25 February 2014


Posts relating to the category tag "policies" are listed below.

25 February 2014

SANS 2014 Report on Application Security Programmes

The SANS Institute has published the results of a survey about application security programmes.

Partial screen capture of one of the charts from the SANS report 'Survey on Application Security Programs and Practices'

The researchers Jim Bird and Frank Kim stated the goals were to discover:

  • How widespread and mature application security programs are
  • Their effectiveness
  • What tools and practices are being utilised through the development lifecycle and which are most useful
  • How training is being undertaken and its effectiveness
  • How much is being spent on application security, where and whether this is aligned with organisational risk
  • What are the organisations' future plans for application security

488 respondents provided the data summarised in the report, with a quarter of these working in very large enterprises of more than 15,000 people and 39% from organisations with 1,000 or less people. 30% of respondents had development teams with less than 25 staff, and 6% had no developers at all, with all software development being outsourced.

The published report can be downloaded free of charge at SANS Survey on Application Security Programs and Practices.

The survey found that although organisations are investing more in application security, it is not particularly effective, and that root causes are not being addressed and instead there is still a reliance on mitigating software vulnerabilities after deployment. I recommend reading the findings and conclusions in full.

There was another document referenced in the report which I was not aware of. The US-based Financial Services Information Sharing and Analysis Centre has published a useful white paper titled Appropriate Software Security Control Types for Third Party Service and Product Providers to improve software security control practices.

Posted on: 25 February 2014 at 07:15 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

29 January 2014

Privacy Notices and Supplier Contracts

Over Christmas I caught up with a backlog of news stories, tweets and bookmarked items. One relating to privacy notices surprised me, despite being quite an old item.

Photograph of a locked wooden door with an adjacent metal enclosure housing a keypad, video camera, microphone and loudspeaker - a sign on the door reads 'Keep locked shut' and another handmade sign reads 'Visitors - Please press buzzer and show ID to  the camera - thank you'

It seems Google's terms of service (UK version) for Google Analytics include certain privacy requirements on its users (web site operators).

The web post identifies obligations placed on web site operators:

  • Have a privacy policy
  • Abide by all applicable laws relating to the collection of information from visitors
  • State the usage of third party tracking and usage of cookies for tracking

There are additional requirements for users of AdWords and AdSense. A handy reminder that your suppliers can be the source of additional information security and privacy mandates.

After all, if you have an incident, you don't want to be found breaking contractual obligations as well.

Posted on: 29 January 2014 at 08:35 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

15 June 2013

Enterprise Application Usage

Have you ever wondered what applications are typically being used in enterprise-scale organisations and what the risks are? A report by Palo Alto Networks has analysed over 3,000 worldwide traffic assessments to produce an aggregated summary report.

Partial screen capture showing the interactive tool published to allow the data to be examined dynamically

This is the first of three posts relating to publications that came out some time ago — I am just catching up, but hopefully they are worth mentioning. This first post relates to the oldest, a report published in February.

The Application Usage and Threat Report, 10th Edition provides regional data on the use of personal, business and custom/other applications on enterprise networks. The last category relates to 8-10% traffic that does not match any known application such as a custom internal application or a commercial application not yet identified in the assessment, and could include malware. The report provides data on:

  • Usage of applications by category (e.g. social networking, file sharing, photo, video)
  • Application functionality overlap
  • Bandwidth usage by category
  • Malware and exploit prevalence
  • Use of transport layer security.

The conclusions include that social networking, file sharing and video applications are not the most common threat vectors; attackers are masking their activities through custom or encrypted applications. The report's data can be analysed dynamically using a well-designed online tool where the data point information is viewable for each chart element.

Posted on: 15 June 2013 at 10:30 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

05 April 2013

Fair Data?

At the end of January, the Market Research Society (MRS) launched an initiative called Fair Data.

