Sunday, March 25, 2007

Basic rules while on the net...

Just in line with my last post for a layman user on being safe on the net -- please read this article.

An additional note: Change the default user id and password on the router, and if you are an advanced user, put some physical (MAC) address based filters on it. That way the router will recognize only those computers that are on your network, based on the filter configuration.

Gift card float fraud scheme

Customer data stolen from TJ Maxx was used in what the investigators call the gift card float scheme. See details here. Some of the things that you should do are 1) always verify your purchases, either manually or using a tool like Intuit Quicken or MS Money, 2) notify your card company right away and invalidate the card, and 3) set up alerts on your credit report. You can get information on all of these through your bank, and many banks offer this for free to their clients.

Tuesday, March 20, 2007

Security at offshore vendors

With the advent of BPO has come a whole set of risks that may not be new, but are definitely new in their avatar. "Just How Secure Are Your Offshore Vendors?" is an interesting article that hits on the key assessment areas that you should focus on at your offshore vendors when they are handling your business processes. The article is available here.

Sunday, March 11, 2007

Should you stop at complying? Or go on to make money off of compliance?

As I mentioned sometime back, certain companies are having difficulty getting funding for their security and risk initiatives, while some are well funded already. The thing is that of the second lot, only a few use the funding wisely. It's mostly because the second set of companies (fortunate, of course, to get funding) set their goals on tactical security and risk initiatives, mainly to comply with internal requirements and/or external regulatory mandates. What they are not realizing is that the funding could be used in a strategic fashion to develop and implement projects that support the organization's risk initiatives and posture. Recommendation: Use the funding wisely... do not stop at compliance. It's only one milestone, and there are several others, achieving which would help your organization in ways unimaginable.

Tuesday, March 06, 2007

Email Retention - lessons from Intel

Marketwatch reports this morning that Intel may have lost its email pertaining to an antitrust lawsuit. Apparent from the article is a common issue that corporations have today: inconsistent implementation of policies related to security, risk, compliance and governance management. There is something that everyone can learn from this: (i) get your people (employees) on board with such policies, (ii) tie employee benefits/incentives to the quality of policy implementation, and (iii) continuously measure and monitor policy performance and adjust accordingly.

Friday, March 02, 2007

Real ID Controversy

Yesterday, Secretary Chertoff held a press conference on the Real ID initiative, which has been gaining controversy and momentum across the country. Truth be told, I am generally okay with a security-infused ID for every individual. However, I do not understand how the Secretary thought that some information was not top secret. To quote from the press release:

"Now here’s how these standards are going to work. It’s very simple and it’s really a matter of common sense. Applicants for driver’s licenses are going to need to bring documents to their state Department of Motor Vehicles offices in order to validate or prove five things: who they are, what their date of birth is, what their legal status is in the United States, their social security number and their address. None of this stuff is top secret stuff."

When he says that the Dept of Homeland Security will not maintain a master database of personal information on any individuals, I guess it's because all personal information is not all that personal anyway!

Perhaps that was not the intention he had, but it definitely requires re-characterization.

Building a case for security

A couple of nights ago, I attended a vendor-sponsored meeting where I heard some attendees talking about their issues in convincing their CFO to spend money on security initiatives. I thought this is a problem that should have a ready response from the security industry. Apparently not! So, how do you sell security and ask for a budget?

The point is: You will never be able to win funding without talking to the CFO in a language that he understands. I believe that connecting the dots between security and risk management is what is key in convincing the CFO to get the money. That is, lack of security means plenty of risks, and plenty of risks mean exposure that would directly affect the top management. As long as you do not distill your requirements in that fashion, it is not going to work in your favor. And stop blaming the CFO... he just does not understand what you are talking about!