
Info Risk Today Podcast
3,490 episodes — Page 64 of 70
Bringing Risk Assessment In-House
Since becoming Vermont's first CISO three years ago, Kris Rowley's been on a quest to create an IT security culture in state government. Rowley's latest initiative, bringing risk assessment in-house, is helping build that culture.
FFIEC Authentication Guidance: How to Prepare for 2012
Now that the FFIEC Authentication Guidance update has been issued, there is no more important task for banking institutions than to conduct their risk assessments, says Matthew Speare of M&T Bank Corp.
McAndrew Explains HIPAA Audits
The long-overdue HIPAA compliance audit program likely will launch late this year or early in 2012 after up to 20 test audits are completed, says Susan McAndrew, deputy director of the federal agency overseeing the program.
FFIEC Guidance: It's All About Risk
Doug Johnson of the American Bankers Association says banking institutions should spend the next five months focusing on their risk assessments, as they work to meet the FFIEC's new authentication guidance update.
Case Study: Security in a Merger
Keeping data secure is the greatest challenge during any merger or acquisition, and the first critical step is figuring out which confidential information could be at risk of exposure.
RSA's CSO Tells Why He Took the Job
Eddie Schwartz didn't shy away from the offer to become RSA's first chief security officer after the security firm experienced a sophisticated advanced-persistent-threat breach. Instead, Schwartz embraced the hack as the reason to take the job. (See RSA to Get Its First Chief Security Officer.)
New Roles in Risk Management
Recent high-profile data breaches and heightened threats add up to one thing: a bright future for information security professionals who want to start or re-start a career in risk management.
Shutdown Takes Toll on Infosec Pros
Minnesota has seen an increase in malicious traffic since the state government shut down a week ago, but state CISO Chris Buse says sophisticated intrusion-detection systems and an alert skeleton staff have prevented any harm from being done, at least to the part of state government IT controlled by the Office of Enterprise Technology.
Biometrics Seen as SecurID Alternative
RSA customers who feel victimized by last March's breach of the security vendor's computers have viable options that include continued use of the SecurID authentication tokens, those offered by competitors, or something entirely different: biometrics.
Insider Threats: Great and Growing
Insider fraud expert Shirley Inscoe says Citi is not the only financial institution that's doing a poor job of keeping up with employee misconduct. Few banking institutions grasp how damaging inside jobs actually are.
Card Fraud: Prevention Lags
Major U.S. card issuers continue to get poor marks when it comes to steps they take to prevent card fraud. In fact, according to research released by Javelin Strategy & Research, prevention measures for the last three consecutive years have continually declined, despite exponential increases in fraud.
Fraud Fighters Wanted
Today's top fraud threats recognize no global boundaries, says James Ratley, head of the Association of Certified Fraud Examiners. And they require a stronger global workforce than ever before.
Fraud Prevention and EMV
The Fed's ruling on interchange cuts mandated by the Durbin Amendment will aid fraud prevention and could accelerate a move to chip-based payments, says Randy Vanderhoof, director of the Smart Card Alliance.
RSA's Post-Breach Security
Eddie Schwartz, the new - and first - chief security officer of RSA, says the IT security provider hit by a sophisticated advanced-persistent-threat attack in March is focusing internal security on efforts to reduce the time an intruder can go undetected.
Avivah Litan: Authentication Guidance Pros, Cons
For all the latest news and views, please visit the FFIEC Authentication Guidance Resource Center (https://ffiec.bankinfosecurity.com/). Gartner's Avivah Litan says regulators have done a nice job of emphasizing why and how banks and credit unions need to implement layered security that adequately addresses online risks. But the guidance falls short when it comes to customer education.
FFIEC Authentication Guidance: First Analysis
Aite's Julie McNelley says the final FFIEC online authentication guidance offers greater detail in areas such as layered security, but that institutions have much to do to prepare for regulatory assessments in 2012.
Business Associates: Minimizing Risk
A key factor in minimizing the risk of a breach when working with business associates is to provide these partners with the minimum amount of information they need to perform their services, says security expert Brian Lapidus.
Gov't Shutdown Poses Unseen Challenges
Minnesota faces a government shutdown Friday, and state CISO Chris Buse confronts unexpected barriers in preparing for it. No one yet knows what services the IT security organization must support once the midnight deadline passes.
Privacy by Redesign: A New Concept
Organizations' biggest obstacles to privacy protection are the organizations themselves - specifically, their silos - says Dr. Ann Cavoukian, proponent of the new concept, Privacy by Redesign.
FFIEC: Banks Need Layered Security
Fraud expert Ori Eisen says banks spend too much time reacting to ACH fraud, rather than trying to stop it. Now that the FFIEC's new online authentication guidance is official, banks must focus on eliminating outdated solutions and moving toward automated solutions for device identification and log analysis.
Executive Decision: What to Encrypt
SafeNet CEO Chris Fedde says top executives, not chief information or chief information security officers, should have final say on what data to encrypt.
Cybersecurity: BITS Supports Obama Bill
Leigh Williams says preventing online data breaches requires cooperation within the online ecosystem from domestic and international organizations. Spearheading and maintaining that cooperation requires federal oversight, he contends.
Protecting Medical Devices
A new consortium is leading an effort to devise best practices for ensuring the security of networked medical devices.
Compelling Compliance Via Regulations
Sen. Robert Menendez says regulators should have the power to compel banks to toughen IT security and offer timely customer notification of a breach. But if they don't, the Banking Committee member says in an interview, they should come to Congress to get that authority.
