Businesses, small and large, have to deal with workplace information protection and privacy to some extent. The degree, to which these businesses and their management protect their confidential information including employee and client personal information, depends largely on a) their self-interest, b) the regulated environment in which they operate and must comply with, and c) their desire for good business practice.
Many businesses have trade secrets, which if stolen can provide competitive disadvantage and either end their business life, or if they’re lucky, just vanish their expansion and growth aspirations simply put. Therefore, they must protect that business confidential information at any price or they’ll disappear in no time. Businesses spy on each other all the time for valuable trade secrets to help them gain competitive advantage over whether it’s the launch of a new product and service or improvement of existing processes to increase efficiency, productivity and client base. Each business must determine what information is important to them and place security controls around them to secure their business viability and future growth. This is what I mean by “self interest”, protecting something that’s important. Other areas of self interest are financial fraud and to a lesser degree management attachment to the information protection field as certain key management members may be more security conscious than others, possibly due to their past professions and experiences, and therefore place importance on workplace information protection.
Some businesses, depending on the nature of their business and industries in which they operate, have been scrutinized for many years and continue to be heavily regulated by the government such as financial institutions and healthcare companies. Businesses spend a lot of money just to keep up and comply with such regulations. Although, we can always debate over the usefulness of these laws and whether they’re worth the cost companies have to pay in order to comply, there is no doubt that following many of the business scandals and loss of public confidence, the government had to do something to prevent another corporate financial disaster that wipes out people’s retirement accounts, or another personal data leak that leads to mass identity theft and identity fraud. These laws, to some extent, help improve the corporate security controls by raising awareness, visibility, authority and oversight, and ensure confidentiality, integrity and availability of personal and financial data, but we need a national law, similar to the European Data Protection Directive, to address the workplace information protection issues in a consistent manner. There are too many laws floating around, at the federal and state level, overlapping each other, which if consolidated can address most of the risks in a consistent manner. But right now, the laws are too scattered, and may or may not apply to certain industries or even address all workplace information protection risks. Below are a few of the laws that companies have to comply with:
The Gramm Leach Bliley Act or GLBA was created to modernize the financial institutions' privacy law. In general GLBA relates to a "best practices" protection for an individuals' banking statements, social security number, credit card numbers, tax information or other personally identifiable information (PII).
Health Insurance Portability and Accountability Act or HIPAA, which applies to practically all healthcare plans and providers, required improved efficiency in healthcare delivery by standardizing Electronic Data Interchange, and protection of confidentiality and security of health data through setting and enforcing standards.
The Sarbanes-Oxley Act was signed into law in 2002 to improve corporate governance and ensure integrity of financial data. It introduced stringent new rules to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.
The Federal Red Flags Rule which had to be adopted by covered entities in November 2008, requires financial institutions and creditors with covered accounts to implement an identity theft prevention program.
The details behind some of these laws and others that impact identity theft and workplace information protection can be found in the identity theft laws section. These regulations often require establishment of many security components such as policies, procedures, standards, and an executive security position for managing workplace information protection risks among others.
Having adequate workplace information protection controls just makes good business sense and not only can it save money spent on endless investigations, public relations, consumer notification and recovery of lost data, but can also build consumer confidence. Would it not make sense to secure the online transactions and protect the business and client information at the same time? Consumers are more reluctant to do business online as news of data leaks continue to emerge in the business sections of major newspapers almost weekly, but, would be more inclined to trust doing business online if businesses were able to buy their confidence back through their actions.
We will explore in detail 1) the scope of the information that needs protection, 2) the nature of the information to be protected, 3) rational for and extent of data protection, and 4) strategies for managing workplace information protection.
General Risk Areas
Biometric Authentication To improve security, many modern businesses are beginning to implement biometric authentication to prevent identity theft.
Internal and External Certification This article describes the basic difference between internal and external certification as it relates to professional development in a simple and concise language.
