Online Security: Who's Liable?

Hackers, viruses, and other online threats don't just create headaches for Internet users -- they could also create prison sentences for corporate executives, experts say.

Though business groups have lobbied successfully against laws focused on cybersecurity, companies that don't make efforts to secure their networks could face civil and criminal penalties under an array of existing laws and court decisions, according to security and legal experts.

[...]

Though health-care, banking and deceptive-business laws all create security obligations, a new accounting-reform law being phased in is likely to have the biggest impact.

The 2002 Sarbanes-Oxley Act holds executives liable for computer security by requiring them to pledge that companies' "internal controls" are adequate, and auditors are starting to include cybersecurity in that category, said Shannon Kellogg, director of government affairs at RSA Security.

[...]

[CLB: nice overview article.]

(0) comments

PIPEDA

Three months into the federal privacy law, companies are confounded by its implications. The Canadian Institute of Chartered Accountants releases a compliance roadmap based on international best practices to help point the way. Plus: what the Ontario commissioner thinks.

[...]

Terrific links from the article:

Canadian Privacy Institute http://www.canadianprivacyinstitute.ca/

Canadian Institute of Chartered Accountants (CICA) http://www.cica.ca/

Deloitte &Touche http://www.deloitte.ca/

Ontario's Privacy Commissioner http://www.ipc.on.ca/

__posted by Carolyn L Burke @ 7:00 p.m.
subscribe to Integrity

(0) comments

Microsoft struggles to build trust

Winning trust is not a short-term activity in any walk of life, as Microsoft is finding with its security-based Trustworthy Computing. Since Bill Gates emailed his developer colleagues almost two years ago, demanding an improvement in the quality of code and a reduction in the number of security flaws, the industry has been keenly awaiting evidence of improvements.

Meta Group analyst Michael Warrilow says buyer attitudes to Microsoft are softening but there is still a long way to go before anyone 'trusts them'.

(0) comments

Summary:

The Witty worm first hit computers known to be vulnerable and emerged so quickly that most companies had no time to apply a patch, according to an analysis of the program.

[...]

[T]he worm was released in a way that would it allow it to speed its attack on vulnerable servers.

The Witty worm started spreading early Saturday morning. In about 45 minutes, the worm had infected the majority of vulnerable servers--about 12,000--on the Internet, according to the report. Within 10 seconds, 110 compromised hosts appeared, which led CAIDA to believe that those servers were used to actively spread the worm, a tactic known as 'preseeding.'

The Witty worm burned out quickly, due to its malicious nature. The worm slowly corrupted the information on a system's hard drive by writing 65 kilobytes of data to a random place on the drive. As a result, nearly half the systems infected by the worm crashed within 12 hours.

Compared with the Microsoft SQL Slammer worm, which infected 70,000 to 100,000 computers, the Witty worm attacked a smaller population, according to CAIDA. The worm also attacked computers that were specifically in place to protect against such threats.

The implications of this evolution should not be ignored, the report said.

'With minimal skill, a malevolent individual could break into thousands of machines and use them for almost any purpose with little evidence of the perpetrator left on most of the compromised hosts,' it stated.

(0) comments

CSR at the heart of business - The Work Foundation (British)

Corporate social responsibility (CSR) is now firmly entrenched in the business lexicon. For some organisations, activities that they would describe as socially responsible can act as a shield to fend off criticism of their poor business practices and performance. For others, being corporately socially responsible is part of the warp and weft of doing good business. These businesses are already committed to strategies and practices that others will describe as CSR but which they themselves would more accurately call high performance. This report is concerned with the evidence that supports the latter group of business activities.

(0) comments

Stopping data, identity theft via offshoring

R Raghavendra | March 25, 2004

Companies depend on information to operate their business processes. Much of this information is stored and processed electronically, and is exchanged with business partners over computer networks, many of which are public.

The security of this information -- or data -- may be at risk owing to vulnerabilities, with potentially serious consequences to the business of a company or individual.

Data security addresses staff at a business process outsourcing centre who handle the data and put in place systems which guard against careless/criminal agents. It also involves putting in place laws that make it an offence to steal and misuse data.

As BPO involves job losses and has become very emotive, what the people in the US are saying is not so much that the networks extending to India are technically insecure but that 'God knows what those guys do with our tax and social security info; they won't even go to jail if they filch something'.

A key solution is to get the organisation certification for information security management systems or ISMS.

Extensive guidance on organisational aspects of risk assessment and control is given by the British Standards Institution code of practice for ISMS.

The certification is called BS7799-2.2002. It holds the key to mitigating the problem of "identity theft" while offshoring finance and accounts processes even before it arises.

[...]

(0) comments

Is hacking ethical?

The definition of hacker has changed radically over the years. With the aid of the mass media, the word has developed a negative connotation rather than the positive one it used to have. Add ethical in front of hacker, and it's even more confusing.

For the purposes of this article, I'll define those hackers with malicious intent as 'crackers.' Hackers can be categorized into the following three buckets:

Hacktivists: Those who hack as a form of political activism.

Hobbyist hackers: Those who hack to learn, for fun or to share with other hobbyists.

