Archive for December, 2010

Who’s Got Your Information — Today!

Wednesday, December 29th, 2010

The twenty most recent data-loss or theft incidents of 2010, based on data reported by the Open Security Foundation*, impacted the following organizations:

- Farber Enterprises, 30 Nov 2010
- Houston Independent School District, 2 Dec 2010
- University of Arizona, 2 Dec 2010
- American Check Casher of Oklahoma, 3 Dec 2010
- Mesa County, Colorado, 4 Dec 2010
- University of Wisconsin, Madison, 9 Dec 2010
- University of Alberta, 9 Dec 2010
- Gaelic Athletic Association, 10 Dec 2010
- Walgreens, 10 Dec 2010
- Genesco, Incorporated, 10 Dec 2010
- Mountain View Medical Center, 10 Dec 2010
- McDonalds Corporation, 11 Dec 2010
- NatWest, 11 Dec 2010
- Gawker Media, 12 Dec 2010
- Department of National Defence, Canada, 12 Dec 2010
- Mesa County Sheriff’s Office, 12 Dec 2010
- Mountain Vista Medical Center, 13 Dec 2010
- Ohio State University, 15 Dec 2010
- NY State Office, Temporary/Disability Assistance, 15 Dec 2010
- Dean Health Systems, 20 Dec 2010

* Source: Open Security Foundation, 2010 (see http://datalossdb.org/)

These twenty were preceded by another 351 during 2010, impacting: AMR Corporation, Aon Consulting, British Columbia Lottery Corporation, Citibank, Equifax, Federal Reserve Bank, Jackson Hewitt, Hartford Life Insurance Company, Loma Linda University Medical Center, Navy Federal Credit Union, NBC Universal, Paychex, Starbucks, St. Mary’s Medical Center, the U.S. Army, State Department and Verizon Wireless among many others.

For details of these and others, see the comprehensive database compiled and made available by the Open Security Foundation at http://datalossdb.org/.

What Others Can Find Out about You and Your Employees
Think you’re immune to the problem? Think again! Your employees are leaving trails all over the Internet for anyone to exploit.

Visit What The Internet Knows About You – Today!
See http://whattheinternetknowsaboutyou.com/ to test it out for yourself
See http://wtikay.com/docs/details.html to read the background details

Lax or non-existent controls make it easy to identify where your employees have been and who they are, and those trails supply the routes an attacker uses to craft an attack. Gathering intelligence about you and your organization is, as a result, rather easy.

What Others Are Finding Out about You and Your Employees!
The widespread adoption of smart-phones, both inside and outside the organization, is leaving many firms exposed to personally identifiable data-sharing practices that are now being challenged in the courts. The most recent lawsuit targets Apple and the makers of Apps that run on the iPhone. The same Apps, App-makers and Android-based smart-phones could be next.

Read the news at:

Apple sued over iPad and iPhone app ‘data leaks’
See: http://www.bbc.co.uk/news/technology-12089225

Apple, App makers hit with privacy lawsuits
See http://www.washingtonpost.com/wp-dyn/content/article/2010/12/28/AR2010122803648.html

Apple Sued for Allegedly Sending Data to Advertisers
See http://online.wsj.com/article/BT-CO-20101228-706485.html

The lawsuits do focus the issue on appropriate uses of personally identifiable data – even if it’s too early to decipher the outcomes.

Beyond PID: Financial, customer, audit, security and other sensitive information
What’s more important: PID covering your employees and your customers, or sensitive information about your financials, audit profile data, internal fraud investigations, configuration control data for your websites and critical databases, information security controls and procedures governing access to sensitive information, information covering strategic partners, suppliers, merger or acquisition plans, patient data, new drug-testing results, utility-grid data, minerals-exploration findings, new manufacturing methods, board minutes … or other information?

• Whatever you value, is it worth protecting, do you know where it’s located, who has access to it, and how it should not be used?
If you can answer these questions immediately: count yourself among the lucky 10 percent of the population that can!

