Category Archives: Information Security Compliance

Cybersecurity compliance articles

Computer Incident Response Teams & Incident Response Policy

Computer Incident Response Teams (CIRTs or IRTs) play a crucial role in information security incident response. An effective Incident Response Policy is essential for guiding the team in handling incidents and ensuring a coordinated and efficient response. This policy should outline the steps, tasks, and procedures that need to be followed during incident response. It covers various aspects, including communication, escalation, incident tracking, reporting and documentation, investigation checklists, remediation checklists, evidence collection, forensics investigation, data retention, and more. Additionally, the article emphasizes the importance of proper security architecture, baselines, and processes for incident identification. It also highlights the containment, eradication, and recovery phases of incident response, emphasizing the need for caution, evidence gathering, problem correction, and system restoration. By following a well-defined incident response policy and learning from each incident, organizations can improve their incident response capabilities and better protect their systems and data.

Guidelines for Media and Data Sanitization: Protecting Confidentiality

Media sanitization is a critical process that organizations must undertake when retiring or repurposing information systems. The goal is to ensure that sensitive data stored on media remains protected throughout the retirement process. NIST Special Publication 800-88 provides valuable guidance on media sanitization, emphasizing the need to safeguard the confidentiality of recorded information. There are two primary types of media: hard copy and electronic. Each requires specific measures to render data inaccessible. The process of sanitizing media involves three categories: Clear, Purge, and Destroy. Clear employs logical techniques to protect against simple data recovery methods, while Purge utilizes physical or logical techniques to make data recovery infeasible. Destroy involves techniques that deform or destroy the media, preventing any future use for data storage. Cryptographic Erase (CE) is an effective method when encryption is involved, rendering the data unrecoverable without the encryption key. Physical destruction techniques such as bending, drilling, cutting, shredding, and thermal destruction provide a robust defense against data recovery. By following these guidelines, organizations can effectively protect the confidentiality of sensitive information throughout the retirement process, mitigating the risks associated with data exposure and unauthorized access.

The Crucial Leadership Role in Information Security

Leadership plays a critical role in information security within organizations. This article explores the importance of leadership in promoting security practices and the role of the Chief Information Security Officer (CISO) in advocating for a security-conscious culture. It emphasizes the need for leaders to lead by example, adhere to security policies, and actively engage in staff training and development. The key characteristics and responsibilities of a CISO are discussed, including risk articulation, communication skills, and promoting a security-aware culture. The article concludes by highlighting the shared responsibility for information security across the organization and the significance of integrating security measures at all levels.

Locard’s Exchange Principle and the Daubert Test

Locard’s Exchange Principle is based on the precept that when people interact within an environment, they always leave traces of their activities. This is the basic principle of forensic science. In the digital and physical world, Locard’s Exchange Principle applies in that if people attempt to steal, remove, add, alter, or…

Creating an Effective Information Security Policy

In today’s digital landscape, organizations must prioritize information security. This comprehensive guide explores the key elements and best practices for creating an effective information security policy. Learn how to protect valuable data, mitigate risks, and foster a culture of security awareness.

Online Terms of Service Agreements in Contract Law

Online Terms of Service agreements (TOS) found in contracts must have the following elements to be considered legal and enforceable: Parties to the contract must have the legal ability to enter a contract, known as contractual capacity. A contract can only be used for transactions that are…

Safe Harbor and State of Texas Breach Notification Laws

The concept of “Safe Harbor” refers to specific actions, for example encryption of private data, that an individual or an organization can take to show a good-faith effort in complying with the law. This good-faith effort provides a person or organization “Safe Harbor” against prosecution under the law (Grama, 2015, p. 253). The State of…

Section 409 of the Sarbanes-Oxley Act (SOX)

Section 409 of the Sarbanes-Oxley Act (SOX) states that organizations that are subject to SOX are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations. The disclosures must be presented in terms that are easy to understand and supported…

Understanding the Health Information Privacy Complaint Process: Consent and Investigation

Explore the Health Information Privacy Complaint Form and the authority of the Department of Health and Human Services’ Office for Civil Rights (OCR) to collect and receive relevant material and information. Learn about the voluntary nature of consent in investigations, the potential impact of withholding consent, and how it may affect the progress and resolution of a complaint. Gain insights into the importance of providing consent to facilitate a thorough investigation and ensure the protection of individual privacy rights.