InfoSecMinds

For like-minded people

Posts Tagged Information Security

Healthcare & Security: A Hacker’s Perspective

Dec 30

Posted by Vinod Puthuseeri in HIPAA, Information Security, Information Security Management System | No Comments

by Renee Chronister, CEO, Parameter Security

Here’s another heart-stopper. The latest Ponemon Institute study reveals 60% of healthcare providers had more than 2 security breaches in the last year with the average breach costing them $2 million. Whoa! It then goes on to state that 70% of hospitals say protecting patient data is not a priority.

Healthcare providers in the Ponemon study also say they lack resources, trained personnel, policies and procedures to safeguard patient records. 58% claim they have little or no confidence in their ability to protect records in their possession. Forget WikiLeaks, as a hacker, this is music to my ears.

So what this really means for healthcare is that something has got to change. Specifically, the mindset that data security is not a priority and that all I have to be is HIPAA compliant to be secure. Well, I hate to be the bearer of bad news but I can’t tell you how many times I’ve hacked HIPAA compliant healthcare providers but I guess telling your patients, personnel and anyone else affected by the data breach that “I was HIPAA compliant” is better than “Data security isn’t a priority” but I’m guessing that will still go over like a lead balloon.

Read the rest of this entry »

Tags: , , , , , , , , , , , , , ,

Assessing C-I-A values.

Dec 23

Posted by Vinod Puthuseeri in CIA Triad, Information Security Risk Assessment, Information Security Risk Management, Risk Assessment | 2 Comments

It is a common discussion during an information security risk assessment exercise at most of the organizations. As a general practice the asset value is derived by weighing the confidentiality ©, Integrity (I) and availability (A) value of an asset. While the assets are categorized into Information, Hardware, Software, Service and People, my argument always has been to say that C-I-A values can be assessed for Information Assets only and for all other it should just be the availability value.

Read the rest of this entry »

Tags: , , ,

Frisking of VIP’s at airport’s

Jul 22

Posted by Vinod Puthuseeri in Physical Security | No Comments

In the recent incident of Dr. APJ Kalam been frisked at the IGI airport by the staff of Continental Airlines has created some news. The Airline has also tendered an apology to Dr. Kalam for the inconvienence caused – this is as reported in the TimesofIndia daily newspaper on 22nd July 2009.

Now does that apology mean that Continental Airlines will not frisk any VIP’s in future while they board the flight..? I see a security concern here.

Read the rest of this entry »

Tags: , , ,

Depth of Control Implementation

Mar 10

Posted by Vinod Puthuseeri in ISMS | No Comments

Discussing with various personnel it is quite amazing to see each one come up with their own way of interpreting controls and to what depth each control need to be implemented. I would like to illustrate a discussion that I had recently. The standard too does not talk about this and it is left to the person who implements and to the auditor on how they want to look at the implementation effectiveness.

Up until now some of the aspects that we look into while implementing a control is as mentioned below; 

  1. Is the control implementation cost less than or equal to loss of the damage a threat could cause to an organization?
  2. Does the control implementation enable process improvements?
  3. Is the control implementation required as a part of legal, regulator or contractual requirements?

Read the rest of this entry »

Tags: , , ,

Security Breach – Who's responsible?

Jan 27

Posted by Vinod Puthuseeri in Information Security, Information Security Risk Assessment, ISMS, ISO 27001:2005, Risk Assessment | 4 Comments

The very first lesson taught to me in my computer classes where “A computer is as smart as you are” and this statement holds good even today. For the computer would do only that a person would want it to do. The only advantage a computer has over human is that of speed and storage capacity.

While looking at various aspects of data loss, the end reason always point to “PEOPLE”. The above statement holds good not only because there are data loss (which is now the high rated security risks), even if you look at any frauds that has happened in the recent past, everything has been manipulated by “HUMAN”. No matters what standards are adopted, what stringent rules are set in an organization, frauds still happen.

Read the rest of this entry »

Tags: , ,