AKIBIA'S PRACTICAL GUIDE TO ENTERPRISE TECHNOLOGY

Entries with Label: Compliance

Ten Steps for the Mass Data Security Law

POSTED BY Jim Barrett AT 1:19 PM 0 COMMENTS

Wednesday, March 04, 2009

Massachusetts recently pushed back the implementation date of the Massachusetts Data Security law, formally known as 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH. This law, which was scheduled to take effect on January 1, 2009, was originally delayed to May 1, 2009 and then delayed again to January 1, 2010. While there are no guarantees that the law will not be pushed back a third time as we approach the end of 2009, prudent organizations should not count on this and should take the opportunity provided by this extension to get in compliance.

HIPAA Revitalized in 2009 and Beyond

POSTED BY Tim Trow AT 1:33 PM 0 COMMENTS

Friday, March 13, 2009

It’s been a few years since the Health Insurance Portability and Accountability Act of 1996 (HIPAA) came into effect, and since then there seems to have been a “gliding along” approach. Many health organizations are now either compliant or at least feel like they have a grasp on HIPAA privacy and security safeguards and what they all mean. The challenge for organizations has always been “how to” protect Personally Identifiable Information (PII) in both paper and electronic form. HIPAA has often been labeled somewhat ambiguous, and enforcement is not always forthcoming. HIPAA has also been overshadowed somewhat by other compliance and regulatory advances by the government and private industry.

PCI DSS v1.2 and its Requirement from WEP to WPA Wireless Encryption

POSTED BY Tim Trow AT 1:28 PM 0 COMMENTS

Wednesday, May 06, 2009

Although PCI SSC changed the wireless security standards 6 months ago with the release of PCI DSS v1.2, many merchants are still using WEP in the storage, processing or transmission of credit card information.

The Checklist Approach to IT Security is Failing You

POSTED BY Tim Trow AT 1:07 PM 0 COMMENTS

Monday, May 18, 2009

In the past few weeks I have spoken to a number of companies about IT security, and a familiar theme has emerged: too many companies lack a sound framework for overall IT security. Instead, many companies are overly focused on completing a checklist (firewall, encryption, PCI compliance).

Death by A Thousand Processes: Getting Compliance Right Requires a Change in Thinking

POSTED BY Robert Klotz AT 1:08 PM 0 COMMENTS

Wednesday, July 08, 2009

It seems like every day we wake up to find a new compliance mandate staring us in the face. These mandates put pressure on our infrastructure, mind share and our budgets. Industry estimates show the cost for compliance can be anywhere from 8-12% of the IT budget of a Fortune 500 company to as much as 25% of the overall IT budget for a mid market company.

Implement, educate and enforce strict Social Media usage policies – in that order

POSTED BY Bill Malone AT 6:58 PM 0 COMMENTS

Thursday, August 06, 2009

For several years I have championed organizations of all sizes and industries reviewing and updating their IT security policies, while simultaneously imploring companies to implement policies where none exist. If the proliferation of compliance and regulatory requirements still has not convinced you to take IT policy and procedure seriously, then prepare for Web 2.0 to force it upon you!

IT Needs Turbo Compliance

POSTED BY Robert Klotz AT 11:13 AM 0 COMMENTS

Thursday, September 03, 2009

IT executives are exhausted by the compliance challenge. Managing so many complex rules and requirements takes time, budget and resources, and even still executives can’t be sure they have done everything necessary to ensure compliance.

Boston’s Missing Email Case Has Many People Asking Questions about Digital Forensics

POSTED BY Randy Bohrer AT 6:50 AM 0 COMMENTS

Wednesday, September 16, 2009

On September 14, Massachusetts Secretary of State William Galvin ordered the city of Boston to seize computers and software used by Mayor Menino’s aide, Michael J. Kineavy. At issue is whether Kineavy may have violated state law by deleting emails. According to the news articles, Kineavy deleted emails from his inbox and trash folder every day, possibly before the city’s systems made a backup. Alan N. Cote, head of the public records division in Galvin’s office, ordered the city to hire “a qualified independent and competent technology expert to employ all reasonable means of recovering and restoring the missing records”.

Don’t Put off Until Tomorrow…

POSTED BY Robert Klotz AT 6:43 PM 0 COMMENTS

Thursday, September 24, 2009

The third extension for MA CMR 17 has me thinking of one of my grandmother’s favorite sayings: “don’t put off until tomorrow what you can do today.” As we all know, Massachusetts again extended the deadline for CMR 17 compliance from January 1, 2010 to March 1, 2010. While it’s human nature to see the extension as an opportunity to table compliance projects until the New Year, I caution against that.

New Requirement - New Fire Drill?

POSTED BY Robert Klotz AT 3:19 PM 0 COMMENTS

Thursday, March 25, 2010

Gartner research suggests that companies that select individual solutions for each regulatory challenge spend 10 times more on the IT portion of compliance projects than companies that take a proactive and more integrated approach. One grocery chain in New England is doing just that.

Robert is vice president of technology at Akibia.

A Boston Globe Article Ignites a Password Controversy - Why We Need Them, How to Make Them Effective

POSTED BY Randy Bohrer AT 10:43 AM 1 COMMENTS

Wednesday, April 14, 2010

The article by Mark Pothier in the Sunday Boston Globe entitled “Please Do Not Change Your Password” has caused some controversy among IT staff members, security managers, and technology users. The article provides a compelling argument that the costs associated with frequent password changes outweigh the costs of security breaches caused by weak or static passwords. Although a position on either side of this debate may be supportable, the reality is that there are a number of standards that organizations (your employer, for example) must follow, including periodic password changes, password complexity requirements and password history requirements.

