Infosecurity Today, November/December 2004 (news, page 7)

CTOSE branches out to US and Australia
Sarah Hilley

The European 'Cyber-tools Online Search for Evidence' (CTOSE) Foundation has completed a methodology to help companies do computer forensics across the different EU member states. The guidelines standardise evidence collection from a single system, so that companies can avoid legal pitfalls.

Robin Urry of the Joint Research Centre said a demonstration of the standard had run successfully in the UK, Belgium, France, Italy and Germany. Adhering to the CTOSE model also means that police units in different countries use the same investigation procedures, which, said Urry, eradicates the risk of evidence being deemed inadmissible in court.

Interpol, Europol and High Tech Crime Units throughout Europe helped mould the standard. The process, which also includes guidelines for first responders, is already in use at a major bank, and Urry urges other organisations to refer to the standard and customise it for their own use. "CTOSE is a good first stake in the ground to help everyone walk the same path in digital evidence."

The European Commission gave the project €1.5m, and around 70 members from academia, private industry and law enforcement formulated it. Members included QinetiQ, the University of St Andrews, the University of Stuttgart, Alcatel and the European Commission Joint Research Centre, among others. The CTOSE methodology will be replicated in the US and Australia in 2005.

IT security directors under jail threat
Brian McKenna

Information security directors need to pay close attention to emerging US and EU corporate governance and privacy legislation in order to stay out of prison, security experts have warned. Speakers at the SecurIT summit in Montreux, Switzerland, told delegates to look beyond network security and cotton on to a perilous new legal environment.

Michael Colao, Director of Information Management at investment bank Dresdner Kleinwort Wasserstein, said: "Two years ago CIOs and CSOs did not need to worry about the law; now there are regulations being imposed on them that hold them personally liable."

UK data protection legislation set the European scene by stipulating that companies take 'appropriate technical and organizational measures' to safeguard information. This lead has been extended across Europe in ways that will challenge security heads for years to come. Italy's data protection act entails a training element, and runs to a book length of "excruciating detail", Colao complained.

The tendency of local law, like the Italian regime and California's SB 1386, to turn global, forcing global companies to declare data privacy leaks, ups the stakes significantly, he added. For instance, the Disciplinare Tecnico in the Italian legislation requires all companies whose business bears on the country to clear out dormant accounts every six months. The penalty? Three years in jail. Microsoft has had to change its internal global security policy because of the Italian DPA, he said.

Colao also slammed recent anti-spam legislation that defines the phenomenon as 'unsolicited commercial detail'. Legitimate email has to require 'prior consent' from the recipient. "This is bad law," he said. "Proving prior consent is very difficult. We just don't know what the enforcement posture of this legislation will be, but one thing is for sure: it won't deter spammers." The Belgian penalty for spamming is set at a hefty €250,000.

Meanwhile, Agne Lindberg, a partner at the Delphi law firm in Sweden, advised SecurIT delegates that the EU Decision on cybercrime of 20 June 2003, currently stuck in the European Parliament, will raise the bar on company liability. Sanctions against companies whose networks get used for cybercriminal activity will be significant: "you will need very tight controls; policies won't be enough", he said.

He also cautioned delegates to pay close attention to the legal implications of off-shoring. "India, as an example, has peculiar legislation that has a wide fair use licence." Software developed under contract belongs to the on-shore company for five years only, for instance.

Colao echoed Lindberg: "You can outsource IT, but you can't outsource legal liability."

Security firms leap into Cahoot debate

At least three IT security companies were prompt to comment on the avoidability of Cahoot's well-publicised security breach of 5 November. RSA, Kavado and Netegrity stepped forward to offer advice.

The BBC exposed Abbey's online bank as guilty of a security blunder introduced during a system upgrade twelve days previously. The upshot of the breach was that customers were able to see details of other people's accounts, but were unable to move money around.

Tim Pickard, strategic marketing director at RSA Security EMEA, commented: "This is graphic proof of RSA Security's assertion that username and password security is totally inadequate for today's ecommerce. Enlightened electronic traders such as AOL in the service provision sector and Credit Suisse in the online banking environment have already committed to the next generation of secure log-on service. Strong, two-factor authentication, incorporating something that the user knows and something that the user has, would dramatically improve the security of consumers in this type of environment."

Netegrity, meanwhile, said in a statement: 'Although no financial loss was suffered, the damage to Cahoot's brand and customers' confidence could be long-lasting.'

And Vik Desai, CEO of web application security provider Kavado, said that "banks owe a duty of care to protect their customers' privacy and also a legal obligation under the Data Protection Act. We already protect many financial institutions' customers from this sort of security breach, but some are yet to make a minor investment in the inexpensive technology available, which can be quickly and easily installed to protect customers from both the mistakes of IT departments and also attacks by cyber criminals.

"This security breach could easily have been prevented by installing web application firewalls, which prevent applications allowing unauthorised access, even in the event of the IT department making a mistake. In this instance the technology would have prevented access to account details without the user name and password being supplied, and secondly would have alerted the bank to the security problem in the system upgrade."
