Category Archives: Information security

Research confirms that Facebook, Twitter and Google are spying on users

big brother (Photo credit: Vince_Lamb)

Social networks: can robots violate user privacy?

ECM Plus +++ Recent news in the international media has revealed numerous Internet privacy concerns that deserve attention and further investigation, which is why Geneva-based High-Tech Bridge decided to conduct a simple technical experiment to verify how the 50 largest social networks, web services and free email systems respect – or indeed abuse – the privacy of their users.

According to High-Tech Bridge, the experiment and its results can be reproduced by anyone, as the company tried to be as neutral and objective as possible.


Half of firms suffering from cloudphobia – survey

Snoopers (sic) Paradise (Photo credit: the justified sinner)

Fear of governments snooping deters companies from using the cloud

ECM Plus +++ Almost half of IT experts are deterred from keeping sensitive data in the cloud because of fear of government intervention and possible legal action, according to a new survey from Lieberman Software released today.

Encrypted web moves step closer with HTTPS Everywhere 3.0

The Electronic Frontier Foundation backing HTTPS Everywhere 3.0 web site encryption

EFF partners boost HTTPS Everywhere 3.0, now protecting 1,500 more sites

By ECM Plus staff

ECM Plus /London/ +++ The Electronic Frontier Foundation has stated its long-term mission to ‘encrypt as much of the Web as possible’.

The Foundation said it now hopes to encrypt all of it.

According to the EFF, HTTPS Everywhere, the browser extension it produces with the Tor Project and a community of volunteers, is now used by more than 2.5 million people around the world.

Chaos abounds as BYOD costs prompt confusion

Cost confusion and chaos in BYOD (Photo: s_falkow)

Fiercely divided opinion on BYOD despite ‘hype’

By ECM Plus staff

ECM Plus /London/ +++ A new survey has revealed that fears are rising around the hidden costs of BYOD deployment – as well as ‘class divides’ and evidence that company managers are using BYOD to ‘pacify’ staff.

Moreover, some IT managers are even asking ‘is it worth surrendering control just to raise staff morale?’

Opinion is still divided when it comes to implementing ‘Bring Your Own Device’ strategies within businesses, with many at the top suggesting that such deployments create more problems than they solve.

Foundation sues over email and phone hacking allegations


Electronic Frontier Foundation

EFF says government ‘withholding information’ about ‘unconstitutional spying’

Washington, D.C. – The Electronic Frontier Foundation (EFF) sued the Department of Justice (DOJ) today, demanding answers about illegal email and telephone call surveillance at the National Security Agency (NSA).

Location data takes centre stage in legal case

U.S. Supreme Court building.

Government faces new warrantless surveillance battle after losing landmark GPS tracking case as defendant pushes to exclude cell phone location data obtained without a warrant

A federal district court is poised to determine whether the government can use cell phone data obtained without a warrant to establish an individual’s location.

In an amicus brief filed last Monday, the Electronic Frontier Foundation (EFF) and the Center for Democracy & Technology (CDT) argue that this form of surveillance is just as unconstitutional as the warrantless GPS tracking the U.S. Supreme Court already shot down in this case.

Smart grids at risk from cyber security in intelligent buildings

Intelligent building system – diagram.

Cyber attacks render smart grids intrinsically unsafe

By ECM Plus staff

ECM Plus /London/ +++ Building owners and designers, and particularly members of the building services industry, are racing to implement intelligent buildings and smart grids, according to new research from a London academic institution.

Judges find Feds’ GPS surveillance breaches Fourth Amendment

Supreme Court finds against Feds

Unanimous Supreme Court ensures Americans have protections from GPS surveillance – EFF amicus brief argued that government installation and use of GPS is a search

In a unanimous decision, the U.S. Supreme Court has confirmed that Americans have constitutional protections against GPS surveillance by law enforcement, holding in U.S. v. Jones that GPS tracking is a “search” under the Fourth Amendment.

New Hampshire home for ‘Cyber Kill Chain’ centre

Howarth opens new intelligence centre in Farnborough, England. Image: stumayhew

“Minister For War” opens Lockheed Martin’s new cybersecurity intelligence centre in Hampshire

By ECM Plus staff

ECM Plus +++ Lockheed Martin has just opened its first Security Intelligence Centre in Farnborough, England, which the company said would extend its ‘global reach’ and would be ‘augmenting facilities in the United States’.

The new Farnborough centre was opened in the presence of Conservative Party Member of Parliament The Right Honourable Gerald Howarth, representing the constituency of Aldershot, also in Hampshire, England.

‘Collaborate’ event to showcase business risk and info protection

Event to showcase issues in business risk and information protection

Former intelligence officer to discuss additional means to protect sensitive corporate data against risk

By ECM Plus staff

ECM Plus +++ John A. Nolan, III, a retired U.S. Army intelligence officer, author and expert in the field of business intelligence, will be the keynote speaker at document and workflow specialist Cabinet NG’s annual ‘Collaborate’ conference taking place from October 13-14 at The Westin in Huntsville, Alabama.

While Cabinet NG’s software offers storage, protection and compliance, much else is ‘obtainable’ from the people in and around an organisation that could put its sensitive information at risk, the company said, including proprietary information and intellectual property.

Flaws identified in AES encryption

AES: Drowning or waving?

Researchers identify first flaws in the Advanced Encryption Standard

ECM Plus +++ Researchers have found a weakness in the AES algorithm.

According to the cryptanalysts, they came up with a new attack that can recover the secret key four times easier than experts had anticipated. The attack is the result of a long-term cryptanalysis project carried out by Andrey Bogdanov (K.U.Leuven, visiting Microsoft Research at the time of obtaining the results), Dmitry Khovratovich (Microsoft Research), and Christian Rechberger (ENS Paris, visiting Microsoft Research).

Encrypted password court case puts Fifth to the test

Content encryption comes to the fore in test case

Foundation urges court to uphold privilege against self-incrimination

The Electronic Frontier Foundation urged a federal court in Colorado to block the government’s attempt to force a woman to enter a password into an encrypted laptop, arguing in an amicus brief that it would violate her Fifth Amendment privilege against self-incrimination.

Digital rights guide to protect computers and mobile devices published

Digital rights take centre stage in new publication

New ‘Know Your Digital Rights’ guide to constitutional liberties

EFF +++ The Electronic Frontier Foundation has answers to these questions in its new “Know Your Digital Rights” guide, including easy-to-understand tips on interacting with police officers and other law enforcement officials.

“With smart phones, tablet computers, and laptops, we carry around with us an unprecedented amount of sensitive personal information,” said EFF Staff Attorney Hanni Fakhoury. “That smart phone in your pocket right now could contain email from your doctor or your kid’s teacher, not to mention detailed contact information for all of your friends and family members. Your laptop probably holds even more data — your Internet browsing history, family photo albums, and maybe even things like an electronic copy of your taxes or your employment agreement. This is sensitive data that’s worth protecting from prying eyes.”

EFF launches campaign to protect privacy

Internet censorship around the world

Tor programme to support open internet and protect privacy

By ECM Plus staff

ECM Plus +++ The Electronic Frontier Foundation has just launched a new campaign to promote internet privacy. Dubbed the ‘Tor Challenge’, the campaign encourages Internet users all over the world to support the Tor network by operating relays.

‘HTTPS Now’ campaign urges users to take an active role in protecting internet security

HTTPS Now campaign for information security

Wide deployment of encryption protocol provides basic security for web surfing

The Electronic Frontier Foundation and Access have launched an international campaign for HTTPS Now, rallying consumers around the world to help make web surfing safer.

OBITER DICTA: Cloud data center chaos set for earthquake catastrophes?

With a cloud security standards void to bring enterprise disasters closer?

The ostensible absence of universally agreed cloud security standards and SLAs for enterprises who venture forth into the sexy and hip cloud outsourcing trend, without implementing an adequate risk assessment profile, is a recipe for digital data centre disaster.

Galileo pontificates cloud payments for banks

Safety in numbers?: Cloud payment plans from Galileo

Cloud processing for regional and smaller banks and financial firms

ECM Plus – Galileo Processing has just taken the wraps off its new suite of solutions that enable payment card issuing banks and payment card programme managers to use cloud computing while ensuring levels of security, availability and regulatory compliance.

According to Galileo, its cloud processing offers clients a dedicated virtual environment in which they can preserve intellectual property. Users can develop their own apps and functionality to support their card programmes.

Upcoming UK Census data offshoring destined for more debacles

ONS offshoring Britons’ personal data for £150m

Report reveals 2011 UK Census of private data set to go offshore to foreign agencies, increasing probability of yet more Government-sanctioned personal data breaches

ECM Plus – A new Guardian report indicates that the British Government’s Office of National Statistics is to pay a foreign agency £150 million in taxpayer money to undertake the collection and processing of Britain’s family and personal income data. New extra questions in this year’s Census demand details of sources of income as well as additional personal data in the 32-page questionnaire, now destined to go offshore in the government cutbacks and ‘efficiency-savings’ outsourcing deal.

FEATURE: Key considerations for ‘cloudsourcing’ contracts – CAMM

Cloud computing sample architecture

Economics dictates that the CEO and CFO have a balancing act: delivering security and quality operational services, whilst at the same time attempting to reduce the organisational and operational costs of delivering the business’ mission.

One opportunity in focus is that of ‘CloudSourcing’, where, depending on the size and type of business, they may be considering engaging in a contract in which part, or all, of their operations are placed into the hands of a Cloud Provider, be this SaaS, PaaS, IaaS or any other such ‘Anything-as-a-Service’ that may accommodate the operational model.

FEATURE: Cloud computing – the calm before the storm


Sourcefire. Picture: joelesler

Enterprises across the world are hunting down the best way to scale their computing capability. Finding ways to work smarter has become increasingly important in today’s cost-controlled market. IT departments searching for a solution often demand that the infrastructure has to be quick, cheap and dynamic and this is one of the reasons that cloud computing is being touted as a potential corporate game changer.

Cloud Computing has been described as, arguably, the third revolution of IT, following the Personal Computer and Internet revolutions. But like most revolutions, progress towards widespread acceptance of the new regime is likely to take some time, amidst suspicion, a lack of confidence, wise scepticism and some false starts.

Many CIOs are in the process of moving applications and services into the Cloud. Some are considering Cloud-based computing due to economic reasons, while others are looking to create new dynamic IT services. Regardless of the reasons, with organisations contemplating moving to a Cloud environment many are forgetting a potentially fatal element, security. Before an IT director can make a clear sensible decision about a future Cloud strategy, let’s investigate where some risks lie, and work out where responsibility and accountability falls.

Ensuring a security evaluation is undertaken is a ‘must do’. Never simply assume that a service provider’s security is up to scratch. It must be checked. Matt Watchinski, director of Sourcefire’s Vulnerability Research Team, endorses this view. He says that as more and more enterprises and organisations move their applications to SaaS platforms, some provider is bound to fail miserably. We haven’t seen the major compromise yet, but this risk has to be on the horizon. So with storm clouds ahead, who is going to be in the dock when there is a failure? An understanding of accountability needs to be clear. Businesses using these types of services need to make sure they understand who is responsible for fixing these problems when they crop up, and who is legally accountable for the data loss. Outsourcing your data to the Cloud does not equate to outsourcing the risk: if your Cloud provider was responsible for the loss of your customers’ data, you could still find yourself accountable.

The impact of failure

Serious failures within a cloud infrastructure can have repercussions that reach much further than a single enterprise. Last year, after a major server outage, thousands of users of the Sidekick mobile phone and messaging service were warned that their personal data and photos had “almost certainly been lost”. Over a week later Microsoft, owner of the cloud-computing provider Danger, confirmed that it had managed to recover “most, if not all the customer data”. This example publicly highlights the potential danger of entrusting personal data to the cloud, but it doesn’t mean there’s a major design flaw in the Cloud-Computing concept. The failure is implementation specific, but it negatively impacts confidence in the whole market.

On the positive side, Cloud service providers typically have more resources to put into security and reliability than most businesses, and far more than a small business. Where would you rather your sensitive client and internal data was stored? Public clouds advertise a robust, highly physically secure data centre. Additionally there should be a team of on-site security experts focused on protecting the information stored there. Compare this to the alternative of the data being stored on a laptop which is continually moving around and being accessed in different locations. The data centre now seems the smart choice, but don’t forget you are handing over your information to someone else, and therefore losing direct control over it.

Compliance matters

Those considering a move to the Cloud need to consider how their market is regulated. Strict codes of conduct apply to many businesses and in some cases, regulations might stipulate that personal data has to remain within a specific country thus ruling out the use of certain providers who distribute data globally. In some situations the storage and processing of information away from a user or the enterprise is seen as a real advantage, a good example of this would be in a government, military or other high-security environment. Because of this advantage I expect to see some near-term implementations of Government controlled and designed community Cloud infrastructures. If those who are accountable for potential data loss are in control of the Cloud constructed to protect it, many of my concerns dissipate and central responsibility can be re-established around critical information that has traditionally been distributed. Imagine a world where DVDs of sensitive data are no longer lost in the post; they are simply re-referenced within the Cloud.

Make sure your house is in order

If the idea of storing and working with your critical data in a shared external infrastructure looks attractive in terms of cost metrics, before looking for a provider it is clear that some research needs to be undertaken.

Firstly, you need to prepare a list of mandatory security controls that you demand around the data you consider most sensitive, and then come up with suggestions of how a provider could potentially demonstrate these controls to you in action. Only then start to research the providers that believe they can meet the demands you place on your data. This should be part of any due diligence process. As the service consumer you should be in control of your data wherever it is, and you should have the ability to demand that any provider can prove their security capability, as it is likely that you will ultimately be accountable for a breach. Find out who you call if there is a problem and what service you can expect. In times of crisis you need guarantees that it will be prompt and responsive. The Cloud provider needs to be transparent.

If you have performed in-depth research before looking at service offerings you should understand the problems that face Cloud providers. Never be scared to call foul when you see a complex problem with an over simplified solution. It’s a cliché, but if it sounds too good to be true, it probably is. Always make sure you keep the horror show that is accountability in mind. Out of sight should never mean out of mind.

Leon Ward is Senior Security Engineer, Sourcefire.

Identity Document Act kills ID Cards and NIR database

House of Lords consign ID cards and register to history. Picture: ZapTheDingbat

Last night in the Lords at 9.49 pm, Royal Assent was given to the Identity Documents Act.

All existing ID cards will now be cancelled within one month.

The National Identity Register, the database which contains the biographic and biometric fingerprint data of card holders, will also be destroyed within two months.

According to sources, this saves £835 million in planned future expenditure.

HTTPS Everywhere anti-FireSheep security gaining traction

EFF tool provides protection from ‘Firesheep’

ECM Plus – The Electronic Frontier Foundation has just launched a new version of ‘HTTPS Everywhere’, a free security tool with enhanced protection for the Mozilla Firefox web browser against so-called “Firesheep” and other exploits of webpage security flaws.

According to the Foundation, HTTPS secures web browsing by encrypting both requests from the Firefox browser to websites and the resulting pages that are displayed. Without HTTPS, online reading habits and activities are vulnerable to eavesdropping, and accounts are vulnerable to hijacking.

Their report stated that while many sites on the web offer some limited support for HTTPS, it said it was often difficult to use. Websites may default to using the unencrypted, and therefore vulnerable, HTTP protocol or may fill HTTPS pages with insecure HTTP references. The HTTPS Everywhere tool uses carefully-crafted rules to switch sites from HTTP to HTTPS.
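To make the two mechanisms just described concrete, here is an added example that is not code from the EFF or the HTTPS Everywhere project: a small Python model of (1) switching http:// URLs to https:// with per-site rules, loosely in the spirit of HTTPS Everywhere's rulesets (a target host plus a from/to regular expression), and (2) scanning a page served over HTTPS for the "insecure HTTP references" the article mentions. The rules, host names and the sample page are constructed for this example and are not real rulesets.

```python
"""Added example, not code from the EFF or the HTTPS Everywhere project.

Models two things the article describes: rewriting http:// links to https://
using per-site rules (target host plus a from/to regex, loosely modelled on
the HTTPS Everywhere ruleset shape), and finding plain-http:// references in
a page served over HTTPS. Rules, hosts and the sample page are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed rules: (target hosts, regex the URL must match, replacement).
# A target beginning with "*." covers every subdomain of that suffix.
RULES = [
    (["example.com", "www.example.com"],
     r"^http://(www\.)?example\.com/", "https://www.example.com/"),
    (["*.example.org"],
     r"^http://([^/]+)\.example\.org/", r"https://\1.example.org/"),
]


def target_matches(host, target):
    """True if host is covered by target (exact host, or wildcard subdomain)."""
    if target.startswith("*."):
        return host.endswith(target[1:])  # target[1:] is ".example.org"
    return host == target


def rewrite(url):
    """Return the https:// form of url if a rule covers its host; else url unchanged."""
    parsed = urlparse(url)
    if parsed.scheme != "http":
        return url  # already https (or not a web URL): nothing to do
    host = parsed.hostname or ""
    for targets, frm, to in RULES:
        if any(target_matches(host, t) for t in targets) and re.match(frm, url):
            return re.sub(frm, to, url, count=1)
    return url  # no rule for this host: the extension would leave it alone too


class InsecureRefFinder(HTMLParser):
    """Collect http:// URLs in attributes that load a resource or submit data."""
    WATCHED = {"src", "href", "action"}

    def __init__(self):
        super().__init__()
        self.found = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.WATCHED and value and value.lower().startswith("http://"):
                self.found.append((tag, name, value))


def find_insecure_refs(html):
    """Return every (tag, attribute, url) in html that points at plain http://."""
    parser = InsecureRefFinder()
    parser.feed(html)
    return parser.found


# Constructed page as an HTTPS site might serve it: the script, the form
# action and one link still use plain HTTP; the stylesheet is already HTTPS;
# the "//" image URL inherits the page's scheme and so is not flagged.
SAMPLE_PAGE = """<html><head>
<script src="http://cdn.example.com/app.js"></script>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
</head><body>
<form action="http://www.example.com/login" method="post"></form>
<img src="//cdn.example.com/logo.png">
<a href="http://www.example.com/help">help</a>
</body></html>"""


if __name__ == "__main__":
    for tag, attr, url in find_insecure_refs(SAMPLE_PAGE):
        print(f"{tag} {attr}={url} -> {rewrite(url)}")
```

Running it shows why per-site rules are needed rather than a blanket scheme swap: the form action and the help link are rewritten because a rule names www.example.com, while the script on cdn.example.com is reported but left alone because no rule covers that host. The scan deliberately ignores protocol-relative `//` URLs, since on an HTTPS page those already load over HTTPS.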

The new free version of HTTPS Everywhere responds to growing concerns about website vulnerability in the wake of Firesheep, an attack tool that could enable an eavesdropper on a network to take over another user’s web accounts, on social networking sites or webmail systems, for example, if the browser’s connection to the web application either does not use cryptography or does not use it thoroughly enough. Firesheep, which was released in October as a demonstration of a vulnerability that computer security experts have known about for years, sparked a flurry of media attention.

“These new enhancements make HTTPS Everywhere much more effective in thwarting an attack from Firesheep or a similar tool” commented The Foundation’s senior staff technologist Peter Eckersley. “It will go a long way towards protecting your Facebook, Twitter, or Hotmail accounts from Firesheep hacks. And, like previous releases, it shields your Google searches from eavesdroppers and safeguards your payments made through PayPal.”

Other sites targeted by Firesheep that now receive protection from HTTPS Everywhere include Cisco, Dropbox, Evernote and GitHub.

In addition to the HTTPS Everywhere update, the Foundation also released a guide to help website operators implement HTTPS. “Firesheep works because many websites fail to use HTTPS,” said technology director at the Foundation, Chris Palmer. “Our hope is to make it easier for web applications to do the right thing by their users and keep us all safer from identity theft, security threats, viruses, and other bad things that can happen through insecure HTTP. Taking a little bit of care to protect your users is a reasonable thing for web application providers to do and is a good thing for users to demand.”

The first beta of HTTPS Everywhere was released last June. Since then, the tool has been downloaded more than half a million times.

Xerox arm does ‘documents on demand’ compliance bundle

Before the signing of the Sarbanes-Oxley Act

Mr. Copy launches DocuShare on Demand hosted ECM for document management

ECM Plus – Xerox’s Mr. Copy has just launched DocuShare on Demand, targeting small-to-medium-sized businesses.

The D-o-D system is a hosted enterprise content management solution which enables users to undertake document management, collaborate, review and approve as well as web publishing.

Xerox said that when coupled with Xerox scan-enabled multifunction devices from Mr. Copy, DocuShare on Demand provides a complete document management solution from one trusted vendor.

“It’s important to offer services that will help customers improve business operations and productivity” commented Bob Leone, president of Mr. Copy. “We developed DocuShare on Demand for companies committed to business modernization and green technology initiatives. We work closely with customers to contain costs and implement sustainability processes. In addition, we ensure document integrity and follow rigorous security standards, including SAS 70, Red Flag and HIPAA certifications.”

Xerox also claims that DocuShare on Demand can save users up to 90 percent of operational and storage costs relating to document management. It added that the new service would improve operational efficiencies by cutting the time it takes to find vital information by up to 80 percent.

The company also says that compliance for HIPAA, FERPA, Sarbanes-Oxley and 37 other state privacy laws is bundled in the package.

Information Commissioner: Street View breaches data protection laws

Commissioner Graham finds Street View broke law

Government watchdog finds search engine giant engaged in unlawful Street View snooping in private data dredge

ECM Plus – The UK Information Commissioner has ruled that search engine behemoth Google will be subject to audit and must sign an undertaking not to breach data protection laws again.

If the search engine company were to commit such an unlawful data breach in the UK again, it would ‘face enforcement action’, the ICO said in a statement.

Commissioner Christopher Graham said: “…there was a significant breach of the Data Protection Act when Google Street View cars collected payload data as part of their wi-fi mapping exercise in the UK.”

Commissioner Graham has instructed Google to sign an undertaking in which the company commits to take action to ensure that breaches of this kind cannot happen again.

Furthermore, in light of the breach of data protection, an audit of Google UK’s Data Protection practices will also be undertaken.

However, the Information Commissioner rejected calls for a financial penalty to be imposed on the search engine giant, but said that it was ‘well placed to take further regulatory action if the undertaking is not fully complied with.’

According to the ICO statement, international data protection authorities that undertook in-depth investigations into Google’s activities found fragments of personal data, including emails, complete URLs – and passwords.

The ICO said that following Google’s admission that personal data had indeed been collected, and given that Google used the same technology in the UK, the Commissioner decided that formal action was necessary.

Commissioner Graham is also requiring Google to delete the payload data collected in the UK as soon as it is legally cleared to do so.

Information Commissioner, Christopher Graham, added: “It is my view that the collection of this information was not fair or lawful and constitutes a significant breach of the first principle of the Data Protection Act.”

Said Graham: “The most appropriate and proportionate regulatory action in these circumstances is to get written legal assurance from Google that this will not happen again – and to follow this up with an ICO audit.”


Filed under Business Intelligence (BI), Compliance, Content Security, Data centres, Data Governance, Data privacy, Data protection, Data storage, Enterprise Content Management, Enterprise Search, Industry News, Information Governance, Information security, Intellectual Property (IP), Knowledge Management, Reporting, Rights Management, Scanning, Security Content Management (SCM)

Does application security pay?

Information security frameworks (photo caption)

Communicate the business value of application security solutions in a language that matters to the board

by Craig LeGrande & Amir Hartman, Mainstay Partners

The last decade has seen a dramatic shift in the way companies manage information security and protect vital data.

In the past, businesses confronted the threat of cyber attacks and data breaches primarily by building firewalls and other “perimeter defences” around their networks. The threat has continued to evolve, however, and criminals are increasingly attacking applications that run on a plethora of new devices and environments, including cloud, mobile and social media. As a result, the focus of threat protection is moving from securing the infrastructure to securing the software applications that businesses write and deploy.

The shift has created a market for a new generation of products and services – known as software security assurance (SSA) solutions – that help companies uncover vulnerabilities in their code, fix these defects effectively, and produce software that resists security threats. In an effort to quantify the business value of SSA, Fortify Software (the leading provider of SSA solutions) commissioned Mainstay Partners to conduct in-depth interviews with 17 global customers: organisations that have implemented SSA and represent a cross-section of industries. The study found that companies are realising substantial benefits from SSA right out of the box, saving as much as $2.4M per year from a range of efficiency and productivity improvements, including faster, less costly code scanning and vulnerability remediation, and streamlined compliance and penetration testing.

Exponential increases in benefits, however, are being achieved by companies that deploy SSA in more comprehensive and innovative ways. These advanced deployments include embedding software security controls and best practices throughout the development lifecycle, extending SSA programs into critical customer-facing product areas, and leveraging SSA to seize unique value-generating opportunities. For these strategic companies, the benefits of software security solutions can add up to as much as $37M per year. In our interconnected world, software is everywhere: not just in data centres or on desktop computers, but in mobile phones and all kinds of wireless devices and consumer products.

Software resides on the Web and in the cloud, where businesses rely on software-as-a-service (SaaS) solutions for mission-critical business functions. Application security protects the software running in all these environments and devices, and the business improvements of SSA extend to wherever applications are deployed. At a time when IT budgets are coming under closer scrutiny, chief information security officers (CISOs) say they are being called upon to justify SSA investments on a cost-benefit basis.

This article provides the evidence information security executives need to communicate the business value of software security solutions in a language the board can relate to.

Faster vulnerability remediation

Across the board, companies adopting SSA solutions report significant efficiency improvements in finding and remediating software security flaws:

By introducing automated SSA technology and best practices, organisations reduced average remediation time from 1 to 2 weeks to 1 to 2 hours.

Organisations saved an estimated $44K annually in remediation costs per application.

For the average organisation, these cost savings are estimated conservatively to amount to $3M per year.

Streamline compliance and penetration testing

Companies are facing tighter government and industry regulations for application security, particularly new software standards in the financial services and health-care industries. By configuring the SSA solution to address specific compliance mandates, organisations quickly identified and ranked vulnerabilities according to severity. The solution also generates a report documenting these activities, creating an audit trail for regulators:

The average organisation adopting SSA saw its fees paid to compliance auditors fall by 89%, or about $15K annually.

The average organisation achieved a 50% reduction in penetration testing effort, translating into annual savings of more than $250K.

Avoid data breaches

The threat of a major data breach can keep CISOs awake at night, and most are aware of the history of high-profile security failures that have damaged company reputations and cost millions of dollars in legal and PR fees, remediation expenses, lost revenue and customer churn:

The average cost of a data breach is about $3.8M, or $204 per compromised record.

Companies can save an estimated $380K per year by adopting SSA solutions to avoid major data breaches.

Avoid software compliance penalties

Businesses that fail to comply with industry standards for software security can face substantial penalties. In the payment card industry, for example, penalties range from $5K to $25K per month. Moreover, when lost sales, customer churn and remediation expenses are also factored in, the full cost of PCI non-compliance can be substantially higher:

By ensuring compliance through systematic application security testing, companies can conservatively avoid approximately $100K in penalties annually.

Pay-for-performance benefits

In an innovative use of software security technology, companies that outsource software development to partners are using SSA solutions to drive cost-effective “pay for performance” programs:

Companies using SSA to screen and adjust the price of outsourced code can capture fee savings of about $100K annually while improving the overall quality of code delivered by development partners.

Faster product launches boost revenue and margins

For companies that sell e-commerce and other commercial software, discovering security flaws late in the development life cycle can delay new product introductions (NPI) by weeks or months, putting revenue and market share at risk and adding millions of dollars in development costs:

Companies can capture an estimated $8.3M of additional software revenue through a comprehensive SSA program that minimises product delays.

Companies can realise development cost savings of about $15M per year from SSA-driven reductions in product delays.

Maximise the value of M&A deals

Companies can extend the value of their software security solution by deploying it strategically, for example to perform software security audits of acquisition targets whose core products depend critically on software:

In the case of a company completing two $100M deals a year, using SSA to assess the software assets of prospective acquisitions can yield valuation benefits of approximately $10M.

Realising the full potential of SSA

For companies able to exploit all of the opportunities for value creation, that potential can reach $37M annually. There are three stages that organisations typically go through on the path to SSA maturity:

Explore: These organisations deploy an SSA solution across a small number of applications (10–20) and developer teams as a proof-of-concept initiative.

Accelerate: These organisations are moving beyond “toe-in-the-water” pilot programs and are actively incorporating threat detection and remediation techniques across key development teams and applications.

Optimise: These organisations have embedded software security tools, processes, and training within a formal SDLC program. Many are also leveraging SSA solutions in innovative ways to generate additional business value and create competitive differentiation.

As this article has demonstrated, SSA solutions not only help companies minimise the risk of a successful cyber attack, but also offer substantial efficiency and productivity benefits that help control costs, speed software development cycles and, in some cases, even boost revenue and asset values.

BOX OUT A: Key Findings

The full benefit potential of SSA solutions can reach $37M annually.

Initial SSA deployments can create $2.4M in annual benefits.

Average vulnerability remediation time fell from 1 to 2 weeks to 1 to 2 hours.

Repeat vulnerabilities fell from 80% to virtually zero.

Organisations saved an estimated $44K in remediation costs per application.

Companies reducing time-to-market delays saved an estimated $8.3M annually.

BOX OUT B: What should organisations look for in an SSA solution?

Not all vendors offer the same functionality and services. When evaluating the options, organisations should look for a value-maximising SSA solution that:

Offers both deep remediation functionality and a breadth of supporting services

Provides support for cross-team collaboration – bringing information security teams, developers, risk officers, and auditors together in a coordinated effort

Seamlessly integrates with existing application life-cycle management (ALM) and development environments, shortening time to remediation

Provides in-depth guidance on how to correct each security vulnerability, thus accelerating remediation further

Offers robust governance capabilities, including the ability to define and communicate security policies and rules across the organisation

Provides research on the latest threat trends and techniques, ensuring that teams are aware of emerging threats

The reduction in remediation time is due to several factors, including SSA capabilities and practices that (1) pinpoint the exact location of a flaw in the code, (2) prioritise vulnerabilities so that resources focus on the most critical flaws, and (3) provide guidance on how to correct each vulnerability. The estimate is based on a conservative 10 vulnerabilities per application and 67 critical applications.

Mandates and standards commonly affecting application development projects include the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA), the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and North American Electric Reliability Corporation (NERC) standards.

Assumes a 50% reduction in penetration testing effort; legacy environment costs are based on an average of eight penetration tests per year at $67K per test.

(See “Top 10 Data Breaches and Blunders of 2009,” eSecurity Planet, Top-Ten-Data-Breaches-and-Blunders-of-2009.htm.)

Fourth Annual U.S. Cost of Data Breach Study, Ponemon Institute, 2009. Assumes that the average company would experience a major data breach once every 10 years.

Assumes that an average penalty period would last six months. Research indicates that penalties make up only 30% of the full impact of non-compliance (“Industry View: Calculating the True Cost of PCI Non-Compliance,” Ellen Lebenson, CSO Online). Assumes a non-compliance period lasting six months. Average penalty periods range from 3 to 24 months.

Assumes average fee discounts of 1% applied to annual outsourced development expenditures of $10M.

Estimate assumes a $20B company earning 1.25% of its profit per quarter from new product sales; 50% of product introductions are assumed to benefit from SSA efficiencies, which help avoid an average of four critical vulnerabilities per product and 30 days of delays.

Estimate assumes a $20B company incurring new product development costs equal to 3% of revenue; 50% of new products, or $300M in expenses, are assumed to be affected by SSA efficiencies, which help avoid an average of four critical vulnerabilities per product and 30 days of delays; the resulting 5% productivity increase saves $15M in development expenses.

Sample customer assumptions include: $20B customer, 10% new product revenue contribution; 50% first year margins; two-month product delay due to vulnerabilities; 500 critical/severe vulnerabilities; $3.8M cost per breach @ 10% probability; $200M in M&A @ 5% valuation benefits.
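The footnotes above give the inputs behind most of the article's headline figures. The following Python, added here and not code from the article or from the Mainstay/Fortify study, recomputes those figures from the stated inputs and checks them against the printed values, so a CISO can substitute their own numbers; the $8.3M revenue and $100K penalty figures are left out because the footnotes do not fully specify their inputs.

```python
# Reproduces the SSA business-case figures from the article's footnoted
# assumptions. Added example, not code from the article or the Mainstay/
# Fortify study. Defaults are the footnotes' inputs; the $8.3M revenue and
# $100K penalty figures are omitted because their inputs are incomplete.

def remediation_savings(critical_apps=67, saving_per_app=44_000):
    # $44K saved per application across 67 critical apps (article: ~$3M/yr)
    return critical_apps * saving_per_app

def pentest_savings(tests_per_year=8, cost_per_test=67_000, reduction=0.5):
    # Legacy spend of 8 tests x $67K, halved (article: more than $250K/yr)
    return tests_per_year * cost_per_test * reduction

def breach_avoidance(cost_per_breach=3_800_000, breaches_per_year=0.1):
    # Annualised expected loss: one $3.8M breach per decade (article: $380K)
    return cost_per_breach * breaches_per_year

def development_savings(revenue=20e9, dev_cost_share=0.03,
                        share_affected=0.5, productivity_gain=0.05):
    # $20B x 3% x 50% = $300M affected spend, x 5% gain (article: $15M/yr)
    return revenue * dev_cost_share * share_affected * productivity_gain

def ma_valuation_benefit(deal_volume=200e6, benefit_rate=0.05):
    # Two $100M deals a year at a 5% valuation benefit (article: $10M)
    return deal_volume * benefit_rate

# Rounded headline figures as printed in the article, for reconciliation.
STATED = {"remediation": 3_000_000, "pentest": 250_000, "breach": 380_000,
          "development": 15_000_000, "m_and_a": 10_000_000}

def business_case():
    """Each component at the article's defaults, plus their total."""
    parts = {"remediation": remediation_savings(), "pentest": pentest_savings(),
             "breach": breach_avoidance(), "development": development_savings(),
             "m_and_a": ma_valuation_benefit()}
    parts["total"] = sum(parts.values())
    return parts

def reconcile(tolerance=0.10):
    """True where the computed value is within `tolerance` of the printed
    figure; shows how much rounding the article applied."""
    computed = business_case()
    return {k: abs(computed[k] - v) / v <= tolerance for k, v in STATED.items()}

if __name__ == "__main__":
    for name, value in business_case().items():
        print(f"{name:>12}: ${value:>14,.0f}")
    print(reconcile())
```

Passing different arguments (for example remediation_savings(critical_apps=20)) rebuilds the case for a smaller application portfolio.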


Filed under Content Security, Features, Information security, Security Content Management (SCM)