For the second consecutive year, Ponemon Institute's annual study on the state of security and privacy in health care found that cybercrime was the leading cause of data breaches among hospitals and other medical providers.
Recently released documents set off renewed discussions about Hillary Clinton's information security practices as former U.S. Secretary of State.
Tampa International Airport has expedited and expanded an audit of its network security, following the resignation of an IT consultant who was allegedly found to have shared system passwords with unauthorized parties.
Germany, the United States and Australia were not shy when it came to asking Apple for customer information filing thousands of requests in the second half of 2015.
Microsoft is rolling out new certifications provided through the company's data portal.
A new report found that 16% of organizations do not use any cybersecurity framework and even among companies with more than 10,000 employees, 10% do not currently use a security framework.
The Privacy Shield negotiations have produced an unprecedented agreement between the US and the EU that there will be safeguards against the bulk collection of the EU citizens' data but critics are unconvinced.
For the first time, Google has added an HTTPS report card to its Transparency Report, tracking its progress toward its stated goal of 100 percent SSL/TLS encryption of data in transit.
A new blog post by security researcher Tavis Ormandy chastises security software certification programs for giving antivirus products high grades despite the presence of multiple low-hanging vulnerabilities.
The White House has released a draft of its Source Code Policy, which establishes rules for sharing custom software between federal agencies, in hopes of improving government access to applications and reducing development costs.
A senior U.S. Department of Commerce official spoke with SCMagazine.com Friday morning to defend the virtues of the newly introduced U.S.-EU Privacy Shield pact.
The FTC has ordered nine companies to provide information on the way they assess whether retailers and others are in compliance with Payment Card Industry Data Security Standards (PCI DSS).
The DoD has publicly disclosed its new Cybersecurity Discipline Implementation Plan, which assigns leaders across all military branches greater responsibility for fortifying operational systems against cyber intrusions.
Digital rights group the Electronic Frontier Foundation (EFF) yesterday came out swinging against the Privacy Shield, the intended successor to the recently invalidated EU-U.S. Safe Harbor agreement.
A survey of IT professionals casts light on some of the trust and compliance challenges that plague the information security sector.
As cyber attacks continue to increase, IT departments continue to be challenged by older techniques, such as targeted phishing attacks, because the attacks bypass perimeter defenses and are difficult to prevent.
64 percent of more than 1,100 IT security executives believe that simply meeting cybersecurity compliance requirements, as opposed to striving for best practices, is "very" or "extremely" effective at preventing data breaches.
Two reports by a legal competitive intelligence group shed light on how perspectives are shifting among legal professionals.
Moody's will begin to place more weight on considerations related to cyber risks when issuing credit ratings, the agency announced in a report.
Dark web version of GitHub offers a place for developers to code controversial projects anonymously.
Network defense of the nation's critical infrastructure is sorely lacking, according to a report by the Government Accountability Office.
The Federal Communications Commission (FCC) dismissed a petition to require websites to honor "Do Not Track" requests.
Regulatory agencies in the U.S. are increasingly concerned by ransomware attacks against financial institutions. The Federal Financial Institutions Examination Council (FFIEC) published a statement warning financial institutions of an uptick in the "frequency and severity of cyber attacks involving extortion."
The U.S. Department of State's Defense Trade Advisory Group (DTAG) met to discuss the classification of "cyber products" and reportedly recommended against adding new "cyber products" to the munitions list.
New internet laws agreed by the European Parliament today have been branded a threat to encryption by campaigners including British World Wide Web inventor Sir Tim Berners-Lee.
Millennial IT professionals who have worked at a single employer for seven years or more pose the greatest internal risk to their company's security, according to a report.
Criminals have figured out ways to 'hack' chip and PIN cards, several years after University of Cambridge researchers proved it was possible.
To bridge the gap between governance, risk and compliance (GRC) and IT security, organizations must adopt best practices that include automation, raising awareness and documentation, a panel of industry professionals told an audience Tuesday at SC Congress New York.
The National Institute of Standards and Technology (NIST) unveiled two projects designed to secure email.
Symantec has discovered that unauthorized HTTPS certificates were issued for Google webpages and has terminated the employees who were involved in issuing the certificates.
This webinar will examine the business risks and regulatory compliance requirements associated with file transfers.
