CyberEspionage (Again)…The Counter Terrorist Magazine
February 19, 2014. Posted by Chris Mark in Uncategorized.
Tags: risk management, Chris Mark, security, PCI DSS, cybersecurity, cybercrime, cyberespionage, AT&T
In light of the continuing attacks against companies by Eastern European organized criminal groups, I thought it appropriate to remind everyone that state-sponsored attacks are still a major issue. Here is a link to an article I wrote in The Counter Terrorist Magazine on the topic of CyberEspionage. “The economics of cyber-theft is simple: Stealing technology is far easier and cheaper than doing original research and development. It is also far less risky to the spy than historic cloak and dagger economic espionage.”
Chris Mark & Heather Mark in Feb 2013 TransactionWorld
February 1, 2013. Posted by Chris Mark in Uncategorized.
Tags: AT&T, Chris Mark, cybercrime, cybersecurity, Heather Mark, Maritime Security, PCI, risk management, somali pirates
February’s edition of TransactionWorld was released today, and both Chris and Heather have articles in the issue. Chris (that is me) wrote “Security in Dangerous Waters; Pirates & CyberCrime” while Heather wrote “Shifting Targets; Dealing with Regulatory Shifts in Data Security & Privacy”. Please be sure to check out the articles.
Security Survey
December 3, 2012. Posted by Chris Mark in Uncategorized.
Tags: CISSP, risk management, security, security survey
I am completing a project for a research brief and would appreciate it if any security professionals (or former security professionals) could take 5 minutes to answer the survey. NO personal information is collected. Thank you in advance for your help!
“Boo!” – October 2012 issue of TransactionWorld
October 30, 2012. Posted by Chris Mark in Uncategorized.
Tags: Chris Mark, Dr. Heather Mark, economics, PCI DSS, risk management, security, transactionworld
I (Chris) am finally back in the US after traveling for the past two months. If you haven’t had a chance yet, please check out October’s issue of TransactionWorld and read articles by Chris Mark (Security Economics) and Heather Mark (Portable Security). If you don’t subscribe to TW, you should check it out. Everything you could want to know about payments. (Well, not everything, but quite a bit.)
Tags: cybercrime, cybersecurity, data breach, FISMA, HIPAA, HITECH, NPI, PCI DSS, PHI, PII, privacy, risk management, state breach notification
There are currently over 45 state breach notification laws, several data protection laws, and numerous regulations including PCI DSS, HIPAA/HITECH, FISMA, and more. I frequently find myself working with companies on data breach notification plans. One of the more interesting (and heated) discussions comes when I ask them to define a “data breach” or “data compromise”. More interesting still is when I ask them to define a “suspected data breach”. Visa’s rules state that “suspected” breaches must be reported within 24 hours of identification or there could be penalties. Consider the following example. You, as CSO, are informed of a malicious software outbreak in the customer service department. Does this require notification under the state breach notification laws or the relevant regulatory regimes? Maybe, maybe not. It depends on a number of factors, including access to data, data protections (i.e., encryption), segmentation, the various laws, etc. In short, it is not easy to decipher, yet it is critical to be as accurate as possible.
Understanding what is, and what is NOT, a data breach or data compromise is the first step in defining your company’s data breach notification plan. The reason it is so critical is in the title of this article. Once you notify that your company has been ‘breached’ you cannot ‘unring that bell’. The genie is out of the proverbial bottle and things start moving quickly. Most companies would absolutely hate to make an announcement only to find that, while they may have experienced a security incident, it did not impact sensitive data (PII, CHD, NPI, PHI, etc.). It is important that you work with your compliance group, legal (don’t forget legal!), and the infosec & risk department to ensure you have a solid understanding of when, and under what conditions, your company is required to notify of a breach or suspected breach. Here are some basic definitions to use as a starting point. (Check with your legal counsel and don’t simply use these…there, that should protect me! ;)
Security Incident/Event – Any event that compromises the availability, accessibility, or integrity of any asset. This includes systems, personnel, applications, services, etc.
Data Breach – Any exposure of, or unauthorized access to, sensitive and/or protected data, to include PHI, PII, CHD, and NPI.
Suspected Data Breach – In the absence of direct evidence (identified fraud or misuse of data, for example), any Security Incident in which it can be reasonably assumed that sensitive and/or protected data was exposed or accessed without authorization.
Remember, some state breach notification laws do not consider a breach of encrypted data as a trigger for notification…others do ;) If you need help unraveling these issues (insert shameless marketing plug)…contact Mark Consulting Group…www.MarkConsultingGroup.com
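To show how the three definitions above turn into a repeatable triage decision, here is an added Python illustration (not the author's or Mark Consulting Group's code). It walks the post's malware-outbreak scenario through the factors the post lists (protected data in scope, evidence of access, encryption, segmentation) and starts a notification clock. The `Incident` and `Triage` structures, the boolean "state encryption safe harbor" switch and the 24-hour card-brand window are modelling assumptions for the example; real obligations vary by state and contract.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Data classes the post names as "sensitive and/or protected".
PROTECTED_CLASSES = {"PII", "CHD", "NPI", "PHI"}

# Assumption for the example: the post cites a 24-hour card-brand (Visa)
# reporting window for suspected breaches; no other deadlines are modelled.
CARD_BRAND_WINDOW = timedelta(hours=24)


@dataclass
class Incident:
    identified_at: datetime
    data_classes: Set[str]     # protected data classes held in the affected zone
    evidence_of_access: bool   # direct evidence: identified fraud, exfiltration, misuse
    encrypted: bool            # protected data at rest is encrypted
    segmented: bool            # affected zone is isolated from protected data stores
    description: str = ""


@dataclass
class Triage:
    classification: str                  # "incident", "suspected breach" or "breach"
    notify: bool = False
    deadline: Optional[datetime] = None
    reasons: List[str] = field(default_factory=list)


def classify(inc: Incident) -> str:
    """Map an event onto the post's three definitions, most certain first."""
    exposed = inc.data_classes & PROTECTED_CLASSES
    if not exposed:
        return "incident"          # availability/integrity event, no protected data in scope
    if inc.evidence_of_access:
        return "breach"            # direct evidence of exposure or unauthorized access
    if inc.segmented:
        return "incident"          # protected data not reasonably reachable from the affected zone
    return "suspected breach"      # no direct evidence, but exposure can reasonably be assumed


def triage(inc: Incident, state_encryption_safe_harbor: bool) -> Triage:
    """Decide whether a notification obligation (and its clock) starts."""
    result = Triage(classification=classify(inc))
    if result.classification == "incident":
        result.reasons.append("handle as a security incident; no protected data reasonably in scope")
        return result
    exposed = sorted(inc.data_classes & PROTECTED_CLASSES)
    # State statutes: some treat encrypted data as outside the trigger, others do not.
    if inc.encrypted and state_encryption_safe_harbor:
        result.reasons.append("data encrypted and the applicable state statute exempts encrypted data")
    else:
        result.notify = True
        result.reasons.append(f"state notification triggered for {exposed}")
    # Card-brand rule from the post: suspected breaches reported within 24h of identification.
    if "CHD" in exposed:
        result.notify = True
        result.deadline = inc.identified_at + CARD_BRAND_WINDOW
        result.reasons.append("cardholder data in scope: report within 24 hours of identification")
    return result


# Constructed sample data: the post's customer-service malware outbreak, three ways.
T0 = datetime(2012, 10, 1, 9, 0)
OUTBREAK_SEGMENTED = Incident(T0, {"CHD", "PII"}, False, True, True, "malware, segmented VLAN")
OUTBREAK_FLAT = Incident(T0, {"CHD", "PII"}, False, True, False, "malware, flat network")
CONFIRMED_EXFIL = Incident(T0, {"PII"}, True, True, False, "confirmed exfiltration of encrypted PII")

if __name__ == "__main__":
    for inc in (OUTBREAK_SEGMENTED, OUTBREAK_FLAT, CONFIRMED_EXFIL):
        t = triage(inc, state_encryption_safe_harbor=True)
        print(f"{inc.description}: {t.classification}, notify={t.notify}, deadline={t.deadline}")
        for reason in t.reasons:
            print("  -", reason)
```

The point of the third sample is the caveat at the end of the post: the same confirmed exfiltration classifies as a breach either way, but whether the state clock starts flips with the encryption safe-harbor switch, which is exactly the question to settle with legal counsel before the incident, not during it.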
graphic by Hippacartoons.com