PCI Council Releases Guidelines for Wireless Network Security #PCI

Nearly a year after ordering the phase-out of Wired Equivalent Privacy (WEP), a technology introduced in 1999 to protect data flowing over wireless networks, the PCI Security Standards Council this week released new guidelines for enhanced wireless security.

via News.

Google to get cloud FISMA certified as other government uses cause concern

Google wants to make its Internet cloud compliant with the Federal Information Security Management Act in the next year.

Dave Girouard, president of Google Enterprise said Wednesday during the National Defense University conference on cloud computing that the technology giant is certifying and accrediting its Internet cloud service for use by civilian and Defense Department agencies.

via Federal News Radio 1500 AM: Google to get cloud FISMA certified as other government uses cause concern.

Michael Jackson doctor went too far #HIPAA

And HIPAA does apply to deceased individuals. “It doesn’t matter whether a patient is dead or alive — the HIPAA and state privacy law protections still apply,” Stephen K. Phillips, a healthcare attorney in San Francisco, told me. “A deceased patient’s rights accrue to his/her legal representative for enforcement and redress purposes.”

At the same time, said Phillips, it’s possible that Jackson may have given Klein permission to discuss his PHI, or private health information, in public. In that case, Phillips said, “you haven’t violated the law by doing so, unless and until that authorization is withdrawn.” I tried to contact Klein to clarify these important points several times, but never received a response. His attorney didn’t get back to me either.

via Michael Jackson doctor went too far | Salon.

FISMA Reform: Making Room for Innovation

Just days before perpetrators executed one of the broadest denial of service attacks against federal-interest IT systems, the Government Accountability Office was on the Hill presenting its recommendations for reforming FISMA; including plans to enhance and improve testing, policy, communications, reporting and auditing.

With IT security resources so heavily invested in policy, audits and compliance reporting, where is the room for real innovation and progress?

via Government Information Security News, Regulations, White Papers, Webinars, & Education – GovInfoSecurity.com.

MasterCard seeks to clarify remote POS security upgrades policy #PCI

MasterCard today clarified a June 15 bulletin about the use of remote key injection (RKI) services for upgrading encryption protocols on merchants’ point of sale (POS) terminals, saying it was not an edict.

via MasterCard seeks to clarify remote POS security upgrades policy.

Understanding How PCI-Compliant Companies Can Be Breached – Market Research Report #PCI

This report is based on data collected online from a random-sample panel of 2,339 respondents in September 2008. The survey targeted respondents based on representative proportions of gender, age and income compared to the overall U.S. online population. Overall margin of sampling error is ±2.03% at the 95% confidence level, for 2008. The report was also based on interviews with executives from the PCI Council, Heartland, and eight security vendors.

via Understanding How PCI-Compliant Companies Can Be Breached – Market Research Reports – Research and Markets.

Meet #PCI DSS Compliance Requirements for Test Data with Data Masking

Using data masking, a technology which alters sensitive information while maintaining realism, production data can be eliminated from testing and development environments.

via Meet PCI DSS Compliance Requirements for Test Data with Data Masking.
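As an added illustration of the masking approach the excerpt describes (not code from the linked article or any vendor product), the following Python replaces each primary account number in a test record with a synthetic one that keeps the issuer prefix and length, still passes the Luhn check, and maps the same input to the same output so joins between test tables keep working. The masking key and the sample records are constructed for the example.

```python
import hashlib
import hmac

# Constructed secret for deterministic masking (assumed to come from a key
# store in a real deployment; it is never the production encryption key).
MASKING_KEY = b"example-masking-key-not-for-production"


def luhn_check_digit(partial: str) -> str:
    """Return the check digit that makes `partial` + digit Luhn-valid."""
    total = 0
    # Rightmost digit of the partial number becomes position 2 once the
    # check digit is appended, so it is the first one doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def mask_pan(pan: str) -> str:
    """Synthetic PAN: same issuer prefix (first 6), same length, Luhn-valid,
    and stable for a given input so referential integrity survives masking."""
    if len(pan) < 13 or not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    bin_prefix = pan[:6]
    middle_len = len(pan) - 7  # everything between the BIN and check digit
    # Keyed hash of the original PAN supplies the replacement middle digits;
    # without the key the original cannot be recovered from the test copy.
    digest = hmac.new(MASKING_KEY, pan.encode(), hashlib.sha256).hexdigest()
    middle = "".join(str(int(ch, 16) % 10) for ch in digest)[:middle_len]
    body = bin_prefix + middle
    return body + luhn_check_digit(body)


def mask_records(records):
    """Mask the 'pan' field of each record; other fields stay realistic."""
    return [{**r, "pan": mask_pan(r["pan"])} for r in records]


# Constructed sample test records (well-known test card numbers).
SAMPLE = [{"name": "A. Tester", "pan": "4111111111111111"},
          {"name": "B. Tester", "pan": "4242424242424242"}]
```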

MasterCard halts remote POS security upgrades #PCI

In a purported second major security change in recent weeks, MasterCard has decided to disallow merchants’ use of remote key injection (RKI) services to install new encryption keys on point-of-sale (POS) systems, says a Gartner analyst.

via MasterCard halts remote POS security upgrades.

PCI DSS Incident Response: The Legal Perspective #PCI

The SANS Institute InfoSec Reading Room recently published an article by Christian J. Moldes entitled PCI DSS and Incident Handling: What is required before, during and after an incident. Moldes’ whitepaper is a good starting point for developing an incident response plan to address payment card security breaches. The paper hits upon the key aspects of payment card security breach handling from an information security professional’s point of view. The paper, however, speaks little of the legal implications of a payment card security breach, and the incident response considerations that arise out of those implications.

via InfoSecCompliance.com – Technology, Privacy and Security Law & Risk Management » Blog Archive » PCI DSS Incident Response: The Legal Perspective.

Researchers predict SSNs, crack algorithm putting identities at risk

In their paper, “Predicting Social Security Numbers from Public Data,” researchers Alessandro Acquisti and Ralph Gross said they observed a correlation between an individual’s SSN and their birth data. The duo said they gathered the data from profiles on social networking sites, data brokers, voter registration lists, online white pages and the publicly available Social Security Administration’s Death Master File.

via Researchers predict SSNs, crack algorithm putting identities at risk.