The following is a list of recommended Virtual Private Network monitoring and security controls:

• Use firewalls and Intrusion Detection/Prevention Systems (IDS/IDPS) in order to monitor VPN connections.
• Use anti-malware and personal firewalls on remote clients and servers.
• All VPN connections require authentication.
• Logging enabled and auditing performed on a regular basis in order to detect possible attacks.
• Establish user and administrator security training requirements.
• VPN’s placed within a Demilitarized Zone (DMZ) to isolate them from internal protected networks.
• Split tunneling to allow local internet access on remote hosts should be prohibited.
• Use strong authentication mechanisms to include certificates, smart cards, or tokens.
• Access privileges granted on as-needed basis.
• Use strong alternative authentication mechanisms such as Terminal Access Controller Access Control System (TACACS), and Remote Authentication Dial-In User Service (RADIUS).
• Remote access computers physically secure.
• Use strong industry proven encryption with sufficient key strength to protect confidentiality.

It is important to note that even though Virtual Private Networks provide secure communications over insecure networks, client-side security must also be addressed in order to ensure end-to-end security.

References

HKSAR-The Government of the Hong Kong Special Administrative Region. (2008, February). VPN Security. Retrieved September 20, 2017, from https://www.infosec.gov.hk/english/technical/files/vpn.pdf.

Oracle Docs. Defining a VPN. https://docs.oracle.com/cd/E19047-01/sunscreen32/806-6347/6jfa0g87q/index.html.

Tech Target. Virtual Private Network. http://searchnetworking.techtarget.com/definition/virtual-private-network.

The post Virtual Private Network (VPN) Security and Monitoring Controls appeared first on .

The concept of “Safe Harbor” refers to specific actions, example; encryption of private data, that an individual or an organization can take to show a good-faith effort in complying with the law. This good-faith effort provides a person or organization “Safe Harbor” against prosecution under the law (Grama, 2015, pg.253).

The State of Texas Statute 521.002 states that when a an individual’s first name or first initial and last name are combined with other private information, example, Social Security Number, that the information must be encrypted. The State of Texas Bus. & Com. Code 521.002, 521.053; Ed. Code 37.007(b)(5), and Pen. Code 33.02 all have provisions for personal private data protection, but none of these set a specific encryption standard. According to this law as long as an organization encrypts personal private information as the law specifies, theft of encrypted information would not require a breach notification which fulfills the principle of Safe Harbor (State of Texas Statutes 521.053, 2009).

Further research into Texas information system requirements revealed that encryption standards for state agencies are controlled by the agencies themselves. Texas Administrative Code 202.1 was the only law found addressing encryption at a state level for all other agencies and it also did not provide an encryption standard. Note: this law was repealed March of 2015 and no other laws were found (Texas Administrative Code 202.1, n.d.).

References

Grama, J. L. (2015). Legal issues in information security (2nd ed.). Boston, MA: Jones & Bartlett Learning.

State of Texas Statutes 521.053. (2009, April 01). Business and Commerce Code Title 11. Personal Identity Information Subtitle B. Identity Theft Chapter 521. Unauthorized Use of Identifying Information Subchapter A. General Provisions. Retrieved June 2, 2016, from http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm#521.053

Texas Administrative Code 202.1. (n.d.). Texas Administrative Code Title 1. Part 10. Chapter 202. Sub Chapter A. Rule 202.1. Retrieved June 2, 2016, from http://texreg.sos.state.tx.us/public/readtac$ext.TacPage?sl=R&app=2&p_dir=&p_rloc=142456&p_tloc=&p_ploc=&pg=1&p_tac=142456&ti=1&pt=10&ch=202&rl=1&dt=&z_chk=&z_contains=

Disclaimer

The post Safe Harbor and State of Texas Breach Notification Laws appeared first on .