“Boo!” – October 2012 issue of TransactionWorld October 30, 2012

Posted by Chris Mark in Uncategorized.

I (Chris) am finally back in the US after traveling for the past two months. If you haven’t had a chance yet, please check out October’s issue of TransactionWorld and read articles by Chris Mark (Security Economics) and Heather Mark (Portable Security). If you don’t subscribe to TW, you should check it out. Everything you could want to know about payments (well, not everything, but quite a bit).

“You Can’t Unring That Bell!” – What is a “Data Breach” and When Should I Notify? August 21, 2012

Posted by Chris Mark in cybersecurity, Data Breach.

There are currently over 45 state breach notification laws, several data protection laws, and numerous regulations including PCI DSS, HIPAA/HITECH, FISMA, and more. I frequently find myself working with companies on data breach notification plans. One of the more interesting (and heated) discussions comes when I ask them to define a “data breach” or “data compromise”. More interesting still is when I ask them to define a “suspected data breach”. Visa’s rules state that “suspected” breaches must be reported within 24 hours of identification or there could be penalties. Consider the following example. You, as CSO, are informed of a malicious software outbreak in the customer service department. Does this require notification under the state breach notification laws or the relevant regulatory regimes? Maybe, maybe not. It depends on a number of factors including access to data, data protections (i.e., encryption), segmentation, the various laws, etc. In short, it is not easy to decipher, yet it is critical to be as accurate as possible.

Understanding what is, and what is NOT, a data breach or data compromise is the first step in defining your company’s data breach notification plan. The reason it is so critical is in the title of this article. Once you notify that your company has been ‘breached’ you cannot ‘unring that bell’. The genie is out of the proverbial bottle and things start moving quickly. Most companies would absolutely hate to make an announcement only to find that, while they may have experienced a security incident, it did not impact sensitive data (PII, CHD, NPI, PHI, etc.). It is important that you work with your compliance group, legal (don’t forget legal!), and the infosec & risk department to ensure you have a solid understanding of when, and under what conditions, your company is required to notify of a breach or suspected breach. Here are some basic definitions to use as a starting point. (Check with your legal counsel and don’t simply use these…there..that should protect me!;)

Security Incident/Event – Any event that compromises the availability, accessibility, or integrity of any asset. This includes systems, personnel, applications, services, etc.

Data Breach – Any exposure of, or unauthorized access to, sensitive and/or protected data, including PHI, PII, CHD, and NPI.

Suspected Data Breach – In the absence of direct evidence (identified fraud or misuse of data, for example), any Security Incident in which it can be reasonably assumed that sensitive and/or protected data was exposed or accessed without authorization.

Remember, some state breach notification laws do not consider a breach of encrypted data as a trigger for notification…others do 😉 If you need help unraveling these issues (insert shameless marketing plug)…contact Mark Consulting Group…www.MarkConsultingGroup.com

graphic by Hippacartoons.com

“The Rise of Cyber Espionage” – The Counter Terrorist Magazine August 5, 2012

Posted by Chris Mark in cyberespionage, cybersecurity, terrorism.

UPDATE: I want to thank The Counter Terrorist magazine staff for including attribution to the article. They quickly corrected a mistake and the inaccuracy. Kudos!

Chris Mark (that is me;) has an article in the June/July 2012 issue of The Counter Terrorist Magazine. The article is titled “The Rise of Cyber Espionage” and provides an overview of the current cyber espionage issues being faced by US businesses today. The article covers the breach at RSA and the subsequent attacks at Lockheed Martin, General Dynamics and others as examples of the types of attacks being carried out by state sponsored cyber espionage groups. While this magazine may be new for some readers of this particular blog, it is in its 4th year and is filled with great information for military, law enforcement, first responders, and even businesses. This particular issue is 76 pages of information covering Iran’s Nuclear Objectives, Cyber Espionage, First Responder Intelligence, Intelligence for Terror, and a number of great product reviews and other information. The magazine is subscription based, but if you are interested in a copy of this particular issue, leave a comment with your email and other contact information and I can forward a free ezine.

“SDVOSB” – Mark Consulting Group Registers as Service Disabled Veteran Owned Small Business August 3, 2012

Posted by Chris Mark in News.

I have finally completed the Department of Veterans Affairs and the SAM (formerly CCR, etc.) registration process to have Mark Consulting Group certified as a Service Disabled Veteran Owned Small Business (SDVOSB). Hopefully, the VA will complete verification within a few days. If you are in need of information services please consider The Mark Consulting Group.

According to the United States Code of Federal Regulations, a Service Disabled Veteran Owned Small Business (SDVOSB) is formally defined thus: “A service-disabled veteran-owned small business concern is a business not less than 51 percent of which is owned by one or more service-disabled veterans, or in the case of any publicly owned business, not less than 51 percent of the stock of which is owned by one or more service-disabled veterans; the management and daily business operations of which are controlled by one or more service-disabled veterans, or in the case of a veteran with a permanent and severe disability, a spouse or permanent caregiver of such veteran. In addition, some businesses may be owned and operated by an eligible surviving spouse. Reservists or members of the National Guard disabled from a disease or injury incurred or aggravated in line of duty or while in training status also qualify.”

“Experts Around Every Corner; Part Deux” – Safes, Security, Expertise and Ignorance July 16, 2012

Posted by Chris Mark in Uncategorized.

“There is nothing so stupid as an educated man. If you get him off the thing he was educated in.” – Will Rogers

This weekend I was reading a major news source and I was struck by an article on safes. As I have a gun safe, and other safes, I thought it would be interesting to read. I have written posts before on expertise (Experts in every room). Various ‘experts’ are interviewed in the article. One in particular stood out. He said: “People need to wake up. They think they are protecting themselves, but they may actually be putting themselves at more risk.” As this was a very pointed statement (People need to wake up!)…I immediately thought that my own strategy of securing my valuables was misdirected. I continued reading to see who this expert was…He then said: “Sure you want to have some cash at home, but more than a little feels unsafe,” (I have added the bold)…the expert was a man named Michael Cresh…what is his job? You are probably thinking police officer, security expert, safe expert, or something similar. You would be mistaken. He is a Certified Financial Planner. If I were asking for financial planning, this is the person that I would turn to. If I am considering the purchase of a safe, I can safely say (pun intended) I could not care less what a CFP has to say unless he has some other level of expertise. His statements belie his ‘expertise’ and demonstrate he has little understanding of physical security or risk analysis as it pertains to physical security. (…feels unsafe).

When considering a security professional who proclaims expertise, take a very close look. Whether in maritime security, information security, personal security, or any other area of security, there are more than a few self-proclaimed experts walking the halls.

Last year I wrote a paper for companies to use when evaluating expertise in the maritime security industry. While focused on maritime security, it is relevant to all areas of expertise. You can read the article here.