Canadian privacy bill floats $100k fine per breach victim not notified

Introduced Tuesday, the Digital Privacy Act includes stiff penalties for organizations that fail to adequately respond to breaches.

The need and the challenge

Let's agree on a definition of the term "security" and move forward from there, says AT&T's Chris Mark.

Companies settle over false data security framework compliance claims

The Federal Trade Commission has charged 12 companies with falsely claiming to comply with the U.S.-EU Safe Harbor Framework.

2013 Industry Innovators: Security infrastructure

GRC is at once the biggest pain point (arguably) of most large organizations and the most important task that does not usually get done right.

The changing face of data protection

Information security personnel are challenged with protecting company reputation and enterprise and customer data from a constant and expanding barrage of cyber criminals.

PCI council publishes updated payment security standards

Version 3.0 of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) became available today.

Don't forget forgotten passwords

One issue with password systems has always been the 'reset' problem: what to do when a user forgets their password.

Clutter in the airwaves: Mobile payment security

While already ubiquitous in much of the world, mobile payment options are gaining traction in the United States, reports Stephen Lawton.

First P2P encryption solution gets PCI council seal of approval

So far, one solution, developed by European Payment Services, has been verified under PCI security standards for point-to-point encryption (P2PE) hardware.

How to breeze through your next compliance audit

In a perfect world, enterprises would know exactly when an auditor is going to show up, the questions they will ask, and data would be presented on a silver platter ready to prove the organization's compliance.

Toeing the line...across sectors

A major area of concern for security personnel these days is how we are able to achieve and maintain compliance with multiple regulatory governing bodies.

Compliance deadline on HIPAA rules brings expanded responsibilities for third parties handling data

Business associates of HIPAA-covered entities are now legally bound to follow the same guidelines when securing patients' protected health information.

Biting the silver bullet: Protecting corporate assets

There are a few key things every business should consider to truly improve data security.

Cover those blind spots: Establishing protocols that go beyond compliance

Robust enterprise security requires more than checking compliance boxes, says Diebold CSO Adam Williams.

Three's company: Governance, risk and compliance

The promise of governance, risk and compliance technology is alluring, but getting it to work effectively is a different story, reports Alan Earls.

PCI DSS 3.0 is a start, but more changes are needed

The latest version of the payment security industry's data safeguarding standard should also include mandates and guidance around risk management, penetration testing and mobile.

Facebook now documents requests for information it receives from governments

Facebook has released its first-ever transparency report, a document breaking down the number of worldwide government requests for data on users. Not surprisingly, the U.S. is far and away the leader.

PCI Council previews changes to data security standards

The council released a highlight of potential new requirements and guidance to the PCI Data Security Standard and Payment Application Data Security Standard, both due out in November.

Data breach numbers don't lie: How organizations can protect against accidental data loss

To effectively mitigate mobile risk, organizations should employ the same content security capabilities, and ideally leverage the same content policies and rules in mobile environments.

White House offers incentives for critical infrastructure companies participating in cyber security program

The tentative list of incentives would entice companies to participate in the "Cyber Security Framework," a measure that aims to help the nation stave off industrial attacks.

Understanding parallax and convergence to improve security

To address today's threats, companies require a high degree of convergent perspective, information expertise, and coordination between personnel and groups.

Beyond the checkbox: PCI DSS

An upcoming update of a credit card standard offers an opportunity to assess overall security, says Symcor's Della Shea. James Hale reports.

Stopping data breaches, compliance violations and lawsuits by harnessing Big Data

Finding each sensitive document and email in a massively growing data center is near impossible, but finding all of them requires a simpler strategy.

It's time for leaner, more efficient IT operations

Most companies actually require only a small IT operational team, and can greatly reduce the costs associated with ensuring compliance and security.

Blue Coat may be selling monitoring technology to additional repressive regimes

According to a Citizen Lab report, security firm Blue Coat also may have violated U.S. sanctions that bar the sale of technologies to countries with a history of human rights grievances, such as Iran, Syria and Sudan.

Protecting regulated mobile data a gray area for practitioners

A study has found that 40 percent of IT security professionals weren't sure if their organizations were compliant with laws governing mobile data.

Is your IT department "donating" your attorney-client privilege without your knowledge?

There are a number of organizations out there that ask for — and often receive — access to data on both successful and unsuccessful attacks on your technology infrastructure.

2013 ebook on GRC

In order to achieve implementation throughout the various units of a business, a chief compliance officer must be put in charge of coordinating the security pros running the network to the managers all the way up to the boardroom.

Decoding the cloud

Unfortunately, data security and regulatory compliance requirements do not evaporate in the public cloud, says Vormetric's Ashvin Kamaraju.

