With questions still open about how virtual environments fit with compliance requirements, security experts at the conference warned organizations against virtualizing highly regulated applications for now, while also urging them to consider new ways of using virtualization to strengthen security.
Our exclusive InformationWeek survey shows that IT and executives are on the same page when it comes to information security threats, policies and more.
Asking a C-level executive if security is important is like asking a politician if they love America. Everyone knows the right answer is “Yes.”
According to a report, the U.S. Department of Interior can’t locate nearly 20 percent of the computers that are supposed to be in its care. The report also finds that many PCs are not encrypted, and the disposal process for computers is not uniform.
Insurance company Aetna has contacted 65,000 current and former employees whose Social Security numbers (SSNs) may have been compromised in a Web site data breach.
The job application Web site also held names, phone numbers, e-mail and mailing addresses for up to 450,000 applicants, Aetna spokeswoman Cynthia Michener said. SSNs for those people were not stored on the site, which was maintained by an external vendor.
As merchants work to shrink the scope of PCI compliance and reduce the risk of holding credit card data in their environments, some companies are taking access to that data away from people who need it to do their jobs, including the managers charged with investigating fraudulent credit card transactions. Instead of PCI controls helping to reduce fraud, at some companies they are making fraud detection harder.
Microsoft wants to speed adoption of its security development lifecycle (SDL), starting with the release of a free SDL Process Template that is integrated with the Visual Studio Team System. The company also announced additions to its SDL Pro Network and updates to the SDL process.
The National Archives and Records Administration has informed Congress that more than a terabyte of data from the Clinton administration is missing, whether through accidental loss or theft, including sensitive information on hundreds of individuals who visited the White House. Accident or not, the FBI has opened a criminal investigation into the matter.
The Payment Card Industry (PCI) Council has set up a task force to examine cloud computing services and determine what unique exposure credit card data faces when stores, restaurants, hotels and the like hand their card information to an outside provider.
For security professionals, two free risk-management guides released this week offer direction on establishing corporate security metrics, along with tips on organizing risk assessments and presenting the findings.
The Center for Internet Security’s “Security Metrics 1.0” is a pithy compilation of 20 “metrics definitions” covering six areas: incident management; vulnerability management; patch management; application security; configuration management; and financial metrics. The 83-page paper shoots for a mathematical approach that lets an organization build a scorecard for each category to assess and chart progress—or decline—in each of the six security-management areas.
The Hartford has a dedicated insurance offering called CyberChoice that pays off if failure of the IT infrastructure results in liability for loss of personal information, intellectual property and the like. The insurance pays for investigation of the failure and payment of the costs of notifying customers if there is a reportable breach.