Friday, May 30, 2014

Twenty Critical Security Controls

Last year, the Center for Strategic and International Studies (CSIS) released Version 4 of the Twenty Critical Security Controls, as determined by a consortium of representatives from the NSA, US CERT, the DoD's JTF-GNO and Cyber Crime Center, the DoE, the State Department, and some top commercial forensics experts and pen testers from the banking and critical infrastructure sectors.

The critical controls identified by the workgroup focus on four basic tenets:

  1. Offense Informs Defense: Using knowledge from actual attacks to build effective defenses
  2. Metrics: Establishing metrics standards to measure the effectiveness of security
  3. Continuous Monitoring: Continuous monitoring/auditing to validate, in a timely manner, whether security measures are working
  4. Automation: To achieve reliable, scalable, and continuous measurements of controls

The controls identified are worthy of consideration by entities of all sizes. To read more, click this link.

Wednesday, May 21, 2014

Canada's Anti-Spam Legislation

The legislation that the Canadian government has passed to control spam will come into full effect on July 1, 2014. While the legislation was originally passed in 2011, and parts of it are already in effect, most of it will come into force on the later date of July 1. For example, there is a new agency - the Spam Reporting Centre (SRC) which is expected to be operational in July. That will be where suspected spam can be reported, and where the enforcement process will originate.

Penalties for sending spam will be heavy - a maximum of $1 million for individuals and $10 million for businesses.

A major impact will be on businesses and organizations sending out mass emailings. They will need to fully conform to the requirements of the legislation, which include the need to obtain consent from recipients before sending the message, the need to fully identify the sender of the messages and, thirdly, the need to provide an easily accessible unsubscribe mechanism for the recipients. Some of this has already been in force and has for several years been recognized as good practice by ethical organizations, but now suspected violators will be reportable to the SRC and enforcement proceedings initiated. Regulations to the legislation provide definitions and explanations of these components.

There is a good deal more to this legislation than these bare facts and the details can be found on the related website at http://www.fightspam.gc.ca/.

Thursday, May 01, 2014

Monitoring CRM Usage

A sad fact of life is that many businesses have an expensive Customer Relationship Management (CRM) system and are spending lots of money gathering data, but do not make the best use of it. The first step in remediation is to use a tool that is available on most systems - Internal Reporting. IR assembles various metrics and usage statistics that indicate how and where CRM is being used in your company. From there, appropriate policy responses can be developed. For a good article on this topic, check this out.