PCI compliance in the cloud decoded

As interest in the public cloud remains strong, a security expert makes sense of new recommendations for securing payment card data in those environments.

Retailer fights PCI fines for noncompliance after breach, sues Visa

Sportswear retailer Genesco is suing Visa after the credit card company imposed more than $13 million in fines.

Hotel tech trade association offers best practices for reducing payment card risk

When it comes to credit card fraud, the hospitality industry has offered an attractive target for cyber criminals. Now, one trade group is helping these properties overcome security and compliance hurdles with a new framework.

Following cyber order from Obama, CISPA is back

Lawmakers have begun debate on the controversial threat information-sharing bill known as CISPA, which would complement the president's cyber security executive order. But it has a host of privacy objections to clear first.

PCI council clarifies merchant's cloud security obligations

The Payment Card Industry Security Standards Council (PCI SSC) released recommendations for card data security and compliance in cloud environments.

The security and compliance option that every CIO should know about

Depending on an organization's size, managing the attack surface isn't as simple as checking items off a list.

PCI e-commerce guidance issued for merchants

The council charged with administering the PCI standard has documented common vulnerabilities in online payment environments and offered suggestions for installing technology to deter threats.

Video: The benefits of legal counsel

Bryant Bell, senior product marketing manager of Guidance Software, sits with SC Magazine reporter, Danielle Walker, to discuss some of the benefits of having legal counsel in the security industry.

Security as the infrastructure platform of the future

January is a good time to plan. It's the start of a new year and those things that seemed so far away in December are suddenly right around the corner.

U.S. Health Department unveils new HIPAA rules

The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security rules undergo their biggest changes since the legislation was passed in 1996.

How do you drive IT security innovation? Try thinking like a user!

It's time for an anthropological approach that protects users based upon enablement, not disablement.

Compliance confluence: 1st Credit and SureCloud

A highly regulated debt collector from the U.K. needed to achieve compliance, but it wanted to scrap all of the point solutions on which it traditionally relied.

Risky business: Marriage of compliance & security

Compliance brings with it the stigma of cost, complexity and confusion, but viewing it from a risk point-of-view may help make it more tolerable.

California sues Delta Air Lines over mobile privacy

The Golden State recently revived a decade-old law to begin going after alleged offenders whose mobile apps don't contain a "conspicuous" privacy policy.

Comparing programs can yield rewards

We all know what we spend internally, but how do we get reliable, timely information for comparison purposes?

ISP piracy alert system now expecting early-2013 launch

The Center for Copyright Information attributes the push back to Hurricane Sandy-related testing delays.

PCI council issues guidance to help meet risk assessment piece

The PCI Security Standards Council, the body that manages the payment security industry's guidelines, on Friday released a methodology for meeting a risk management requirement included in the standard.

Security firm Trustwave among defendants in S.C. breach suit

A South Carolina attorney has amended a lawsuit to include compliance assessor Trustwave as a defendant, opening the door to whether a security provider can be held liable for a breach at a customer's site.

SC Congress Chicago: Build a program that supports compliance

At SC Magazine's Chicago security conference, professionals from various industries aimed to simplify strategies for tackling security guidelines and regulations.

Game on: Case study with Electronic Arts and Allgress

Video game players are used to fending off alien invaders, but the IT staff at Electronic Arts (EA) was challenged to reduce cyber risk within its own environment.

Compliance

At a recent SC Magazine Roundtable, information security and compliance professionals discussed how changes in technology are leading to an evolution in their roles.

Appellate ruling leaves bank security responsibilities unclear

In a major victory for organizations that have sustained massive losses due to unauthorized transactions made by hackers, an appellate court has ruled in favor of a Maine construction company against its bank.

GRC

Global companies facing a slew of regional laws, as well as small and midsized companies required to meet regulatory demands, need governance, risk and compliance solutions.

Medicine man: Risk assessment

In 1854, an English physician was one of the first to use an epidemiological method to ID disease risk. Ben Sapiro of the Dominion of General Insurance Co. wants his peers to do the same with security.

Global Payments working to again validate its PCI compliance

For the first time, breached processor Global Payments disclosed on Tuesday that a number of card brands have removed the company from their approved list of service providers.

Can't we just ignore PCI DSS?

Adopting PCI DSS is a sensible thing to do from a security perspective, says New Net Technologies' Mark Kedgley.

A room of her own: Philips Electronics North America and Wisegate

A privacy officer at a global company found a way to collaborate efficiently at a top level, while ensuring the protection of company assets, reports Greg Masters.

Will Bill C-11 make backups illegal in Canada?