Do you know what your information risks are – today?
If you can answer this question in less than a week, count yourself among the prepared 8 percent of the population.
And, make sure the CEO and the board know about this.

Take Action — Today!
For the other 90 percent, it’s time to tell the CEO and the board what needs to be done, before you too become the next headline in the Wall Street Journal, The Washington Post or the BBC, and find yourself listed in the Open Security Foundation’s DataLossDB.

See the recent research, “What Color Is Your Information Risk — Today?” at http://www.itpolicycompliance.com/research_reports/

The two-minute benchmark test
Too busy to read research? Take two-minutes to find out how well prepared you are by benchmarking and comparing your practices against others in your industry, your peers, and the best performing organizations.

The Assessments@ITPolicyCompliance for managing information controls compares your practices for managing information against the real-world choices and practices of more than 3,800 other organizations.

Visit: www.ITPolicyCompliance.com/Assessments/ – Today!

Find the answers to how your practices for managing information controls compare with:
• your industry
• your peers, and
• best performers

Practices covered by this assessment include:
• Segregating different kinds of IT systems
• Classifying information
• Identifying the locations of sensitive information
• Segregating access to sensitive information
• Prevention and detection
• Protecting sensitive information
• Detecting the leakage of sensitive information

Visit: www.ITPolicyCompliance.com/Assessments/ – Today!

Specific to your industry and size of your organization, all of the confidential and free assessments deliver immediate feedback on how well, or poorly, you are managing business value and risk related to the use of IT compared to others in your industry, your peers and the best performing organizations. More importantly, the two-minute assessments quickly identify how you compare with others and practices that will improve outcomes.

Who should be interested: senior managers in IT, audit, risk, and compliance
Time to value: minutes

Regardless of size or industry, most organizations are continuously looking to improve operational effectiveness across all functions: IT is no exception.

Improve your outcomes, visit Assessments@ITPolicyCompliance today.

C-Level Secrets of the IT Masters

Tuesday, December 28th, 2010

Ever wonder why — and more importantly how — just 1-in-10 organizations are able to leverage IT for competitive advantage? The latest research from the IT Policy Compliance Group unveils the strategies, management tactics and tools that are consistently being used by the best performing organizations to maximize value and minimize risk for IT.

Research findings covered in the report, How the Masters of IT Deliver More Value and Less Risk, include:

  • GDP growth rates, corporate revenue and profits
  • Revenue, profit, customer retention outcomes
  • Spending on IT and outcomes
  • Largest business risks related to the use of IT
  • Business risk outcomes
  • Who manages value and risk related to the use of IT
  • Strategic management tools
  • Tools for reporting and managing value and risk
  • GRC tools
  • Sources of information
  • Systems of record
  • Timeliness of assessments
  • Reporting and managing value and risk

The diagram below illustrates the key strategic management tools used by the C-Level masters of IT, including COBIT, IT Balanced Scorecards, IT Portfolio Management and Strategic IT Maps.
[Diagram: strategic management tools used by the C-level masters of IT: COBIT, IT Balanced Scorecards, IT Portfolio Management and Strategic IT Maps]

The choices made by the masters of IT impact both top- and bottom- line results of organizations, from revenue and profit, to financial exposure from business downtime, lost and stolen customer data and spend on audit. The chart below shows how top-line growth can be dramatically improved by the choices made to manage the value delivered by IT.

[Chart: top-line growth versus the choices made to manage the value delivered by IT]

The masters of IT do things very differently than all others. Find out today what these organizations and people do, how they do it, and why it’s important to your organization.

Who’s Spying on You, and What They Know

Monday, December 20th, 2010

Last week’s reports that Microsoft intends to put a “do not track” button in the forthcoming release of its Internet Explorer browser join a long line of add-ons for numerous web browsers that would, in theory, put users in charge of whether they are targets for online advertising. See “Add do not track to Firefox, IE, Google Chrome” by Dennis O’Reilly at CNET: http://news.cnet.com/8301-13880_3-20024815-68.html

But, recent research reveals these “do-not-track” efforts may be useless.

