Archive for the ‘Policy and Governance’ Category
December 17, 2011
Electronic Authentication Guideline (NIST Special Publication 800-63-1), from NIST, expands the options for government agencies that need to verify the identity of users of their Web-based services.
This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrict the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. This publication supersedes NIST SP 800-63.
Posted in Authentication, Laws and Regulations, Policy and Governance, Risk Management
December 10, 2011
This report outlines the Obama Administration’s road map of priorities for government agencies that sponsor research and development on cyber-security.
As recommended in the Cyberspace Policy Review’s near-term action plan, Trustworthy Cyberspace replaces the piecemeal approaches of the past with a set of coordinated research priorities whose promise is to “change the game,” resulting in a trustworthy cyberspace. As called for in the policy review’s mid-term action plan, this plan identifies opportunities to engage the private sector in activities for transitioning promising R&D into practice. In addition, and consistent with the PCAST recommendations, it prioritizes the development of a “science of security” to derive first principles and the fundamental building blocks of security and trustworthiness.
Posted in Laws and Regulations, Policy and Governance, Security Strategy
November 5, 2011
Eric Chabrow / BankInfoSecurity
The National Institute of Standards and Technology said the draft publication defines high-priority requirements for standards, official guidance and technology developments that need to be met in order for agencies to accelerate their migration of existing IT systems to the cloud computing model. “A key contribution of the roadmap effort is to focus the discussion to achieve a clear understanding between the government and private sector, particularly on the specific technical steps – standards, guidance and technology solutions – needed to move federal IT from its current early-cloud state to a cloud-based foundation, as envisioned in the Federal Cloud Computing Strategy.
Posted in Cloud Computing, Infrastructure Security, Laws and Regulations, Policy and Governance
October 29, 2011
ComputerWorld / Nancy Gohring
The Small Biz Cyber Planner will ask a series of questions such as “Does your business use credit cards?” and “Does your business have a public website?” Based on the responses, it will generate a planning guide to help companies put in place basic policies to protect against cyberthreats.
Posted in Policy and Governance, Security Strategy, Tech and Laws
October 1, 2011
The National Institute of Standards and Technology (NIST) is currently seeking comments through Nov. 4 on its Guide for Conducting Risk Assessments.
In addition to providing a comprehensive process for assessing information security risk, the publication also describes how to apply the process at the three tiers in the risk management hierarchy—the organization level, mission/business process level, and information system level.
To facilitate ease of use for individuals or groups conducting risk assessments within organizations, a set of exemplary templates, tables, and assessment scales for common risk factors is also provided. The templates, tables, and assessment scales give maximum flexibility in designing risk assessments based on the express purpose, scope, assumptions, and constraints established by organizations.
Posted in Policy and Governance, Report / Paper, Risk Management, Standard / Framework
September 11, 2011
Steven De Haes / ISACA Blog
…..Governance of Enterprise IT (GEIT) is an integral part of corporate governance and addresses the definition and implementation of processes, structures and relational mechanisms in the organizations that enable both business and IT personnel to execute their responsibilities in support of business-IT alignment and the creation of business value from IT-enabled investments. GEIT clearly goes beyond the IT-related responsibilities and expands toward (IT-related) business processes needed for business value creation. ISACA frameworks such as Val IT and the upcoming COBIT 5 fully embrace these concepts.
Posted in Policy and Governance, Report / Paper, Standard / Framework
August 20, 2011
Cebula and Young / Carnegie Mellon
This report presents a taxonomy of operational cyber security risks that attempts to identify and organize the sources of operational cyber security risk into four classes: (1) actions of people, (2) systems and technology failures, (3) failed internal processes, and (4) external events. Each class is broken down into subclasses, which are described by their elements. This report discusses the harmonization of the taxonomy with other risk and security activities, particularly those described by the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST) Special Publications, and the CERT Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method.
Posted in Information Security, Policy and Governance, Report / Paper, Risk Management
July 10, 2011
The Framework and Process Reference guide exposure drafts are available for download from the ISACA site.
This foundational COBIT volume introduces the following, which combine to provide a comprehensive, effective framework to support the governance and management of enterprise information and related technology:
- Principles
- Drivers
- Benefits
- Enablers
- Other aspects
The COBIT 5 Process Reference Guide incorporates and is the successor to COBIT 4.1, Val IT and Risk IT processes. It describes the:
- Goals cascade
- Process model
- Process reference model
- Detailed processes
The online questionnaire will remain open until 31 July 2011.
Posted in Policy and Governance, Risk Management, Security Strategy, Standard / Framework
July 2, 2011
Sounds like the right move…
This new security challenge was on the agenda at the June 8th-9th meeting of NATO defence ministers in Brussels. Ministers agreed on an action plan and on a revised cyber defence policy which will not only ensure a quicker and more effective protection of NATO’s own network, but also provide the Allies and Partners with more assistance in preventing the cyber attacks, coping with them and limiting their impact.
The new strategy requires that all NATO structures be brought under a centralised protection system, and that all of its networks be monitored round the clock as of 2012.
Posted in Laws and Regulations, Policy and Governance, Security Strategy, Tech and Laws
July 2, 2011
The Federal Financial Institutions Examination Council (FFIEC) today issued a supplement to the Authentication in an Internet Banking Environment guidance, issued in October 2005. The purpose of the supplement is to reinforce the risk-management framework described in the original guidance and update the FFIEC member agencies’ supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment.