Canada's Bill C-11 leaves us with a few concerns and unanswered questions when it comes to rules and restrictions on the process of data backup.

Manage your risk, not somebody else's

The primary driver for security should be to cut risk rather than attempting to churn through an unending string of audit and compliance exercises.

Sponsored Video: Greg Fitzgerald of Fortinet on data management

Fortinet's Greg Fitzgerald discusses major vulnerabilities, data management, and privacy and compliance issues in the industry at this year's RSA Conference 2012 in San Francisco.

RSA Conference 2012: Risk management in the enterprise faces challenges

A panel discussion on risk management hovered around issues of balancing the scientific element of data gathering with the art of interpreting the information.

Defining a DLP strategy

DLP solutions remain fairly immature, but the need to protect and monitor sensitive information is greater than ever.

Why big business is dealing with big security concerns

Businesses are forced to implement specific security mandates even if they don't support their actual security goals.

An educated decision: Network smarts at WVU

West Virginia University was looking to protect student and staff data. It found a software solution to assist in the process, reports Greg Masters.

Campus relief: Kilgore College and Viewfinity

A community college in Texas found a tool that enabled it to fend off viruses while coming into compliance, reports Greg Masters.

Getting serious about health care security

Health care providers and their patients both have parts to play in the high-stakes game of protecting sensitive medical information, especially as technology becomes easier to implement and enforcement of regulations intensifies.

Security spending to increase in 2012, survey shows

While the nation's economy remains in the tank, the information security market appears to be avoiding a major slowdown.

Best Enterprise Security Solution & Best Regulatory Compliance

Throughout the day, SC Magazine will be announcing the finalists from each of its 32 award categories. Now, let's turn to our Excellence section.

Check Point adds Dynasec for governance, risk, compliance

Check Point Software Technologies bolstered its portfolio Monday with the acquisition of privately held Dynasec, a 7-year-old, Israel-based provider of governance, risk management and compliance solutions.

Overcoming America's lost decade of IT security

An overreliance on compliance and limited information sharing between the federal government and the private sector have resulted in attackers holding a firm edge over security professionals. How do we take back a decade of losing?

FISMA compliance to require monthly reports

Beginning in October, federal agencies will be required to report on their information security posture on a monthly basis, instead of annually.

Keys to the city: Richmond, Va. and PacketSentry

The city of Richmond, Va. found a solution to help prevent trojans from entering the gates, reports Greg Masters.

Something borrowed: Benefits of PCI

The prescriptive nature of the Payment Card Industry Data Security Standard, often referred to as PCI, can benefit even those companies not processing credit card transactions.

In search of a global network security standard

A government-adopted and enforced global benchmark for network security may lend value, and borrowing from the PCI DSS playbook could help in its creation.

Internet security an early focal point for new government

Internet security vaulted into the spotlight as an early focal point for Prime Minister Stephen Harper's new government, on both the domestic and international fronts.

Thoma Bravo buys Tripwire after it drops IPO plans

Private equity investment firm Thoma Bravo has bought Tripwire, a year after the compliance maker had planned an IPO.

Diversity breeds system resilience

IT managers should consider the benefits of non-interoperable platforms, says AT&T's Ed Amoroso.

Education Dept. proposes new privacy, data sharing rules

As part of a broad effort to better safeguard student privacy, the U.S. Department of Education hired its first ever chief privacy officer.

Scaled down, armored up: Small and midsized business protection

For many small and midsize businesses, neglecting IT security is a thing of the past, reports Angela Moscaritolo.

SC Magazine's CSO of the Year

SC Magazine has recognized Scott Sysol of CUNA Mutual Group as CSO of the Year for his work around data privacy, risk reduction, enterprise-wide IT controls and tapeless backup.

2011: A security manager's wish list

This year, thanks to a renewed focus on the insider threat, the longings of the security professional may come to fruition.

Cybersecurity update fails with "don't ask, don't tell" vote

Senate Republicans on Thursday shot down an attempt to repeal the military's "don't ask, don't tell" policy that bars gays from serving openly, likely the death knell for a bill that also would have brought major changes to the way the federal government handles information security. A U.S. Senate procedural vote on Thursday to continue debating the National Defense Authorization Act of 2011 failed to garner the 60 votes necessary to move forward. The bill, passed by the House of Representatives in May, contains provisions to update the Federal Information Security Management Act (FISMA) and establish a cybersecurity office within the Executive Office of the President. — AM

Senate votes to exempt lawyers, doctors from Red Flags

Lawyers, doctors and accountants may avoid having to comply with the Federal Trade Commission's new identity theft rule.

Eight questions CIOs should ask on cloud security

As more organizations continue migrating to the cloud, what should information leaders at organizations be asking of their provider?

