windows mobile change signature

By admin  




Laws, regulations and compliance: Top tips to keep your data under your control

The rise of compliance as an issue

High-profile losses of confidential data by TJ Maxx, the U.S. Department of Veterans Affairs, the UK Child Benefit department, and other large organizations have raised awareness of the need to protect information. Governments and industry around the world have responded with an increasing number of more complex and frequently changing regulations. This has made compliance more costly to manage and has raised it as a significant issue for today's organizations.

IT departments are increasingly tasked with protecting their organizations not only from security risks but also from compliance risks, such as failed audits, steep administrative fines and criminal penalties, loss of credit card processing privileges, and adverse publicity. The current importance of compliance can be seen in Figure 1, which shows how respondents to a SearchSecurity.com survey answered the question "What are the key drivers of data protection in your organization?"1

A well-orchestrated IT security strategy to protect your servers, desktops and data goes a long way toward achieving compliance with the many laws and regulations that now exist. However, the challenge lies not so much in creating the strategy as in ensuring that all administrators, guests and mobile devices that connect to the network adhere to the strategy 24/7, and that internal policies on employees' responsibilities for protecting data are understood and respected.

What is compliance?

In this paper, "compliance" refers to the need for organizations to meet government, industry and internal laws, regulations and policies.


External legal and regulatory requirements

Many people think of government regulations when they think of compliance, but in reality the rules that come from outside the organization originate not only from government but also from industry. Each has its own requirements, but the driver of them all is the need to stop the intentional or unintentional exposure of two fundamental types of confidential information:

Personal – customers, business partners and employees

Plans, intellectual property and financial

Government regulations

During the last decade a number of government regulations have introduced requirements, some more specific than others, to protect and preserve business information over time. Many address specific areas of business.

Health: HIPAA (Health Insurance Portability and Accountability Act) established U.S. national standards in 1996 for electronic health transactions.

Government: CoCo (Code of Connection) is a UK government standard to be used when connecting to government networks.

Financial: Sarbanes-Oxley (SOX), adopted in 2002 following the Enron and WorldCom financial scandals, made major changes in the regulation of financial practices and corporate governance. All U.S. public company boards, management and accounting firms must comply.

Banking: The Gramm-Leach-Bliley Act allowed investment and commercial banks to consolidate in 1999 and includes provisions to protect consumers' personal financial information held by financial institutions.

Information: The EU Data Protection Directive protects the privacy of personal data collected for or about EU citizens, especially as it relates to the processing, use and exchange of data.

The Payment Card Industry (PCI) Data Security Standard

Install and maintain a firewall configuration to protect cardholder data

Do not use vendor-supplied defaults for system passwords and other security parameters

Protect stored cardholder data

Encrypt transmission of cardholder data across open, public networks

Use and regularly update anti-virus software

Develop and maintain secure systems and applications

Restrict access to cardholder data by business need to know

Assign a unique ID to each person with computer access

Restrict physical access to cardholder data

Track and monitor all access to network resources and cardholder data

Regularly test security systems and processes

Maintain a policy that addresses information security


Industry standards

In response to certain high-profile security breaches, industries have also teamed up to create their own sets of guidelines, as shown in the following examples. Several standards are international, highlighting the extent of the problem.

Credit cards: PCI DSS (Payment Card Industry Data Security Standard) is one of the best-known standards (see box) governing the handling of information concerning credit card transactions. It was created by credit card companies including MasterCard and Visa in response to growing credit and debit card security threats, and is designed to prevent credit card fraud, hacking, and other risks.

IT governance: COBIT (Control Objectives for Information and related Technology) is an internationally accepted set of best practices for developing appropriate IT governance and control in a company.

Financial: Basel II is an international business standard that requires financial institutions to maintain sufficient cash reserves to cover the risks of their operations.

Security: The Center for Internet Security (CIS) is a nonprofit organization that helps companies reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls. The CIS Benchmarks are a set of system hardening settings and actions accepted by many auditors for meeting a number of regulations, including HIPAA and Sarbanes-Oxley.

