Friday, November 3, 2017

Data Privacy and Security : Where to draw the lines?

For the longest time, information security and data privacy have been interpreted hand in hand when it comes to digital or electronic data. While this is true for the most part as far as security controls to ensure data privacy is achieved to meet certain regulatory laws or requirements (depending on geographic locations), it is also equally important to understand the legal side of things which might not always be all about  technical security controls. Since the interpretation are usually left for lawyers and legal personalities to debate and in some cases might tend to be stretched a little too far, it is always a good idea to come back to the basics of things every once in a while so as not to be lost or overwhelmed (or even loose your hair along the way (pun intended).

1. Define and refine the scope.

This is crucial as this will determine if your company's data privacy compliance process will last for months or even a year and therefore too exhausting (not to mention bandwidth and budget also) for most of us already on a tight budget so the ideal guideline would be to follow the KISS method as much as possible. (Keep It Simple Stupid) 
2. Don't forget the 3 basic state of data. PHI/PII data would cover data at rest (stored), data in use (live), and data in motion (transmitted back and forth over the network).

3. Get your legal dictionary game on. Although people with legal background will likely tend to initially lead the march towards data privacy compliance, it would not hurt for technical security folks like us to grab as much legal terminology boot camp or workshops (whether formal or online) so as not to get easy lost with all the legal jargons and terminologies that will come your way everyday once the ball gets rolling. This does not mean that you can trade legal debacles with data privacy "expert "lawyers but just to be on the same page with them would already be a big plus. This would also help you focus on your disposition and not let your decision making as a data privacy stakeholder be swayed by purely legal opinions and thereby help the team come up with a collaborative/joint decision instead on just picking a side had if you just listened to their views by ear.

Monday, October 9, 2017

PCI-DSS : What you need to know without losing your hair along the way

PCI-DSS is currently regarded as one of the most credible international standard when it comes to certifying any organization that involves handling/processing of credit card data. Even though it is well detailed in the PCI-DSS official website, it won't hurt to understand the basics first before anything else as it can be very easy to be loose track of what the standard was trying to protect to begin with once multiple interpretations have been by multiple parties (i.e. self-declared "experts", consultants, IT people, etc. and what not).

Wednesday, October 4, 2017

BCP and Security : Are they really related?

For security professionals who are more familiar with CISSP and similar certifications, Business Continuity Planning (BCP) or its distant relative Disaster Recovery (DR) are intertwined with security as a module even though some would argue that it does not fall under the realm of Confidentiality and Integrity in the information security triad or CIA of things (A for availability).
However, based on my actual experience these past few years, they seem to be more of an inter dependency than anything else when it comes to an actual crisis event. Security controls take a momentary backseat from senior management priorities when loss of profit is imminent. Hence it is equally important to keep of track of things during and after an actual crisis so as not compromise a company's security posture once business as usual (BAU) is restored. Even better would be to on top of things during one so security controls are only partially relaxed and not completely set aside if senior management insists.

Saturday, September 30, 2017

Security Incident Management : More than computer alerts

When you hear the phrase "Security Incident Management" or any derivative of such, some information security people may immediately associate this with computer related events which in reality, forms only a part of an ideal information security incident management process, that is if we are truly going to cover the people, process and technology aspect of security.  

A security incident is defined as an adverse event in an information system and/or network that pose a threat to computer or network security. In other words, an incident is any event that causes, or may cause a breach of information security in respect of availability, integrity and confidentiality. Examples of such incidents could be unauthorized access to the company's information system, disruption of data, denial of availability, misuse of system resources, computer viruses and even hoaxes.

The following are the wider types of incidents: 

Physical Security
A physical security incident is the act of violating an explicit or implied physical security policy. Examples of such incidents could include activity such as:
Attempts (either failed or successful) to gain unauthorized access to a facility

Riots / strikes which could adversely affect any of the company's locations

Theft of company property

Logical Security
Any real or suspected adverse event in relation to the security of computer systems or computer networks can be termed as a logical security breach. In other words, a logical security incident can be defined as network or host activity that potentially threatens the security of computer systems

Examples of such incidents could include activity such as:
Attempts (either failed or successful) to gain unauthorized access to a system or its data

Unwanted disruption or denial of service

The unauthorized use of a system for the processing or storage of data

Changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent

Personnel Security
Any act of abuse, threat, or assault directed by or against company employees or their property can be termed as a personnel security incident. Such breaches can occur in the performance of their duties or as a direct result of their duties. Commonly occurring examples of such incidents are: A person threatening another person over e-mail

Harassment at the workplace

Violation of other company behavioral policies or misconduct
Certified Ethical Hacker Network Security Internet Security Computer Security Wireless Network Security