Research and security hackers: Those concerned with discovering security vulnerabilities and writing the code fixes.

...

__posted by Carolyn L Burke @ 7:23 a.m.
subscribe to Integrity

(0) comments

Corporate Policies, Corporate Governance

By: Chris Koressis, Oct 2002

[...]

Subjects that should be addressed by corporate policies include:

Compliance with laws, regulations, and accounting standards.

Whistle blowing. These policies should address the obligations of employees to the company and its stakeholders with regard to reporting wrongdoing and also the protections against termination that employees have for doing so.

Records retention and destruction, including how records should be categorized, how long each category of record should be retained, and what records can be destroyed at some point.

Ethics and business practices.

Sexual harassment.

Confidential information and trade secret protection , including what steps employees must take to protect a company's confidential information and that of third parties.

Internet and e-mail use.

Privacy, including what legal obligations a company has in the absence of a privacy policy and whether that default position can be improved from the company's perspective by drafting a policy. Privacy policies should also address how such guidelines should be brought to the attention of customers.

[...]

Policy Tune-up

Companies should review their policies from time to time to ensure that they are up-to-date and address all legitimate issues. However, here are seven steps that companies should consider taking immediately with regard to their policies:

Consolidate all existing policies and eliminate duplication. Rather than providing a safety net in efforts to cover all possible scenarios, duplication instead creates confusion and inconsistency that can be exploited in a lawsuit.

Develop a standard format and method of organization for policies. This makes policies easier to find, read, and amend as necessary to reflect changes in legislation and case law.

Create internal consistency among present policies. Some polices must be detailed and lengthy, and procedures often must be specified as part of a given policy. This level of detail, however, increases the risk that internal inconsistencies will appear, such as the use of undefined jargon, improperly used terms, and procedures that contradict the intent of a policy.

Ensure that all applicable legislation and regulations are followed.

Develop a process for employee training. Policies that are not communicated to employees and implemented through training are ineffective. A company should not rely on such policies as a defense to a lawsuit, nor should it use such a policy to fire an employee who breaches it. Moreover, for employees to buy into company policies, they need to understand how corporate policies protect them as individuals and the company against liability.

Identify gaps in policy and amend or draft new policies to address them.

The integrity of an organization ultimately depends on the character of its employees, from the top down. Corporate policies will not prevent a dishonest officer or employee from engaging in fraud or other misdeeds. They will, however, make a company more attractive to its stakeholders and help it avoid potential liability.

__posted by Carolyn L Burke @ 2:40 p.m.
subscribe to Integrity

(0) comments

Edmonton Journal

Integrity officer rips whistle-blower bill

Kathryn May

Ottawa Citizen; CanWest News Service

March 23, 2004

OTTAWA - Canada's integrity officer says the government's much-vaunted whistle-blower legislation tabled Monday is too weak and could discourage bureaucrats from exposing wrong-doing and corruption.
Edward Keyserlingk said the proposed bill is a 'disappointment' that ignores the meatiest of the recommendations urged by a working group whose blueprint would have made Canada's whistle-blower laws the strongest in the Commonwealth.

Keyserlingk was recruited as Canada's first integrity officer more than two years ago to investigate allegations of wrongdoing in government. He has long argued the policy he administers is too feeble to protect public servants from reprisals, which cost his office the credibility and trust it needed to investigate.

Keyserlingk said the bill is an improvement over that toothless policy, but is a far cry from what's needed in that it could "further feed cynicism and lack of confidence" within the public service. "I think (the bill) will surprise an awful lot of people, it certainly surprises me," said Keyserlingk.

"There has never been a climate more receptive to whistle-blowing protection and given everything the government is saying about getting at wrongdoing and protecting whistle-blowers, we all expected something far more robust.

"It does not respond to public servants' cynicism and lack of confidence and I think it might end up feeding both and, to me, that's a tragedy. It's better than what we have now, but it is deficient in so many ways."

But Privy Council president Denis Coderre said the bill was "inspired" by the 34 recommendations of the working group and strikes a "balance" between between encouraging bureaucrats from coming forward with suspicions of wrongdoing while protecting against disgruntled employees with an axe to grind. He said the government wants to be able to handle as many complaints as possible internally but employees do have the option of taking their complaints to a new integrity watchdog.

He said the bill was a key part of the Martin government's vow to change the culture of government.

"We encourage federal public servants to come forward and disclose possible serious wrongdoing and whenever they do, I expect them to be treated fairly," said Coderre.

"This government came to office with a commitment to change the way things work. The actions we are taking today reflect that commitment."

The government pledged to fast-track the whistle-blower bill as part of its plan to clean up government and get to the bottom of the Quebec sponsorship scandal.

Until the bill is passed, bureaucrats have been promised blanket protection from job reprisals and retaliation if they come forward with any information that can shed light on the $250-million fiasco.

The biggest disappointment is that the bill creates a new public service integrity commissioner who reports through a minister, rather than directly to Parliament, which many argue undermines the office's independence and credibility. The commissioner's seven-year appointment must be approved by the Senate and House of Commons.