ISO (International Organization for Standardization) is a bridge between the public and private sectors and is the world's largest developer and publisher of International Standards, with 157 member countries.

Internal guidelines

Many organizations also have their own internal guidelines, partly to ensure compliance with external regulations and partly to protect themselves from conflicts of interest, lawsuits, and loss of credibility with their partners, customers and employees. Some have an additional set of guidelines tailored to specific departments and business units.

Acceptable use policies set out the rules for access to and use of company systems and information, and define employees' responsibilities for maintaining security. These policies can, and must, make employees aware of the risks they create if they turn off security settings such as the firewall, and of the vulnerabilities that arise from so-called "configuration drift", where computers fall behind on security patches and updates.


In addition, these internal policies may cover all aspects of data protection, including:

What kinds of document can be emailed outside (and, indeed, within) the organization

What data can be stored on mobile laptops and removable media

What applications can and cannot be installed

Which websites should not be visited

The consequences of violating the policy.

Web usage in particular has become a priority because:

Huge security vulnerabilities are created by the rapidly expanding number of infected websites

Music downloading, video sharing, games, pornography and social networking sites reduce employee productivity and consume bandwidth and data storage

Downloaded content might be offensive to other employees, making the organization liable to legal action.

Compromising compliance

Organizations can fall out of compliance with these standards in a number of ways, but in every case non-compliance risks the loss of the data that the rules are designed to protect.

Ignorance / stupidity

It is worth noting that while a large number of data leakage incidents are intentional, the vast majority, up to 98 percent2, are actually unintentional, arising from user error or ignorance of corporate policy. Moreover, many of the largest and most publicized security breaches have involved lost or stolen laptops and USB sticks full of sensitive customer or employee information, rather than infiltration of the corporate network.

Malicious software

That said, the threat of malware is significant. Although it causes only 2 percent of data loss, that data has been deliberately stolen with the express intention of exploiting it for profit. Today's malware campaigns, unlike the attacks carried out for sport five years ago, are targeted, profit-driven operations involving covert surveillance, theft and sale of confidential information. In December 2008, for example, the accounts of 21 million customers of German banks were offered for sale on the black market for 12 million euros by a hacking gang.3 Other campaigns focus on using thousands or millions of computers as botnets to distribute spam and pop-up ads or to redirect search results.

Hackers use a variety of methods to get spyware onto an organization's computers. By far the most likely way today is through a hijacked website. Spammers send emails containing links to the compromised web page, where a Trojan, keylogger or other malware is downloaded onto the unwitting visitor's computer. These spam campaigns mutate quickly in an attempt to avoid being detected and blocked.

Other methods of obtaining company data include spyware delivered by an external device such as a USB memory stick, by infected email attachments, and through unsecured wireless connections. Data can also be compromised by rootkits that are embedded in the operating system.


Just a few statistics indicate the magnitude of the problem:

In the U.S. the average cost of a data breach in 2008 was just under $300,000, or $500,000 when non-financial data was compromised.4

In the UK, losses from online banking fraud from January to June 2008 totaled £21.4m ($31.3m), a 185 percent increase on 2007 figures, and 20,000 fraudulent phishing websites were created, an increase of 186 percent.5

20,000 new suspect code samples are analyzed every day by SophosLabs.

A new infected website is discovered every 4.5 seconds.

A new spam-related website is discovered every 15 seconds.

Non-compliant computers

Laptops used by telecommuters and "road warriors" who have been working from home or connecting to the Internet in airports, hotels and the like may well be out of compliance with your company's security policy the next time they connect to the corporate network and, indeed, could be infected and compromising your data. In one case, 81 percent of corporate computers tested had missing Microsoft security patches, a disabled client firewall, or missing endpoint security software updates.7

Similarly, compliance threats come from guest users who do not meet standards, such as contractors or business partners who connect to the corporate network to access email or information.