Managing Identity Theft Risks Managing identity theft risks should be a priority for many organizations because identity theft incidents are on the rise, can happen to many businesses, and can often have devastating consequences for companies and their customers.
Offshore Outsourcing Security Risks There are many offshore outsourcing security risks that create real challenges for companies, especially in the areas of privacy management and regulatory compliance.
Cybercrime Cases and Scenarios Cyber criminals are increasingly presenting us with creative cybercrime cases and scenarios as our digital universe continues to be connected.
Stolen Employee Access Password According to a few research studies, stolen employee access password is by far the leading cause of system hacking cases and data breach incidents.
Managing Emails That Contain Personal Information Preventing emails that contain personal information from being sent to employees or outside of an organization is a step that many organizations take to manage risks.
WordPress Plugin Security Risks The WordPress plugin security risks are many and can negatively affect millions of websites that use the WorPress program if plugins are not managed properly.
New Cybersecurity Challenges Due to the global Internet connectivity of many devices and networks, the computer security risk landscape has expanded and includes many new cybersecurity challenges.
Becoming a Cybersecurity Expert This cybersecurity career guide intends to encourage and educate IT professionals and students for becoming a cybersecurity expert in a growing field. Download a copy of the ebook.
Top Information Security Certification Top information security certification among most in demand information security certifications is the Certified Identity and Access Manager (CIAM) designation which we will cover in this article.
Smart Device Security Risks Smart device security risks will increase as we embrace an increasing number of Internet connected devices also called Internet of Things or IoT.
Access Certification Access certification is a regulatory compliance requirement and chances are that your information security policies require managers to review and validate access for their employees.
Identity and Access Management Market The identity and access management market will grow from $7.2 Billion USD in 2015 to $12.78 billion USD in 2020, forecasting an expected annual growth rate of 12.2%.
Vendor Risk Management When companies place their trust in others to serve them and ultimately their customers, they must have some assurance that the vendors are managing the risks.
Selecting IAM System Identity Access Management or IAM system brings together a set of enterprise processes to manage user identities and their access to systems and data in order to secure company assets.
How We Increase Data Security Risks We have to discuss how we increase data security risks before we can discuss how we can reduce information security risks.
Know Your Employee A "know your employee" process validates the employee identity and background before they are hired and monitors their activities for as long as they remain employed.
Expand Privacy Skills As privacy regulations and requirement evolve, privacy professionals must expand privacy skills to understand and assess the security controls within their organizations.
Managing Information Security Violations Managing information security violations is an important part of a comprehensive information security program. Learn why some violate the security policies and how to manage the risk.
Difference Between Privacy and Security As security or privacy professionals, we’re often asked “what is the difference between privacy and security?” This article discusses their differences and interrelationship.
Security Risks of Human Errors Human errors are the biggest contributors to data security breach incidents which can be addressed with a combination of technology, processes and training to reduce risks.
Data Breach Trends When we analyze information security incidents, there are many pieces of information that can be used to establish data breach trends and help us improve security to prevent future events.
Data Protection Officer The required skillset around regulatory knowledge, communication, audit, risk assessment, and cyber security makes it difficult to find a qualified Data Protection Officer for workplace information protection.
Data Protection Safeguards There are 3 categories of data protection safeguards that information security professionals must consider when planning their data protection and compliance efforts.
Personally Identifiable Information (PII) Personally Identifiable Information or PII can be considered Sensitive Personal Information (SPI) or non-sensitive personal information. You can find the complete PII list here.
Government Security Lawsuit In a recent government security lawsuit, the Federal Trade Commission claimed that Wyndham Worldwide Corporation failed to adequately safeguard its computer systems and won the case. Workplace information protection can be a huge liability for companies.
Cyberliability Insurance Cyberliability insurance may not prevent a company from going out of business after a data breach but can place customers and regulators at ease while covering some of the data breach costs.
Spoofing and Phishing Although the terms spoofing and phishing may seem to mean the same thing, there is a clear difference between the two acts which we explore in this article.
