
Archive for February, 2008

CIPP - 3rd Entry

This section addressed the privacy aspects of personal data uses and covered the range of data movement. It dealt with how data is transferred and transported in and out of an organization and among its subsidiaries, vendors and partners.

I felt that this lesson was more targeted as a reminder of the basic building blocks of what is included in a privacy policy. The speaker went through a company’s inventory of personal data assets and the steps necessary to go about establishing the organization framework for a comprehensive privacy information structure.

I could not easily relate to the first half of this lesson because it dealt more with the tactical strategies of creating a privacy plan within a corporation. The speaker spent the first half of the lecture on the importance of policy building blocks and how the process of company inventory needs to be engineered from a privacy perspective. I felt that this section was more applicable to seasoned privacy professionals who are more in tune with how their industry and companies guard PII.

The part that really resonated with me was the lesson related to vendor and contract management. In most of my law classes, a recurring topic is how attorneys can best limit or prevent liability for our clients. I was reminded of all the case readings that show how an ambiguous contract can leave clients exposed to being sued. The need for companies to have strong information security controls vis-à-vis their vendors when dealing with PII is a crucial part of a contract. The list of questions that need to be answered is too numerous for one article but includes issues with audits, training and awareness, further use of shared information, use of sub-contractors, and the ability to exit a contract.

In my software and licensing drafting courses, we are constantly going over how the contract language can shift responsibility and liability onto a party. This section of the lecture reminded me of issues related to respondeat superior, which holds an employer responsible for the actions of employees performed within the course of their employment. Unless you specifically have an indemnity clause in your contract, a breach of PII by a vendor could have serious financial consequences for a company. It is crucial to have a proper vetting process for vendors and a clear contract of liabilities in case of such contingencies.

Finally, did anyone else notice that the last three practice questions were misnumbered? It took me a while to realize this after going back and forth with the Practice Exam Key. Fortunately, I got the right answers after doubting myself for a while. I hope the IAPP fixes this in the next edition of the Training Course Book.

Posted in Information Protection

Carnival of the Security Catalyst Community for Tuesday, February 26, 2008

Welcome to the Carnival of the Security Catalyst Community. Each week, a different member of the Security Catalyst Community takes a turn pointing out three to five posts from the community and three links to blog articles by members of the security catalyst community. If you are not a member, but would like to join us, information on the community is included at the bottom of the post.

Here are some posts that I enjoyed in the last few days that may also benefit you.

Eliminating Bad Passwords

From the post: “Is it possible to have a list of passwords that are simply not allowed to be used, and can Windows enforce this? Password complexity won’t help because most of the passwords are strong but not very inventive. I need a way to specify with a list what passwords Windows will not accept.”

This is an interesting discussion about how to shift the way people use passwords. It’s a mix of technology and other approaches, and holds some good ideas on making the shift. What do you think is an effective way to encourage the adoption of, and enforce, stronger password usage?

The problem with security mechanisms implemented in user processes

From the post: “I’ve been doing research on security mechanisms (for the Windows platform) that are implemented in the user’s own processes. The problem with these mechanisms is that their design is fundamentally flawed, because a limited user has full control over his own processes and can thus bypass the security mechanism. He just needs internal knowledge about the mechanisms (or a tool), and then he can bypass it because he has the rights to do so.”

This is a discussion that starts by exploring the technology, combined with enforcement of least privilege. Are you concerned with the ability of users to circumvent controls? What would you do about it?

What’s the difference between a sinkhole and a honeynet?

From the post: “OK, just a sanity check… Huh this article (http://a0002.blogspot.com/2008/02/configuring-sinkholes-cisco-systems.html) is talking about sinkholes. I honestly have never heard the term (at least not that I can remember), so I decided to check out the post. But as I read on, I really could not see the difference in this and a honeynet. Is this simply another term for honeynet? This article says they are different, but I don’t see it?”

I didn’t really have an answer for this one, but in the spirit of finding an answer (or discussing whether we need yet another term to try to remember), I found this to be the start of a good conversation.

Opinions on Thin Clients

From the post: “Although hardening installations, limiting permissions, detailed policies, and user awareness do have an effect, I am starting to get the feeling that the ultimate solution is going to be reducing the exposure through strict control of the resources made available. Although not a new concept, thin client solutions are capable in most operating systems…”

In addition to exploring the technology, this post takes a look at the requirements for different solutions. How do you define the requirements for success in your solutions? Are thin clients a solution for your requirements and needs?