Legal matters: Aon Corp. and Mitratech

Brokerage services provider Aon Corp. found help in streamlining its network operations throughout its global reach into 120 countries, reports Greg Masters.

PCI Council: P2PE simplifies PCI DSS compliance

The group responsible for managing payment security rules plans to release two new guidance documents early next month assessing the impact of emerging data security technologies on payment card security.

IBM buys compliance software firm OpenPages

IBM on Wednesday announced that it has agreed to acquire Waltham, Mass.-based risk and compliance management software provider OpenPages for an undisclosed sum. In a news release, IBM said the acquisition will expand its ability to help businesses address risk management and compliance challenges. OpenPages, which will be integrated within IBM's Business Analytics software portfolio, offers solutions to assist organizations with internal audits, vendor risk management and IT risk and compliance management. The company has more than 200 clients, including Barclays, Duke Energy and Carnival Corp. — AM

HP to buy ArcSight for $1.5 billion

Another IT security company was gobbled up by an IT bellwether when HP on Monday announced plans to acquire Cupertino, Calif.-based SIEM provider ArcSight for $1.5 billion.

Is there a silver bullet to the payment industry's data security woes?

Security professionals must consider all the options available to them to secure cardholder data.

Control corporate financial risk

Entitlement reporting can help organizations control risk and meet compliance mandates, while accounting for employee access.

PCI Council unveils expected changes for DSS guidelines

The body that manages PCI guidelines has released a summary of expected changes, but merchants will not find any mention of emerging data security technologies.

Dealing with compliance: Interview with Michael Thelander, product marketing manager at Tripwire

SC Magazine Deputy Editor Dan Kaplan sits down with Tripwire's Michael Thelander to learn whether compliance remains a driver for organizations, especially as new regulations pop up and existing mandates become more stringent. Thelander also touches on compliance in the cloud, and whether it can be achieved.

IBM buys IT management provider BigFix

IBM on Thursday announced plans to acquire BigFix, an Emeryville, Calif.-based provider of security management solutions. Specifically, BigFix software offers a single IT management platform that allows organizations the ability to manage applications for vulnerabilities, systems lifecycle, configuration and compliance. Terms of the deal were not disclosed, but a Bloomberg report valued the transaction at $400 million. IBM's last security-related acquisition was last fall when it picked up database security firm Guardium for a reported $225 million. — DK

Security budgets stable or increasing at financial firms

Drivers such as compliance and insider threats are helping to keep information security budgets at financial institutions alive and well, according to a new study.

Today's CISO can sink or swim

Leave behind technological baggage and build business, says Verdasys' Emeric Miszti.

PCI Council releases new PIN security standard

The group responsible for managing payment security rules has released version 3.0 of the PIN Transaction Security (PTS) standard. The new version replaces the PIN Entry Device (PED) standard in an effort to streamline point-of-sale security guidelines to also cover unattended payment terminals, such as fuel dispensers, and hardware security modules, which are nonuser facing devices used in PIN translations. The update "simplifies the testing process and eliminates overlap of documentation," according to the PCI Security Standards Council. The council also plans to release updates to its Payment Application Data Security Standard and flagship PCI Data Security Standard later this year. — DK

New PCI internal assessor training program

The PCI Security Standards Council, tasked with managing the Payment Card Industry Data Security Standard (PCI DSS), on Friday announced a new training program designed to educate internal security personnel on conducting assessments. The three-day course, to be led by PCI Council experts, either will enable security departments to better work with third-party assessors or allow them to conduct their own assessments, Bob Russo, the council's general manager, told SCMagazineUS.com. Merchants that process more than six million annual transactions are required to conduct annual on-site PCI DSS assessments. Classes will be held in multiple locations. For more information, including pricing, visit here. — DK

Study finds businesses spending too much on compliance

A new report from Forrester Research's consulting arm reveals that organizations are focusing too much on compliance and not nearly enough on protecting valuable proprietary information.

Two-day SC Magazine PCI econference continues today

Join us Tuesday and Wednesday for our special two-day SC eConference and Expo: Complying with PCI.

Solid state: A new state data breach regulation

A new privacy regulation in Massachusetts evokes anxiety for many, but getting in line may prove to be no big deal, reports Greg Masters.

Forty percent using compensating controls to meet PCI

Forty-one percent of merchants are relying on compensating controls to meet Payment Card Industry Data Security Standard (PCI DSS) requirements, according to a survey released Monday by the Ponemon Institute and commissioned by encryption firm Thales. The survey polled 155 qualified security assessors, who are charged with confirming a company's adherence to PCI. Compensating controls "may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints," according to the PCI Security Standards Council. — DK