Tracking of User Web browsers
A review of the past and present reveals the following practices to track and identify users and their web-browsers:

Old school: Cookies
A tried-and-true method and still used today. For an introduction to cookies, see: http://en.wikipedia.org/wiki/HTTP_cookie. Their inventor (Lou Montulli, at Netscape in 1994) was trying to solve the “shopping-cart” problem and never intended cookies to be used for tracking. It was not until years later, when he found advertising being served up to him based on his searches, that he realized his “shopping-cart” solution had been subverted for private gain. Cookies combined with IP addresses and third-party analytics are now the most common method employed to serve up advertising based on web-surfing behavior.

“So what” you say? Read on…

Contemporary school: LSO Super-cookies
A more contemporary approach uses Flash-based LSO super-cookies (or Silverlight cookies), that are combined with 3rd party analytics to serve-up advertising based on web-surfing behavior.
See http://en.wikipedia.org/wiki/Local_Shared_Object

Users are never told this is happening, and the practice continues unabated because they cannot see it: nothing in the browser shows that their use of the Internet is leading to more personal data being collected about them. To change what is done with Flash stored objects on your PC or laptop you have to visit the Flash Player Settings Manager at http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager04.html, but doing this does not block LSO cookies and the tracking that occurs as a result.

Users of Firefox can add plug-ins that will detect and delete these. Plug-ins such as BetterPrivacy, Ghostery, RequestPolicy, Torbutton and NoScript, among others, provide tools for those who do not want to be tracked, and Firefox plug-ins can also be used to prevent JavaScript from harvesting a lot of personally identifiable data.

“So what” you say? Read on….

You are Now being Fingerprinted
The new school of tracking fingerprints your web browser itself, with or without cookies, and without your knowledge or consent. Combined with the ubiquitous ability to geo-locate you and, more importantly, to record your IP address (unless you spoof it), the reality is that even without cookies the trackers can continue to harvest data about users for advertisers and their supporting search-engine, device, app and network-service enablers. Don’t believe it?

Test the fingerprint of your browser
See how unique your own web browser’s fingerprint is: visit Panopticlick at:

http://panopticlick.eff.org/

It doesn’t matter whether you use in-private browsing or not: you and your IP address are now being uniquely fingerprinted. The research paper from the Electronic Frontier Foundation available on the Panopticlick site (http://panopticlick.eff.org/browser-uniqueness.pdf) shows that browsers are overwhelmingly trackable and argues that policymakers should consider treating web-browser fingerprints as personally identifiable data.

The Europeans may be inclined to do this, but watch-out if you are not a citizen of a Euro-country.

Some good uses of fingerprinting browsers:
Good uses of the approach include applications in financial services and by goods and service providers as another check against fraud. One of many providers of the technology is 41st Parameter.
See more at http://www.the41st.com/industries.asp

Focused on financial services, the company also delivers products and services for eCommerce, Travel, DRM and Social networking applications.

Beware Traffic Analysis
Although 41st Parameter’s stated applications of its technology are focused on uses that many people will applaud, there is no reason the same technology from another company with a very different business model, or from a hacker for that matter, cannot be applied to the last item on that list, social networking applications. That prospect should worry everyone from consumers to CEOs of the largest companies, because it makes traffic analysis easy: a technique that yields useful information about the searches and sites being used by a targeted group. For an introduction to traffic analysis and a few of its applications, see http://en.wikipedia.org/wiki/Traffic_analysis

Fingerprint on the Web: meet Social media!
Social media meets fingerprinting. See more: http://www.webpronews.com/topnews/2010/12/15/gawker-attack-sends-ripples-throughout-the-web

Personal details stored by users on social media sites such as Facebook, LinkedIn or any number of other Internet social media sites (see http://en.wikipedia.org/wiki/List_of_social_networking_websites for a more complete list) can easily be used to link your personal information with old-fashioned cookies, LSO cookies, fingerprints, IP addresses and the other information being collected.