General Data Protection Regulation The European Union will soon propose and enforce the General Data Protection Regulation (GDPR) which will offer the most comprehensive data protection reform to date.
Certified in Data Protection Certified in Data Protection or CDP is a global and comprehensive data protection training and certification program designed and administered by Identity Management Institute.
Employees Pose the Greatest Risk Company employees pose the greatest risk to an organization for many reasons but mainly because they have authorized and trusted access to critical information and assets.
Identity Management Overview The term “identity management” refers to policies, processes, and technologies used for controlling user access to systems and information. Read this identity management overview article for details.
Certified Identity and Access Manager (CIAM) The Certified Identity and Access Manager™ (CIAM) designation is the leading international credential which is vendor-neutral and created for experienced identity and access management professionals.
Data Obese Companies are considered data obese when they possess unneeded data which is collected, created and mismanaged by the enterprise in the course of the business.
Data Breach Incident Lessons As more and more personal data breach incidents occur and become highly visible, there are a few things that organizations can learn from data breach incident lessons to improve security.
Password Attacks Hackers often resort to password attacks to penetrate business systems and user accounts because passwords are often weak and used repeatedly for accessing multiple accounts.
What is Private Information Before we secure personal data , respond to personal data breach incidents, and assess risks, we have to be able to clearly answer what is private information.
Data Breach Response Steps As we hear stories about data breach incidents at our own companies or elsewhere, there are certain steps that we have to take by law and for risk management purposes.
Data Breach Response Companies must consider various options with regards to a data breach response when the incidents occur within their own business boundaries and elsewhere.
Identity Theft Confusion To avoid identity theft confusion, identity theft prevention and fraud mitigation efforts within an organization must be clearly defined and assigned the appropriate responsibility.
Workplace Identity Theft Response Businesses must develop and implement a workplace identity theft response program in light of increasing data breaches and popularity of big data and cloud for processing and storing data.
Unauthorized Address Change Requests Unauthorized address change requests are sometimes used to commit fraud and companies must implement proper address change management procedures to detect and prevent fraud.
26 Identity Theft Red Flags The Federal regulation specifically calls out 26 identity theft red flags that companies should consider as part of their identity theft prevention and training programs.
Managing Customer Address Discrepancy Managing customer address discrepancy is mandatory by laws and a reasonable identity risk management practice. This article discusses methods for validating customer address discrepancies.
Red Flags Rule Compliance Audit The primary objective of the Red Flags Rule compliance audit by Identity Management Institute is to give stakeholders the assurance that the Identity Theft Prevention Program is adequate.
Professional Relationship Management Whether a professional is an employee working within a team or an independent service provider, having great professional relationship management skills is essential for managing others.
CIPA® Critical Risk Domains The CIPA® Critical Risk Domains™ (CRD) define the knowledge areas for professional training and certification in the field of identity theft protection.
Is business identity theft the next battleground? Business identity theft is the next battleground for businesses which must protect their brand assets and criminals who see digital brands a as easy and valuable targets.
Professional Information Verification Professional information verification as it relates to employment applications and service provider claims is one of the best ways to detect employment fraud and ensure service provider integrity.
Workplace Identity Theft Solutions Companies should have an identity theft prevention plan as part of their workplace information protection solutions to prevent identity theft knowing that data breach incidents are inevitable.
Employee Red Flags Rule Training Many companies are now required to provide employee Red Flags Rule Training for compliance and identity theft prevention purposes.
5 Identity Theft Focus Areas There are in general 5 identity theft focus areas in the workplace that we must concentrate on to detect identity theft and prevent identity fraud.
Customer Identification Requirements Regulated companies such as banks must abide by customer identification requirements and implement a written Customer Identification Program (CIP) appropriate for their size and type of business.
I Received an Email From Target I received an email from Target to notify me about the fact that I was one of the potential victims of their data breach and that Target was offering free credit monitoring for one year.
