policy Social media guidelines should be included and should be specific Assign responsibility becauseRead More →

By:
On:
In: *Connecting the Dots Blog*, Human Resources, Incident Reporting, Information Privacy, Information Security, Risk Management

  Recently, Awareity’s CEO, Rick Shaw, was asked to present at the Infotec conference in Omaha.   During his presentation, “The Truths (and Myths) About Assessments, Planning and Implementing”, Rick discussed the three-legged stool each organization is sitting on, and the importance of all three legs (Assessments, Planning/Developing and Implementing). Most organizations understand the importance of assessments and planning, but where many fail to deliver is in the implementation phase.   As we have seen with numerous headlines and lessons learned, a failure to implement can lead to expensive fines, lawsuits, breaches and losses.  Rick used a case study for CVS Caremark.   Due to employees carelessly tossingRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Risk Management

Teachable Moments vs. Ongoing Awareness Reminders As a follow up to the previous blog regarding the sensitive ethics document from the Committee on Standards that ended up in the hands of The Washington Post, I wanted to take a look at teachable moments vs. ongoing awareness reminders. If you go to the Committee on Standards of Official Conduct web site and look up their training requirements for 2009 you will see an example of once-a-year training requirements and you will see individual training requirements are based on pay scales.  This seems ironic to me since the Committee on Standards blamed a low-level staffer for theRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Risk Management

Low-Level Staffer Blamed for Committee on Standards Breach In case you missed the story last week, multiple lessons learned and teachable moments have emerged from an incident involving a sensitive ethics committee document that ended up in the hands of the Washington Post.  The ethics document exposed numerous ongoing investigations into the conduct of more than two dozen House members.   Most articles seem to be blaming the unauthorized access to the sensitive ethics document on a low-level staffer working from home on their personal laptop using a peer-to-peer file-sharing program which provided unauthorized access to the ethics document.  Asking good questions can be a greatRead More →

By:
On:
In: *Connecting the Dots Blog*, Incident Reporting, Information Privacy, Information Security, Regulatory Compliance

We have all heard the wise old saying….’One man’s trash is another man’s treasure’ and potentially we have yet another lesson learned for organizations who are obligated to protect their client’s personal information. In this lesson learned from Ohio, three large storage bins were stolen from outside of three different bank branches in three different cities.  Each of the three large storage bins contained paper that was waiting to be shredded and at least one of the storage bins contained personal documents of bank customers. A few questions this incident brings to mind: Should personal data be stored outside of buildings? Should trash/storage bins beRead More →

By:
On:
In: *Connecting the Dots Blog*, Incident Reporting, Information Privacy, Regulatory Compliance

If you were busy getting your costume ready for Halloween, you might have missed the news release from HHS on October 30, 2009.  This news release should be taken seriously by all covered entities and organizational leaders that have responsibilities for protected health information (PHI) The news release announces that HHS has issued an interim final rule to strengthen its enforcement of the rules within HIPAA to conform to the HIPAA enforcement regulations made by the HITECH Act. As you may remember, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act (ARRA)Read More →

By:
On:
In: *Connecting the Dots Blog*, Human Resources, Incident Reporting, Information Privacy, Information Security, Legal, Risk Management

Did you see the story today involving CalOptima (a Medicaid managed care plan) who has notified 68,000 of their members of a potential loss of past medical claims information?  According to CalOptima, the information includes substantial identifying information, such as member names, home addresses, dates of birth, medical procedure codes, diagnosis codes and member identification numbers and even some Social Security numbers. Do you wonder how many other organizations are sending personally identifiable information (PII) and protected health information (PHI) in packages through parcel carriers? Do you wonder how many organizations are sending YOUR personal information through the mail? This story is one of hundredsRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Legal, Regulatory Compliance, Risk Management

In this Network World article, a US District Court Judge in California ordered Google to deactivate the Gmail account of a User who accidentally received personally identifiable information.  An employee of Rocky Mountain Bank sent an e-mail to the User’s account in error containing names, Social Security Numbers and loan information of more than 1300 bank customers.  Once the employee realized their mistake, they quickly sent a follow-up e-mail requesting that the recipient destroy the previous e-mail and contact Rocky Mountain Bank as soon as possible.  After receiving no reply from the recipient, the bank contacted Google and asked for information on the Gmail accountRead More →