For what its worth and from recent experience, Auditors (External & Internal) are moving to a common risk based approach and I am seeing a trend where they are applying CoBIT as their framework for their review. I am not recommending every organization adopt CoBIT or that it is a one size fit all, but if you want to get ahead of the curve, I would recommend you identify the controls/processes that would benefit & fit your organization, implement them, and assess yourself against CoBIT’s assessment guidance.

Nice to see you writing. Keep up the good work!

-Mike
P.S. Got my CISA recently. Welcome me to the dark side.

I just purchased the IAPP Foundation Companion Course Book + DVD (happy to share with you at a later stage).
The IAPP Foundation Companion Course Bookhas three main sections:
1. Introduction to Privacy – Common Principles and approaches
2. Info security – protet and safeguard personal informarion
3. Online Privacy – Common Principles and approaches

To be honest, I am struggling with section 1 (Introduction to Privacy – Common Principles and approaches).
Do we have to memorise all the slides and its boring/dry law theory type content to pass the Foundation Exam?
Its too confusing and all the laws appear to be the same.

Patrick, what would you say would be the EASIEST and less painful way to prepare for the CIPP Foundation Exam
I dont know what else I can do, any suggestions would really help!

Please email me on lavinde@gmail.com your thoughs or opinions or suggestion in helping me pass the Foundation Exam. Thanks!.

While the steps outlined above are good, they will only give you part of the picture and could lead to implementing security for its own sake.

Sure, encourage people to use a password or phrase that others would not readily associated with them (no pet names no birthdays, car models, etc.) — but then why not make it easier and show them quick substitutions for letters / numbers / special symbols, a process that surely would readily encourage and incite them to create a strong passwords more than some formula would.

Why add complexity when you don’t need to?

(Each time you experience a site that doesn’t support strong, complex passwords, write to the technical contact of the domain you just registered at, demanding to know when they are going to have decent security. Eventually they will come around. )

To create a random password that is moderately secure, secure enough to be used widely, take two uncommon names or words, such as the names of drugs. Take 4 characters from the middle of the first, four from the second, and scramble the order of the 8 characters. Do a Google search and open the first link. Open a command prompt and ping the domain name. You’ll get an IP address. Take 2 digits from that address and insert them into the string of letters.

It’s easy to generate random passwords, but the problem with having many random passwords is that its hard to remember them all. What’s needed is a way to store than that is secure.

Well there are better, more secure method ways to generate secure credentials for web use, ones that doesn’t bog down when you encounter one of the majority of all sites that don’t allow true complex passwords, or passwords of length greater than 8.

Using a password vault with a strong, complex key is part of the solution. A password vault will allow you to use a unique logon name for each domain, and the same reasonably complex password for every site. The combination is a _much_ longer, _more_ complex password.

Solve the username/mailbox name problem by registering a domain and set up minimal webhosting of that domain with a hosting service such as GoDaddy that charges about $1/week or less for hosting service. All such providers offer free catchall mail forwarding. Catchall mail forwarding allows you to create a unique mail address for each site you visit, with no requirement for you to administer email accounts. All mail sent to your domain is then forwarded to your ISP mailbox.

This works well for suites like this where they want just your email address to post. You can make the address sitename@mydomanname, and if validation is needed you’ll get the valuation message.

For better security when you register at a site, create a less predictable logon name for it using any method you choose, once you log on successfully to the site, send an email to logonname@yourdomain.com with the site name as the message. You now have a record of the logonname and site. Your password, which you’ve never written down, is still secure.

There are many ways to generate usernames base on website names, but here’s my favorite.

Use Excel or another program to randomly select two 8-digit numbers as your permanent keys. You should be able to memorize them because they are shorter than a phone number and you won’t have to keep changing them. Use one 8-digit number as the master password for your browser, the second to generate usernames.