Identity Theft Impacts Others This article discusses how identity theft impacts others as well as what governments, customers and other impacted companies are doing to manage the potential identity fraud risks.
Identity Risk Manager Certification The Certified Identity Risk Manager™ designation is the leading international identity risk manager certification which addresses all identification, workplace information protection, privacy, fraud, and compliance risks.
Best Way to Share Files Securely We often have to share confidential documents with others for various reasons but we have to make share we share files securely as much as possible.
Keep Criminals Out of Your Business Companies must fight to keep criminals out of their businesses where valuable information and other assets exist because criminals increasingly join highly valuable businesses for personal gain.
2013 Identity Theft Industry Analysis This article summarizes the results of a 2013 identity theft industry analysis. The final report focuses somewhat on the current market, service users, and industry trends.
Identify Bad Checks Employees who handle checks must be trained to identify bad checks and reject them before they are accepted for further processing which may not be cost effective.
Criminal Justice Information System (CJIS) The Criminal Justice Information System (CJIS) is the world’s largest repository of criminal records and entities accessing this FBI system must comply with the CJIS security policy.
Government Inconsistency Government inconsistency in the context of privacy is the greatest risk to its own credibility, national security and regulations.
Vendor Assurance When a company outsources services to a vendor, it must also perform some type of vendor assurance review or audit to make sure the vendor is not placing the company at risk including its workplace information protection policies.
Identity Theft Program Implementation If identity theft program implementation is on your mind and you are wondering how you can comply with the requirements of the Red Flags Rule, read this article.
Identity Management Training Identity management training must be a required component of any effective identity risk management and compliance program which is managed centrally as much as possible.
Workplace Identity Obesity Workplace identity obesity which is the excessive collection, retention and sharing of customer information is a real threat to consumer identity privacy and protection.
Is Your Organization Preventing Identity Fraud? Identity theft is on the rise and management must address all aspects of an effective identity theft prevention program including employee training for preventing identity fraud.
Who is Watching the Security Chief? As companies establish information security groups and assign information security staff and manager to monitor computers and protect their company assets, who is watching the security chief?
Identity Theft Speaker An expert identity theft speaker can inform the audience about identity theft threats and educate them about the latest techniques to prevent, detect and resolve identity theft. Engage one!
Identity Theft Risk Analysis Identity theft risk analysis is an absolute necessity and regulatory requirement to identify and address all identity theft risks.
Identity Risk Management Certification An identity risk management certification is gaining recognition as professionals attempt to manage growing identity risks within their corporate environments.
Fraud Training Employee fraud training for preventing identity theft, reducing fraud costs, and avoiding penalties by complying with the Red Flags law is absolutely critical which must be handled by qualified staff.
Trusted Cyberspace Identity Strategy The trusted cyberspace identity initiative known as the National Strategy for Trusted Identities in Cyberspace (NSTIC) aims to improve workplace information protection as well as online identification, authentication and privacy.
Address Change Fraud Address change fraud committed through social engineering is one the non-technical and easy scams used to steal customer information and commit identity fraud.
Identity Theft Prevention Program A comprehensive, well documented and fully executed identity theft prevention program is a workplace information protection necessity to properly address all identity theft risks and comply with various identity theft laws.
Bad Business Reputation Identity theft and fraud can inflict bad business reputation on companies which fail to protect their customers against fraud and privacy violations due to negligence.
Corrupt Insiders Corrupt insiders are major threats to a company’s information and intellectual property assets and there are behavioral and technical safeguards which must be considered to manage criminal acts.
Customer Education Customer education is not only mandatory under certain laws but also a great business practice to reduce security risks and fraud costs resulting from customer’s lack of awareness and education.
Red Flags Rule Shortfalls Red Flags Rule shortfalls must be understood and considered to address all identity theft risks when implementing an identity theft prevention program while complying with the identity theft law.