Photograph from the London Shard at dusk looking towards Canary Wharf

Existing MRS Company Partners (who are already subject to the MRS Code of Conduct), and others who apply and pass an assessment by the MRS of their "policies and procedures", must firstly adhere to the 10 principles and secondly must "use the Fair Data mark in all relevant dealings with customers and respondents". The 10 principles relate to the following topics:

  1. Consent
  2. Purpose
  3. Access
  4. Security
  5. Respect
  6. Sensitive personal data
  7. Supply chain
  8. Ethics
  9. Staff training
  10. Default to not using personal data unless there is adherence to the above nine principles

So the scheme does not include all eight data protection principles but some extra business process requirements. Perhaps this is because the trust mark has been designed "to be used internationally".

The scheme seems to have some initial endorsements, but these type of things won't work unless there is a large adoption so that consumers and others recognise the mark, and that is backed up by verifiable evidence that it makes a difference. I am not sure if this "kite mark" or "trust seal" is the one to make everyone confident about use of their personal data.

Posted on: 05 April 2013 at 18:32 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

19 March 2013

Data Protection Risks for Mobile Apps

The European Commission's Article 29 Working Party on the Protection of Individuals has published its opinion on data protection risks for mobile apps.

Partial image of the recommendations for app developers in the European Commission's Article 29 Working Party on the Protection of Individuals 'Opinion 02/2013 on Apps on Smart Devices'

Opinion 02/2013 on Apps on Smart Devices describes the roles, risks and responsibilities of four groups: app developers, operating systems/device manufacturers, app stores and third parties. It seems slightly odd to lump together "rganisations that outsource the app development and those companies and individuals building and deploying apps", and think this will lead to confusion.

However, in the conclusions on pages 27-28, there are two useful lists under the headings "App developers must" and "The Working Party recommends that app developers", which would be suitable for consideration of inclusion within internal compliance standards for app development.

Posted on: 19 March 2013 at 08:28 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

18 December 2012


Just in case you have got the development process running slickly, and operation is going smoothly, have you thought about asset disposal, and related data destruction, at the end of life?

Photography of a few autumnal-coloured leaves on a lichen-covered tree

Well, the UK's Information Commissioner has produced a short guide IT Asset Disposal for Organisations.

As it states in the guide "if personal data is compromised during the asset disposal process, even after it has left your organisation, you may still be responsible for breaching the DPA so it is important to manage the process correctly". This is of course relevant for other types of data too. And not just your own equipment, but that of organisations processing data on your behalf (and in the cloud).

Who is your "asset disposal champion"?

Posted on: 18 December 2012 at 06:58 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

07 December 2012

Waffish Behaviour in 2012

In Scotland and northern England, a "waff" is a gust or puff of air, or a passing glimpse. It is also a verb meaning to flutter or cause to flutter. In this post I want to avoid hot air, waffle and waggish comments to highlight guidance on the deployment and use of web application firewalls (WAFs).

Crowd/queue control barriers

WAFs can be controversial in that they can be a blunt instrument to add some protection to web applications, may not be well understood, are often not configured well, can be expensive to acquire, require an ongoing resource commitment, may cause problems with valid business functionality, could lead to the delegation of responsibility for application security primarily to operations, and if not integrated with other software assurance activities, can lead to the mistaken assumption that applications are secure. These issues need to be considered, but WAFs are a valid tool to have in your arsenal of defences.

Some more recent, and older long-standing, viewpoints and uses are described in the sources listed in alphabetical order below:

If you have, or are thinking of using WAFs, do read all of the above and subsequent discussions about some of those papers, as well as listening to suppliers/vendors. Then make up your own mind.

Posted on: 07 December 2012 at 08:54 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

18 September 2012

Mobile Payments, Security and PCI Requirements

Applications that accept payments and are installed on consumer mobile devices, not used exclusively used for a single payment application, such as smart phones, tablets and PDAs have been excluded from the PCI SSC's validation programme Payment Application Data Security Standard (PA-DSS). These types of mobile payment acceptance applications are known as Category 3 - payment applications operating on any consumer electronic handheld device that is not solely dedicated to payment acceptance for transaction processing.

Partial image of the chart in Appendix B of 'PCI Mobile Payment Acceptance Security Guidelines' showing the suggested responsibilities for the 18 best practices

Mobile payment Acceptance FAQs, published in June 2011, recommended that Category 3 applications intended for use in the cardholder data environment are developed using PA-DSS as a baseline for protection of payment card data and in support of PCI DSS compliance, until the development of appropriate advice, guidance, and/or standards to ensure that such applications are capable of supporting a merchant's PCI DSS compliance. On Friday the PCI SSC published new guidance for developers.

