10,611 research outputs found

    Developing an Information Security Program (ISP) for the Town of Nantucket

    This Interactive Qualifying Project report to the Information Technology Department of the Town of Nantucket discusses the importance of developing an Information Security Program (ISP) for town departments. The report details the history of information security risks, actions taken in response, and a thorough analysis of information security procedures. Our group utilized electronic surveys and interviews to gather feedback regarding the opinions of town employees on the security of information within the town departments and what specifics must be included within the ISP. The final product for this project provides a framework for a comprehensive security policy, and our findings create a detailed guide that will aid with the finalization and implementation of the ISP

    SMEs, electronically-mediated working and data security: cause for concern?

    Security of data is critical to the operations of firms. Without the ability to store, process and transmit data securely, operations may be compromised, with the potential for serious consequences to trading integrity. Thus the role that electronically-mediated working plays in business today and its dependency on data security is of critical interest, especially in light of the fact that much of this communication is based on the use of open networks (i.e. the Internet). This paper discusses findings from a 'WestFocus' survey on electronically-mediated working and telework amongst a sample of SMEs located in West London and adjacent counties in South-Eastern England in order to highlight the problems that such practice raises in terms of data security. Data collection involved a telephone survey undertaken in early 2006 of 378 firms classified into four industrial sectors ('Media', 'Logistics', 'Internet Services' and 'Food Processing'). After establishing how ICTs and the Internet are being exploited as business applications for small firms, data security practice is explored on the basis of sector and size with a focus on telework. The paper goes on to highlight areas of concern in terms of data security policy and training practice. Findings show some sector and size influences. WestFocus* under the Higher Education Innovation Fund (HEIF 2

    Legislative responses to data breaches and information security failures

    On July 23, 2008, the Payment Cards Center of the Federal Reserve Bank of Philadelphia hosted a workshop to discuss federal and state legislative responses to data breaches. The workshop addressed several laws and legislative initiatives designed to create greater safeguards for personal consumer information frequently targeted by data thieves and often subject to the failures of information security protocols. Diane Slifer, J.D., M.B.A., who has frequently presented at forums on data security and has represented clients in matters related to data breaches, led the workshop. Slifer examined several highly publicized data breaches and explained how various laws and regulations have been put in place in order to protect and inform consumers whose personal information has been compromised. Additionally, she discussed several legislative initiatives designed to potentially create a more structured and secure environment for private consumer data overall. This paper summarizes Slifer's presentation, the ensuing discussion, and additional Payment Cards Center research. In addition, it offers a brief overview of recent data breaches, a description of various ways that federal and state laws operate, and some thoughts on how effective these laws and regulations have been. Payment systems; Identity theft; Fraud; Law and legislation

    ACUTA Journal of Telecommunications in Higher Education

    In This Issue Network Security: An Achilles Heel for Organizations of All Sizes Providing Backup in a VoIP World Security Concerns Shift Inward Cell Phones, Land Lines, and E911 Security Checklists Higher Ed's Tricky Equation: Directories Help Balance Availability with Security Disaster Recovery Planning Essentials Passing the Test of productivity Interview President's Message From the Executive Director Here's My Advic

    The InfoSec Handbook

    Computer scienc

    An investigation of electronic Protected Health Information (e-PHI) privacy policy legislation in California for seniors using in-home health monitoring systems