Posted in Authentication, Laws and Regulations, Policy and Governance, Risk Management
June 5, 2011
Dallas Boyd @ Homeland Security Affairs Journal
The motives behind disclosures of sensitive information vary, but a common refrain is that they spur remedial action that would otherwise be avoided. Critics argue, however, that these revelations recklessly endanger the public. Whatever their effect, a soft consensus seems to have formed that airing this information does not subtract from national security to such an extent as to justify the extraordinary powers that would be required to suppress it.
Posted in Cybersecurity, Laws and Regulations, Policy and Governance
April 30, 2011
More and more companies are coming up with formal Coordinated Vulnerability Disclosure processes and standards.
After a product or service is released, we feel security is a shared responsibility across the broad community. Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem. By working together through coordinated efforts when vulnerabilities are identified, we can effectively minimize customer risk while a solution is developed. We encourage others to adopt this philosophy in the interest of creating a safer and more trusted internet for everyone.
Posted in Application Security, Communication, Policy and Governance, Secure Coding
February 3, 2011
This is a follow-up to the 2008 report “Securing Cyberspace for the 44th Presidency”, published by the Center for Strategic and International Studies (CSIS), which included 25 recommendations for change. Now, two years later, CSIS has published this report to review where progress has been made on those recommendations and where action is still necessary. The report identifies 10 key areas where the nation must take action. It starts with
2010 should have been the year of cybersecurity. It began with a major exfiltration of data from Google and other Fortune 500 companies, saw the Department of Defense describe how its classified networks had been compromised, watched the Stuxnet worm cut through industrial control systems, and ended with annoying denial of service attacks over Wikileaks.
and suggests cloud computing as one of the solutions:
Cloud computing has weaknesses, but it also offers the opportunity to aggregate and automate cyber defense. Much of the burden of security will shift from consumers and businesses to service providers that may be better equipped to meet advanced challenges.
which is correct, but it will not come free: data security in transit from the end user to the cloud, and authentication, will be two big-ticket items that we need to pay for. The report ends with what will not work:
Many of the solutions still advocated for cybersecurity are well past their sell-by date. Public-private partnerships, information sharing, and self-regulation, are remedies we have tried for more than a decade without success. We need new concepts and new strategies if we are to reduce the risks in cyberspace to the United States.
Posted in Cybersecurity, Policy and Governance, Privacy, Report / Paper, Risk Management, Security Strategy, Tech and Laws, Threat Management
January 27, 2011
This is the simplest, most honest, and most practical answer to the question “how can I protect my privacy”: divulge less information about yourself on the web and other platforms!
…in many cases, there’s no need for someone verifying your credentials to know everything about you. A bouncer at a nightclub needs to know that you’re 21, not your name or home address. A county database may only require proof that you’re a local resident, not your phone number or e-mail address.
Old rivals Microsoft and IBM are developing a solution to this problem using a system called ABC4Trust.
Attribute-based Credentials (ABC) allow a holder to reveal just the minimal information required by the application, without giving away full identity information. These credentials thus facilitate the implementation of a trustworthy and at the same time privacy-protecting digital society.
One likely application for the ABC system: electronic identity cards issued by national governments. Microsoft has already demonstrated a system that can verify that someone is at least 18 years old and resides in Berlin, without disclosing an actual birthdate.
Posted in Communication, Consumer Information Protection, Policy and Governance, Privacy
January 22, 2011
If you missed this earlier, the FTC has extended the deadline for comments on its privacy report (Protecting Consumer Privacy in an Era of Rapid Change: a Proposed Framework for Businesses and Policy Makers) until Feb 18th.
Stakeholders emphasized the need to improve transparency, simplify the ability of consumers to exercise choices about how their information is collected and used, and ensure that businesses take privacy-protective measures as they develop and implement systems.
At the same time, commenters and participants urged regulators to be cautious about restricting the exchange and use of consumer data in order to preserve the substantial consumer benefits made possible through the flow of information. Participants noted, for example, that the acquisition, exchange, and use of consumer data not only helps to fund a variety of personalized content and services, but also allows businesses to innovate and develop new products and services that offer consumers convenience and cost savings.
Posted in Communication, Policy and Governance, Privacy, Report / Paper
January 20, 2011
At first glance it felt as if the author was trying to get attention with a controversial heading, but as I read the post I realized the author “drafted most of the original text that evolved into ISO 27002 and achieved the world’s first accredited certification”. Yes, it’s David Lacey (Director of Research, ISSA-UK) expressing his views on the current state of security.
Today’s ISO standards are based on a body of text created over twenty years ago. In fact, aside from a sprinkling of security technologies, which you can count on one hand, nothing really new has emerged in the lifetime of today’s security managers.
…..
The traditional Swiss Cheese model of defence in depth is falling down. It’s not just methods, standards and technologies that have failed to keep up with a changing threat landscape. We also lack the communications and psychology skills needed to influence security attitudes and behaviour across an extended community of networked staff, customers and suppliers.
But he also suggests solutions (i.e., what has worked or might work):
The Global Security Challenge encourages and rewards innovative security technologies……Virtualisation transforms the infrastructure from both a user’s and an attacker’s perspective…….Trusted computing also offers huge potential for eliminating a large slice of the risk landscape, through reliable, automatic device authentication and data encryption…….One thing is certain: We need much greater vision and investment in new security technologies.
Posted in Application Security, Cybersecurity, Policy and Governance, Standard / Framework
January 5, 2011
Howard Schmidt discusses the guiding principles that lie behind White House Internet policymaking: deterrence, resilience, privacy and partnerships.
The concept of privacy must evolve to a point that the information necessary for an online transaction is minimized and available for the shortest amount of time to validate the transaction and then vanish.
Posted in Consumer Information Protection, Policy and Governance, Privacy