Online: Many Banks 'Not Ready'
Online and mobile banking are taking the world by storm - especially in the Asia-Pacific region. But many institutions are simply not prepared to manage security and privacy appropriately in these venues, says Gartner's Matthew Cheung.
4 R&D Initiatives Focus on Infosec
Northrop Grumman Cybersecurity Research Consortium's Robert Brammer says IT security researchers should think like Wayne Gretzky, the National Hockey League hall of famer: Skate to where the puck will be.
VA Addresses Medical Device Security
The latest component of the U.S. Department of Veterans Affairs' ongoing effort to protect medical devices from malware is the creation of a centralized patch management system, says Randy Ledsome, the VA's acting director of field security operations.
Mitigating Online Risks
Greg Rattray, VP of Security at BITS, says we can't necessarily stop the spread of dangerous malware like Zeus, but banking institutions can do a better job of mitigating the risk and damage that follow such an attack.
Insider Threat: 'Database Armageddon'
AppSec's VanHorn says more segregation of employee duties is needed.
Business Associate Management Tips
Working with business associates to prevent health information breaches requires far more than writing detailed contract terms on privacy and security, says regulatory expert Christopher Hourihan.
FDIC on Disaster Recovery
FDIC examiner Donald Saxinger says cloud computing can pose challenges when it comes to business continuity during disasters. Proactive vendor management, he says, is the best way to address potential hiccups before they become big problems.
PCI Council Addresses Virtualization
The PCI Security Standards Council's new guidance on virtualization in the payments space aims to provide best practices for securing the payments chain's virtual platforms and appliances.
Cyber Operations: How to do it Right
Today's advanced threats require an advanced cyber defense. That's why Bob Lamb of Booz Allen Hamilton recommends a new Cyber Operations blueprint that helps organizations assess and meet their cyber needs.
Patient Identifiers: Their Role in HIEs
The executive director of a Southern California health information exchange describes a pilot project that's testing whether patient identifiers make it easier to match patients to their records from multiple organizations.
RSA Breach: Token Replacement is 'Smart'
IT security expert Marcus Ranum says RSA's offer to replace its SecurID tokens is a deal worth taking.
FFIEC Guidance: Multifactor Authentication and Layered Security
Authentication expert Steve Dispensa says banking institutions need to realign their authentication infrastructures to include a mix of in-band and out-of-band measures.
Anti-Fraud: The Examiner's View
For nearly two years, banks and businesses across the U.S. have been plagued by a wave of corporate account takeover. And while there's no one answer, Texas bank examiner Phillip Hinkle sees ways that institutions can better detect and prevent these crimes.
Mobile Devices - Risks & Rewards
What's the top threat on the minds of global IT leaders? Employee-owned mobile devices - or BYOD (bring your own device), as the trend is known. The struggle: Do mobile device benefits outweigh the organizational risks?
New Index Measures Cyberspace Safety
Quantifying the safety or danger of cyberspace is tough. But a highly respected IT security practitioner and an experienced risk management consultant have teamed to develop an index they contend reflects the relative security of cyberspace by aggregating the views of information security industry professionals.
NCUA's Hyland on Top Fraud Threats
Payment card fraud. ACH and wire transfers. ATM skimming. And especially insider crimes. These are among today's top information security threats to institutions, says banking regulator Gigi Hyland in an exclusive interview.
FFIEC Guidance Sets Bar
New authentication guidance, when it is passed down, needs more attention on mobile, says Fraud Red Team's David Shroyer, a former Bank of America security executive.
FDIC on Emerging Tech and Vendor Management
The FDIC's Donald Saxinger says vendor management programs are getting more scrutiny from regulators, especially in areas of emerging technology such as cloud computing and mobile banking.
Author Describes Disclosures Rule
Adam Greene, the primary author of the proposed accounting of disclosures rule mandated under the HITECH Act, describes its major provisions and offers advice on how to prepare.
FFIEC Guidance and Compliance
As the financial industry anxiously awaits the release of new online authentication guidance from the FFIEC, experts speculate about what steps banks and credit unions should be taking now to prepare.
ACH Fraud: Bank Speaks Out
After one commercial customer fell victim to corporate account takeover, this institution suffered significant losses and learned that legal disputes rarely favor the bank.
Public Health Serves as Cybersec Model
The same approach governments and businesses employ to protect individuals from the dangers of secondhand smoke could be applied to safeguard cyberspace, says Scott Charney, Microsoft's vice president of trustworthy computing, engineering excellence and environmental sustainability.
Securing the Software: An Industry Perspective
With the 2011 National Defense Authorization Act (NDAA), the DOD is taking a leadership position by defining policy that emphasizes the need to protect and defend the software layer.
Why We Need Ethical Hacking
"Ethical hacking" - is the term an oxymoron, or is it one of today's necessities in the fight against cybercrime? Jay Bavisi, president and co-founder of the EC Council, feels strongly about why we need ethical hackers more today than ever before.
Pressure is on Privacy Pros
From Epsilon to Sony, recent data breaches and legislative trends tell a dramatic story about the turbulent state of privacy worldwide, according to J. Trevor Hughes, head of the International Association of Privacy Professionals.
The Case for E-Mail Encryption
With so much critical information being exchanged today via e-mail, now is the time to deploy next-generation e-mail encryption solutions, says Bob Janacek, CTO and founder of DataMotion.