    This study examined privacy legislation in California to identify those electronic Protected Health Information (e-PHI) privacy policies that are suited to seniors using in-home health monitoring systems. Personal freedom and independence are essential to a person's physical and mental health, and mobile technology applications provide a convenient and economical method for monitoring personal health. Many of these apps are written by third parties, however, which poses serious risks to patient privacy. Current federal regulations only cover applications and systems developed for use by covered entities and their business partners. As a result, the responsibility for protecting the privacy of the individual using health monitoring apps obtained from the open market falls squarely on the states. The goal of this study was to conduct an exploratory study of existing legislation to learn what was being done at the legislative level to protect the security and privacy of users using in-home mobile health monitoring systems. Specifically, those developed and maintained by organizations or individuals not classified as covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The researcher chose California due to its reputation for groundbreaking privacy laws and high population of seniors. The researcher conducted a content analysis of California state legislation, federal and industry best practices, and extant literature to identify current and proposed legislation regarding the protection of e-PHI data of those using in-home health monitoring systems. The results revealed that in-home health monitoring systems show promise, but they are not without risk. The use of smartphones, home networks, and downloadable apps puts patient privacy at risk, and combining systems that were not initially intended to function together carries additional concerns. Factors such as different privacy-protection profiles, opt-in/opt-out defaults, and privacy policies that are difficult to read or are not adhered to by the application also put user data at risk. While this examination showed that there is legislative support governing the development of the technology of individual components of the in-home health monitoring systems, it appears that the in-home health monitoring system as a whole is an immature technology and not in wide enough use to warrant legislative attention. In addition – unlike the challenges posed by the development and maintenance of the technology of in-home health monitoring systems – there is ample legislation to protect user privacy in mobile in-home health monitoring systems developed and maintained by those not classified as covered entities under HIPAA. Indeed, the volume of privacy law covering the individual components of the system is sufficient to ensure that the privacy of the system as a whole would not be compromised if deployed as suggested in this study. Furthermore, the legislation evaluated over the course of this study demonstrated consistent balance between technical, theoretical, and legal stakeholders. This study contributes to the body of knowledge in this area by conducting an in-depth review of current and proposed legislation in the state of California for the past five years. The results will help provide future direction for researchers and developers as they struggle to meet the current and future needs of patients using this technology as it matures. There are practical applications for this study as well. The seven themes identified during this study can serve as a valuable starting point for state legislators to evaluate existing and proposed legislation within the context of medical data to identify the need for legislation to assist in protecting user data against fraud, identity theft, and other damaging consequences that occur because of a data breach

    An Analysis of Perceived Faculty and Staff Computing Behaviors That Protect or Expose Them or Others to Information Security Attacks.

    A mixed-methods study, conducted in 2007-2008, designed to quantify and assess behaviors that either protect or expose data at academic institutions to information security attacks. This study focused on computing practices at two academic institutions: East Tennessee State University and Milligan College. Interviews with six information technology professionals and online surveys were used to assess faculty and staff members' awareness and practice of safe computing behaviors. The constant comparison method was used to analyze qualitative data. Descriptive statistics and univariate and multivariate analysis of variance techniques were used to analyze the quantitative data. Overall, the analyses indicated that the faculty and staff members at these institutions were equally aware of information security issues and practices and tended to practice safe computing behaviors--though apparently at a level that was less than commensurate with their awareness of these behaviors. Raised awareness correlated with safe computing behaviors, as did computer usage: those who had used computers for more than 20 years appeared to be more aware of safe practice than those who had used computers for 20 years or less. Password management emerged as a major challenge for the participants. They were also concerned with phishing emails and they tended not to be aware of FERPA regulations

    Employer Liability and Bring Your Own Device: Do Existing Regulations Support Employer Liability for a Compromised Personal Device?

    As employers increasingly permit employees to use their personal devices (known as Bring Your Own Device, or “BYOD”) for business purposes, and as the risk of data exposure continues to rise, the question of how, when, and against whom to attach liability remains in flux. This paper will endeavor to explore employer liability as viewed through the lens of hacked or compromised BYOD devices. The research begins by identifying BYOD as a concept along with the risks and benefits incident to the practice. It then discusses current state and federal data protection regulations. It then explores recurring themes in data breach litigation with a particular emphasis on portable device cases. In the remaining parts, the author attempts to discover congruencies in data breach liability and employer liability for portable devices by examining two states with strict data protection regulations that could apply to portable devices regardless of the question of ownership. Lastly, the author identifies the arguments against regulating BYOD devices and suggests that current regulatory frameworks provide ample redress for compromised personal devices used for work purposes. Submitted to the Washington State Office of Privacy and Data Security.