Comcast settles charges of unauthorized disclosure of details on 75,000 who paid for unlisted VoIP telephone service.
Internet service providers in Russia were ordered to block access to Wikipedia, but the efforts have been thwarted by HTTPS.
Demonstrating compliance with PCI DSS is far from a trivial exercise. Are you sure you can document your organization's compliance with the new 3.0 standards?
Nearly two-thirds of survey respondents believe their organization is a potential target for nation-state cyberattacks.
The Office of Management and Budget (OMB) proposed new cybersecurity guidelines earlier this week to help government agencies draft contracts with third-party groups.
Morgan Stanley dodged a bullet this week when the Federal Trade Commission (FTC) ruled the firm did not violate security protocols concerning a breach earlier this year.
Managing compliance and risk has become one of the most torturous assignments in the enterprise, particularly for those that must adhere to the ever-increasing challenge of industry, state and federal regulations.
The aviation authority instructed operators to take "interim action" to prevent loss of AC electrical power, until a software fix is available.
EMV, despite its security advantages over magnetic stripe cards, cannot prevent "wholesale breaches of large numbers of credit card numbers," report authors said.
Sprint Communications has agreed to pay $15.5 million to the federal government for charging law enforcement agencies for surveillance upgrades.
NIST and NARA collaborated to produce the final draft of "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations."
Retired Senior Executive, CIA - Insider Threat Detection, Larry Knutsen, will review the evolution of U.S. policy on insider threats and what it means for your organization.
A recent Verizon study found that regular testing of security systems was a compliance weak point for merchants.
Sarah Dahlgren, the New York Fed's head of supervision, announced that the bank had created a team dedicated to cybersecurity.
A Russian man who was arrested in Spain on suspicion of cyber fraud reportedly will be extradited to the U.S. within the next few days.
The Obama administration has set another record for withholding government files under the U.S. Freedom of Information Act.
The percentage of companies compliant with PCI DSS Requirement 11 dropped to 33 percent last year, a Verizon report found.
Today there are more options for securing enterprise data than ever before. Yet with so many approaches, choosing the best fit isn't always an easy decision.
President Obama told Reuters that cybersecurity requirements proposed by China need to change if the country wants to do business with the U.S.
The rules, approved Thursday, ban ISPs from charging for internet "fast lanes," or blocking legal internet services.
Virtualization changes everything. The agility and cost efficiencies enabled by virtualization and the cloud are beneficial, as long as you understand why virtualization requires different security.
President Obama imposed sanctions against North Korea, a medical services provider will be forced to pay a "neglect" penalty over HIPAA violations, the House passed the Intelligence Authorization Act, and other security news.
The DHS will gain more control - and federal cybersecurity likely will be improved - when a FISMA update is passed, reports Lee Sustar.
In an attempt to put the issue to rest, the agency warned businesses against blocking guests' personal hotspots.
The wolf isn't at your door, it's inside. Ignorance is definitely not bliss. Just ask any of the regulatory agencies.
Identity is a critical component of proving compliance. Whether complying with industry regulations or security best practices, your auditors need to know who has access to what servers and data as well as who exactly did what, where and when.
A panel held during the annual NRF conference discussed ways that retailers could bolster security.
Last October, the FCC came after Marriott with a $600,000 fine.
New Jersey Governor Chris Christie signed the legislation last Friday.
The privacy controls will be added to version 7 of HITRUST's CSF due out later this month.
Part of my role requires me to ask questions that an auditor might. This is especially true when it comes to compliance, why it matters, and how it makes a difference.
The alliance defined specifications for devices, servers and client software that will help usher in the "post password" era.
The reality of ubiquitous reliance on ICT has given rise to the criticality of cyber security, says Cisco CSO Edna Conway.
The company has agreed to pay $200,000 as part of the settlement, and will be required to beef up its COPPA-related reporting activities.
Veterans Affairs has failed an annual cybersecurity audit for the 16th year in a row, a new report reveals.
Security teams are sharply focused on bringing security to applications and meeting compliance requirements in the delivery of these applications and services.
When a care provider supplied laptops to its roving employees, it added a security solution to enable efficient collaboration. Greg Masters reports.