Instead of a government overtly conducting spying on its citizens, the primary harvesting-engine of personal preferences and interests in the West is coming from the private-sector.

“So what”, you say? Read on…

Mobile smartphones
The Wall Street Journal reported the findings of its investigation on the personal-information data-collection and data-sharing practices that are employed for Mobile smartphones in its article “Your Apps Are Watching You” printed on December 18, 2010.
See more: http://online.wsj.com/article/SB10001424052748704368004576027751867039730.html?mod=googlenews_wsj

The authors found that personal details are routinely being collected and shared, including, among others, age, gender, location and the ID of the smartphone. Of course, this is a great practice for financial gain from the sale of advertising, but the data being collected can be used for purposes beyond advertising. And if there is a buck to be made from the sale of personally identifiable data, you can be assured these activities are already underway. An interactive database of the Journal’s results can also be found at www.WSJ.com/WTK

Who’s got your back?
What protections can you take if you are a consumer or a business? What protections can your company employ to limit what your competitors can learn about your strategic plans, customer visits, merger and acquisition plans, or strategic partners by using traffic analysis? What about traditionally more secretive national defense or homeland security initiatives?

While the ethics of modern Internet advertising are debatable (service providers double-dip by charging consumers for a service and then selling data for a profit that is then used to target prospective customers), the real worry is how the information being collected can be used for traffic analysis and targeting purposes, in the public and private sector alike. Traffic analysis knows no boundaries!

In retrospect, the “do-not-track” missive of a week or so ago appears sophomoric at best, and misleading at worst!

You tell us: is this too paranoid, or are we already in an era beyond privacy that can be legislated, where the practices on the Web already outstrip the boundaries of national law and regulation, without any possible solution other than more defensive technical traps and arsenals – if there are any?

When it WikiLeaks, it pours!

Monday, December 13th, 2010

Openleaks (www.openleaks.org) says it plans to be up and running in 2011, is already “drowning in applications”, and promises to stay neutral when it comes to politics (see Reuters).

This comes on the heels of WikiLeaks events of the past two weeks that have seen Julian Assange arrested on a Swedish warrant over sex-related allegations, the U.S. Department of Justice authorizing significant actions toward criminal charges, and the abandonment of business as usual among organizations and people identified in the ‘leaks’.

I’m glad to see some journalistic credibility and redaction-to-protect-people: but are you glad about this turn-of-events?

Whether you agree or disagree with the widespread availability of sensitive information, the unfolding of these events is witness to some sad realities, including:

Less than 1-in-10 organizations knows whether sensitive information has flown the coop

The other 9-in-10 don’t find out until it’s much too late

Less than half of all organizations even classify information

Only 4-in-10 organizations take precautions to cryptographically protect sensitive information

To understand the extent of the problem, see:

What Color Is Your Information Risk

Automation, Practice and Policy in Information Security for Better Outcomes

Assessments @ IT Policy Compliance

Armies of lawyers, lawsuits and criminal charges are not going to put the information-leaking genies back into the proverbial bottle, whether the leakers focus on governments, large businesses, celebrities or other inviting targets.

Joined by BrusselsLeaks, IndoLeaks and BalkanLeaks (see Forbes), the coming-of-age of leaked confidential information is more leaks, as newbie info-leakers vie for attention, power, control, advocacy positions, fraud, ransoms and other aims.

If organizations want to come to grips with the coming down-side era of the Internet, it will be time to do what should have been done all along: clean up your own house!

This starts with coming to grips with the extent of poor practices, including pretending the risks do not exist or shooing the risks away, lax or non-existent policies, non-existent or poorly understood procedures, non-existent controls and underfunded practices.

Law has never stopped the flow of information … cleaning up one’s own house is much less expensive and more likely to avoid embarrassing consequences and worse.