PCI Mobile Payment Acceptance Security Guidelines v1.0 September 2012, describes firstly 3 objectives and guidance for application payment transactions:

  1. Prevent account data from being intercepted when entered into a mobile device
  2. Prevent account data from compromise while processed or stored within the mobile device
  3. Prevent account data from interception upon transmission out of the mobile device

Secondly, guidance on 15 risks and controls in the supporting environment (mobile platform and associated applications):

  1. Prevent unauthorized logical-device access
  2. Create server-side controls and report unauthorized access
  3. Prevent escalation of privileges
  4. Create the ability to remotely disable payment application
  5. Detect theft or loss
  6. Harden supporting systems
  7. Prefer online transactions
  8. Conform to secure coding, engineering, and testing
  9. Protect against known vulnerabilities
  10. Protect the mobile device from unauthorised applications
  11. Protect the mobile device from malware
  12. Protect the mobile device from unauthorized attachments
  13. Create instructional materials for implementation and use
  14. Support secure merchant receipts
  15. Provide an indication of a secure state

Recognising that no one party has sole responsibility for security of Category 3 applications, a table in Appendix B of the guidance suggests responsibilities for the 18 practices. The responsibilities are assigned to device manufacturers (e.g. Apple, Huawei, Motorola, Nokia, Samsung), operating system developers (e.g. Apple, Google, Microsoft), application developers (e.g. you?), and merchants as end-users or payment acceptance service providers.

The guidance also provides a list of ten additional sources of information to support the guidance. Further advice and standards on mobile payments are expected from the PCISSC in 2013.

In the next post, I will discuss some related updated guidance from Visa.

Posted on: 18 September 2012 at 23:30 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

26 July 2012

Smart Grid .EU

The European Network and Information Security Agency (ENISA) has published a report providing recommendations for member states on smart grid security.

Partial image from the cover of ENISA's report 'Smart Grid Security'

ENISA is facilitating a number of initiatives to co-ordinate stakeholders with an interest in smart grid cyber security. The report Smart Grid Security is the output from a series of interviews with experts to identify the risks and challenges related to cyber security aspects of smart grids.

The report provides ten recommendations for member states including (No 5) the development of a minumum set of security measures based on existing standards and guidelines, and (No 6) the development of a security certification scheme for components, products and organisational security.

A high-level, but useful, read for those interested in Critical Infrastructure Protection (CIP) and Critical Information Infrastructure Protection (CIIP). The extensive bibliography is worth digging through for further guidance.

Posted on: 26 July 2012 at 06:57 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

19 June 2012

Consultation on Notice & Action (Takedown)

The European Commission has begun a consultation on procedures for notifying and acting on illegal content hosted by online intermediaries.

Portion of the questions in the online response form to the European Commission's consultation on 'A Clean and Open Internet: Public Consultation on Procedures for Notifying and Acting on Illegal Content Hosted by Online Intermediaries'

A Clean and Open Internet: Public Consultation on Procedures for Notifying and Acting on Illegal Content Hosted by Online Intermediaries asks for the views of citizens, organisations and public authorities about the exemptions for liability of service providers for online content under the E-Commerce Directive (implemented in the UK as the E-Commerce Regulations). The consultation is seeking views concerning four aspects:

  • Notice and Action procedures
  • Notifying illegal content to hosting service providers
  • Action against illegal content by hosting service providers
  • The role of the EU in notice-and-action procedures

There is a thorough briefing of the issues on Out-Law.com.

Responses can be submitted via an online form (the full form can be viewed in advance by downloading it as a PDF. The consultation runs until 5th September 2012.

Posted on: 19 June 2012 at 07:41 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

More Entries

Policies : Web Security, Usability and Design
ISO/IEC 18004:2006 QR code for http://clerkendweller.com

Page http://www.clerkendweller.com/policies
Requested by on Sunday, 20 April 2014 at 11:47 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2008-2014 clerkendweller.com