Whether it's for PCI compliance or HIPAA assessments, companies follow the conventional model of point-in-time certification accompanied by a costly and painful annual review and correction process.
The search engine company updates its piracy report to let users know how it's adjusting search results to stop illegal piracy efforts.
The FCC launched an investigation last year after a consumer complained of the practice.
Needing more than signature-based remedies, First Financial Bank found a way to close the gap between what exists and what's possible. Greg Masters reports.
The nonprofit organization alleges that the Maricopa County Community College District violated the FTC's "Safeguards Rule."
We explore the landscape today with which security teams must contend and compile a number of best practices and strategies you can apply to protect your company.
The Center for Digital Democracy has asked the FTC to investigate 30 U.S. firms' data collection practices, including Adobe, AOL and Datalogix.
The guidance is meant to help merchants and third parties better understand their roles and responsibilities in the payment security ecosystem.
The consensus from our panel of experts is that PCI DSS should be just one item on a far broader effort to integrate data security into enterprise risk management.
As a precaution, the ID theft protection service has removed the app from the App Store, Google Play, and Amazon Apps.
The Federal Trade Commission banned the retailer from misrepresenting its adherence to an international security framework.
The agreement marks the largest HIPAA settlement to date.
Is there such a thing as an exchange of secure information in an insecure world?
A Texas-based company, Concentra, paid the HIPAA settlement stemming from a 2011 breach.
Introduced Tuesday, the Digital Privacy Act includes stiff penalties for organizations that fail to adequately respond to breaches.
Let's agree on a definition of the term "security" and move forward from there, says AT&T's Chris Mark.
The Federal Trade Commission has charged 12 companies with falsely claiming to comply with the U.S.-EU Safe Harbor Framework.
GRC is at once the biggest pain point (arguably) of most large organizations and the most important task that does not usually get done right.
Information security personnel are challenged with protecting company reputation and enterprise and customer data from a constant and expanding barrage of cyber criminals.
Version 3.0 of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) became available today.
One issue with password systems has always been the 'reset' problem: what to do when a user forgets their password.
While already ubiquitous in much of the world, mobile payment options are gaining traction in the United States, reports Stephen Lawton.
So far, one solution, developed by European Payment Services, has been verified under PCI security standards for point-to-point encryption (P2PE) hardware.
In a perfect world, enterprises would know exactly when an auditor is going to show up, the questions they will ask, and data would be presented on a silver platter ready to prove the organization's compliance.
A major area of concern for security personnel these days is how we are able to achieve and maintain compliance with multiple regulatory governing bodies.
Business associates of HIPAA-covered entities are now legally bound to follow the same guidelines when securing patients' protected health information.
There are a few key things every business should consider to truly improve data security.
Robust enterprise security requires more than checking compliance boxes, says Diebold CSO Adam Williams.
The promise of governance, risk and compliance technology is alluring, but getting it to work effectively is a different story, reports Alan Earls.
The latest version of the payment security industry's data safeguarding standard should also include mandates and guidance around risk management, penetration testing and mobile.
Facebook has released its first-ever transparency report, a document breaking down the number of worldwide government requests for data on users. Not surprisingly, the U.S. is far and away the leader.
The council released a highlight of potential new requirements and guidance to the PCI Data Security Standard and Payment Application Data Security Standard, both due out in November.
SC Magazine Articles
- GCHQ infosec group disclosed kernel privilege exploit to Apple
- 77% of organisations unprepared for cyber-security incidents
- 117 million LinkedIn email credentials found for sale on the dark web
- Furtim malware can run AND it can hide
- Ubiquiti warns of worm using known exploit on outdated AirOS firmware
- Some U.S. Bancorp workers' W-2 info exposed in ADP data breach
- Spearphishing attack nets $495K from investment firm
- Updated: Gmail, Yahoo email credentials among millions found on the dark web
- Report: Ransomware feeds off poor endpoint security
- Organizations need formal vendor risk management programs, study
- 2.5K Twitter accounts hacked to spread links to adult content
- Study: Federal agencies still lack strong cyber hygiene practices
- Petya and Mischa - the Ransomware Twins (sort of)
- Bad guys update ransomware DMA Locker with version 4.0
- Lieu, Hurd urge colleagues to use encryption, improve cyber hygiene