Internal Controls and Human Behavior: Business Risk and Business Value

Friday, December 10th, 2010

Are you more at risk because employees are using the Web to download warez from Internet file-sharing sites? What about transferring confidential company data or customer information using email, thumb-drives and print-outs? Are your financial, sales, customer and partner records accidentally being siphoned off because employees don’t know better? Do your employees know what your policies and procedures are, and how do you know?

The new Assessments@ITPolicyCompliance compares your practices for managing internal procedural controls for human behavior against real-world practices at more than 3,600 other organizations.

Visit: www.ITPolicyCompliance.com/Assessments/ to find out more

Find the answers to how your practices for internal procedural controls to manage IT related business risk and value compare with:
• Your industry
• Your peers, and
• Best performing organizations

The assessment – Management of Procedural Controls – compares how well or poorly you use internal procedural controls to manage business risk and value. Practices covered include:

• Change management for policies, procedures, assets and controls
• Information-handling
• Acquisition and use of IT assets
• Background checks
• Training for ethics, compliance and IT policies
• Surveys about ethics and policies
• Social engineering and penetration testing
• Automation of internal control procedures

Visit: www.ITPolicyCompliance.com/Assessments to find out more

Specific to your industry and size of your organization, the confidential and free assessment delivers immediate feedback on how well, or poorly, your practices for managing internal procedural controls are compared to your industry, your peers and the best performing organizations.

The Assessments@ITPolicyCompliance enable you to rapidly identify changes to practices that will:
• Increase the value delivered by IT
• Reduce business downtime
• Reduce data loss or theft
• Reduce the time and money spent to pass and sustain audits.

Who should be interested: senior managers in IT, audit, risk, and compliance
Time to value: minutes

Regardless of size or industry, most organizations are continuously looking to improve operational effectiveness across all functions, and IT is no exception. Assess yourself and your organization with the Assessments@ITPolicyCompliance today.

Which Yield Better Results: SDLC, ITIL, ISO, BSC, ITPM, COBIT or CIS?

Thursday, December 2nd, 2010

• When it comes to aligning and managing the value proposition of IT, is there a difference between the wide-range of frameworks being used by organizations?
• Does it matter which framework is employed to manage service-levels, business risks, and compliance with policy or regulatory audit?
• Which approach works best: choose one and standardize across the organization; or use several to optimize value, reduce risk, and sustain compliance?

The new Assessments@ITPolicyCompliance for Frameworks and Standards compares your choices to manage value, risk and compliance against the real-world choices and practices at more than 3,600 other organizations.

Visit: www.ITPolicyCompliance.com/Assessments/ to find out more

Find the answers to how your practices for Frameworks and Standards compare with:
• your industry
• your peers, and
• best performers

Practices for Frameworks and Standards covered by the assessment include:
• ITIL – IT Infrastructure Library
• IT Portfolio Management
• COBIT – Framework for IT governance and control
• ISO 20000 service framework
• COSO risk management standard
• ISO 17799 or 27002 security standards
• CIS (Center for Internet Security) benchmarks
• Balanced Scorecard
• SDLC (Systems or software Development Lifecycle)
• How integrated these are in existing procedures

Visit: www.ITPolicyCompliance.com/Assessments to find out more

Specific to your industry and size of your organization, the confidential and free assessment delivers immediate feedback on how well, or poorly, your use of frameworks and standards for managing value, risk and compliance compare to your industry, your peers and the best performing organizations.

More important, the intuitive risk-index of the Assessments@ITPolicyCompliance enables you to quickly identify changes to your practices that will:
• Improve the value delivered by IT
• Reduce business downtime
• Reduce data loss or theft
• Reduce the time and money spent to pass and sustain audits.

Who should be interested: senior managers in IT, audit, risk, and compliance
Time to value: minutes

Regardless of size or industry, most organizations are continuously looking to improve operational effectiveness across all functions, and IT is no exception. Assess yourself and your organization with the Assessments@ITPolicyCompliance today.