Posted by Ken Leeser in Compliance, Encryption, IT Security, Process Improvement
August 9

Perimeter e-Security has recently added a new feature to the popular MailSafe™ email encryption service. MailSafe™ clients can receive secure responses directly into their Outlook Inbox without having to log in to their MailSafe™ account. Recipients, however, will continue to retrieve their secure messages in the MailSafe™ portal.

Perimeter’s MailSafe™ service allows every outgoing message to be scanned by a content filtering engine. The filtering engine checks for “Secure:” in the Subject: field as well as any other rules that the client sets. Once a secure email is “sent” it is automatically encrypted and stored on a secure MailSafe™ server. The email’s recipient is then sent a link to a registration page to create login credentials, or to a login page if previously registered. The MailSafe™ server infrastructure is well protected by multiple layers of intrusion defense systems. The system also allows an administrator to configure the entire system and review information about all users’ MailSafe™ activity.

Kaliber, a leading reseller for Perimeter e-Security, has installed over 3000 seats of MailSafe™ in support of compliance strategies which require the encryption of emails containing Personally Identifiable Information. This success can be attributed to the ease of installation, setup and use of MailSafe™. There is no hardware to purchase and no software to install. Plus, end users do not have to modify their work processes in order to send a secure email. This most recent update will help improve MailSafe™ usability and integrate it even more seamlessly into users’ work processes.

Posted by Ken Leeser in Data Breach Notification, Data Loss Prevention, IT Security, Managed Security Services, Massachusetts Data Privacy
January 21

As more and more critical applications and services move to the cloud, organizations are increasingly receptive to the idea of using a managed security service to protect their network and information assets. The number and types of external threats to a network are growing exponentially, and unless a company has a dedicated and highly specialized team devoted to network security, it’s hard to keep up with the rapidly changing threat landscape. After all, the threats of the Internet are the same for every company regardless of its size.

There are many benefits for small or midsize companies or even branch offices of large companies that use a managed security service. First of all, it’s a great way to get the security expertise that would be too expensive to hire and retain in-house. The same goes for technology. A small company might not be able to afford to buy the best technology, but it can rent the use of the technology from a service provider. Moreover, the company can get a broader range of solutions that otherwise might not be in the budget — solutions such as intrusion detection and prevention (IDP/IDS), antivirus and antispam, content filtering, encrypted email and secure VPNs.

Further, the ever-changing regulatory requirements associated with Massachusetts 201 CMR 17.00, HIPAA, Sarbanes-Oxley, and various state data breach notification laws have significantly complicated many organizations’ ability to manage their risk effectively. Whether they need to meet regulatory requirements or to maximize the risk reduction impact of their security spending, Kaliber Data Security and its partner Perimeter eSecurity have a solution for your business. We assist our clients by developing a comprehensive yet practical set of services to meet their specific regulatory or risk reduction needs. These services are designed to help ensure that regulatory processes are followed while risks are managed and controlled appropriately.

Posted by Ken Leeser in Compliance, Data Loss Prevention, Encryption, IT Security, Massachusetts Data Privacy
January 5

Need a solution to encrypt your current USB flash drives? With the new Massachusetts Data Privacy regulations just around the corner you may want to look at a FREE application from Rohos (www.rohos.com). Rohos Mini Drive creates a hidden, encrypted partition on USB flash drive memory devices. This free, portable encryption tool allows you to work with files on the hidden partition without opening a special program.

Rohos Mini Drive is easy to set up and easy to use. The intuitive Setup Wizard automatically detects your USB flash drive and builds the encrypted partition properties. Simply plug in your portable drive and start the program. Setting up the drive requires choosing a password, and that’s it. One click and you can save your first file into the protected volume. Encryption is automatic and on-the-fly.

Despite the name “Mini” the program provides a decent portable data security solution and is well designed even for newbie users.

Operating Rohos Mini Drive is fairly straightforward. Depending on the size of the drive, creating the partition should happen reasonably quickly. Once the partition has been created, you can change the disk size and partition drive letter. The Rohos Disk Browser displays and manipulates items in the protected partition. Single-click functions include opening, saving, deleting, and displaying file properties. Searching and opening the partition are also easily selected from a short pull-down menu.

Rohos Mini Drive includes features to open the protected drive on systems where the user doesn’t have administrator rights. That makes this app easy to use anywhere from public library labs to your best friend’s system. This is a great app for anyone who needs to transport personal files and doesn’t want the expense of buying new USB drives.

Posted by Ken Leeser in Data Breach Notification, FTC, Information Security Plan, Regulation
December 15

A national data breach notification bill was passed in the U.S. House of Representatives on Tuesday, December 8, 2009. 

The Data Accountability and Trust Act (http://thomas.loc.gov/cgi-bin/bdquery/z?d111:h.r.02221:/) would require any organization that experiences a breach of electronic data containing personal information to notify all U.S. individuals whose information is breached. The bill also requires that the Federal Trade Commission be notified.

In addition, organizations would be required to designate an information security officer and establish a data security policy. The policy would have to address the collection of personal information and include a process for identifying and correcting system vulnerabilities and disposing of electronic data.

Under the bill, personal information is defined as “an individual’s first name or initial and last name, or address, or phone number,” along with at least one of the following: “Social Security number; driver’s license number or other state identification number; financial account number, credit or debit card number, along with the security/access code or password needed to access the financial account.”

The bill was introduced April 30 by Rep. Bobby Rush, D-Ill., chairman of the House Subcommittee on Commerce, Trade and Consumer Protection. Next, it will go to the Senate for a vote.

“For the past five years, the Privacy Rights Clearinghouse contends that nearly 340 million records containing sensitive personal information have been involved in security breaches,” Rush said Tuesday on the House floor. “However, there is no comprehensive federal law that requires all companies that hold consumers’ personal information to implement reasonable measures to protect that data. Also, there is no federal law that requires companies that experience a data breach to provide notice to those consumers whose personal information was compromised.”

There have been a number of similar bills recently introduced in Congress, including two federal data security laws, which have cleared the U.S. Senate Judiciary Committee. None, however, had previously passed a vote on the House floor.

“The ball is in the Senate’s court,” Kellogg said. “There will need to be some work in the Senate to bring together different proposals to move this legislation forward. Hopefully we can finally see a federal law.”

The act would be enforced by the FTC, the bill states. Also, the FTC would be required to place a notice on its website about breaches that would be of public interest. Organizations that do not fall under the FTC’s jurisdiction are not required to notify breach victims.

Posted by Ken Leeser in Compliance, IT Security, Information Security Plan
November 20

Developed by the AICPA but applicable to all types of businesses, the Generally Accepted Privacy Principles (GAPP) are designed to assist firms in creating an effective privacy program that addresses their privacy obligations, risks, and business opportunities.

GAPP can be used by organizations for the following:

  • Designing, implementing, and communicating privacy policy
  • Establishing and managing privacy programs
  • Monitoring and auditing privacy programs
  • Measuring performance and benchmarking

The privacy principles and criteria are founded on key concepts from significant local, national, and international privacy laws, regulations, guidelines, and good business practices. By using GAPP, organizations can proactively address the significant challenges that they face in establishing and managing their privacy programs and risks from a business perspective.
The following are the 10 generally accepted privacy principles:

1. Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.

3. Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

4. Collection. The entity collects personal information only for the purposes identified in the notice.

5. Use, retention, and disposal. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.

6. Access. The entity provides individuals with access to their personal information for review and update.

7. Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

8. Security for privacy. The entity protects personal information against unauthorized access (both physical and logical).

9. Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.

10. Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

Posted by Ken Leeser in Data Loss Prevention
October 23

Special thanks to the PC Guy. See his post at http://www.northjersey.com/news/business/thepcguy_102309.html

Secretly tucked away in the innards of the Windows operating system is a handy utility. It’s called onscreen keyboard. You access it by clicking the Start button and then clicking Run.

The Run function is used by technical folks to execute diagnostic commands based on old, pre-Windows DOS code. Though ancient, these commands often yield helpful information.

When the Run window opens, type the letters “osk” (without the quotes) and press Enter. A replica of a keyboard will appear onscreen.

You can type as you normally would by clicking on each key. To get capital letters, click on the shift key, and the keyboard will display all capital letters and other shift-related characters: Shift 4 yields a dollar sign, Shift-/ (forward slash) yields a question mark, etc.

This virtual keyboard is handy not only for when your regular keyboard malfunctions, but also when you need an extra layer of security to enter passwords and other sensitive information.

If you use a shared or a public computer, for instance, you never know if a tech-savvy creep will uncover data you entered. Data can be surreptitiously monitored by several means, including the use of key-logging software that records every letter you type.

But you can avoid detection by using a virtual keyboard, since it leaves no tracks; key-logging software does not record mouse-click content. Furthermore, you can add an extra layer of security by moving the virtual keyboard around the screen periodically. In the highly unlikely, but theoretically possible instance that someone can track the location of your cursor and attempt to deduce which letters you are clicking on, shifting the position of the keyboard will make detection of what you type just about impossible.

Using a mouse on a virtual keyboard won’t allow you to set any speed-typing records, but when you’re in a pinch with a flagging keyboard or require an extra degree of security, it’s a perfect alternative.

Posted by Ken Leeser in Compliance, Information Security Plan, Policies
September 25

Here in Massachusetts we are faced with a first-in-the-nation Personal Data Privacy Protection regulation which is meant to motivate businesses to institute best practices with regard to protecting the personal information of residents of the Commonwealth.

The regulation outlines some specific things a business should do to become compliant with the law. Step 1: Designate an Information Security Officer. Step 2: Develop a Written Information Security Plan, etc.

At a seminar on the subject which I recently attended, a prototype plan was handed out. Upon reading it, I was reminded of an old joke:

A helicopter was flying around Seattle when a malfunction disabled all of the aircraft’s electronic navigation and communications equipment. Due to the clouds and haze, the pilot could not determine the helicopter’s position and course to steer to the airport. The pilot saw a tall building, flew toward it, circled, drew a handwritten sign, and held it in the helicopter’s window. The pilot’s sign said “WHERE AM I?” in large letters.

People in the tall building quickly responded to the aircraft, drew a large sign, and held it in a building window. Their sign said “YOU ARE IN A HELICOPTER OVER SEATTLE.”

The pilot smiled, waved, looked at his map, determined the course to steer to the Seattle airport, and landed safely.

After they were on the ground, the co-pilot asked the pilot how the “YOU ARE IN A HELICOPTER” sign had helped determine their position. The pilot responded, “I knew that had to be the MICROSOFT building, because, similar to their help-lines, they gave me a technically correct but totally useless answer!”

The sample WISP which was handed out at the seminar met these criteria exactly. It was technically correct but totally useless. It simply regurgitated the law without offering any specific guidelines or guidance on how an employee should behave and what actions were or were not necessary.

A WISP should not just lay out general platitudes about the desire of the company to protect data. It should be a useful tool that employees can learn from and refer to in case of a question regarding data security.

Topics which should be covered include:

- E-mail and Internet Acceptable Use
- Social Media Site Usage
- Anti-Virus – What to do if a virus is detected
- Phishing and Pharming – How to discern and how to react
- Remote Access Policy
- E-Mail Retention Policy
- Information Sensitivity Policy (protecting an organization’s information)
- Password Policy (strength and renewal)
- Laptop Protection
- USB Port Encryption
- Wireless Encryption Policy

Each individual section should outline the issue, the risks associated, actions which should be taken and penalties for non-compliance.

Only by creating meaningful, actionable policy will businesses move away from seeing data privacy protection as a burdensome government intrusion and treat it more like it should be: as a best practice for businesses that operate in the modern information age.

Posted by Ken Leeser in Compliance, Data Loss Prevention, IT Security, Process Improvement
September 1

To many, data security is seen as merely an effort to protect against data loss or exposure. Consequently, this perspective unfairly positions data security as a cost for which the benefit is: “So far as we know, nothing happened.”

A better approach would be to associate the value of the data with the business process it supports and thereby derive significant additional organizational benefits from improved data security.

The Aberdeen Group has identified four high-level categories for potential business value from investments in IT security: manage risk, achieve and sustain compliance, enhance revenue and reduce costs.

By managing risk, firms avoid the monetary loss from systems downtime, the inability to bill and/or collect, and the inability to communicate with customers. Further, proper risk management will help avoid negative publicity, loss of sales, cost of reporting and fines for non-compliance.

Efforts toward achieving compliance will generally result in enhanced business reputation by demonstrating respect for customers’ and employees’ information, achievement of service level agreements and the implementation of industry best practices.

But how can data security efforts enhance revenue? Data security efforts which focus on process often expose areas of shared information. These areas can then be exploited for cross-selling opportunities, improved transaction time, identification of new services and higher customer retention rates.

Besides revenue enhancement, the other holy grail of business investment is cost savings. A process-based approach to data security can yield cost savings by identifying ways to streamline activities, scale processes larger and faster, reveal potential efficiencies and improve productivity.

According to the Aberdeen Group, “Organizations with top performance in data protection initiatives allocate the time and resources necessary to succeed well beyond the deployment of enabling technologies.” These organizations make investments in process analysis, awareness, training and reporting and consistently measure and monitor their results to assure that the entire organization benefits from the IT security program.

Posted by Ken Leeser in Compliance, Password strength, Policies
July 17

On the Kaliber Web Site I recently linked to an article from the New York Times technology feed which discussed how Twitter’s corporate email accounts on Google Apps were hacked: http://www.kaliberdatasecurity.com/newsdetails.php?id=11

So what simple things can be done to protect our information with so much of our lives and data being stored on the web?

The first thing I recommend is that you use a separate password for every site and web service that requires you to provide credentials. While that may initially seem to be a daunting task, here is a suggestion to ease the burden and to comply with most password strength rules:

Construct a 9-character password with the following 3 components: 4 characters, a punctuation mark, and 4 numbers. The first 4 characters should be a nickname for the website: e.g., face for Facebook, twit for Twitter, bofa for Bank of America, etc. The punctuation mark should vary based on the type of account: ‘$’ for financial accounts, ‘)’ for social networking sites, ‘@’ for email accounts, etc. The 4 numbers can be the same for all of your accounts, but pick some non-personal code. Do not use your birthday, your birth year or the last 4 digits of your phone number. Pick a random set of 4 digits and stick with them. Finally, as most passwords are case sensitive, always make one of the first four characters uppercase (say, the third).

With this method, and assuming your 4-digit code is 1111 (also not recommended), your passwords might look like boFa$1111 for Bank of America, twIt)1111 for Twitter, etc.
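The recipe above, written out as an added example (this is not the post’s or Kaliber’s code): `build_password` assembles the 4-letter site nickname, the account-type punctuation mark and the fixed 4-digit code, uppercasing the third letter by default, and `meets_common_strength_rules` checks the kind of length, case, digit and symbol rules the post says the scheme satisfies. The account-type table and the rejection of repeated or sequential digit codes (which the post discourages, so the illustrative 1111 is refused) are assumptions of this example. `passwords_are_distinct` checks the post’s main requirement, that no two sites share a password.

```python
import re
import string

# Punctuation mark per account type, as laid out in the post.
# The category names are this example's own choice.
ACCOUNT_PUNCTUATION = {
    "financial": "$",
    "social": ")",
    "email": "@",
}

# Digit codes refused here: repeated digits and straight runs.
# This list is constructed for the example, not taken from the post.
WEAK_DIGIT_CODES = {d * 4 for d in string.digits} | {"1234", "4321", "0123", "9876"}


def build_password(site_nickname: str, account_type: str, digit_code: str,
                   upper_index: int = 2) -> str:
    """Assemble a 9-character password following the post's recipe:
    a 4-letter site nickname with one letter uppercased (the third by
    default), one punctuation mark chosen by account type, then a
    fixed 4-digit code shared across all accounts."""
    nick = site_nickname.lower()
    if len(nick) != 4 or not nick.isalpha():
        raise ValueError("site nickname must be exactly 4 letters")
    if account_type not in ACCOUNT_PUNCTUATION:
        raise ValueError(f"unknown account type {account_type!r}")
    if not (len(digit_code) == 4 and digit_code.isdigit()):
        raise ValueError("digit code must be exactly 4 digits")
    if digit_code in WEAK_DIGIT_CODES:
        raise ValueError("digit code is a repeated or sequential pattern; pick a random one")
    if not 0 <= upper_index < 4:
        raise ValueError("upper_index must be between 0 and 3")
    letters = nick[:upper_index] + nick[upper_index].upper() + nick[upper_index + 1:]
    return letters + ACCOUNT_PUNCTUATION[account_type] + digit_code


def meets_common_strength_rules(password: str, min_length: int = 8) -> bool:
    """A typical site password rule (assumed here): minimum length plus
    at least one lowercase letter, one uppercase letter, one digit and
    one non-alphanumeric character."""
    return (
        len(password) >= min_length
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def passwords_are_distinct(passwords) -> bool:
    """True when no two accounts share the same password."""
    passwords = list(passwords)
    return len(set(passwords)) == len(passwords)


if __name__ == "__main__":
    # Constructed sample: three accounts of different types, one digit code.
    code = "7342"
    accounts = [("bofa", "financial"), ("twit", "social"), ("gmai", "email")]
    generated = [build_password(n, t, code) for n, t in accounts]
    for (nick, kind), pw in zip(accounts, generated):
        print(f"{nick:5s} {kind:10s} -> {pw}  strong={meets_common_strength_rules(pw)}")
    print("all distinct:", passwords_are_distinct(generated))
```

Running the script prints one password per account in the post’s pattern and confirms that every one of them clears the strength check and that the three are distinct from each other.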

The main reason for having separate passwords for every system is to limit a hacker’s ability to use a discovered password on more than one site.

There still remains, however, an additional outstanding issue: how should you answer the security questions that most websites provide to help recover lost passwords? As the NY Times article discusses, and as was the case in the hacking of Sarah Palin’s email during the 2008 presidential campaign, hackers have been able to change the password by answering the recovery questions correctly.

The best websites allow you to write both the question and the answer. If that is the case, create a question for which the answer is not in the public record. For example, your high school mascot can be fairly easily obtained. Your favorite babysitter’s name, less so.

Some websites offer a large list of questions for you to select as your recovery questions. Again, the trick here is to choose the questions for which your answers are least known to anyone but yourself.

Finally, for those sites which have not caught up and still ask basic questions like Mother’s Maiden Name, the best strategy is to provide false information. But, of course, now you have to remember that data. So pick a strategy that works and remember it.

Posted by Ken Leeser in Compliance
July 1

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that imposes certain requirements on employer-sponsored health plans including regulations covering how employers must protect employees’ medical privacy rights as well as the electronic disclosure of employees’ medical information.

So what does HIPAA mean for an employer?

Any form of self insurance will create HIPAA compliance issues, such as an HRA, MSA, HSA and even a Flex Plan. HRAs, HSAs and partial self insurance can be an attractive method of providing medical insurance considering the increasing cost of medical coverage, but the employer is considered to be part of the process and by definition has access to claims and employee medical history, conditions, etc. Therefore, full compliance is required.

The only exception is a healthcare plan that:

1. Has fewer than 50 participants,

2. Is fully insured by an insurance company,

3. AND does all other administration for the plan internally. That means if there is a Flexible Spending Account it is administered by the employer and not a third party.

What does it mean to be HIPAA compliant?

1. Designate a privacy officer whose job it is to develop and implement HIPAA policies and procedures

2. Identify employees or classes of employees who will have access to PHI and under what circumstances this access will be permitted

3. Develop a privacy training program for your healthcare administration employees

4. Document all administrative measures and how PHI is to be used and protected including employee sanctions for non-compliance.

5. Furnish participants with a written notice of the plan’s policies regarding the privacy of and access to PHI.

6. Create forms including reports, employee authorization, complaint and documentation for non-compliance actions

7. Obtain Business Associate Agreements from third parties involved with the administration of your healthcare plan

8. Develop security procedures to protect any protected information from internal and external access