Tag Archive for Paper

What the Internet Should Be Like

Take some time away from your FB feed while locked down and expand your horizons. Check out something on the Internet that might make you think. Here are a few sites that will broaden your online horizons.

Neal Agarwal at neal.fun is trying to make the web more fun. The developer created The Deep Sea, an interactive visualization of the ocean: you scroll, scroll, and then scroll some more to see what sea life (and other things) reside at various depths.

The Deep Sea

Thanks to the site, you can see how deep the various sea critters can dive.

The size of space

Another site Mr. Agarwal developed is The Size of Space. This one is an interactive visualization of the scale of the universe.

At this site, you can compare the size of the Saturn V rocket that took NASA astronauts to the Moon with Sagittarius A*, the supermassive black hole at the center of our home galaxy, the Milky Way.

Detroit Industry

The Detroit Institute of Arts has an online presence. One magnificent artifact is “Detroit Industry.” The murals, painted by Diego Rivera in 1932-1933 across four walls, depict the history of industry in Detroit. You can see them online via Google’s Arts and Culture project.

"Detroit Industry" by Diego Rivera. 1932-1933

Toilet Paper Calculator

Of course, we can’t ignore current events. The Toilet Paper Calculator by Nathan Yau offers a tool to estimate how much TP you need to buy (not hoard) to survive the COVID lockdown.

The Toilet Paper Calculator

rb-

This is the internet I signed up for.

Stay safe out there!

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Disposal Dummies Cause Privacy Problems

The article Disposal Dummies Cause Privacy Problems, posted at SecureWorld Post by Rebecca Herold, lays out the privacy problems caused by dumb disposal policies. The article claims that trash-based breaches are worse than ever.

The oldest security and privacy problem, unsecured disposal of personal information, is as prevalent today as it was centuries ago, the author reports. With the amount of data growing rapidly (EMC and IDC claim it doubles every two years) on top of printed information, she says there are more ways than ever for disposal-related breaches to occur.

The blog outlines the most common, and most egregious, information-disposal mistakes:

  • Donating print documents with personal information on them to outside groups, like pre-schools and community groups, to use as scrap paper.
  • Selling computers, smartphones, copiers, fax machines, and other computing devices, to recoup some of the investment, but not irreversibly removing the data before the sale.
  • Putting digital storage devices in the trash without first irreversibly removing the data.
  • Putting print documents containing personal information into unsecured dumpsters, and not shredding them.
  • Never throwing away no-longer-needed hard copy and digital devices; letting them accumulate in storage areas, with inadequate or no security, allowing them to be taken by anyone who happens along.

Data disposal is important because breaches caused by poor disposal practices are getting so bad that, the article states, there are a growing number of laws explicitly covering disposal, and bills are being proposed at the state and federal levels. The Disposal Rule (part of the Fair and Accurate Credit Transactions Act of 2003, or FACTA) has been in effect since 2005. The blog says FACTA has many very specific requirements that basically all types of businesses, of all sizes, that do most types of credit checks must follow when disposing of information in all forms.

In Michigan, data destruction requirements are covered by the Identity Theft Protection Act, MCL 445.72a, whose section heading reads: destruction of data containing personal information required; violation as misdemeanor; fine; compliance; “destroy” defined.

Besides the fact that secure information disposal is now a legal requirement for most businesses, it makes sense to dispose of information securely to prevent privacy breaches. By having effective disposal policies, procedures, and supporting technologies in place, businesses demonstrate reasonable due diligence.

Ms. Herold argues that all organizations, from the smallest to the largest, need to follow proper information disposal practices or they will suffer significant privacy breaches and non-compliance penalties. She presents an action plan to get started:

  • Assign overall responsibility for information security and privacy compliance to a position or department within your organization, which will include responsibility for the disposal of information in all forms.
  • Perform a disposal risk assessment to find exactly how your organization really disposes of all types of information.
  • Create information disposal policies and procedures, or update existing ones, based upon the results of the disposal risk assessment.

The policies and procedures need to cover concrete actions:

  • Locate, inventory, and gather at the end of their business usefulness all types of digital storage devices, including CDs, DVDs, USB drives, external drives, tapes (yes, many organizations still use them), microfiche (yes, these too), and any other type of storage media.
  • Inventory all types of computing equipment, including not just the “traditional” computers, but also devices such as printers, fax machines, copiers, smartphones, MP3 devices, and any other types of devices that do computing activities.
  • Define acceptable shredding methods and locations for paper documents. Fine cross-cut shredding of hard copy is recommended, as is ensuring that any contracted shredding company does the shredding on-site.
  • Define acceptable methods of irreversibly removing data from computing and digital storage devices. Degaussers are still often used, in addition to contracted services that wipe storage devices clean. (Note: degaussing affects only magnetic media; it does nothing to flash storage such as SSDs and USB drives, which need the device’s own secure-erase or sanitize command, or physical destruction.)
  • Make sure you include information backups, and all types of information archives, in your disposal procedures. These items are typically overlooked, and many breaches have resulted from such items.

The bottom line for all organizations, the author argues, is this: you need to make sure there are proper safeguards for information, computing, and storage devices during the disposal process.

The author concludes with recommended resources and articles to aid you in improving your own personal and organizational disposal practices.


Paper Based Data Breaches Growing

Brian Krebs at the Washington Post’s Security Fix points out that paper-based data breaches are on the rise. Krebs cites statistics from the Identity Theft Resource Center, a San Diego-based nonprofit, which says at least 27 percent of the data breaches disclosed publicly in 2009 stemmed from collections of sensitive consumer information printed on paper that was lost, stolen, inadvertently distributed, or improperly disposed of.

The ITRC logged 125 paper breaches among the 463 incidents it recorded in 2009. These breaches occurred across all sectors, with businesses having the most, followed by the government sector.

“Computers were supposed to take us to a paperless society, yet computers probably create more paper than before we had them because now we want a hard copy as well as what’s on the computer,” ITRC co-founder Linda Foley told Security Fix. “It’s a double danger of course because paper – especially when it’s just tossed in a dumpster somewhere – is not like data on a hard drive. It’s ready to use, it often contains the consumer’s handwriting and signatures, which can be very useful when you’re talking about forging credit card and mortgage applications.”

Stuart Ingis, a partner with the law firm Venable LLP in Washington, told Security Fix that many clients he deals with strictly speaking do not have a legal obligation to report paper-based breaches, but that most of his clients err on the side of caution.

Experts say that paper data breach incidents come to light in large part because of a proliferation of state data breach notification laws. Some 45 states and the District of Columbia have enacted laws requiring companies that lose control over sensitive consumer data, such as Social Security or bank account numbers, to alert affected consumers and in some cases state authorities. Concerned about the mounting costs of complying with so many state breach regulations, businesses often find it easier and cheaper to adhere to the strictest state laws. The current federal data breach notification proposals would preempt state measures and would allow paper-based breaches to go unreported, because they require notification only when electronically stored data is lost or stolen and are largely silent on paper breaches. Only Massachusetts and North Carolina currently require notification whether the breached data is in electronic or paper form.

rb-
When we talk to clients about information security, and not just information technology security, we ask them to consider that lost paper documents are just as damaging to a company’s reputation, should they get into the wrong hands, as electronic data stored in an Excel spreadsheet or database server. Data on paper is just another form of data that needs to be protected by information security policies.

Related articles
  • Identity theft and data breaches increased in 2010 (lexingtonlaw.com)

Data Destruction Policy Suggestions

Humans have created more digital information than we have the ability to store, according to EMC’s digital universe survey. ComputerWorld recently published an excellent article giving a lawyer’s point of view on data destruction. Attorney Mark Grossman, a tech lawyer and founder of the Grossman Law Group, and Tate Stickles, a partner in the firm, offer some insight for creating an effective data destruction policy.

Highlights of a data destruction policy

  1. Data destruction is intended to be permanent.
  2. Policies must be consistently enforced.
  3. The goal is to identify and classify what data the firm has and create effective policies for disposing of it.
  4. Legal and proper data destruction may prevent extensive fishing expeditions by your opponents.
  5. A regular, good-faith business process for data destruction should provide some “safe harbor” protection under the Federal Rules of Civil Procedure (the Rule 37 safe harbor covering routine operation of electronic information systems).
  6. Have a data retention policy. A data destruction policy is the second half of a data retention policy, which decides where data is stored and makes it easier to delete old data.

General rules

  1. The general rule for disposing of any data is that simple deletion is not enough: deleting a file or formatting a drive removes only the index entry, and the data stays recoverable until it is overwritten or the media is destroyed.
    • When reusing media, wipe the old data, confirm that the data is gone, and document the process; only then can the media be reused.
    • Media that leaves the firm’s control, whether discarded or resold, needs stronger measures, up to and including physical destruction of the media.
  2. Obligations to take certain data destruction steps depend on the laws, rules, or regulations that regulate the firm:
    • Sarbanes-Oxley,
    • Gramm-Leach-Bliley,
    • The Fair and Accurate Credit Transactions Act,
    • HIPAA,
    • Check with your tech attorney who can provide guidance on what laws, rules, and regulations may apply to your company’s situation.
  3. Firms that are not heavily regulated can look to other destruction standards:
    • U.S. Department of Defense standards and methods (DoD 5220.22-M),
    • National Institute of Standards and Technology’s Guidelines for Media Sanitization (NIST SP 800-88),
    • International, national, state, and local laws, rules, and regulations.
  4. The policy should address how to classify and handle each type of data residing on the media.
  5. It needs a process for reviewing and categorizing the types of data your company has and which kinds can be removed.
  6. The classification and contents of the data determine how it is treated.
  7. Data and media containing confidential information, trade secrets, and the private information of customers require the strictest controls and destruction methods.
  8. Data and media posing little or no risk to the firm may have relaxed levels of control and destruction.
  9. Review contracts with other companies to ensure proper handling of data destruction within the terms of those contracts; for example, non-disclosure agreements can contain data destruction terms that must be complied with.
  10. When reselling or recycling media, take samples to make sure that the proper level of data destruction is being maintained.
  11. In-house data destruction requires verification that the data sanitization and destruction tools and equipment are functioning properly and are maintained appropriately.
  12. Document the entire policy so the firm knows what media has been sanitized and destroyed. The documentation should give easy answers to the who, what, where, when, why, and how questions.
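An added example, not from the ComputerWorld article or the Grossman Law Group, that puts rules 1, 10, 11 and 12 above into runnable form: a file standing in for a block device is loaded with constructed fake records, a “delete” (index-only erase) is shown to leave every record recoverable, a single-pass overwrite removes them, a seeded sample verification checks the result, and a who/what/when/how record is produced. The sector size, the record layout, the sample count, the method label and the operator name are assumptions made for the demo.

```python
import datetime
import hashlib
import os
import random
import tempfile

SECTOR = 512  # bytes per simulated sector (an assumption for the demo)

def make_sample_media(path, sectors=2048):
    # Constructed, obviously fake records; the "SSN " marker is scanned for later.
    with open(path, "wb") as f:
        for i in range(sectors):
            rec = f"ACCT-{i:06d} SSN 000-00-{i % 10000:04d} ".encode()
            f.write(rec.ljust(SECTOR, b"."))

def quick_erase(path):
    # What "delete" or a quick format does: clear the index (first sector) only.
    with open(path, "r+b") as f:
        f.write(b"\x00" * SECTOR)
        f.flush()
        os.fsync(f.fileno())

def overwrite_media(path, pattern=b"\x00"):
    # One full pass of a fixed pattern over every byte (NIST SP 800-88 "Clear"
    # for magnetic media; flash/SSDs need the drive's own sanitize command).
    size = os.path.getsize(path)
    block = (pattern * (SECTOR // len(pattern) + 1))[:SECTOR]
    with open(path, "r+b") as f:
        for off in range(0, size, SECTOR):
            f.write(block[: min(SECTOR, size - off)])
        f.flush()
        os.fsync(f.fileno())
    return size

def residual_records(path, needle=b"SSN "):
    # Sector scan for the marker: a crude stand-in for a data-recovery tool.
    with open(path, "rb") as f:
        return sum(needle in s for s in iter(lambda: f.read(SECTOR), b""))

def verify_wipe(path, pattern=b"\x00", samples=64, seed=0):
    # Check first and last sector plus seeded pseudo-random samples for the
    # pattern. A full read-back is better when time allows; the seed is kept
    # in the record so an auditor can repeat exactly the same sample.
    size = os.path.getsize(path)
    nsect = (size + SECTOR - 1) // SECTOR
    rng = random.Random(seed)
    chosen = {0, nsect - 1} | {rng.randrange(nsect) for _ in range(samples)}
    with open(path, "rb") as f:
        for idx in sorted(chosen):
            f.seek(idx * SECTOR)
            sector = f.read(SECTOR)
            if sector != (pattern * (SECTOR // len(pattern) + 1))[: len(sector)]:
                return False
    return True

def sanitization_record(path, method, operator, verified, seed=0):
    # The who/what/when/how entry the policy calls for, plus a digest of the
    # post-wipe media so the verification can be re-checked later.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {
        "media": os.path.basename(path),
        "bytes": os.path.getsize(path),
        "method": method,
        "operator": operator,
        "verified": verified,
        "sample_seed": seed,
        "sha256_after": h.hexdigest(),
        "when": datetime.datetime.now(datetime.timezone.utc).isoformat(),
    }

def demo():
    # Whole sequence on a temp file; the residual counts show each step's effect.
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        make_sample_media(path)
        before = residual_records(path)
        quick_erase(path)
        after_delete = residual_records(path)
        overwrite_media(path)
        after_wipe = residual_records(path)
        ok = verify_wipe(path)
        rec = sanitization_record(path, "overwrite-1pass-zeros", "example-operator", ok)
        rec.update(records_before=before, records_after_delete=after_delete,
                   records_after_wipe=after_wipe)
        return rec
    finally:
        os.remove(path)

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it as a script to print the record. On real media the same shape applies, with the open() calls pointed at the block device and, for SSDs and flash, the overwrite replaced by the drive’s sanitize or secure-erase command, since a host-side overwrite cannot reach over-provisioned or remapped cells; the scan-and-verify steps are what make “we wiped it” a documented fact rather than an assumption.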

The last step of an effective policy is to have a process in place so the firm can follow up with regularly scheduled testing of the process and the media to ensure the policy stays effective.