Enforcing compliance

Because today's blended threats to the network are so numerous and come from so many different sources, the only viable way to stay compliant with multiple data protection regulations is to create a detailed security policy supported by powerful integrated technology. You need to ensure that your protection covers both the endpoint and the gateway and enables you to track, monitor and enforce:

Compliance

Access control

Anti-malware

Intrusion protection

Encryption

Authentication.

Security Policy

Security technology without a clear policy is a strategy doomed to failure, as people are often the weakest link in any security strategy.

A security policy is important both strategically and educationally, as it gives you deep knowledge and understanding of your organization's mission-critical business units, systems, applications and data, and allows you to organize, synthesize and communicate your organization's security objectives, rules and mechanisms.

Your policy should also cover assessing compliance, setting defaults, enforcement when they are not met, and reporting on compliance issues.


Endpoint Protection

Endpoint protection consists of software with server-based centralized management that takes care of policy, installation, management and updating.

Malware protection: Every desktop, laptop and device that accesses the network must have proactive protection against zero-day threats for which no signatures yet exist. They must also be kept constantly updated with the latest security patches and updates, whether they belong to your own organization or to a visitor, and whatever operating system they run. Malware protection must go hand in hand with centrally managed endpoint firewall protection, allowing you to control internet and other connections to and from each computer.

Encryption: Hard disk encryption makes data on lost or stolen laptops, USB devices, optical discs and smartphones useless to anyone outside the organization, because it can only be read by someone with authorized access and the encryption keys.

Device control: By preventing employees from writing to CDs, USB drives and other removable media, you can stop confidential information from leaving your organization. Device control can also block wireless connections to ensure that they are not used to take confidential information outside the organization.

Application control: Central control and management of applications that you may not want your employees to use, such as instant messaging, can plug both the security and the productivity holes they create.

By authenticating and validating computers logging on to your network, you can manage and control access to your network, servers, applications and data, and restrict access to only those who need it.

Endpoint compliance and access control

Endpoint compliance and vulnerability management software is key to ensuring and enforcing your endpoint security strategy. It checks that crucial security applications such as client firewalls, anti-virus and anti-spyware, and the latest updates and security patches, are installed, activated, fully up to date and compliant with corporate security policies at all times.

Non-compliant systems can be brought into line by installing the necessary applications, patches and updates, or by preventing an assessed system from accessing anything but the Internet. Once connected, these solutions allow users to access only the applications and data they are authorized to access.

Endpoint compliance and vulnerability solutions can also provide complete reports on network connections and on the compliance status of devices that have connected in the past, which can be invaluable when preparing for a compliance audit.

Gateway protection

Data protection and policy enforcement for email and Internet traffic is critical. Protecting at the gateway, where this traffic enters and leaves, is not only the more efficient and effective solution but is also more transparent to end users. This allows sophisticated policy to be applied centrally throughout the organization and means that security does not impact productivity.


Email filtering: By inspecting outgoing email, sophisticated policy options can be used to block, warn about, or quarantine sensitive data and unwanted file types, while alerting management, administrators and users to violations. In addition, policy configuration can be used to enforce encryption rules and disclaimers. Incoming email can also be inspected and scanned to eliminate the productivity drain of spam and other malicious content, links or attachments.

Email encryption: Encrypting sensitive or proprietary email at the gateway ensures that confidential data is protected from unauthorized access by anyone other than the recipient. Central policy management can be implemented to ensure full compliance across the organization or within specific groups.

Web content and URL filtering: By scanning all web traffic for malware and acceptable use policy violations, you can protect your organization against today's web threats from known malicious sites, hijacked trusted sites, malicious webmail and potentially unwanted applications. It is equally important to filter and control outgoing content, whether it is posted by users on forums, sent via webmail, or is the result of a transmission from an infected system on the network.

Conclusion

As new threats emerge and new working practices evolve, government, industry and organizations continue to create new regulations to protect sensitive business and personal data. Complying with all the standards and guidelines may seem daunting, but with the right mix of policies, technologies and strategy you can achieve and enforce a completely secure network.


About the Author

This article was provided by Sophos and is reproduced here with their full permission. Sophos provides full data protection services including: security software, encryption software, antivirus, and malware.
