New bill introduced in the senate "Fostering a Global Response to Cyber Attacks Act", available here.
David Rice has a must read blog post here, on leadership of security and compliance. It includes this insightful observation: "In other words, compliance is blind to value and insensitive to risk."
He goes on to discuss how lack of a national cyber security leader is a problem.
Jim
This just in from riding the risk range - RIM is so far out in front with end-to-end enterprise-class mobile smartphone security, nobody is going to catch them before all the ice cap melts in Antarctica. The battle is for number two.
This just in from riding the risk range. Do not trust mobile wireless devices (can you say iPhone?) with any sensitive information.
Just about anybody with a mouthpiece in the security and compliance industry is talking about the increased risk of cloud computing. They should be: the risks of cloud computing are higher than those of traditional IT inside a controlled, trusted network. The ongoing risk dialogue around cloud computing has been good. It's started organizations down the path to identifying and understanding the issues, one small step for mankind.
The efficiencies driving cloud computing are creating a similar growth curve in mobile computing for the enterprise marketplace. See the amazing proliferation of smartphones, netbooks and other wireless devices supporting fully-enabled web sessions and IP telephony. The security and compliance marketplace hasn't yet turned up the volume on the risks associated with the IP data stream supporting mobile computing. Mobile computing adds an entirely new risk dimension to everything it touches, in the cloud or inside a trusted enterprise network. This discussion is only just beginning.
Don't try this at home - the risks are greatly compounded when a mobile user accesses cloud-based sensitive enterprise resources with a wireless device. You need to understand the risks and how to manage them before firing up the latest cool wireless gadget. Compliance is not part of the Apple/AT&T service. Bolting security onto the latest consumer wireless device is going to be more painful than a mouthful of root canals sans anesthesia.
Prima facie, assume no compliance. Empirical evidence shows Apple's security for enterprise usage to be equivalent to Microsoft's circa 2000, despite selling a million iPhones monthly. Fixing the flaws in the iPhone is going to be ugly and take a lot of time. If security is a requirement, RIM has a good security and compliance solution for the Blackberry.
Do not beam yourself off the surface of the planet with an insecure wireless device. More on this later, Risk Ranger signing off, Hi-O Silver
Here's an industry with no regulation, no oversight, no one looking over their shoulders. And they collect A LOT of data about individuals, and they have a lousy record of securing this information. The industry in question is higher education, and as anyone who has gone through the college application and financial aid gauntlet can attest, colleges collect extremely detailed information on applicants and their parents. They get a copy of your taxes, income and expense info, SSNs for student and parents, and much more.
Work took me to both the RSA show and the InfoSec show this year (whose brilliant idea was it to schedule those two shows back-to-back, anyways?). Wandering around both shows a little, and talking to some of the vendors, it struck me that:
The big buzz seemed to me to be around two things:
Bob Blakley has a great blog post up here on the effect that privacy breach insurance may have on privacy. He describes how the concept of moral hazard applies to this area, with the unintended consequence that the actual privacy of data may get worse as a result. Worth reading.
A new cyber crime study about targeted and politically inspired attacks on countries was reported on in the NY Times today here. My first reaction was to just sort of shrug; this sort of attack has been going on for a while, and last fall saw similar attacks on the White House itself and on the Obama and McCain campaigns. The actual research papers (there are two related papers: one that addresses the targeted attacks on Tibet and the Dalai Lama is here, and a much broader study is available here) have a lot of interesting details and are worthwhile reading.
Rich Mogull pretty well nails the problem with respect to some of the recent breaches in the retail area. I couldn't have said it better.