Compliance and Privacy News
There are two stories this week that resonate with each other: Eversheds and their comments on data security policies, which back our own recent analysis of information security policies, and Ernst & Young, who have had the mixed fortune to hit the press a lot this year for losing laptops.
We're lucky, too, to have the VeriSign Security Review. We used to send these round as special newsletters, but from now on, with our sponsor's permission, we are placing them on the site itself. Alongside that is an iDefense webcast discussing the economics of vulnerability research.
Interesting, then, that the site is joined by Bruce Schneier's weblog. Bruce is one of the industry's most respected security gurus. Bringing his thoughts to you alongside Richard Stiennon and Tim Callan makes a great deal of sense. In fact we're looking for more big-hitting Compliance and Privacy bloggers. Let me know, please, if you know one or are one, and where the blog is.
As always, we welcome your feedback - do take part in the discussion forums. The more we get from you, the more we can tailor the content we're providing!
We are running a survey. Click the image of the poll on the left to go to the Compliance and Privacy site and look in the left hand navigation menu. Tell us about you and your organisation's use of SSL.
The image shows that this response uses SSL "Sometimes". Is this you? Do you use it only sometimes? If so, tell us why. If you never use it, tell us why.
We've a place for comments in our discussion forums. I've started the topic off; why don't you come and tell me your views?
Tell us about your use of SSL, good and bad experiences, ease or difficulty of implementation.
Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a "security guru," Schneier is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier.
His first bestseller, Applied Cryptography, explained how the arcane science of secret codes actually works, and was described by Wired as "the book the National Security Agency wanted never to be published." His book on computer and network security, Secrets and Lies, was called by Fortune "[a] jewel box of little surprises you can actually use." His current book, Beyond Fear, tackles the problems of security from the small to the large: personal safety, crime, corporate security, national security.
Schneier also publishes a free monthly newsletter, Crypto-Gram, with over 100,000 readers. In its seven years of regular publication, Crypto-Gram has become one of the most widely read forums for free-wheeling discussions, pointed critiques, and serious debate about security. As head curmudgeon at the table, Schneier explains, debunks, and draws lessons from security stories that make the news. Regularly quoted in the media, Schneier has written op-ed pieces for several major newspapers, and has testified on security before the United States Congress on many occasions.
Eversheds have allowed us to reproduce their article from their e80 service:
How valuable is your company's data security policy?
Security policies form an essential part of effective data protection compliance. The Data Protection Act requires that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or damage.
Therefore, although policies are valuable in many different types of business, they form a fundamental part of those businesses which store and utilise high volumes of sensitive or confidential information. Not only do such policies aid companies in operating within the Data Protection Act but they can also be used to help minimise any repercussions where data security does, for whatever reason, fail.
"As phishing continues to mature, one of the last sanctities supposedly free of such malice has been under attack. The SSL/TLS encrypted Web page used for securely transmitting private information has seen increased abuse by phishers. They took advantage of loopholes in some SSL Certificate practices and obtained certificates that make them look legitimate. IE 7 will change that, and enterprise security managers should take notice: the advent of High Assurance Certificates will prove its long-term effectiveness against phishing."
That is the opening paragraph from the May 2006 VeriSign Security Review. The full review is on Compliance and Privacy, as will be future reviews.
Ernst & Young have hit the headlines a lot recently. In the past, so has MI5. The FBI lose loads of laptops along with weapons, and oddly the US Department of Justice produces a report that lumps losses of laptops and weapons together!
How do you protect yourself from the "US Veterans" scenario where disks are taken home and stolen, too? Can you protect yourself?
Add this to the 60% who don't have, or don't know if they have, an infosec policy, and things start to look pretty amateur. But surely information security is not left to amateurs?
There are few who would argue that "there is no economic value in the discovery of security vulnerabilities". Evidence of this can be seen in the many business models that are emerging to profit from this knowledge. The question that remains is how these economic models impact those who are affected by the vulnerabilities themselves. This paper looks at the economic vulnerability models that exist in the market today and analyzes how they affect vendors, end users and vulnerability researchers. The markets addressed include the government, open, underground, auction and vendor markets. Each of these models is defined, including its expenses, revenues and challenges. The impact and implications of each model are also investigated. Finally, the paper examines how each of the models affects these various actors and projects the future of the market to see how the models that exist today will help to shape and drive the future of vulnerability research.
This is a live webcast. We value your participation. Please join us with a fully audio-equipped PC on 21 June 2006 at 2pm EDT; that's 7pm UK time, 8pm European time.
Readers should note that references to VeriSign's sponsorship are historical. That sponsorship ended on 28 February 2007, and is simply included here for context and historical purposes. VeriSign is not formally associated with this site in any manner, and has asked us to emphasise this point.