Browsing articles in "Compliance and Regulation"

10 Ways I Can Steal Your Data: eBook

I wrote an eBook sponsored by SolarWinds. I share real-life stories of non-traditional, non-hacker ways I can steal your data. You can download the PDF for free (registration required).


I’ve also been contributing a blog series over on THWACK, 5 MORE Ways I can Steal Your Data, 5 More Ways I Can Steal Your Data: Work for you and Stop Working for You, 5 More Ways I Can Steal Your Data: Accessing Unmonitored Servers and Services, 5 More Ways I Can Steal Your Data: Ask the Security Guard to Help Me Carry it Out.  There’s one more post coming up soon, too.

Data protection from a data architect’s point of view is going to be a big focus of mine over the next year or so.  I’m hoping it will be yours, too.

Canadian IT Pros: Win a 3D Movie Pack

Want to do some learning AND have a chance at winning one of 200 3D Cineplex Movie Prize Packs?

Just register and complete 2 Microsoft Virtual Academy courses about Windows 10, the cloud, and more.


So get registered, take two modules or more, and tell me what film you see with your winnings.

Big Challenges in Data Modeling: Ethics & Data Modeling–24 April

Modeling with Graeme

I have a great topic and panel for this month’s Big Challenges in Data Modeling webinar on Thursday, 24 April 2014, 2:00 PM EDT. It’s free, but you have to register to get the log in information.

Ethical Issues in Data Modeling

We’ll be talking about the nature of ethics, data and data modeling.  I bet all of you have been placed in a tough situation before, either by other IT professionals or by business users who ask you to do something that you aren’t sure is ethical.  Maybe it’s legal, maybe it isn’t.  Maybe it’s about protecting data or data quality.

Some of the topics I hope we can discuss:

  • What is the nature of ethics?
  • How do ethics differ from morality? Legality?
  • Can ethics be taught?
  • Where does ego come into play here?
  • What about Codes of Ethics and Codes of Conduct?
  • Is there one right answer? Is there an always wrong answer?
  • What’s the difference between a whistleblower and a tattletale?
  • What tools do we have in making ethical decisions?
  • How should we deal with unethical co-workers? Management? Customers?
  • What does it all mean, anyway?

Ethical Situations in Data and Data Modeling

  • If the answer is always “it depends”, what does it depend on?
  • What if faster data means lesser data quality?
  • Have you ever been asked to falsify a status report?
  • Have you had to deal with someone else who provided incorrect information to a business user or management?
  • Have you ever been asked to look the other way when security policies are being broken?
  • Have you raised an issue of data protection that was ignored? Or minimalized?
  • What about using production data for testing and development?
  • What if the data is right, but the transformations or reporting is wrong?
  • What if it’s intentionally wrong or misleading?
  • Have you ever had to deal with someone else’s ego?
  • Have you escalated an ethical issue? What about a legal one? A moral one?
  • Do data modelers have distinct areas that we need to watch out for when it comes to ethics?
  • Have you ever left a job or project due to ethical reasons?

Panelists

Len Silverston (http://www.univdata.com/ | @lensilverston ), author of Universal Data Models I, II, III, speaker, coach, consultant, trainer.

Denny Cherry (http://dcac.co/ | @mrdenny ), author of Basics of Digital Privacy, Securing SQL Server and other books, speaker, consultant and trainer.

Tamera Clark (http://clarkcreations.net/blog/ | @tameraclark ), speaker, volunteer, Business Intelligence expert.

Kerry Tyler (http://www.airbornegeek.com/ | @airbornegeek ), speaker, volunteer, Business Intelligence Developer.

YOU! Our webinars consider attendees as panelists. You’ll have the opportunity to ask questions, chat with other attendees and tell your own stories. You can even arrive early and stay late for our pre-show and after-show discussions.

Register now and bring your ethical questions and comments.

Let’s Talk Data Modeling, Privacy, Data Breaches and the Role of Data Architects 28 Feb

Tomorrow, Thursday 28 February at 2:00 PM EST, I’ll be moderating a panel of expert data modelers as part of my Big Challenges in Data Modeling series at Dataversity.net. In this month’s webinar, we’ll be debating the role of data architects in how we can best support business processes related to data privacy, data security and compliance. We’ll start by talking about recent data breaches and privacy issues.

One of the more contentious debates I have on projects is whether or not data modelers and architects should even have a role in these processes.

Joining me for this month’s panel are:

  • Eva Smith ( @datadeva | blog ), Director of Information Technology at Edmonds Community College (EdCC), where she oversees college IT functions and serves on the IT Commission for the Washington State Community and Technical College system. Eva also volunteers for DAMA International on the Editorial Board for the Data Management Body of Knowledge (DMBOK) Version 1, and as DAMA-I liaison to the Institute for Certification of Computing Professionals (ICCP).
  • Loretta Mahon Smith ( @silverdata ) is currently the IBM Global Business Services, Business Analytics & Optimization Lead for the Data Modeling Center of Excellence. She has an extensive background in the financial services industry and is also a long-time DAMA volunteer.
  • Peggy Schlesinger is a well-respected Master Enterprise Architect with Intel Corporation with a long history in Master Data Management. She is currently working on the Semantic Definition for the enterprise to improve and accelerate Business Intelligence, and is moving the environment toward Self-Service Business Intelligence.
  • YOU

As always, our last panelist is YOU! Unlike many webinars, we run these as highly interactive events. We have a formal Q&A for when you want to ask a question of the panel, but we also have a peer-to-peer chat open so that you can discuss what you’re hearing in real time. We try to keep track of what’s going on in the chat so that we can comment on and address the points being raised there. I love this feature and hope you will join us to be part of this event.

If you have a topic or question you’d like us to address, leave a comment below and we’ll try to work it in.

Also, if you are unable to make the webinar, you can register now anyway and listen to the recording later.  So get registered now.

Got Health Data? Your Penalty Exposures for Data Breaches Just Increased

Jan 30, 2013   //   by Karen Lopez   //   Blog, Compliance and Regulation, Data, Data Breach  //  1 Comment

I’ve been blogging about health data breaches lately, but I’m not sure if there are more of them or if the reporting requirements are more strict.  I suspect the latter.

One of the things I’ve noticed is that many of the breaches seem to be multiple exposures by the same organization, which is one of the things addressed by the recent HIPAA Omnibus Final Rule that implements the HITECH Act’s penalty provisions. You can see from the quote below that not only has the cap on the penalty been increased, but the penalties for repeat violators are higher.

Given the sensitive nature of health data, I’m still thinking that we need to move more towards criminal penalties for wilful neglect and repeat violations.

In addition to redefining the scope and liabilities of business associates in the healthcare industry, the final HIPAA omnibus rule includes revisions to the penalties applied to each HIPAA violation category. While the American Recovery and Reinvestment Act of 2009 (ARRA) initially established a tiered penalty structure, it hasn’t been revised until now.

Section 160.404 refers to the amount of civil monetary penalty as administered under the HITECH (Health Information Technology for Economic and Clinical Health) Act. The original penalty structure used to be:

(original penalty tier table shown as an image in the source article)

via HIPAA Violation Penalties Rise in Response to Data Breaches | SmartData Collective.

Do you think companies are bearing enough of the responsibility for protecting our data?  Do you as a data professional get enough support from management to ensure that data is protected?

Federal Department Bans Use of Portable Devices (YAFF)

Jan 22, 2013   //   by Karen Lopez   //   Blog, Compliance and Regulation, Data, Data Breach  //  4 Comments


I thought I had blogged about this Canadian data breach, but I guess not.  All these data breaches are coming so fast it’s hard to keep up. In this report, we have another YAFF: a portable hard drive being used as a backup device.

It looks like Human Resources and Skills Development Canada (HRSDC) will be taking a three-pronged approach to protecting our data: first, a new policy banning portable storage devices; second, use of data loss prevention (DLP) technologies; and third, establishing consequences for staff who cause a data breach.

OTTAWA — The federal department at the centre of a massive data breach says it is banning the use of portable data devices in its offices, using new technology to prevent information from being easily removed from the network and warning any staff that violation of the new rules could mean the loss of their job.

Human Resources and Skills Development Canada (HRSDC) said Monday that it will start using “data loss technology,” which would allow the department to restrict when, where and which staff can remove information from government systems. Reviews have already started to see what risks the use of secured, portable data devices, such as USB memory sticks, carry in the department’s work and whether there are enough safeguards to prevent another massive breach of personal information from happening again.

via Federal department bans use of portable devices after personal data breach | canada.com.

Their loss of more than half a million student loan borrowers’ data has led to class action lawsuits.  A missing external hard drive is the hardware piece of this breach; the fact that this drive contained unencrypted backups is the behavioural issue.  Perhaps we need to start thinking about how to train end users on the consequences of moving data from “the system” to any place else, even for backup purposes.

Is there a solution?

I have more questions than solutions here, though. Usually enterprise backup solutions involve software plus a server or an external service. I’m not sure why HRSDC was using a portable hard drive for backup. They are harder to manage, they tend to walk away, and they aren’t that reliable. So I’m going to guess here that this device was a personal device or was being used to sneakernet files from one location to another. Perhaps from office to home, or from office to office. Both of those scenarios bother me because they most likely were not official methods for doing these tasks.

I don’t think there’s one answer.  Training, policy, inspections, consequences, real monitoring and protection, more training, more inspections, some tough decisions.  It’s a complex issue that will require complex responses.  I’d like to hear what other organizations are doing to mitigate data breaches.
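As an added example (not from the original post, and not anything HRSDC has published about its own controls), here is what the second prong, technically restricting what can leave the network on removable media, looks like on Windows. The script audits and sets two Computer Configuration policies through their registry backing store: "Removable Disks: Deny write access" (a hard block) and the BitLocker policy "Deny write access to removable drives not protected by BitLocker" (writes allowed, but a lost drive holds only ciphertext). The key paths, value names and the removable-disk class GUID are the standard ones for those policies; running elevated on Windows 8.1 / Server 2012 R2 or later is assumed.

```powershell
# Added example: audit and enforce Windows removable-storage write policies.
# Assumes an elevated session. These registry values are what the Group Policy
# editor writes for the two settings named in the comments below.

# Device class GUID that the "Removable Storage Access" policies use for removable disks.
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$RsdKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"
$FveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-RemovableStoragePolicy {
    # Reports both settings; $null means "Not Configured" (i.e. writes allowed).
    $rsd = Get-ItemProperty -Path $RsdKey -Name Deny_Write -ErrorAction SilentlyContinue
    $fve = Get-ItemProperty -Path $FveKey -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # "Removable Disks: Deny write access"
        DenyWriteRemovableDisks  = if ($rsd) { $rsd.Deny_Write } else { $null }
        # "Deny write access to removable drives not protected by BitLocker"
        DenyWriteUnlessBitLocker = if ($fve) { $fve.RDVDenyWriteAccess } else { $null }
    }
}

function Set-RemovableStoragePolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('BlockAll', 'RequireBitLocker')]
        [string]$Mode
    )
    switch ($Mode) {
        'BlockAll' {
            # Hard block: no writes to any removable disk. Matches a "ban" policy.
            New-Item -Path $RsdKey -Force | Out-Null
            Set-ItemProperty -Path $RsdKey -Name Deny_Write -Value 1 -Type DWord
        }
        'RequireBitLocker' {
            # Softer control: the OS mounts unencrypted removable drives read-only
            # and prompts to enable BitLocker To Go before allowing writes.
            New-Item -Path $FveKey -Force | Out-Null
            Set-ItemProperty -Path $FveKey -Name RDVDenyWriteAccess -Value 1 -Type DWord
        }
    }
}

# Usage (elevated):
#   Get-RemovableStoragePolicy
#   Set-RemovableStoragePolicy -Mode RequireBitLocker
#   gpupdate /force      # or reboot; the setting applies to drives inserted afterwards
```

Setting the value directly on a standalone machine is fine for a lab; in a domain the same settings should be deployed as a GPO so that a local admin cannot quietly revert them, and the audit function above is then useful as a drift check. Neither setting stops someone uploading a backup to a webmail account, which is the scenario in the Utah post further down; that needs network-side DLP or egress controls on top.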

Utah Health Department – Yet Another Flashdrive FAIL (YAFF)

Jan 18, 2013   //   by Karen Lopez   //   Blog, Compliance and Regulation, Data, Data Breach, Data Stewardship  //  2 Comments


I think we need to have an industry acronym now that this seems to happen every week.  My proposals:

  • Yet Another USB Breach (YAUB)
  • Blame A Thumbdrive (BLAT)
  • Yet Another Flashdrive Fail (YAFF)

I like the YAFF one best, so I’m going with that, even though the #FAIL really isn’t in the hardware, but in the abuse of policy and hardware to cause a data breach.

This week’s YAFF announcement comes again from Utah, where a contractor with access to sensitive health data lost a USB flash drive somewhere between Salt Lake City, Denver, and Washington, DC.

What’s different about this news story is that we get more insight as to why that data was on a portable device. And it’s just as I prognosticated in a previous post: the contractor was frustrated with an infrastructure issue.

The contractor, Goold Health Systems, handles Medicaid pharmacy transactions for the Health Department. Department spokesman Tom Hudachko said the GHS employee, identified only as a woman from Denver, was having trouble with an Internet connection Thursday while trying to upload the data to a server. The employee saved the personal information to an unencrypted USB memory stick and left the Health Department with the device. The employee lost the stick sometime in the following days while traveling between Salt Lake City, Denver and Washington, D.C.

(emphasis mine)

via Utah health department reports another data breach | NewsOK.com.

The contractor lost her job over this.

People Forget Policy When They Are Frustrated or Stressed

I once found a QA contractor cursing at his computer because he was having trouble sending a large file via his Hotmail account. I offered to help. When he showed me what he was doing I just about had a heart attack. He had been trying to send our offshore contractor a copy of a production database backup. This backup contained names, addresses, phone numbers, credit card information (no, the legacy system shouldn’t have been storing this information, but it did), SSNs, driver’s license numbers and other forms of ID. It was an identity theft treasure chest of awesome.

When I asked him why he was trying to email this information to our offshore contractor, he said he was frustrated that the corporate email system would not let him email such a large file.

He told me the only reason he did this was that he had to get the bug logged and fixed before the weekend because he had plans to be away. He also forgot that production data was never supposed to leave the building. I’m not sure he ever really felt that what he was doing was wrong, or had any idea why emailing sensitive data was wrong.

The other shock I got was that it was a production DBA who had given him the backup.  When I asked the DBA why he did this without even asking what it was for, he said "I was really busy and didn’t have time."

I wonder just how many times this scenario plays out every day in offices around the world.

Love your data, even when you are stressed.  Especially when you are stressed.
