Compliance is only one element of the security puzzle

VeriSign's Gabriel Swift Responds to the Ernst and Young 8th annual Global Information Security Survey

Compliance is only one element of the security puzzle - cost and complexity are equally if not more important to the overall efficiency and protection of users, networks and ultimately assets, and to the smooth running of business.

Competitive businesses the world over face the security challenge: how to open their doors to trade confidently with suppliers and customers, while safeguarding sensitive data and resources and achieving compliance with legislation. It's a tall order, fraught with cost and complexity.

Security is not an option these days. Key regulations, including Sarbanes Oxley, Basel 2, and data protection legislation, as well as industry-specific regulations such as new FSA guidelines, demand security as an essential component of compliance.

The consequences of a breach can range from the wasteful and expensive to the catastrophic. On the one hand there is the cost to put things right, or recover from the network downtime that can result; on the other there could be substantial loss of confidence and long-term damage to the brand and company reputation, which can depress revenue. It's not a risk many companies are prepared to take and the preventative measures cost a fraction of remedial fixes.

Organisations should look to vendors that don't pretend to make securing your business and its network easy, but do make it simple for you to understand the challenges of cost, complexity and compliance, and can help you address all three with a portfolio of solutions and comprehensive expertise.

Built-in security from the core to the edge of the network is important, as is taking a layered approach to both physical and logical security, to protect your data centres and network resources.

Organisations should consider the management of firewalls, encryption, intrusion detection and more, complete with managed services that let businesses focus on their core competencies while the management of security is outsourced to a vendor that has both the capabilities and the security threat intelligence to protect, monitor and report on the worldwide security landscape, rather than relying on limited internal intelligence.

Security built into the network is of utmost importance: it minimises the vulnerability to attack, limits the likely consequences of an attack and speeds recovery.

  • Redundant hot standby equipment
  • Multiple links and intelligent routing—no single point of failure
  • Duplicated power supplies
  • Stringent monitoring and maintenance to detect and address issues before they affect service

are all important elements of the built-in security components organisations should consider.

Similarly, multilayer security that protects the premises, data centres and the network is important, such as:

  • Premises that are protected by guards, with locks, cameras and alarms to deter intruders
  • Data centres and storage that have the highest security to protect customers' data
  • Logical security with strong two-factor authentication and password protection, ensuring that only authorised personnel gain access to critical or sensitive data
  • Ensuring employees are educated to handle any requests for information wisely and sensitively
  • Means in place to test and review all security measures regularly, to stay ahead of potential security threats

It's important to secure from the core to the edge

Security is only as strong as your weakest link. That means that policy and technology must work in partnership to meet the imperatives of your business, allowing confident trading relationships with trusted parties, while preventing unauthorised access to sensitive data and abuse of company resources. Your security must cover all information flows, intra-company as well as inter-company. You need a multi-layered approach that takes in the perimeter of your network, access to resources and the content of messages.

The perimeter

A breach can be equally catastrophic whether its cause is deliberate or accidental. Our perimeter-protection solutions help you to ward off malicious attacks from hackers, as well as ensure that your security policy and best practice is being followed.

Managed firewall Solutions

Sitting between the Internet router and your network resources, the firewall is more than just the first level of defence, ensuring that only authorised traffic flows to and from the public Internet. In addition, it also helps ensure that bandwidth is being utilised appropriately and not for personal applications, by giving you the ability to audit the connections that are being requested from the inside and block them if necessary.

Organisations typically have more than one firewall, in multiple locations, which adds to the complexity of managing and proactively monitoring traffic and blocking the correct content.

Security Operations Centers

Multinational organisations should look to vendors with wide coverage of security operations centres across the world, with 24/7 proactive monitoring and automated scripts that can leverage intelligence from other customers.

Protection from DDoS attacks

DDoS (Distributed Denial of Service) attacks attempt to overwhelm your server's internal resources and cause loss of service. Firewalls offer some protection by recognising an attack and dropping the connection before damage can be done to the server. Although this stops the attack reaching intended targets it still floods the leased line with traffic and can cause unacceptable congestion. Detection and mitigation services are the ideal remedy:

  • DDoS detection solutions apply hardware sensors that can recognise the early signs of an attack, allowing time for countermeasures such as DDoS mitigation to take effect
  • DDoS mitigation services make use of large-scale special systems within the MCI network. These detect an attack and then divert traffic away from your servers so it can be separated and the DoS contingent removed; a clean stream of legitimate traffic is returned to you.

Intrusion detection and prevention

Peer-to-peer connections inside your network are not controlled or audited by the firewall.

The Computer Security Institute found that over 30% of reported security incidents originated from systems internal to the customer's network.

In IDS and IDP systems, however, sensors are deployed that listen in on all your IP transactions. They build a map of typical traffic patterns and use this, together with libraries of known threat patterns (signatures), to assess whether there is any suspicious traffic on the network. In IDP systems the sensors can also block suspicious traffic automatically.

Such solutions are ideal to combat inappropriate access requests from within the network and can help mitigate the risk from viruses, trojans and malware; although not looking for viruses specifically, they do detect abnormal behaviour and so can help to isolate an infection.
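To make the two detection methods above concrete, here is an added Python example (not code from the page or any vendor) that learns a map of typical internal traffic from constructed flow records, then checks a second batch against a small constructed signature library and against that baseline, and finally derives the IDP block list. The key=value record format, the signatures and the fan-out threshold are all assumptions for the illustration.

```python
import re
from collections import defaultdict
# Constructed flow records in a simple key=value form (not a real sensor format).
FLOW = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) payload=(\S*)")
# Constructed signature library: payload fragment -> alert name.
SIGNATURES = {"../../": "path-traversal", "<script>": "script-injection"}

def parse(line):
    m = FLOW.search(line)
    return dict(zip(("src", "dst", "dport", "payload"), m.groups())) if m else None

def build_baseline(lines):
    """Map of typical traffic: for each source, the (dst, port) pairs it normally uses."""
    baseline = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        baseline[rec["src"]].add((rec["dst"], rec["dport"]))
    return baseline

def assess(lines, baseline, fanout_threshold=2):
    """IDS pass: one alert per signature hit, plus one 'unusual-fanout' alert for a source
    contacting more than fanout_threshold (dst, port) pairs absent from its baseline."""
    alerts, new_pairs = [], defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        for fragment, name in SIGNATURES.items():
            if fragment in rec["payload"]:
                alerts.append(("signature", name, rec["src"]))
        pair = (rec["dst"], rec["dport"])
        if pair not in baseline.get(rec["src"], set()):
            new_pairs[rec["src"]].add(pair)
    for src, pairs in new_pairs.items():
        if len(pairs) > fanout_threshold:
            alerts.append(("anomaly", "unusual-fanout", src))
    return alerts

def idp_block_list(alerts):
    """IDP step: the sources whose further traffic would be dropped automatically."""
    return sorted({src for _, _, src in alerts})

BASELINE_LOG = [  # constructed 'normal' traffic used to learn the map
    "src=10.0.0.5 dst=10.0.0.20 dport=445 payload=-",
    "src=10.0.0.5 dst=10.0.0.21 dport=80 payload=GET/index.html",
    "src=10.0.0.7 dst=10.0.0.20 dport=445 payload=-",
]
MONITOR_LOG = [  # constructed traffic to assess against that map
    "src=10.0.0.5 dst=10.0.0.20 dport=445 payload=-",
    "src=10.0.0.5 dst=10.0.0.21 dport=80 payload=GET/../../private",
    "src=10.0.0.7 dst=10.0.0.30 dport=445 payload=-",
    "src=10.0.0.7 dst=10.0.0.31 dport=445 payload=-",
    "src=10.0.0.7 dst=10.0.0.32 dport=445 payload=-",
]
```

Note that the fan-out rule fires on behaviour alone, which is what lets the sensor flag an infected internal host before any virus signature for it exists.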

VPN solutions

VPN services allow companies to share information more effectively and securely with remote workers and trading partners, over an existing private network or the public Internet. They combine the best of public and private networking to deliver increased connectivity, control, scalability and security at the right price.

Organisations should look to combine firewalls, remote access solutions and encryption, together with management services to ease administration if required. We can help protect sensitive transactions, such as online purchasing, and information that's critical to your competitive advantage.

Everything is not always as it first seems, so it's essential that you verify that only authorised users can gain access to information and resources and, further, that all communication is legitimate and unlikely to cause harm.

Access solutions

Mobility and remote working offer clear advantages for agility and resilience, but it's vital that these benefits don't come at the expense of security. Without robust security, for example, a stolen laptop could mean losing much more than just the hardware, if the thief can gain remote access to your network. To protect your business against malicious intrusion you need more than basic password protection; strong authentication solutions are essential.

Strong (two-factor) authentication

Organisations should look to industry-leading two-factor authentication solutions that comply with the OATH standards (www.oath.com), and look to OTP (one-time password) or single sign-on devices and the implementation of PKI certificates.

With strong authentication, you can encrypt communication between two people or two devices (certain vendors can authenticate in the cloud rather than requiring investment in costly CPE equipment).

Organisations should look for solutions based on industry-standard PKI, which can identify devices as well as people and so form part of a VPN solution, and look to deploy SSL solutions that push a PKI certificate to the user during the session and encrypt all traffic that follows, which is essential for e-commerce transactions. Strong authentication also alleviates the burden of password administration: because the passwords are harder to guess, they need changing less frequently.

Content scanning, anti-virus and anti-spam

Content scanning

When receiving information from a point outside your trusted network, you need to make sure that the content is clean and unlikely to contaminate your resources.

Email scanning

95% of viruses are spread by email (source), so verifying that emails are free of viruses is fundamental. However, keeping the definitions up to date is time consuming.

You should look towards organisations that can provide integrated anti-virus and anti-spam solutions. Scanning both inbound and outbound mail ensures that your network is protected and prevents viruses from inadvertently being passed to a customer or supplier.

Message continuity

Equally, organisations should look to message continuity solutions that enable you to stay up and running should a breach occur. Solutions that mirror email and provide the facility to continue sending and receiving it through a replicated repository can avoid any potential downtime, particularly in large organisations where email is a mission-critical application.

Message Archiving

With the proliferation of internal security breaches, and in situations where legal evidence of an email trail is required, organisations should look to having an offline store of every email that is sent and received (to comply with Basel 2 regulations, in some countries this can mean keeping records of up to 15 years' worth of email). Should an employee wish to conceal evidence of an email communication by deleting suspect messages, an offline archive can preserve this evidence and act as an audit trail should any legal issue require documentary evidence. Such solutions would have helped with:

  • Enron & Worldcom Financial Collapse
  • Shell, who were fined £17.5m by the FSA
  • Citibank Japan, Tokyo office closed by FSA

Managed Internet scanning

Web browsers and IM chat clients are another area of risk, and can fall foul of viruses and worms just like email. Additionally, you will want to ensure that employees are not using company resources inappropriately or even illegally. Organisations should look to vendors that can provide Internet and IM scanning, and add layers of security to ensure policy is enforced.