Social Security Number Verification As the majority of companies rely on a social security number to validate a customer’s identity for running their businesses, social security number verification is a necessary step in the process.
CIAM and CIPA Differences This article aims to address commonly asked questions about the differences of the CIAM and CIPA designations.
Red Flag Training Companies affected by identity theft or Red Flags Rule and FFIEC compliance must strongly consider a professional red flag training and certification for their employees and identity theft programs.
Comply with Red Flags Many businesses and organizations fall within the definition of the federal identity theft prevention law who must comply with Red Flags Rule. Are you a covered entity?
Identity Theft Risk Management Identity theft risk management efforts are usually concentrated around four general areas which are protection of personal information, compliance, fraud prevention and lawsuits.
Office Privacy Office privacy is a great corporate benefit which is no longer offered and if anyone wants to remain private, they should open their own business and disconnect from the Internet.
Employee Fraud Risk When risk managers perform risk assessments to identify threats facing their organizations, they should consider an employee fraud risk a real threat to the company and propose mitigating solutions.
Identity Theft Certification The Certified Red Flag Specialist (CRFS) program is an identity theft certification and training program closely aligned with the federal Red Flag identity theft risk management and prevention law.
Chief Identity Theft Prevention Officer In light of increasing identity theft risks and federal Red Flags Rule enforcement, companies concerned with identity theft and compliance must consider a Chief Identity Theft Prevention Officer.
Call Center Training Many companies realize the necessity of call center training for reducing customer service risks including fraud, corporate espionage, customer disloyalty, lawsuits and penalties.
Risk Management Certification There are many risk management certification options in the marketplace. Some are general while others are more specific in nature which may be selectively combined for full risk management coverage.
Negligence Ripple Effect When companies which collect millions of personal records are careless about workplace information protection, their negligence ripple effect goes beyond their business boundaries affecting other companies.
Certified Red Flag Specialist ™ (CRFS) Identity Management Institute (IMI) has introduced the Certified Red Flag Specialist ™ (CRFS) program to train, test and certify professionals responsible for supporting the Red Flag program.
Red Flag Compliance Covered financial institutions and creditors must adhere to the Red Flag compliance rules and may be subject to regulatory audits and non-compliance penalties.
Red Flags Rules The Red Flags rules are the set of requirements that financial institutions and creditors must follow to implement the necessary controls to prevent, detect and respond to identity theft.
2010 Security Incidents The 2010 workplace information protection incidents have been collected from limited but credible sources and there are some interesting conclusions when compared to prior year data breach incidents including status quo.
Certified Identity Risk Manager The Certified Identity Risk Manager designation is developed by Identity Management Institute for experienced professionals who contribute to the collective identity management practices of a company including components of workplace information protection.
SAS 70 to SSAE 16 Transition As service organizations attempt to boost client confidence by reporting their validated controls, audit standards will change from SAS70 to SSAE16 on June 15, 2011 requiring additional information.
New Hire Identity In order to validate a new hire identity and confirm completeness and accuracy of employment applications, many techniques should be considered including forward and backward background checks.
Passport Privacy Violation The US State Department continues to uncover other passport privacy violation cases of their workers breathing too closely into the passport information of famous figures.
Organized Medicare Fraud This organized Medicare fraud is reportedly the largest case apprehended which involved many shadow clinics, stolen identities of many doctors and Medicare patients, and over $100 million in claims.
Electronic Health Record Patient health information is converting to electronic health record and to expedite the transition, the US government is offering a unique cash incentive program to eligible program participants.
Information Security Purposes Depending on the type of organization, there are generally three information security purposes; securing the business information, protecting customer information, and, complying with various laws.
Internet Security Initiative An internet security initiative was announced by the Department of Homeland Security (DHS) which aims to improve cyberspace and secure online identification.
Define Personal Information We must first define personal information per the appropriate privacy laws in order to properly identify and protect them.
Protect Stored Information As confidential information is stored on mobile storage devices, management must protect stored information through policies and automated tools for detecting and preventing unauthorized storage.