Use the first 6 digits of the first 2 digits of the second number 6 characters from the site name. Use the 7th digit count out the corresponding number character in the site name. Take that letter and count its alphabet position. If it is greater than 10, subtract 10. Call the result “X”

Write out the letters you selected, insert the last digit of the second 4-digit number after the X-th character. Insert the first digit of the first 4-digit number after it. Your logon name will then look something like LL##LLLL.

“The literal legal interpretation of a director’s duties to the corporation views the corporation as a person, subject to public laws that govern the relationship between individuals and society. Governments therefore grant every corporation a legal license to operate by way of a corporate charter. By contrast, the inferred legal interpretation that directors owe duties to shareholders (because shareholders bear the greatest risk due to their residual claim of corporate profits) views corporations as private property. This view subjects corporations to private law that governs relationships between individuals, which include contract law and property law. If corporations are not property but legal persons (Bakan, 2004), ownership of a person, even a legal person, could be considered slavery and therefore illegal. Ironically, corporations won the right to be legal persons by successfully claiming rights to the Fourteenth Amendment to the United States Constitution, which was enacted to end slavery (Nicholls, 2005).”

I wonder to what extent a “corporation” might be an appropriate analogy for “personal information”. Should personal information be treated as a distinct legal person (persona), similar to a corporation, and should it therefor be subject to public law, rather than property law? If so, would it be appropriate to have a governance structure (personal information governance) to direct the use of personal information (or personas)?

Ever wonder how spammers can consistently post spam comments on blogs advertising the latest and greatest chemical whatchamacallit, despite the CAPTCHAs? It’s because they’ve spent some serious manhours developing some very smart algorithms to get around just that, picking out the most likely letters despite the image being warped, noisy, and otherwise computer-unfriendly. Because of this, we now have highly advanced OCR programs capable of picking words out of the most illegible of documents.

off the top of my head, obfuscation similar to that used in malware has also be used to ‘protect’ the intellectual property present in legitimate programs. as i recall the MtE mutation engine (from back in the days of dark avenger) was used in a ‘legitimate’ obfuscation product.

stealth technology has been used to protect ‘protected’ recycle bins and other files and resources that developers don’t want users messing with (not just by sony but by lots of folks).

i’m tempted to say full disk encryption as well but i don’t know for sure because i don’t know where the KOH virus fits into the timeline of full disk encryption products.

Our paper is available at:

http://www.noticebored.com/html/job_desc.html

Kind regards,
Gary Hinson

[Source: The Security Catalyst] quoted: I already knew that a government Privacy Commons policy would have to include disclosures about how personal information may be transmitted to other federal agencies, for example. But I was surprised to hear from…

Thanks in advance !
Marc

You are correct that the market does not value privacy and security, and it is one of the first places to cut among industries with low margins. But I think that blaming a lack of security on poor funding is too simplistic. In the ASA’s example, their privacy policy (and common sense) should have told the representative not to give out personal information over the phone.

I think that Awareness alone (even without training, expertise or funding) will solve 35% of security problems. Training will solve 75% of the problem, while adding Expertise and Funding will solve 98% of the problems. My experience has been that it is possible to solve a majority of the problems with just awareness and training, even without funding.

There is also a lack of consistency and guidelines in the industry. Example: go to usbank.com and then go to wellsfargo.com or etrade.com. What do you see? wellsfargo.com and etrade.com automatically redirect you to a page over SSL. usbank.com doesn’t? Why? You will need to ask them. But darn it – they have that cute little lock so that tells everyone its secure doesn’t it?

Chris, I believe you have misunderstood my position. I do not feel auditor’s perform their testing simply to find what is wrong, instead I feel an auditor tries to meet the objectives of their engagement. In the process of conducting procedures to ensure controls are in place and operating effectively an auditor may find the controls do not meet the control objectives. After performing their due diligence in determining if a control failure effects the overall effectiveness of a system, they must report their findings.

After throwing out all that technical analysis I would say this, both parties to an audit should openly discuss what the objectives are and keep communications open throughout. Hopefully this helps build value for all parties involved.