Category Archives: Compliance

Board communications security and the move to mobile technologies.


March 27, 2014

This case study follows a review we undertook for an ASX Top 20 company. It addresses the security of information at the Executive and Board levels – how it is communicated, distributed and shared – as the Boardroom moves to mobile technologies.

The results of our work went straight to the top and culminated in the company re-assessing how it was protecting this strategic and highly confidential information. Failing to do so could have had dire consequences in the event of a compromise. Once we delivered our results, the company understood and responded immediately. (Most companies, however, are still not doing this, because they are unaware of the risks.)

Download here: Case Study – Securing the Technology Change Agenda

The 7 reasons why businesses are insecure.


February 27, 2014

By Drazen Drazic

I won’t start by saying that implementing a strong framework is going to solve all of a business’s IT security problems. It won’t, but with one you at least have a big advantage over where you are now – you have a better picture and understanding of where your problems may lie, and you’re less likely to be taken by surprise.

At present, most organisations have little understanding of the risks they face – where they are exposed, what they are exposed to and how these exposures could impact the business. So what are the problems?

1. Management and Governance – If the CEO and Senior Officers of the business do not ultimately own the responsibility and accountability for the security of the business, then it simply does not get the appropriate attention. When we do “State of Security” reviews for our clients, we pretty much have 90% of our report written after the first hour if we find this layer of the framework is not in place. That is, if there is no effective and ongoing management and governance layer, you can be almost certain that overall security within the organisation is weak. Matt Jonkman, in a previous interview with Securus Global, explained it well:

Continue reading

Regulation and Compliance – It’s all relative and what you are used to…


June 07, 2013

In this old Beast or Buddha post from 2009, our CEO, Drazen Drazic, looked at regulation and compliance. It’s worth reviewing again to see where we stand in 2013, as the Government starts to follow the likes of the US in assessing whether more regulation and compliance is needed.

http://beastorbuddha.com/2009/04/14/regulating-it-security-practices-pci-dss-tough-it-could-be-worse-or-betterdepends-how-you-look-at-it/index.html

We welcome your thoughts and comments….

Continue reading

Mandatory Data Breach Notification


May 29, 2013

With the discussion starting again about Australia’s position on Mandatory Data Breach Disclosure (http://bit.ly/1avVg7H), we present below the submission we made to the government in 2012 when it called for comments on this potential legislation. What are your thoughts?

—————————————————-

The following are our [Securus Global] thoughts on Mandatory Data Breach Notification, in response to the Discussion Paper: Australian Privacy Breach Notification (Oct, 2012).

The organisations most likely to be affected by the introduction of such laws also tend to be those that already have better information security and privacy policies in place.

Where we are coming from: if you have good practices and controls in place, you are also more likely to detect a breach and would, under these new laws, have to openly disclose it. (Fair enough.)

Continue reading

Cybercrime Act 2001


April 30, 2013

If computer “hacking”/penetration testing is something you are interested in, and you want to make a career of it working with a reputable company to test the security of companies’ environments, then, as we’ve said before, contact us for information on how you can get started and we’ll help you with areas of study. Most people start off on their own and are self-taught up to a certain stage, at which point it helps to join a company like Securus Global. If you fit into either of these categories, here’s the document you should read first. Don’t get yourself into trouble. Learn the law:
http://www.comlaw.gov.au/Details/C2004A00937/Download
Download the Cybercrime Act and understand the boundaries of what you can legally do on your own. If you are in any doubt about whether your research is lawful, don’t do it – check first with people who know.

New PCI DSS requirements will come into effect on June 30


June 29, 2012

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements laid down by the major payment card brands for any merchant or service provider that stores, processes or transmits cardholder data.

However, the scope of PCI DSS compliance, and the fact that the way compliance must be validated (self-assessment questionnaire versus on-site assessment) varies with a company’s transaction volume, can often make it confusing for businesses to understand.

And it may soon become even harder to evaluate PCI DSS compliance internally, with new updates coming into effect on June 30.

Merchants will now be required to “establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities”, according to the PCI Security Standards Council (PCI DSS v2.0 Requirement 6.2) – something that was previously considered only a best practice.

This means that businesses will not only have to be aware of and understand vulnerabilities; they must also be able to rank those vulnerabilities based on the relative risk to their systems, and document the process they use to do so.
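To make the requirement concrete, here is an added example of what such a documented risk-ranking process can look like in code. It is not from the original post or from the PCI SSC; the ranking rule (CVSS v2 band, raised one level for assets in the cardholder data environment and one more for internet-facing assets), the remediation targets and the sample findings are all assumptions chosen for illustration. PCI DSS 6.1 separately requires critical patches within one month of release, which is why the High deadline is 30 days; the other deadlines are hypothetical policy values.

```python
from dataclasses import dataclass

# Qualitative CVSS v2 bands as used by NVD: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0.
RANKS = ("Low", "Medium", "High")

# Remediation targets per rank. 30 days for High mirrors PCI DSS 6.1's one-month
# window for critical patches; the Medium and Low values are hypothetical policy.
DEADLINE_DAYS = {"High": 30, "Medium": 90, "Low": 180}


@dataclass(frozen=True)
class Finding:
    vuln_id: str           # constructed sample identifier, not a real CVE
    cvss_base: float       # CVSS v2 base score, 0.0-10.0
    asset: str
    in_cde: bool           # asset stores, processes or transmits cardholder data
    internet_facing: bool  # reachable from untrusted networks


def cvss_band(score: float) -> int:
    """Map a CVSS v2 base score to 0 (Low), 1 (Medium) or 2 (High)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 7.0:
        return 2
    if score >= 4.0:
        return 1
    return 0


def risk_rank(f: Finding) -> str:
    """Assign a PCI-style risk ranking from CVSS severity plus asset context.

    Rule (an assumption chosen for illustration): start from the CVSS band,
    raise one level if the asset is in the CDE and one more if it is
    internet-facing, capped at High. Context can raise a ranking but never
    lower it below the scanner's own severity.
    """
    level = cvss_band(f.cvss_base) + int(f.in_cde) + int(f.internet_facing)
    return RANKS[min(level, 2)]


def triage(findings):
    """Return (vuln_id, rank, deadline_days) tuples, most urgent first.

    Order: rank (High first), then CVSS score descending, then id for stability.
    """
    ordered = sorted(
        findings,
        key=lambda f: (-RANKS.index(risk_rank(f)), -f.cvss_base, f.vuln_id),
    )
    return [(f.vuln_id, risk_rank(f), DEADLINE_DAYS[risk_rank(f)]) for f in ordered]


# Constructed sample scan output, not real findings.
SAMPLE_FINDINGS = [
    Finding("VULN-A", 9.3, "pos-payment-gateway", in_cde=True, internet_facing=True),
    Finding("VULN-B", 5.0, "intranet-wiki", in_cde=False, internet_facing=False),
    Finding("VULN-C", 2.1, "cde-database", in_cde=True, internet_facing=False),
    Finding("VULN-D", 2.1, "marketing-site", in_cde=False, internet_facing=True),
    Finding("VULN-E", 5.0, "cde-web-frontend", in_cde=True, internet_facing=False),
    Finding("VULN-F", 1.0, "hr-printer", in_cde=False, internet_facing=False),
]

if __name__ == "__main__":
    for vuln_id, rank, days in triage(SAMPLE_FINDINGS):
        print(f"{vuln_id:8} {rank:7} fix within {days} days")
```

The point of the asset-context adjustment is that a scanner’s severity alone is not a risk ranking: a medium-severity flaw on a web front end in the cardholder data environment (VULN-E) outranks the same flaw on an intranet wiki (VULN-B), and that is the kind of judgement an assessor will expect to see written down.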

The importance of having a secure system for managing payment card information has been highlighted in the media lately, with news breaking earlier this week (June 26) that the US Federal Trade Commission has filed a lawsuit against Wyndham Worldwide, accusing the hotel group of not properly securing customer information leading up to the theft of 600,000 payment card accounts.

Facebook donates $10 million as part of privacy class-action settlement


June 19, 2012

Facebook has become the latest company to pay the price for not properly considering the privacy of users.

The social media giant has agreed to donate US$10 million to charity as part of a legal settlement reached in May.

The proposed class-action lawsuit was brought by five users, who argued that Facebook had violated their right to privacy by publicising their ‘Likes’ in paid advertisements without permission.

However, Facebook may have got off lightly. A study conducted in January 2011 by Edison Research found that 51 per cent of Americans aged 12 and over – or around 160 million people – were now using Facebook.

Had the lawsuit included every one of those users, Mark Zuckerberg’s empire may have been facing billions of dollars in payments.

Companies who operate in the online environment have a responsibility to protect the privacy and secure information of clients.

But as new technology emerges and businesses find new ways to interact with customers, companies may find themselves left with unexpected vulnerabilities.

If you’re concerned about the privacy of your client information, then a due diligence assessment is an excellent way to review the security protocols of your business.

A security due diligence assessment is a third-party evaluation of the threats to, and compliance gaps in, your systems, and provides you with a thorough list of recommendations aimed at protecting user privacy.

PCI DSS plays an important role in business operations


June 14, 2012

The importance of having the correct systems in place to handle commercial payments has been discussed at a leading economic forum.

In an address to the Australian Payments Clearing Association (APCA) on May 28, the governor of the Reserve Bank of Australia (RBA), Glenn Stevens, has explained how various organisations have been instrumental in delivering a safe trading environment.

While in previous decades the majority of business transactions took place using written cheques and certificates, the digitisation of many accounting processes meant that entire industries were now able to interact and close sales on a faster turnaround.

However, with new developments came the need to provide regulation and balance to the transaction clearing processes.

While the larger end of the scale is governed by the Payment Systems Board (PSB), the Payment Card Industry Data Security Standard (PCI DSS) is used to ensure commercial enterprises are processing and storing their clients’ card information in a compliant manner.

Mr Stevens explained that the PSB was responsible for “the stability of financial market infrastructure” and was largely focused on “high-value payments” in financial markets, the local stock exchange and currency markets, rather than on daily transactions between client and business.

He went on to say that a number of developments meant that the RBA and the PSB were facing increased levels of change.

Most notably, the need to meet the “global push to strengthen financial regulation in the wake of the global financial crisis” was becoming a high priority – with investor confidence and market stability on the line.

Mr Stevens asserted: “All this means financial market activity that is important to Australia will be increasingly reliant on centralised financial market infrastructure.”

“Hence the resilience of that infrastructure will be critical, and the obligation of the official sector to provide proper oversight to ensure that resilience will correspondingly increase.”

It is easy to see how Mr Stevens’ comments also apply to smaller operations – the systems a company has in place have a direct impact on both the capacity and the reputation of the enterprise as a whole.

Meeting the standards set out by the PCI Security Standards Council not only helps to protect the daily operations of a business – it also ensures that the infrastructure it has in place helps to deliver services that actively improve client confidence.

As Mr Stevens explained: “This is a continuation of a trend that has been under way for some time, and to which we have already responded with a significant boost in the resources we devote to these issues within the Bank.”

We are not enemies. Do not be afraid.


June 11, 2012

It’s a natural reaction. You receive a security test report only to find that there are security issues with your system. You immediately start plotting ways to cover them up, smooth them over, and remove them from record. Stop!

Every security consultant has experienced this reaction and every security consultant worth a damn has told their client that it’s okay. Just like functional bugs, security issues are a fact, a certainty of complex software, and the best way to deal with them is out in the open.

It’s not your fault

As the person responsible for a system, whether in management, operations, development or testing, it’s easy to be defensive and shift blame. The reality is that it’s almost never important whose fault a security issue is, and even when it is, it’s unlikely to be your fault alone. And even then, assigning blame is just not productive. Continue reading

Aus-US alliance to combat cyber crime

A new collaboration between Australia and the United States will improve cyber security standards at home – as well as across the globe, according to Nicola Roxon.

The Australian attorney-general, who is also the minister for emergency management, stated last week (May 18) that recent discussions between US and Australian policymakers in Canberra spelled good news for cyber security management.

Roxon said: “Countries everywhere are increasingly reliant on critical infrastructure such as telecommunications, which enables online activities that contribute to global commerce and trade and play an increasingly important role in national security.”

She added that while such activities have a widespread benefit to the Australian and US economies, they also pose new risks and challenges when it comes to cyber security management.

The two nations will work closely in the coming years to actively combat malicious activity in the online space – and will meet regularly to discuss effective strategies for cyber security co-operation. The May 18 statement of cyber security intent follows a number of other statements jointly signed between the United States and Australia that will foster greater collaboration when tackling international crime.

According to Roxon, the latest collaboration will primarily centre around digital control systems and other aspects of critical infrastructure.

Under the new agreement with the United States, the two countries will create collaborative education and training opportunities, as well as an exchange of information – such as IT and cyber security best practices.

National cyber incident response teams in both nations will also work closely with one another to share information and awareness on specific cyber security incidents and issues. Representatives from Australia and the US will meet annually for progress reviews – identifying successes and challenges.

Earlier this year, Roxon also announced the creation of an Australian branch of CREST – the Council of Registered Ethical Security Testers.

This represents another significant collaboration with international security efforts – CREST Australia is affiliated with CREST in Great Britain, which requires its members to demonstrate competency by passing a series of exams.

CREST Australia’s role is to create and enforce the ground rules for Australian cyber security testing – a move that will ensure penetration testing and other work carried out by security professionals is performed to a recognised standard.

In March, Roxon asserted that the creation of CREST Australia would establish clear and uniform cyber security testing standards.