Thought Authentication Although somewhat futuristic, thought authentication may just be the next generation of authentication mechanism for accessing systems.
Influential Information Security Leader I have identified the top three characteristics of an influential information security leader to be trust, credibility and reporting level within the organization.
Customer Role Businesses must acknowledge the customer role as a business partner in the battle against identity fraud and provide the necessary customer awareness and education.
Company Identity Theft Similar to consumers, businesses are not immune to identity theft and in fact company identity theft is a serious threat to any business with credit lines and great reputation.
Certified Identity Protection Advisor ™ Become a Certified Identity Protection Advisor ™ (CIPA). Learn about the exam and certification process.
Employing Ex Hackers Employing ex hackers to help identify computer security vulnerabilities is a smart idea as they are highly skilled, but such actions must be carefully managed to maintain workplace information protection.
Identity Theft Lawsuits I've recently been asked what the future holds for companies and consumers from an identity theft risk standpoint. My answer is more identity theft lawsuits.
IdentityMate Consulting IdentityMate is an identity risk management firm providing workplace information protection solutions to both consumers and companies.
Privacy or Security Some people still lack the knowledge about the privacy or security roles. This article might shed some light on their differences and similarities.
Poor Identity Management The purpose of this article is to discuss poor identity management practices on the part of business management and consumers which lead to identity theft, fraud, privacy violations and poor overall workplace information protection practices.
2008 Security Incidents It was recently reported that the 2008 security incidents were on the rise compared to 2007 and there are very good reasons why. Let's explore the causes for these incidents.
Identity Management Institute Identity Management Institute is established to redefine the identity management field, help professionals connect to one another, increase identity risk awareness and help solve identity challenges.
Policies and Procedures Policies and procedures are major tools to reduce an organization's risks and as such must be carefully developed for high risk areas of any organization.
Identity Safeguard Companies which must collect and manage customer private information as part of their business operations must incorporate and monitor the identity safeguard controls.
TJ Maxx Identity Theft The computer intrusion case inflicted upon TJ Maxx continues to be one of the largest and most complex identity theft casees in recent workplace information protection history.
System Accounts System account management is one of most challenging workplace information protection areas that must be properly managed to reduce the risk of account misuse and lack of ownership.
Data Breach Notification Following a personal information security incident, a consumer data breach notification is necessary to team up with customers to prevent and detect fraud.
Security Negligence Information security negligence is a common occurrence although businesses are starting to slowly address business related information security risks.
Chief Education Officer Large and regulated companies must assign a Chief Education Officer to coordinate all corporate training efforts and manage business risks including regulatory compliance.
Corporate Security Accountability - Management must assume corporate security accountability to effectively protect consumer information and comply with information security laws and regulations.
Just Needed Training Employee training needs must be properly assessed to develop a focused training scope. Just Needed Training provides a process to effectively define, prioritize and provide training.
Information Security Risks These are some of the most important information security risks for the information security function within any organization in possession of confidential information assets.
Data Security Breach As we continue to see more data security breach cases, their causes continue to remain the same.
A Factual Article Is Not Inclusive Of All Risks When writing an article about a certain risk, some factual article may be based on objective facts as evidenced in the news, but others may just be based on subjective judgment.
Fraud Notification Process When companies face stolen or lost personal information, they must carefully consider the fraud notification process, which includes discovery, identification and fraud probability assessment.
Fist In A Bucket Of Water Some may think an employee is just a fist in a bucket of water, but without key performer employees, long term business success may not be assured.
Information Security Strategy Businesses have often confidential and personal information that they need to protect and as such must have a workplace information protection strategy.
Stop Crook Employers Beware of crook employers and CEOs who would sell their client and employee information to make an extra buck.
Unauthorized Sale Of Personal Information Believe it or not, trusted company employees sell consumer data to criminal gangsters for profit. It's a win-win for both parties.