Randy is a senior security consultant, PCI QSA, BSEE, CISSP at Akibia.

Compliance and Security Go Hand in Hand – How to Achieve Both

POSTED BY Randy Bohrer AT 4:35 PM 0 COMMENTS

Friday, May 28, 2010

The buzzword “Compliance” has now overshadowed many of the previous popular terms in security discussions. Many equate “compliance” with “security,” but recent literature abounds with titles such as “Compliant Does Not Mean Secure” and “Information Assurance: The Difference between Secure and Compliant.” These articles make the case that it is possible to be compliant yet not secure. Most discussions focus on payment card industry (PCI) security, because of the high value of the data involved, the stringency of the compliance standards, and recent security breaches of major players. It is also useful for illustration purposes, since the typical PCI technical environment is usually confined, and the standards are very specific. However, it is important to expand the discussion beyond one security standard, especially since others are more comprehensive, although less specific.

Randy is a senior security consultant, PCI QSA, BSEE, CISSP at Akibia.

Health Providers Beware of the New HITECH Act

POSTED BY Tim Trow AT 9:58 AM 2 COMMENTS

Friday, June 18, 2010

The Health Information Technology for Economic and Clinical Health Act, more commonly known as the HITECH Act, is part of the American Recovery and Reinvestment Act of 2009. This act appears to put some teeth into the HIPAA regulation of 1996. The HITECH Act provides general and specific incentives for health organizations to adopt electronic health record (EHR) systems. With these incentives come increased privacy and security protections for consumers and potentially increased liability for those that are not in compliance.

The Death of Information Security

POSTED BY Evan Wheeler AT 3:21 PM 0 COMMENTS

Monday, August 16, 2010

It may be hard for you to imagine a day without an Information Security group, but the truth is that the role of the security team is changing rapidly as priorities shift and other functions become more security savvy. Certainly the responsibilities of the current security team won't ever disappear, but I see more and more organizations adopting a decentralized model of managing information security. We now have robust privacy and compliance functions within many organizations with responsibilities that greatly overlap with the traditional security team. The most significant trend that I see is the move towards a deeper focus on risk management principles.

Mr. Wheeler is a security expert and an Akibia customer at Omgeo.

The Missing Link

POSTED BY Robert Klotz AT 10:40 AM 0 COMMENTS

Wednesday, September 15, 2010

Bill Brown has taken a bold step in the IT management world. Bill, who is the current CIO at Iron Mountain, has created a new position, SVP Global Compliance Process. While the traditional approach is to put someone in charge of overall audit and legal compliance, Bill has smartly created a bridge position between the business need for compliance and the IT operational delivery of the same.

Robert is the Vice President of Technology at Akibia.

Too Many Requirements; How One VP of IT Handles It

POSTED BY Robert Klotz AT 9:12 AM 0 COMMENTS

Thursday, September 30, 2010

In 1996 IT departments were only concerned with two mandates, but today there are over 200, with more than 2500 security controls associated with them. The cost, both in budget and time, of understanding, addressing and proving compliance with these ever-expanding mandates is considerable. Because requirements expand and change on a regular basis, the project of managing compliance is never complete, leaving CIOs and their IT departments constantly at risk of non-compliance.

The Next Generation of Smartphones in the Enterprise

POSTED BY Angelo DiCello AT 2:20 PM 0 COMMENTS

Tuesday, December 28, 2010

In recent years the smartphone market has turned the industry upside down. According to comScore (http://www.comscoredatamine.com/2010/12/u-s-smartphone-vs-non-smartphone-subscriber-share/), smartphone adoption in the U.S. now represents 1 in 4 subscribers, compared to 1 in 10 just two years ago. Enterprise IT administrators are now struggling to test and manage different types of handheld devices’ access to corporate networks. In the past, IT administrators were able to mandate which phones were approved and limit corporate smartphones to one or two models.

Angelo is a Senior Consultant at Akibia.

You can outsource the work, but not the responsibility

POSTED BY Dennis Thrift and Tim Trow AT 10:35 AM 1 COMMENTS

Tuesday, February 01, 2011

Many organizations are under the impression that if they outsource their credit card transactions, then they are not responsible for their PCI compliance. While outsourcing may reduce the scope of the PCI environment, it does not relieve them of responsibility for their PCI compliance.

Dennis Thrift is Product Champion - Compliance & Risk at Akibia, and Tim Trow is Senior Security Consultant at Akibia.

Federal FISMA Compliance Rated “Poor”

POSTED BY Dennis Thrift AT 9:40 AM 0 COMMENTS

Tuesday, May 03, 2011

Last year, responsibility for ensuring compliance with FISMA was turned over to the Department of Homeland Security. The Office of Management and Budget’s report for FY2010 finds that government agencies aren’t doing so well with FISMA compliance. In fact, OMB’s annual report on implementation of the Federal Information Security Management Act of 2002 rated federal compliance with information security guidelines as poor.

Dennis is Product Champion of Compliance & Risk at Akibia.

Choosing the Right Consultant

POSTED BY Dennis Thrift AT 9:52 AM 0 COMMENTS

Wednesday, June 15, 2011

Some organizations may be afraid to get consulting guidance for their compliance issues.

Dennis Thrift is Product Champion for Compliance and Risk at Akibia.

More from midTECH

POSTED BY Robert Klotz AT 3:22 PM 1 COMMENTS

Tuesday, June 28, 2011

Ever wonder why vendors try to twist IT problems to their gain?

Robert Klotz is the Vice President of Technology at Akibia.