Archive for the ‘Blogroll’ Category

News Release – Privacy and Security Controls related to Healthcare (H.R.3200)

Thursday, September 17th, 2009

Wash., DC, Sept. 18 —  “Because none of the health care reform legislation being offered by the White House or the U. S. Senate or the House of Representatives contains adequate provisions for assuring privacy and proper security controls for people’s health care records, it is essential that this grave concern be immediately addressed,” says SecurityCAFÉ Founder and President Shawn E. Anderson, PMP. 

“The unintended consequences of errors of omission currently being committed in haste are sure to have far-reaching harmful impact on millions of Americans,” the 20-year computer security expert explained to delegates attending the Values Voters Summit at the Omni Shoreham Hotel in Washington.

“Unrestricted access to people’s private health records represents a dire risk to their privacy and makes potential misuse certain,” Anderson says.  “Our lawmakers must be held accountable for invasions of privacy of any system they intend to impose on unsuspecting millions of Americans.  Right now, all of the health care reform proposals being offered contain ample potential for major abuse, manipulation and exploitation.” 

The computer security consultant calls records security the “Achilles Heel” of current health care reform proposals, urging immediate attention incorporating substantive protections.” He says “It is essential to anticipate and to prepare for an unfathomable volume of sensitive medical data.   Implementation of effective safeguards is imperative.” 

SecurityCAFE’s three-pronged computer specialty is in relating people, policy, process and technology to the functions of assurance, forensics and engineering.  Its internet website is  www.SecurityCAFE.com  Anderson may be reached by telephoning  571/216-6410 or e-mailing  Info@SecurityCAFE.com

CyberSecurity – huh???

Wednesday, February 11th, 2009

This blog was created because I’m discouraged at how privacy and data protection are being treated in general by companies, our government, and the international community as a whole. They say we need to focus more on cyber security but what is Cyber Security anyway? How do you secure something that is “cyber” meaning everywhere in the ‘bit stream’?

It would nice if companies and our government would start focusing on the data and not the pipeline. We sit in our cars on the freeway every day and while they are maintained the real value is the passenger inside the cars. That is where the important information sits. Those cars have our doctors, lawyers, police officers, fireman, the mailman, and the guy who pours our coffee every day. I’ve held many positions in security over the years, from Security Engineer to Chief Information Security Officer. Every organization I go into it is a very similar story.

How do we protect the network?

Most organization do not really have a clue what is riding on the network so they spend millions and millions to protect everything. We need to start focusing on the basics so we can spend this money a more wisely with lest fraud, waste, and abuse. 

1.       What is the baseline – What data do we have and how important is that data. If it’s not critical or life saving then who cares how we protect it. Either way we need a baseline of the data

2.      Implement strong policy and hold people accountable. If someone commits murder we don’t prosecute the gun manufacturer or the car company. We focus on the person that committed the offense. Stop going after the networking personnel because they didn’t build a security capability to stop “Bob” in finance from going to a porn site or losing his external harddrive because he kept taking it home every night.

3.      Train, train, train them. We don’t let people drive without taking a class so why do we let people drive on our networks without taking training?

4.      Document your system and the changes you make to that system.

5.      Finally monitor the environment. Make sure the software is up to date, patches are put in place, and that people are accessing the data they are supposed to be accessing.This is about holistic security. Make sure the employees are badging into the building and then appropriately accessing what they need to in order to do their jobs. Data protection is digital but it is still the same data we dealt with 50 years ago. It sits in cabinets, on computers, desks, and is spoken in the hallways of buildings.

How do we secure this and what is the importance of privacy and governance as a whole if we don’t’ know what it is we are spending the money on?