The government has received three major reports calling for tougher whistle-blower protection over the past year and all called for an independent watchdog, similar to agents of Parliament such as the auditor general, official language commissioner, information commissioner, chief electoral officer and privacy commissioner.

The bill offers protection to all federal workers except bureaucrats who work in national security, such as the RCMP, CSIS, Communications Security Establishment and the military. It requires all departments and agencies to appoint a senior officer who can take complaints internally, but bureaucrats can opt to go directly to the commissioner.

Keyserlingk said the new integrity commissioner would have no more investigative and enforcement powers than he now has. The commissioner will investigate wrongdoing and make recommendations to heads of departments and agencies. It can also submit special reports to Parliament.

But the commissioner has no power to subpoena, can't get access to cabinet documents, can't follow investigations into ministers' offices nor probe complaints from Canadians about wrongdoing in government -- all of which were recommended by the working group.

John Gordon, vice-president of the Public Service Alliance of Canada, said the bill offers public servants no more protection than they have now.

He said the watered down bill is "political manoeuvring" to make the government look like it's committed to whistle-blowing, knowing it will never pass before an anticipated spring election. The Liberals first promised whistle-blower legislation in the 1993 election campaign.

© The Edmonton Journal 2004

(0) comments

Press Room

SAFETY NET
CFOs Feel Their Companies are Most Susceptible to Disasters and Information Security Threats, Survey Finds

MENLO PARK, CA -- In a sign of the times, many executives are concerned about their companies’ ability to protect and sustain business operations in the event of a significant disruption. According to a new survey, 37 percent of chief financial officers (CFOs) said they perceive their firms to be most vulnerable in the area of disaster recovery, followed by security of information systems, at 24 percent. When the same executives were asked where they plan to invest the most dollars in 2004 to ensure future business growth, 28 percent said technology enhancement.

The survey was developed by Robert Half Management Resources, the world’s premier provider of senior-level accounting and finance professionals on a project and interim basis. It was conducted by an independent research firm and includes responses from 1,400 CFOs from a stratified random sample of U.S. companies with more than 20 employees.

CFOs were asked, “In which one of the following areas do you feel your company is most vulnerable?” Their responses:

Disaster preparedness/recovery		37%
Security of information systems		24%
Protection of intellectual capital		11%
Detection of accounting fraud		10%
Theft by company employees		2%
Other		3%
None/not vulnerable		11%
Don’t know/no answer		2%
		100%

CFOs were also asked, “In which of the following areas will your company invest most heavily in 2004 to ensure its future growth?” Their responses:

Technology enhancement		28%
Marketing		20%
Facilities expansion		17%
Training		17%
Additional personnel		9%
Acquisitions		3%
Other		2%
None/don’t know		4%
		100%

“Potential business disruptions, such as operational failures, network intrusions and e-mail viruses, are top of mind for many executives,” said Paul McDonald, executive director of Robert Half Management Resources. “As a result, CFOs are allocating more funds to technology in 2004, in areas such as systems upgrades and implementations, and business continuity planning. In addition, firms are increasing investment in security within operating systems, across applications and throughout networks.”

McDonald added, “CFOs and chief information officers are collaborating on technology decisions to gain the maximum return on their investment. They are addressing opportunities to enhance their systems’ reliability and efficiency, increase employee productivity and boost profitability.”

Robert Half Management Resources has locations in major cities throughout North America, Europe and Australia, and offers online job search services at www.roberthalfmr.com.

(0) comments

Liberty Alliance Collaborates With Six More Industry Bodies Cementing Federated Identity's Importance Across Industries

The Liberty Alliance, the consortium developing an open federated identity standard and business tools and guidance for implementing identity-based services, today announced new relationships with six global alliances. Network Applications Consortium (NAC), Open Mobile Alliance (OMA), Open Security Exchange (OSE), PayCircle, SIMalliance and WLAN Smart Card consortium are working collaboratively with the Liberty Alliance, demonstrating that federated identity is a key enabler in everything from mobile payments and on-demand networking to integrating electronic and physical security systems.

"Identity is not an add-on," said Michael Barrett, vice president of privacy and security at American Express and president of the Liberty Alliance. "Many of today's IT limitations exist because identity wasn't adequately built into the foundation of our networks and no one wants to make that mistake in the future. The growing adoption of Liberty's standard clearly demonstrates that federated identity is a top priority across multiple industries."

...

Identity is a foundational element of any relationship - both in the physical and virtual world. As identities become inextricably linked to personal attributes, roles, permissions and processes, relationships and the security to protect those relationships will become more complex.

...

(0) comments

Statewatch

Statewatch is a non-profit-making voluntary group founded in 1991. It is comprised of lawyers, academics, journalists, researchers and community activists. Its European network of contributors is drawn from 13 countries. Statewatch encourages the publication of investigative journalism and critical research in Europe the fields of the state, justice and home affairs, civil liberties, accountability and openness.

Statewatch Observatories on civil liberties and openness in the EU:

New laws and practises affecting civil liberties since September 11

Surveillance of telecommunications

Freedom of information in the EU

EU asylum and immigration policy

__posted by Carolyn L Burke @ 7:19 a.m.
subscribe to Integrity

(0) comments