Security organizations redefined - what’s your perspective?

From the post: “That said I’m curious about what you’re seeing in regards to the security organizations you’ve been a part of and how they’re changing, or not changing. And I’d like to break it into two huge general areas – tactical and strategic. “Tactical” referring to operations, infrastructure, applications and all the technological nuts and bolts that security is comprised of and tasked with securing. “Strategic” referring to security drivers such as governance, compliance, market dynamics, corporate culture, and risk management.”

For me, this is a fascinating topic. I believe we are at a time when the industry is poised for maturity. This is an insightful look at where and how things may change. Are you seeing these changes in your organization? Is this good, or should we be working to guide something different?

Some Interesting Posts from the Security Catalyst Community Bloggers
Here are some recent posts from the members of the Security Catalyst Community that you may have missed. You can see the complete list of blogs of the Security Catalyst Community here: http://www.securitycatalyst.org/forums/index.php?topic=28.0. As long as you are a current member of the Security Catalyst Community, your blog will be listed there.

I loved this post from Kees Leune: Passwords are the root of all evil. Kees is an active member of the SCC (though his blog is not currently listed). Now, to be clear, I loved this post, but found I didn’t really agree with it. I don’t think passwords are bad in theory. I think they are poorly practiced and the problem comes with application, not users. We have a difference of opinion, but I understand the frustration and concerns over passwords - just haven’t found a better solution. We still have keys for our doors, but most locks can be picked with relative ease if you have the right tools. In the end, though, I would have loved to see a solution suggested. Regardless, interesting and thoughtful read.

I thought Scott penned a good look at ROI in A Barn Door Has No ROI. I often discourage people from bothering with ROI; I don’t find it to be a highly effective measure to communicate need. Instead, I generally suggest people work to reduce costs and communicate benefits in simple and common language (no jargon). Scott lays out a simple and easy to understand scenario that will help in the future.

Dana Hendrickson launched a great post called What Should We Really Believe? With the understanding that “knowledge is power” (which I totally believe in), Dana is starting to review comments and claims to see which hold up and which need a closer look. The first post sets some context and is a great start. Hopefully more get involved!

Joining the Security Catalyst Community
We are a positively focused and supportive community that unites passionate professionals to achieve three goals:
(1) Create a community where it is acceptable to be vulnerable and ask for help when you need it
(2) Create a community where anyone with an idea can share their approach in the pursuit of helping another. If today is your first day in security, welcome – share what you have learned without fear.
(3) Create a forum where members can share their passions, expand their thinking and find support with others who believe in making a positive difference.

To create your account, point your browser to: http://www.securitycatalyst.org/forums/ and register an account. WE ENFORCE A STRICT NAMING STANDARD. Please register using your real full name in the following format: firstname.lastname (we generally use all lower case and separate the names with a period). This is important for our community of professionals. Accounts are reviewed quickly and activated. Your currency of the community is your participation. We look forward to learning from you!

Posted in Security Catalyst Community

CIPP - 2nd Entry

Last week, I received my materials from the IAPP to prepare for the exam to become a Certified Information Privacy Professional (CIPP). I will be taking the exam on March 28th in Washington, D.C. In a happy coincidence, the annual IAPP Summit will be held that weekend so I plan on staying the weekend to hopefully meet other privacy professionals.

The training series comes in five parts on a CD-ROM. Last week, I completed two of the trainings. The first training session dealt with privacy laws and compliance. It was a cursory overview of significant legislation in the United States, such as FCRA, GLBA, HIPAA, and the European Directive. All five training sessions are in a streaming video format from one of IAPP’s 2006 National Summit sessions. This was a relief because I thought that I might be at a disadvantage by not taking the on-site training course. Fortunately, I feel like I am getting the same type of instruction without the hassle of having to go to a remote location.

The speaker for the first session was a solo-practitioner. She did a great job of going through the legislation and highlighting some of the key things to remember with respect to individual laws and regulations. She advised audience members to find out from their legal departments what requirements they might have to comply with based on the type of industry they were in. Apparently, there are arcane privacy laws for all types of different companies, especially those doing business in Europe.

One interesting note that the speaker discussed was whether companies should collect personal information and how this information should be used. Specifically, she warned us about distinguishing between an “opt-in” versus an “opt-out” policy. The former is an affirmative indication of choice based on an express act of the individual authorizing the use. In contrast, an “opt-out” choice is implied by the failure of the individual to object to the use or disclosure of the information being collected.

This discussion immediately reminded me of the public relations debacle faced by Facebook when it launched its Beacon program. The program allowed companies in Facebook’s network to transmit information to Facebook about its members. For example, whenever a Facebook member visited these sites and made a purchase, the information was transmitted to Facebook and all the people on that individual’s contact list could view the purchase.

Organizations like MoveOn.org and other privacy groups responded with massive protests, and eventually Facebook apologized for its mistakes and began to allow for an “opt-out” choice. The initial approach taken by Facebook put its members into the program by default. The company knew that no one would voluntarily want to be part of Beacon and tried to furtively implement the program without any affirmative steps to signal an “opt-in” option.

What happened to Facebook should be a lesson to other companies collecting information from their users. The practices for collecting information should be clear, straightforward, and simple. The FTC is still continuing to expand on its new guidelines for activities such as behavioral targeting by advertisers and online companies. While Facebook managed to escape without civil damages or FTC fines, its reputation was left bleeding.

Overall, it was an interesting lesson and this was one of the more useful things that I learned in the lecture. I feel like the exam will be pretty straightforward. There is an immense amount of information that can be thrown at us. It would be impossible to analyze every aspect of the laws and regulations unless the exam became two days instead of two hours. It is a great introduction for someone not yet familiar with the privacy space.

Posted in Information Protection

Introducing a brave new program - Driving the Digital Revolution

I am excited to introduce to you a new program that I host and produce for Cornell University called “Driving the Digital Revolution.”

Driving the Digital Revolution is a simple, but powerful, way to consider the changes taking place around us every day. The digital revolution has led cultures out of poverty, literally changed the face of global business and local business, and even impacted the family structure. Without question, the digital revolution both counts on and plays an active role in shaping how people protect information.

Cornell takes its role in driving the digital revolution seriously. In both education and research, emphasis is placed not only on the field of study, but on how that subject is being transformed by advances in computing and information resources. It realizes that as ideas and technologies are advanced, we have an obligation not only to consider the consequences, but to study and anticipate the unintended consequences.

I am sharing this with you for two reasons:

(1) I am passionate about this series and the opportunity to work with other experts to dig deeper and uncover important concepts that are driving the digital revolution; their words have a lasting impact on me, and I believe they will on you, too.

(2) We are at a place in our industry when we need change. We need to grab on to a vision of hope and drive change. Studying how Cornell participates in driving the digital revolution is a blueprint for our success.

So sit back, plug in and consider the words, and the passion, of Dean Constable and how they apply to what you do. Working together, we can change the way people protect information.

There are three ways to listen and subscribe (so you get every episode):
1. Each episode incorporates the ability to listen on the website! Simply point your browser to http://www.cis.cornell.edu/alumniblog/ and press play
2. You can download this episode directly: http://www.cis.cornell.edu/alumniblog/podcast/cornell-ddr-01.mp3
3. If you prefer to use and subscribe using RSS, here is the feed: http://www.cis.cornell.edu/alumniblog/feed/

Driving the Digital Revolution, episode 1 [30:16]

Posted in Information Protection, netcast

CIPP Exam - 1st Entry

Hi Everyone,

As many of you know, Michael and I are deeply interested in issues of technology, security, and the law. My interest in privacy has developed alongside my exposure to information security and the harm that is caused by data breaches. My time in law school has pushed me to analyze some of the challenges that have arisen with internet usage, and it has made me more aware of how the law needs to catch up with our continued loss of privacy protections. I fundamentally believe that the danger is not technology. Rather, the danger is that we as a country need to have a serious and honest debate about what type of information we expect to be protected.

Since starting down this path, I learned from people in the legal and security fields about the International Association of Privacy Professionals (IAPP). The IAPP trains individuals from all types of industries on the current state of U.S. and international laws and offers certifications in information privacy. Since most academic institutions, including mine, do not offer a full course on privacy matters, I have decided to educate myself on privacy laws. The CIPP is recommended for intermediate-level privacy professionals who have some background in privacy laws. Fortunately, I have taken enough classes that the subject matter will not be completely new to me but will let me build on my current knowledge.

Since I am a contributor on this site, Michael and I felt that it would be of interest to discuss my experience studying for the exam and how it relates to current trends or problems. If there are others out there who can also share what they are doing to prepare for the exam or how they passed it, please contact us.

Talk to you soon!!!

Posted in Information Protection